TechSpot

[A] Internet Explorer being redirected

Inactive
By ccchester
Sep 17, 2012
  1. My Internet Explorer has been getting redirected for over a week. I thought I had fixed the problem, but it popped up again the other day. When I ran MalwareBytes it said it didn't find any threats, but when I went to the quarantine section there were 25, all created on 9/12/12. Among the names listed were Trojan.Vundo, PUP.MyWebSearch, PUP.Funmoods, Rogue.AntiVirus, and Adware.Minibug. I think these are the same things that I removed the first time I ran the program several days ago.


    Here are my logs. Thanks in advance for your help.

    Malwarebytes Anti-Malware 1.65.0.1400
    www.malwarebytes.org
    Database version: v2012.09.15.05
    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Cynthia :: CYNTHIA-PC [administrator]
    9/17/2012 11:11:47 AM
    mbam-log-2012-09-17 (11-11-47).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 186042
    Time elapsed: 5 minute(s), 48 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-09-17 17:33:06
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.04.0
    Running: gmer.exe; Driver: C:\Users\Cynthia\AppData\Local\Temp\fxliafow.sys

    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    ---- EOF - GMER 1.0.15 ----


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421
    Run by Cynthia at 17:34:20 on 2012-09-17
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1134 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\real\realplayer\Update\realsched.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Users\Cynthia\AppData\Roaming\Spotify\spotify.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://my.yahoo.com/?_bc=1
    uSearch Page =
    uWindow Title = Internet Explorer, optimized for Bing and MSN
    mStart Page = hxxp://www.google.com
    mDefault_Page_URL = hxxp://www.google.com
    uInternet Settings,ProxyOverride = <local>
    mSearchAssistant =
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
    BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [imscr] "c:\windows\system32\rundll32.exe" "c:\users\cynthia\appdata\roaming\imscr.dll",get_gAMA_fixed
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Spotify] "c:\users\cynthia\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [EKAIO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    StartupFolder: c:\users\cynthia\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    Trusted Zone: mlxchange.com\mfr
    Trusted Zone: yahoo.com\cm.my
    DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
    TCP: Interfaces\{0A283A52-1221-4105-ABD3-9F51AEF85DAC} : DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-16 214664]
    R1 MpKsl7fac1549;MpKsl7fac1549;c:\programdata\microsoft\microsoft antimalware\definition updates\{5c42ac65-eac4-47f5-ac76-f8e2cbfb4b68}\MpKsl7fac1549.sys [2012-9-17 29904]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-11 21504]
    R3 RTL8187;Trust USB WiFi Adapter;c:\windows\system32\drivers\rtl8187.sys [2007-2-14 288256]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-1 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-1 136176]
    S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-16 79816]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-16 35272]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-16 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-16 40552]
    S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2012-8-31 13024]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== File Associations ===============
    .
    scrfile="%1" /S "%3"
    .
    =============== Created Last 30 ================
    .
    2012-09-17 21:32:51 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5c42ac65-eac4-47f5-ac76-f8e2cbfb4b68}\MpKsl7fac1549.sys
    2012-09-16 21:36:28 7022536 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5c42ac65-eac4-47f5-ac76-f8e2cbfb4b68}\mpengine.dll
    2012-09-16 15:44:01 -------- d-----w- c:\users\cynthia\appdata\local\Spotify
    2012-09-16 15:42:32 -------- d-----w- c:\users\cynthia\appdata\roaming\Spotify
    2012-09-16 15:41:57 -------- d-----w- c:\users\cynthia\appdata\local\Deployment
    2012-09-16 15:41:57 -------- d-----w- c:\users\cynthia\appdata\local\Apps
    2012-09-15 19:54:32 7022536 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-09-13 01:08:19 -------- d-----w- c:\program files\CCleaner
    2012-09-12 19:23:03 -------- d-----w- c:\users\cynthia\appdata\roaming\Malwarebytes
    2012-09-12 19:22:45 -------- d-----w- c:\programdata\Malwarebytes
    2012-09-12 19:22:42 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-12 19:22:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-09-10 18:37:11 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-09-10 18:37:10 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-09-07 03:57:37 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{7f0ccf80-75a9-46e1-9182-73b4e5928ae6}\gapaengine.dll
    2012-09-07 03:49:51 -------- d-----w- c:\program files\Microsoft Security Client
    2012-09-04 17:01:28 -------- d-----w- c:\program files\WinDirStat
    2012-08-31 22:00:11 -------- d-----w- c:\program files\Defraggler
    2012-08-31 21:35:46 288256 ----a-w- c:\windows\system\rtl8187.sys
    2012-08-31 21:35:43 -------- d-----w- c:\program files\Trust USB WiFi Adapter Driver
    2012-08-31 21:19:54 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2012-08-31 21:03:52 1601024 ----a-w- c:\users\cynthia\appdata\roaming\imscr.dll
    2012-08-31 20:56:13 -------- d-----w- c:\users\cynthia\appdata\local\Downloaded Installations
    2012-08-31 19:55:11 -------- d-----w- c:\program files\IDT
    2012-08-31 19:41:53 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2012-08-31 19:41:44 -------- d-----w- c:\program files\SlimDrivers
    2012-08-25 08:04:16 -------- d-----w- c:\program files\Windows Portable Devices
    2012-08-25 07:32:05 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-08-25 07:32:05 172032 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-25 07:32:05 157696 ----a-w- c:\windows\system32\imagehlp.dll
    2012-08-25 07:32:05 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-08-25 07:25:42 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-08-23 13:12:02 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-08-23 13:12:02 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2012-08-23 13:12:01 1218048 ----a-w- c:\program files\windows journal\NBDoc.DLL
    2012-08-23 13:12:00 983040 ----a-w- c:\program files\windows journal\JNTFiltr.dll
    2012-08-23 13:12:00 964608 ----a-w- c:\program files\windows journal\JNWDRV.dll
    2012-08-23 13:12:00 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
    2012-08-23 13:12:00 1404928 ----a-w- c:\program files\common files\microsoft shared\ink\InkObj.dll
    2012-08-23 13:11:59 47104 ----a-w- c:\program files\windows journal\PDIALOG.exe
    2012-08-23 13:11:54 797696 ----a-w- c:\windows\system32\FntCache.dll
    2012-08-23 13:11:53 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2012-08-23 13:10:10 984064 ----a-w- c:\windows\system32\crypt32.dll
    2012-08-23 13:10:09 98304 ----a-w- c:\windows\system32\cryptnet.dll
    2012-08-23 13:10:09 133120 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-08-23 13:09:54 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
    2012-08-23 13:09:54 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
    2012-08-23 13:09:54 293376 ----a-w- c:\windows\system32\psisdecd.dll
    2012-08-23 13:09:54 217088 ----a-w- c:\windows\system32\psisrndr.ax
    2012-08-23 13:09:49 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-08-23 13:09:49 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-08-23 13:09:46 623616 ----a-w- c:\windows\system32\localspl.dll
    2012-08-23 13:09:04 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-08-23 13:08:44 429056 ----a-w- c:\windows\system32\EncDec.dll
    2012-08-23 13:08:18 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
    2012-08-23 13:08:16 66560 ----a-w- c:\windows\system32\packager.dll
    2012-08-23 13:08:13 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-08-23 13:08:11 680448 ----a-w- c:\windows\system32\msvcrt.dll
    2012-08-23 13:08:07 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2012-08-23 13:06:38 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-08-23 13:06:38 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-08-23 13:06:19 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-08-23 13:06:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-08-23 13:06:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-23 13:06:14 707584 ----a-w- c:\program files\common files\system\wab32.dll
    2012-08-23 13:04:58 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-08-23 13:04:57 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-08-23 13:04:57 1259008 ----a-w- c:\windows\system32\lsasrv.dll
    2012-08-23 13:04:56 72704 ----a-w- c:\windows\system32\secur32.dll
    2012-08-23 13:04:56 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2012-08-23 13:04:55 9728 ----a-w- c:\windows\system32\lsass.exe
    2012-08-23 13:04:50 231424 ----a-w- c:\windows\system32\msshsq.dll
    2012-08-23 12:37:33 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-08-23 12:21:08 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-08-23 12:20:27 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-08-23 12:20:16 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-08-23 12:20:16 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-08-23 02:15:33 98816 ----a-w- c:\windows\system32\mfps.dll
    2012-08-23 02:13:28 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2012-08-23 02:13:28 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2012-08-23 02:13:28 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2012-08-23 02:13:27 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2012-08-23 02:13:27 519680 ----a-w- c:\windows\system32\d3d11.dll
    2012-08-23 02:13:27 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2012-08-23 02:13:27 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2012-08-22 20:18:57 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-08-22 18:45:55 -------- d-----w- c:\windows\system32\eu-ES
    2012-08-22 18:45:55 -------- d-----w- c:\windows\system32\ca-ES
    2012-08-22 18:45:54 -------- d-----w- c:\windows\system32\vi-VN
    2012-08-22 18:14:59 627712 ----a-w- c:\windows\system32\user32.dll
    2012-08-22 18:13:59 842240 ----a-w- c:\windows\system32\systemcpl.dll
    2012-08-22 18:12:39 83968 ----a-w- c:\windows\system32\wbem\wmiutils.dll
    2012-08-22 18:12:39 744448 ----a-w- c:\windows\system32\wbem\wbemcore.dll
    2012-08-22 18:12:39 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
    2012-08-22 18:12:39 30208 ----a-w- c:\windows\system32\wbem\wbemprox.dll
    2012-08-22 18:12:39 265728 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
    2012-08-22 18:12:39 265728 ----a-w- c:\windows\system32\wbem\esscli.dll
    2012-08-22 18:12:39 189440 ----a-w- c:\windows\system32\wbem\mofd.dll
    2012-08-22 18:12:38 705536 ----a-w- c:\windows\system32\SmiEngine.dll
    2012-08-22 18:12:37 218624 ----a-w- c:\windows\system32\wdscore.dll
    2012-08-22 18:12:37 130560 ----a-w- c:\windows\system32\PkgMgr.exe
    2012-08-22 18:12:31 247808 ----a-w- c:\windows\system32\drvstore.dll
    2012-08-21 14:33:19 53248 ----a-w- c:\windows\system32\CSVer.dll
    2012-08-21 14:13:59 -------- d-----w- C:\dell
    2012-08-21 13:42:45 -------- d-----w- c:\users\cynthia\appdata\local\SlimWare Utilities Inc
    .
    ==================== Find3M ====================
    .
    2012-08-23 02:15:33 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2012-08-23 02:13:29 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
    .
    ============= FINISH: 17:35:54.89 ===============



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/14/2007 3:15:34 AM
    System Uptime: 9/17/2012 11:32:04 AM (6 hours ago)
    .
    Motherboard: Gateway | |
    Processor: Genuine Intel(R) CPU T2300 @ 1.66GHz | uFCPGA2 | 1000/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 139 GiB total, 112.41 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 3.152 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP813: 9/16/2012 5:33:42 PM - Windows Update
    RP814: 9/17/2012 2:02:25 PM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe Download Manager
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.5.2
    AviSynth 2.5
    Browser Address Error Redirector
    CCleaner
    Defraggler
    Encompass Installation Manager
    Gateway Recovery Center Installer
    getPlus(R) for Adobe
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    Malwarebytes Anti-Malware version 1.65.0.1400
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Digital Image Library 9 - Blocker
    Microsoft Digital Image Starter Edition 2006
    Microsoft Digital Image Starter Edition 2006 Editor
    Microsoft Digital Image Starter Edition 2006 Library
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft WSE 2.0 SP3 Runtime
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    OGA Notifier 2.0.0048.0
    OpenOffice.org 3.3
    Point
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    REALTEK RTL8187 Wireless LAN Driver
    RealUpgrade 1.1
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Spotify
    SupportSoft Assisted Service
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    Trust USB WiFi Adapter Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    WinDirStat 1.1.2
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/15/2012 7:23:59 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: On Access Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver skipped scanning items and is in pass through mode. This may be due to low resource conditions.
    9/13/2012 12:07:51 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PlugPlay service.
    9/10/2012 6:57:48 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Adobe Flash Player Update Service service to connect.
    9/10/2012 6:57:48 AM, Error: Service Control Manager [7000] - The Adobe Flash Player Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    9/10/2012 2:08:35 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user Cynthia-PC\Cynthia SID (S-1-5-21-2100033693-1561413150-3002188466-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    .
    ==== End Of File ===========================
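The `uRun: [imscr]` line in the DDS log above is the entry worth a second look: a per-user Run key that starts `rundll32.exe` with a DLL dropped in `AppData\Roaming`, calling an export named `get_gAMA_fixed`. The following script is an added example, not code from this thread or from the DDS, Malwarebytes or RogueKiller tools; it triages the `uRun`/`mRun` lines of a DDS "Pseudo HJT Report" with a simple rule: a Windows loader binary (rundll32, regsvr32, mshta, wscript, cscript) executing a payload from a user-writable directory is high severity, any autorun binary under a user-writable directory is medium, everything else is informational. The sample lines are copied from the log above; the directory list, loader set and severity rules are this example's own assumptions.

```python
"""Triage of autorun entries from a DDS 'Pseudo HJT Report'.

Added example, not code from the TechSpot thread or from the DDS,
Malwarebytes or RogueKiller tools. The sample lines are copied from the DDS
log posted above. The list of user-writable directories, the set of
"loader" binaries and the severity rules are this example's own
assumptions, not rules published by any of those tools.
"""
import re
from typing import Dict, List, Optional

# Lines copied from the 'Pseudo HJT Report' in the DDS log above.
# DDS prefixes: uRun = HKCU\...\Run (per-user), mRun = HKLM\...\Run (machine-wide).
SAMPLE_DDS_LINES = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [imscr] "c:\windows\system32\rundll32.exe" "c:\users\cynthia\appdata\roaming\imscr.dll",get_gAMA_fixed
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Spotify] "c:\users\cynthia\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
""".strip().splitlines()

# Assumption: directories a standard user can write to. Malware that
# persists from %AppData% via a Run key is the pattern seen with imscr.dll.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\",
                 "\\users\\public\\", "\\windows\\temp\\")
# Assumption: signed Windows binaries routinely abused to run someone else's code.
LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

RUN_LINE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
# A drive- or %VAR%-rooted path up to the first loadable extension; paths may
# be quoted and contain spaces, so stop at the extension rather than at a space.
PATH = re.compile(r'(?:[a-z]:|%[^%]+%)\\[^"]*?\.(?:dll|exe|cpl|scr|bat|cmd|vbs|js)\b', re.I)
# rundll32 syntax is <dll>,<ExportName>; capture the export so it can be reviewed.
ENTRY_POINT = re.compile(r'\.dll"?,\s*([A-Za-z_]\w*)')


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_run_entry(line: str) -> Optional[Dict[str, object]]:
    """Classify one uRun/mRun line; returns None for lines that are not Run entries."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    paths = PATH.findall(cmd)
    loader = basename(paths[0]) if paths else ""
    payloads = paths[1:]  # anything after the first binary is what it is asked to load
    entry = ENTRY_POINT.search(cmd)

    severity, reason = "info", "binary lives outside user-writable directories"
    if loader in LOADERS and any(is_user_writable(p) for p in payloads):
        severity = "high"
        reason = f"{loader} loads {payloads[0]} from a user-writable directory"
    elif any(is_user_writable(p) for p in paths):
        # Legitimate per-user software (Spotify here) also installs under
        # %AppData%, so this only says "check the publisher", not "malware".
        severity = "medium"
        reason = "autorun target lives in a user-writable directory; verify the publisher"

    return {
        "hive": "HKCU" if m.group("hive") == "u" else "HKLM",
        "name": m.group("name"),
        "loader": loader,
        "payloads": payloads,
        "entry_point": entry.group(1) if entry else None,
        "severity": severity,
        "reason": reason,
    }


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Triage every Run line, most suspicious first (sort is stable within a level)."""
    order = {"high": 0, "medium": 1, "info": 2}
    results = [r for r in (triage_run_entry(l) for l in lines) if r is not None]
    return sorted(results, key=lambda r: order[str(r["severity"])])


if __name__ == "__main__":
    for r in triage(SAMPLE_DDS_LINES):
        print(f'{r["severity"]:6} {r["hive"]}\\Run [{r["name"]}] {r["reason"]}'
              + (f' (export {r["entry_point"]})' if r["entry_point"] else ""))
```

Run on the sample, only `imscr` comes out high; `Spotify` comes out medium because it also lives under `AppData\Roaming`, which is exactly why the medium level is a prompt to check the publisher rather than a verdict. A DLL whose only export is a libpng-style name like `get_gAMA_fixed` is the kind of detail the `entry_point` field is meant to surface for the analyst.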
     
  2. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =========================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    =======================================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    =======================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  3. ccchester

    ccchester TS Rookie Topic Starter

    I ran TDSSKiller and it said it didn't find anything, but for some reason it wouldn't let me copy and paste the log. RogueKiller ran just fine and I was able to get a log, but aswMBR got stuck when I ran it and either shut down the computer or closed the program. This seemed to happen when it was scanning some app data from encompass installer. I'm not sure it ever really finished, but I tried to get a log from it.

    RogueKiller V8.0.3 [09/13/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Normal mode
    User : Cynthia [Admin rights]
    Mode : Remove -- Date : 09/18/2012 11:51:52
    ¤¤¤ Bad processes : 1 ¤¤¤
    [SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]
    ¤¤¤ Registry Entries : 5 ¤¤¤
    [RUN][BLACKLIST DLL] HKCU\[...]\Run : imscr ("C:\Windows\System32\rundll32.exe" "C:\Users\Cynthia\AppData\Roaming\imscr.dll",get_gAMA_fixed) -> DELETED
    [TASK][RESIDU] SR : C:\Windows\System32\rundll32.exe -> DELETED
    [TASK][RESIDU] AutomaticBackup : C:\Windows\System32\rundll32.exe -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ Infection : ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts
    127.0.0.1 localhost
    ::1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD1600BEVS-22RST0 +++++
    --- User ---
    [MBR] f5b09c0b0d97bae40024b7590fdf9d72
    [BSP] 1eb68e628d5cb6c2d363086208c5bdd2 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 9969 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20418615 | Size: 142655 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt



    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-09-18 12:34:46
    -----------------------------
    12:34:46.003 OS Version: Windows 6.0.6002 Service Pack 2
    12:34:46.003 Number of processors: 2 586 0xE08
    12:34:46.003 ComputerName: CYNTHIA-PC UserName: Cynthia
    12:34:47.773 Initialize success
    12:37:57.892 AVAST engine defs: 12091400
    12:39:55.483 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    12:39:55.483 Disk 0 Vendor: WDC_WD16 04.0 Size: 152627MB BusType: 3
    12:39:55.503 Disk 0 MBR read successfully
    12:39:55.503 Disk 0 MBR scan
    12:39:55.513 Disk 0 unknown MBR code
    12:39:55.523 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 9969 MB offset 63
    12:39:55.543 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142655 MB offset 20418615
    12:39:55.563 Disk 0 scanning sectors +312576705
    12:39:55.663 Disk 0 scanning C:\Windows\system32\drivers
    12:40:19.783 Service scanning
    12:40:36.543 Service MpKsl4f2f3aaf c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{50D42144-9448-4617-8C5D-7C1986E7AB06}\MpKsl4f2f3aaf.sys **LOCKED** 32
    12:41:00.243 Modules scanning
    12:41:05.043 Disk 0 trace - called modules:
    12:41:05.443 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
    12:41:05.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8618a228]
    12:41:05.463 3 CLASSPNP.SYS[8899d8b3] -> nt!IofCallDriver -> [0x85760bd8]
    12:41:05.473 5 acpi.sys[880976bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84868028]
    12:41:07.243 AVAST engine scan C:\Windows
    12:41:11.433 AVAST engine scan C:\Windows\system32
    12:47:37.844 AVAST engine scan C:\Windows\system32\drivers
    12:48:06.914 AVAST engine scan C:\Users\Cynthia
    13:03:55.672 Disk 0 MBR has been saved successfully to "C:\Users\Cynthia\Desktop\MBR.dat"
    13:03:55.942 The log file has been saved successfully to "C:\Users\Cynthia\Desktop\aswMBR.txt"
     
  4. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    =====================================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
     
  5. ccchester

    ccchester TS Rookie Topic Starter

    Here's the ComboFix log.


    ComboFix 12-09-18.07 - Cynthia 09/19/2012 10:34:57.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1305 [GMT -4:00]
    Running from: c:\users\Cynthia\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Windows
    c:\users\Cynthia\AppData\Roaming\imscr.dll
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\system\rtl8187.sys
    c:\windows\system32\spool\prtprocs\w32x86\ppbiPr.dll
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\regtlib.exe
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-19 to 2012-09-19 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-19 14:42 . 2012-09-19 14:42 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-19 14:42 . 2012-09-19 14:42 -------- d-----w- c:\users\Cynthia\AppData\Local\temp
    2012-09-18 16:30 . 2012-09-18 16:30 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{50D42144-9448-4617-8C5D-7C1986E7AB06}\MpKsl4f2f3aaf.sys
    2012-09-18 15:46 . 2012-09-18 15:46 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{50D42144-9448-4617-8C5D-7C1986E7AB06}\MpKsleddd4e27.sys
    2012-09-18 12:42 . 2012-08-23 04:15 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{50D42144-9448-4617-8C5D-7C1986E7AB06}\mpengine.dll
    2012-09-17 21:37 . 2012-08-23 04:15 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-09-16 15:44 . 2012-09-19 14:29 -------- d-----w- c:\users\Cynthia\AppData\Local\Spotify
    2012-09-16 15:42 . 2012-09-19 14:29 -------- d-----w- c:\users\Cynthia\AppData\Roaming\Spotify
    2012-09-16 15:41 . 2012-09-16 15:42 -------- d-----w- c:\users\Cynthia\AppData\Local\Deployment
    2012-09-16 15:41 . 2012-09-16 15:41 -------- d-----w- c:\users\Cynthia\AppData\Local\Apps
    2012-09-13 01:08 . 2012-09-13 01:08 -------- d-----w- c:\program files\CCleaner
    2012-09-12 19:23 . 2012-09-12 19:23 -------- d-----w- c:\users\Cynthia\AppData\Roaming\Malwarebytes
    2012-09-12 19:22 . 2012-09-12 19:22 -------- d-----w- c:\programdata\Malwarebytes
    2012-09-12 19:22 . 2012-09-12 19:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-09-12 19:22 . 2012-09-07 21:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-10 18:37 . 2012-09-10 18:37 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-09-10 18:37 . 2012-09-10 18:37 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-09-07 03:57 . 2012-09-07 03:57 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7F0CCF80-75A9-46E1-9182-73B4E5928AE6}\gapaengine.dll
    2012-09-07 03:49 . 2012-09-07 03:50 -------- d-----w- c:\program files\Microsoft Security Client
    2012-09-04 17:01 . 2012-09-04 17:01 -------- d-----w- c:\program files\WinDirStat
    2012-08-31 22:00 . 2012-08-31 22:00 -------- d-----w- c:\program files\Defraggler
    2012-08-31 21:35 . 2012-08-31 21:35 -------- d-----w- c:\program files\Trust USB WiFi Adapter Driver
    2012-08-31 21:19 . 2009-02-11 21:11 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2012-08-31 21:19 . 2012-08-31 21:19 -------- d-----w- c:\users\Cynthia\AppData\Roaming\InstallShield
    2012-08-31 20:56 . 2012-08-31 20:56 -------- d-----w- c:\users\Cynthia\AppData\Local\Downloaded Installations
    2012-08-31 19:55 . 2012-08-31 19:55 -------- d-----w- c:\program files\IDT
    2012-08-31 19:41 . 2012-09-04 16:32 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2012-08-31 19:41 . 2012-09-05 00:19 -------- d-----w- c:\program files\SlimDrivers
    2012-08-25 08:04 . 2012-08-25 08:04 -------- d-----w- c:\program files\Windows Portable Devices
    2012-08-25 07:32 . 2012-02-29 15:11 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-08-25 07:32 . 2012-02-29 15:11 172032 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-25 07:32 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
    2012-08-25 07:32 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-08-25 07:25 . 2012-07-04 14:02 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-08-23 13:12 . 2012-03-30 12:39 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-08-23 13:12 . 2012-03-29 13:39 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2012-08-23 13:12 . 2012-02-01 15:11 1218048 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
    2012-08-23 13:12 . 2012-02-01 15:10 983040 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
    2012-08-23 13:12 . 2012-02-01 15:10 964608 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
    2012-08-23 13:12 . 2012-02-01 15:10 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
    2012-08-23 13:12 . 2012-02-01 15:10 1404928 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
    2012-08-23 13:11 . 2012-02-01 13:58 47104 ----a-w- c:\program files\Windows Journal\PDIALOG.exe
    2012-08-23 13:11 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
    2012-08-23 13:11 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2012-08-23 13:10 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
    2012-08-23 13:10 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
    2012-08-23 13:10 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-08-23 13:09 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
    2012-08-23 13:09 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
    2012-08-23 13:09 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
    2012-08-23 13:09 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
    2012-08-23 13:09 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-08-23 13:09 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-08-23 13:09 . 2012-05-11 15:57 623616 ----a-w- c:\windows\system32\localspl.dll
    2012-08-23 13:09 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-08-23 13:08 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
    2012-08-23 13:08 . 2012-03-20 23:28 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
    2012-08-23 13:08 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
    2012-08-23 13:08 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-08-23 13:08 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
    2012-08-23 13:08 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2012-08-23 13:06 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-08-23 13:06 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-08-23 13:06 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-08-23 13:06 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-08-23 13:06 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-23 13:06 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
    2012-08-23 13:04 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-08-23 13:04 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-08-23 13:04 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
    2012-08-23 13:04 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2012-08-23 13:04 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
    2012-08-23 13:04 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
    2012-08-23 13:04 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
    2012-08-23 12:37 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-08-23 12:21 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-08-23 12:21 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-08-23 12:21 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-08-23 12:21 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-08-23 12:20 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
    2012-08-23 12:20 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-08-23 12:20 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-08-23 12:20 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-08-23 12:20 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-08-23 02:15 . 2012-08-23 02:15 98816 ----a-w- c:\windows\system32\mfps.dll
    2012-08-23 02:13 . 2012-08-23 02:13 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2012-08-23 02:13 . 2012-08-23 02:13 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2012-08-23 02:13 . 2012-08-23 02:13 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2012-08-23 02:13 . 2012-08-23 02:13 519680 ----a-w- c:\windows\system32\d3d11.dll
    2012-08-23 02:13 . 2012-08-23 02:13 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2012-08-23 02:13 . 2012-08-23 02:13 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2012-08-23 02:13 . 2012-08-23 02:13 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2012-08-22 20:18 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-08-22 18:45 . 2012-08-22 18:46 -------- d-----w- c:\windows\system32\ca-ES
    2012-08-22 18:45 . 2012-08-22 18:46 -------- d-----w- c:\windows\system32\eu-ES
    2012-08-22 18:45 . 2012-08-22 18:46 -------- d-----w- c:\windows\system32\vi-VN
    2012-08-22 18:14 . 2009-04-11 06:28 627712 ----a-w- c:\windows\system32\user32.dll
    2012-08-22 18:13 . 2009-04-11 06:28 842240 ----a-w- c:\windows\system32\systemcpl.dll
    2012-08-22 18:12 . 2009-04-11 06:28 83968 ----a-w- c:\windows\system32\wbem\wmiutils.dll
    2012-08-22 18:12 . 2009-04-11 06:28 744448 ----a-w- c:\windows\system32\wbem\wbemcore.dll
    2012-08-22 18:12 . 2009-04-11 06:28 30208 ----a-w- c:\windows\system32\wbem\wbemprox.dll
    2012-08-22 18:12 . 2009-04-11 06:28 265728 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
    2012-08-22 18:12 . 2009-04-11 06:28 189440 ----a-w- c:\windows\system32\wbem\mofd.dll
    2012-08-22 18:12 . 2009-04-11 06:28 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
    2012-08-22 18:12 . 2009-04-11 06:28 265728 ----a-w- c:\windows\system32\wbem\esscli.dll
    2012-08-22 18:12 . 2009-04-11 06:28 705536 ----a-w- c:\windows\system32\SmiEngine.dll
    2012-08-22 18:12 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
    2012-08-22 18:12 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
    2012-08-22 18:12 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
    2012-08-21 14:33 . 2011-12-06 19:55 53248 ----a-w- c:\windows\system32\CSVer.dll
    2012-08-21 14:13 . 2012-08-21 14:13 -------- d-----w- C:\dell
    2012-08-21 13:42 . 2012-09-04 23:31 -------- d-----w- c:\users\Cynthia\AppData\Local\SlimWare Utilities Inc
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-23 02:13 . 2012-08-23 02:13 4096 ----a-w- c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-24 68856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "Spotify"="c:\users\Cynthia\AppData\Roaming\Spotify\Spotify.exe" [2012-09-16 5576408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
    "TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2012-05-17 296056]
    "EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-11 2756608]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2000-01-01 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2000-01-01 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2000-01-01 133656]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\users\Cynthia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Users^Cynthia^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Alert.lnk]
    path=c:\users\Cynthia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Alert.lnk
    backup=c:\windows\pss\Desktop Alert.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2100033693-1561413150-3002188466-1000]
    "EnableNotificationsRef"=dword:00000002
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2100033693-1561413150-3002188466-500]
    "EnableNotificationsRef"=dword:00000002
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-19 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-27 13:02]
    .
    2012-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-02 01:51]
    .
    2012-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-02 01:51]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/?_bc=1
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: mlxchange.com\mfr
    Trusted Zone: yahoo.com\cm.my
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
    DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2012-09-19 10:47:15
    ComboFix-quarantined-files.txt 2012-09-19 14:47
    .
    Pre-Run: 119,346,163,712 bytes free
    Post-Run: 119,355,621,376 bytes free
    .
    - - End Of File - - 72A5D0F4AE6BBE4ED339AA408E0A7988
     
  6. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    Looks good :)

    Any current issues?

    =========================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. ccchester

    ccchester TS Rookie Topic Starter

    The redirecting seems to have stopped, but I noticed other weird stuff. My scroll pad seems to work off and on, and there was a pop-up message that said: Activate your Windows now (with an icon of 2 keys). I have a seven-year-old Vista and I don't know why it's asking me to do this. Also, even when I close all windows including Internet Explorer, task master still seems to have about seven active IE entries going when I am not on the internet.
    Thanks.


    OTL Extras logfile created on: 9/20/2012 9:53:35 PM - Run 1
    OTL by OldTimer - Version 3.2.64.0 Folder = C:\Users\Cynthia\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 0.63 Gb Available Physical Memory | 31.89% Memory free
    4.21 Gb Paging File | 2.31 Gb Available in Paging File | 54.86% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 139.31 Gb Total Space | 109.58 Gb Free Space | 78.66% Space Free | Partition Type: NTFS
    Drive D: | 9.74 Gb Total Space | 3.17 Gb Free Space | 32.53% Space Free | Partition Type: NTFS

    Computer Name: CYNTHIA-PC | User Name: Cynthia | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .html [@ = FirefoxHTML] -- Reg Error: Key error. File not found

    [HKEY_USERS\S-1-5-21-2100033693-1561413150-3002188466-1000\SOFTWARE\Classes\<extension>]
    .bat [@ = batfile] -- Reg Error: Key error. File not found
    .cmd [@ = cmdfile] -- Reg Error: Key error. File not found
    .com [@ = ComFile] -- Reg Error: Key error. File not found
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found
    .pif [@ = piffile] -- Reg Error: Key error. File not found
    .vbs [@ = VBSFile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- Reg Error: Key error.
    https [open] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2100033693-1561413150-3002188466-1000]
    "EnableNotificationsRef" = 2

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2100033693-1561413150-3002188466-500]
    "EnableNotificationsRef" = 2

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1
    "DisableUnicastResponsesToMulticastBroadcast" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "TCP Query User{17D71B52-5AA0-4473-AC58-95D8728535BB}C:\users\cynthia\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\cynthia\appdata\roaming\spotify\spotify.exe |
    "TCP Query User{AFFE7348-5F42-47EA-850B-57A07ED651AB}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
    "TCP Query User{C0878FC4-8AA2-4E2C-9A8B-4F2BACA29057}C:\program files\real\realplayer\realplay.exe" = protocol=6 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
    "TCP Query User{E86142FE-2694-416A-839B-C6E1F765E7C1}C:\program files\real\realplayer\realplay.exe" = protocol=6 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
    "TCP Query User{EE1AEDC2-6094-4C37-8038-D107BDEF4542}C:\users\cynthia\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\cynthia\appdata\roaming\spotify\spotify.exe |
    "UDP Query User{04437E79-6F4C-456A-BA1A-09782264B51E}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
    "UDP Query User{1903AD9C-1D60-4D2C-AEE6-5AA7394A83C1}C:\program files\real\realplayer\realplay.exe" = protocol=17 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
    "UDP Query User{217DF5D5-AB96-4954-91E2-667622E322FE}C:\program files\real\realplayer\realplay.exe" = protocol=17 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
    "UDP Query User{9473F5FD-E140-450C-A0BC-486BD42BEBB4}C:\users\cynthia\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\cynthia\appdata\roaming\spotify\spotify.exe |
    "UDP Query User{FCB952A0-593B-4239-8E4E-E6B6B567EF69}C:\users\cynthia\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\cynthia\appdata\roaming\spotify\spotify.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{06FE1146-4FF8-45DF-B0D9-CBA8E38C708C}" = REALTEK RTL8187 Wireless LAN Driver
    "{07CEBBBD-E6EF-4265-BC65-777BD5C1FCD7}" = Point
    "{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = TIPCI
    "{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
    "{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
    "{44C05309-60F4-410B-BC32-31733CFF1A41}" = Microsoft Digital Image Starter Edition 2006 Editor
    "{4FE542EB-FF0B-4739-94DD-25C8AE0AB251}" = Microsoft Digital Image Starter Edition 2006 Library
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
    "{607398CF-354B-4E21-B1BC-549424BFD04C}" = TIPCI
    "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
    "{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}" = Gateway Recovery Center Installer
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{876854B3-6F71-40EC-AD7C-A995C0B0EE0A}" = Trust USB WiFi Adapter Driver
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.2
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus(R) for Adobe
    "{E1D34262-4885-45F7-BC46-3594A7B0B097}" = Encompass Installation Manager
    "{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
    "{F05E2B98-DA04-4FFA-8D08-DA218E6A2B47}" = Point
    "{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime
    "{F751F153-0D23-4ED5-85D5-BAE46893D1F9}" = Point
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "AviSynth" = AviSynth 2.5
    "CCleaner" = CCleaner
    "Defraggler" = Defraggler
    "Google Updater" = Google Updater
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "InstallShield_{607398CF-354B-4E21-B1BC-549424BFD04C}" = Texas Instruments PCIxx21/x515/xx12 drivers.
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "PictureItSuiteTrial_v12" = Microsoft Digital Image Starter Edition 2006
    "RealPlayer 15.0" = RealPlayer
    "SynTPDeinstKey" = Synaptics Pointing Device Driver

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2100033693-1561413150-3002188466-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Spotify" = Spotify
    "WinDirStat" = WinDirStat 1.1.2

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 3/3/2011 8:34:10 AM | Computer Name = Cynthia-PC | Source = Bonjour Service | ID = 100
    Description =

    Error - 3/3/2011 8:34:12 AM | Computer Name = Cynthia-PC | Source = Bonjour Service | ID = 100
    Description =

    Error - 3/3/2011 8:34:12 AM | Computer Name = Cynthia-PC | Source = Bonjour Service | ID = 100
    Description =

    Error - 3/3/2011 8:34:12 AM | Computer Name = Cynthia-PC | Source = Bonjour Service | ID = 100
    Description =

    Error - 3/3/2011 8:34:14 AM | Computer Name = Cynthia-PC | Source = Bonjour Service | ID = 100
    Description =

    Error - 3/3/2011 8:34:14 AM | Computer Name = Cynthia-PC | Source = Bonjour Service | ID = 100
    Description =

    Error - 3/3/2011 8:34:14 AM | Computer Name = Cynthia-PC | Source = Bonjour Service | ID = 100
    Description =

    Error - 3/3/2011 8:34:15 AM | Computer Name = Cynthia-PC | Source = Bonjour Service | ID = 100
    Description =

    Error - 3/3/2011 8:34:15 AM | Computer Name = Cynthia-PC | Source = Bonjour Service | ID = 100
    Description =

    Error - 3/3/2011 8:34:15 AM | Computer Name = Cynthia-PC | Source = Bonjour Service | ID = 100
    Description =

    [ Media Center Events ]
    Error - 12/22/2007 5:28:59 PM | Computer Name = Cynthia-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    Error - 4/17/2008 8:34:32 PM | Computer Name = Cynthia-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

    Error - 5/21/2008 9:49:19 PM | Computer Name = Cynthia-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

    Error - 5/29/2008 8:02:20 PM | Computer Name = Cynthia-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

    Error - 5/30/2008 3:40:51 PM | Computer Name = Cynthia-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

    Error - 5/31/2008 4:47:20 PM | Computer Name = Cynthia-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

    Error - 6/2/2008 7:21:39 PM | Computer Name = Cynthia-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

    Error - 6/3/2008 1:00:38 PM | Computer Name = Cynthia-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

    Error - 6/7/2008 2:33:43 AM | Computer Name = Cynthia-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

    Error - 8/28/2008 11:05:24 AM | Computer Name = Cynthia-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    [ System Events ]
    Error - 9/18/2012 12:23:26 PM | Computer Name = Cynthia-PC | Source = Service Control Manager | ID = 7024
    Description =

    Error - 9/18/2012 12:23:26 PM | Computer Name = Cynthia-PC | Source = Service Control Manager | ID = 7031
    Description =

    Error - 9/18/2012 9:36:28 PM | Computer Name = Cynthia-PC | Source = DCOM | ID = 10010
    Description =

    Error - 9/19/2012 10:23:53 AM | Computer Name = Cynthia-PC | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 10:20:19 AM on 9/19/2012 was unexpected.

    Error - 9/19/2012 10:34:28 AM | Computer Name = Cynthia-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 9/19/2012 10:34:53 AM | Computer Name = Cynthia-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.135.1498.0 Update Source: %%859 Update Stage:
    %%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8704.0 Error
    code: 0x8024402c Error description: An unexpected problem occurred while checking
    for updates. For information on installing or troubleshooting updates, see Help
    and Support.

    Error - 9/19/2012 10:37:58 AM | Computer Name = Cynthia-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 9/19/2012 10:42:49 AM | Computer Name = Cynthia-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 9/20/2012 11:54:17 AM | Computer Name = Cynthia-PC | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 1:25:55 AM on 9/20/2012 was unexpected.

    Error - 9/20/2012 1:01:33 PM | Computer Name = Cynthia-PC | Source = Ntfs | ID = 262199
    Description = The file system structure on the disk is corrupt and unusable. Please
    run the chkdsk utility on the volume \Device\HarddiskVolume2.


    < End of report >


    OTL logfile created on: 9/20/2012 9:53:35 PM - Run 1
    OTL by OldTimer - Version 3.2.64.0 Folder = C:\Users\Cynthia\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 0.63 Gb Available Physical Memory | 31.89% Memory free
    4.21 Gb Paging File | 2.31 Gb Available in Paging File | 54.86% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 139.31 Gb Total Space | 109.58 Gb Free Space | 78.66% Space Free | Partition Type: NTFS
    Drive D: | 9.74 Gb Total Space | 3.17 Gb Free Space | 32.53% Space Free | Partition Type: NTFS

    Computer Name: CYNTHIA-PC | User Name: Cynthia | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/09/20 21:53:05 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Cynthia\Desktop\OTL.exe
    PRC - [2012/09/10 14:37:10 | 000,690,888 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
    PRC - [2012/08/25 09:01:54 | 000,307,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    PRC - [2012/05/17 14:41:37 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched.exe
    PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2012/03/26 17:03:40 | 000,258,712 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe
    PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
    PRC - [2011/12/11 00:48:30 | 002,756,608 | ---- | M] (Eastman Kodak Company) -- C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe
    PRC - [2011/01/17 18:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
    PRC - [2011/01/17 18:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
    PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2009/02/11 17:38:40 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2009/02/11 17:38:38 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/05/04 13:42:47 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll


    ========== Services (SafeList) ==========

    SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV - [2009/09/03 11:51:46 | 000,048,368 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper)
    SRV - [2009/02/11 17:38:40 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
    SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\stwrt.sys -- (STHDA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Cynthia\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
    DRV - [2012/09/04 12:32:45 | 000,013,024 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SWDUMon.sys -- (SWDUMon)
    DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
    DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
    DRV - [2006/11/02 03:41:49 | 001,010,560 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
    DRV - [2006/11/02 03:30:56 | 002,589,184 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw2v32.sys -- (NETw2v32)
    DRV - [2006/11/02 03:30:53 | 000,045,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
    DRV - [1999/12/31 20:00:00 | 000,290,816 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
    DRV - [1999/12/31 20:00:00 | 000,288,256 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8187.sys -- (RTL8187)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Reg Error: Value error.
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    IE - HKLM\..\SearchScopes,DefaultScope = {7A198A62-1ABF-418D-9843-C26DC49957A7}
    IE - HKLM\..\SearchScopes\{073da794-72ee-4938-b54f-ead77d5861b5}: "URL" = http://search.freecause.com/search?ourmark=4&fr=freecause&ei=utf-8&type=60447&p={searchTerms}
    IE - HKLM\..\SearchScopes\{7A198A62-1ABF-418D-9843-C26DC49957A7}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6707
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6707
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



    IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/?_bc=1
    IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\..\URLSearchHook: - No CLSID value found
    IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\..\SearchScopes\{073da794-72ee-4938-b54f-ead77d5861b5}: "URL" = http://search.freecause.com/search?ourmark=4&fr=freecause&ei=utf-8&type=60447&p={searchTerms}
    IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\..\SearchScopes\{7A198A62-1ABF-418D-9843-C26DC49957A7}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\..\SearchScopes\{BDDCCFAA-D69A-46B9-9670-1949168B8D9D}: "URL" = http://www.google.com/search?q={sea...={outputEncoding}&sourceid=ie7&rlz=1I7GGRP_en
    IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=13: C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
    FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: File not found

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/09/04 16:29:41 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2012/09/19 10:42:43 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll (Gateway Inc.)
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
    O4 - HKLM..\Run: [EKAIO2StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe (Eastman Kodak Company)
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [TkBellExe] c:\program files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
    O4 - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000..\Run: [Spotify] C:\Users\Cynthia\AppData\Roaming\Spotify\Spotify.exe (Spotify Ltd)
    O4 - Startup: C:\Users\Cynthia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 File not found
    O15 - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\..Trusted Domains: mlxchange.com ([mfr] http in Trusted sites)
    O15 - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\..Trusted Domains: yahoo.com ([cm.my] http in Trusted sites)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file:///C:/Windows/Java/classes/xmldso.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0A283A52-1221-4105-ABD3-9F51AEF85DAC}: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\Cynthia\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
    O24 - Desktop BackupWallPaper: C:\Users\Cynthia\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\...com [@ = ComFile] -- Reg Error: Key error. File not found
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/09/20 21:52:45 | 000,600,064 | ---- | C] (OldTimer Tools) -- C:\Users\Cynthia\Desktop\OTL.exe
    [2012/09/19 10:47:28 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/09/19 10:47:22 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/09/19 10:47:22 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\AppData\Local\temp
    [2012/09/19 10:32:51 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/09/19 10:32:51 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/09/19 10:32:51 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/09/19 10:32:43 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/09/19 10:32:25 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/09/18 21:43:16 | 004,752,754 | R--- | C] (Swearware) -- C:\Users\Cynthia\Desktop\ComboFix.exe
    [2012/09/18 11:50:13 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\Desktop\RK_Quarantine
    [2012/09/17 19:25:14 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Cynthia\Desktop\TDSSKiller.exe
    [2012/09/16 11:44:01 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\AppData\Local\Spotify
    [2012/09/16 11:42:32 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\AppData\Roaming\Spotify
    [2012/09/16 11:41:57 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\AppData\Local\Deployment
    [2012/09/16 11:41:57 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\AppData\Local\Apps
    [2012/09/12 21:08:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
    [2012/09/12 21:08:19 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2012/09/12 15:23:03 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\AppData\Roaming\Malwarebytes
    [2012/09/12 15:22:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/09/12 15:22:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/09/12 15:22:42 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/09/12 15:22:42 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/09/12 15:20:06 | 010,524,080 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Cynthia\Desktop\mbam-setup-1.65.0.1400.exe
    [2012/09/12 15:11:33 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\Desktop\bootkit_remover
    [2012/09/06 23:49:51 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/09/04 21:04:21 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2012/09/04 13:01:29 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat
    [2012/09/04 13:01:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat
    [2012/09/04 13:01:28 | 000,000,000 | ---D | C] -- C:\Program Files\WinDirStat
    [2012/08/31 19:38:00 | 000,000,000 | R--D | C] -- C:\Users\Cynthia\Documents\Documents\Documents\Notes
    [2012/08/31 18:00:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Defraggler
    [2012/08/31 18:00:11 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
    [2012/08/31 17:35:43 | 000,000,000 | ---D | C] -- C:\Program Files\Trust USB WiFi Adapter Driver
    [2012/08/31 17:21:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel® Matrix Storage Manager
    [2012/08/31 17:19:24 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\AppData\Roaming\InstallShield
    [2012/08/31 16:56:13 | 000,000,000 | ---D | C] -- C:\Users\Cynthia\AppData\Local\Downloaded Installations
    [2012/08/31 15:55:11 | 000,000,000 | ---D | C] -- C:\Program Files\IDT
    [2012/08/31 15:41:44 | 000,000,000 | ---D | C] -- C:\Program Files\SlimDrivers
    [2012/08/31 15:41:40 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Downloaded Installers
    [2012/08/31 14:08:22 | 000,000,000 | R--D | C] -- C:\Users\Cynthia\Pictures
    [2012/08/25 04:04:16 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Portable Devices
    [2012/08/22 14:45:55 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
    [2012/08/22 14:45:55 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
    [2012/08/22 14:45:54 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/09/20 21:53:05 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Cynthia\Desktop\OTL.exe
    [2012/09/20 21:46:00 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/09/20 21:42:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/09/20 21:42:11 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/09/20 21:42:11 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/09/20 12:17:10 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
    [2012/09/20 11:54:29 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/09/19 10:42:43 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/09/19 10:32:16 | 004,752,754 | R--- | M] (Swearware) -- C:\Users\Cynthia\Desktop\ComboFix.exe
    [2012/09/18 13:03:55 | 000,000,512 | ---- | M] () -- C:\Users\Cynthia\Desktop\MBR.dat
    [2012/09/18 11:47:27 | 000,000,000 | ---- | M] () -- C:\Users\Cynthia\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
    [2012/09/18 11:46:11 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Cynthia\Desktop\TDSSKiller.exe
    [2012/09/16 11:43:59 | 000,001,721 | ---- | M] () -- C:\Users\Cynthia\Desktop\Spotify.lnk
    [2012/09/12 21:08:20 | 000,000,804 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
    [2012/09/12 15:39:42 | 000,404,416 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/09/12 15:35:00 | 000,302,592 | ---- | M] () -- C:\Users\Cynthia\Desktop\gmer.exe
    [2012/09/12 15:22:54 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/09/12 15:20:30 | 010,524,080 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Cynthia\Desktop\mbam-setup-1.65.0.1400.exe
    [2012/09/12 15:11:00 | 000,044,607 | ---- | M] () -- C:\Users\Cynthia\Desktop\bootkit_remover.zip
    [2012/09/12 12:25:40 | 000,171,241 | ---- | M] () -- C:\Users\Cynthia\blow flower beautiful girl.jpg
    [2012/09/12 12:18:33 | 000,039,447 | ---- | M] () -- C:\Users\Cynthia\blow flower 2 space
    [2012/09/10 12:51:38 | 012,278,974 | ---- | M] () -- C:\Users\Cynthia\Desktop\earths-forbidden-secrets-part-one.pdf
    [2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/09/06 23:50:09 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/09/06 23:49:57 | 000,614,930 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/09/06 23:49:57 | 000,108,860 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/09/04 13:20:21 | 000,000,828 | ---- | M] () -- C:\Users\Cynthia\Desktop\WinDirStat.lnk
    [2012/09/04 12:32:45 | 000,013,024 | ---- | M] () -- C:\Windows\System32\drivers\SWDUMon.sys
    [2012/09/03 11:17:20 | 000,030,669 | ---- | M] () -- C:\Users\Cynthia\Documents\Documents\Documents\The Blood Covenant by E.W. Kenyon.odt
    [2012/08/31 16:04:10 | 000,016,060 | ---- | M] () -- C:\Windows\System32\results.xml
    [2012/08/25 04:03:33 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    [2012/08/25 04:03:16 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    [2012/08/22 22:22:48 | 000,000,943 | ---- | M] () -- C:\Users\Cynthia\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2012/08/22 22:17:19 | 000,008,798 | ---- | M] () -- C:\Windows\System32\icrav03.rat
    [2012/08/22 22:17:19 | 000,001,988 | ---- | M] () -- C:\Windows\System32\ticrf.rat
    [2012/08/22 22:17:03 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/09/19 10:32:51 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/09/19 10:32:51 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/09/19 10:32:51 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/09/19 10:32:51 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/09/19 10:32:51 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/09/18 13:03:55 | 000,000,512 | ---- | C] () -- C:\Users\Cynthia\Desktop\MBR.dat
    [2012/09/16 11:43:59 | 000,001,721 | ---- | C] () -- C:\Users\Cynthia\Desktop\Spotify.lnk
    [2012/09/16 11:43:59 | 000,001,707 | ---- | C] () -- C:\Users\Cynthia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
    [2012/09/12 21:08:20 | 000,000,804 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
    [2012/09/12 15:38:34 | 000,404,416 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/09/12 15:22:54 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/09/12 15:11:00 | 000,044,607 | ---- | C] () -- C:\Users\Cynthia\Desktop\bootkit_remover.zip
    [2012/09/12 12:25:39 | 000,171,241 | ---- | C] () -- C:\Users\Cynthia\blow flower beautiful girl.jpg
    [2012/09/12 12:18:32 | 000,039,447 | ---- | C] () -- C:\Users\Cynthia\blow flower 2 space
    [2012/09/10 12:51:37 | 012,278,974 | ---- | C] () -- C:\Users\Cynthia\Desktop\earths-forbidden-secrets-part-one.pdf
    [2012/09/06 23:50:00 | 000,001,826 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/09/04 13:01:29 | 000,000,828 | ---- | C] () -- C:\Users\Cynthia\Desktop\WinDirStat.lnk
    [2012/09/03 10:58:29 | 000,030,669 | ---- | C] () -- C:\Users\Cynthia\Documents\Documents\Documents\The Blood Covenant by E.W. Kenyon.odt
    [2012/08/31 17:04:01 | 000,000,000 | ---- | C] () -- C:\Users\Cynthia\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
    [2012/08/31 16:04:10 | 000,016,060 | ---- | C] () -- C:\Windows\System32\results.xml
    [2012/08/31 15:45:37 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1587.dll
    [2012/08/31 15:45:29 | 000,032,912 | ---- | C] () -- C:\Windows\System32\iglhxs32.vp
    [2012/08/31 15:41:53 | 000,013,024 | ---- | C] () -- C:\Windows\System32\drivers\SWDUMon.sys
    [2012/08/25 04:03:33 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    [2012/08/25 04:03:16 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    [2012/08/22 22:17:03 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
    [2012/08/22 16:24:24 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
    [2012/08/22 14:15:17 | 000,130,008 | ---- | C] () -- C:\Windows\System32\systemsf.ebd
    [2012/08/22 14:15:15 | 000,009,239 | ---- | C] () -- C:\Windows\System32\spcinstrumentation.man
    [2012/08/22 14:15:03 | 000,442,788 | ---- | C] () -- C:\Windows\System32\dot3.tmf
    [2012/08/22 14:15:01 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2012/08/22 14:15:01 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2012/08/22 14:14:58 | 000,392,170 | ---- | C] () -- C:\Windows\System32\onex.tmf
    [2012/08/22 14:14:53 | 000,344,698 | ---- | C] () -- C:\Windows\System32\eaphost.tmf
    [2012/08/22 14:14:37 | 000,208,966 | ---- | C] () -- C:\Windows\System32\WFP.TMF
    [2012/08/22 14:14:34 | 000,092,918 | ---- | C] () -- C:\Windows\System32\slmgr.vbs
    [2012/08/22 14:13:05 | 000,009,212 | ---- | C] () -- C:\Windows\System32\RacUR.xml
    [2012/08/22 14:12:54 | 000,000,153 | ---- | C] () -- C:\Windows\System32\RacUREx.xml
    [2012/04/03 23:50:26 | 000,000,680 | ---- | C] () -- C:\Users\Cynthia\AppData\Local\d3d9caps.dat
    [2011/02/08 20:31:53 | 000,000,000 | ---- | C] () -- C:\Users\Cynthia\AppData\Roaming\wklnhst.dat
    [2009/12/07 13:17:08 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2007/12/11 14:41:01 | 000,000,058 | ---- | C] () -- C:\ProgramData\mchguid.ini
    [2007/07/11 14:59:26 | 000,000,095 | ---- | C] () -- C:\Users\Cynthia\AppData\Local\fusioncache.dat
    [2007/06/27 16:55:35 | 000,044,032 | ---- | C] () -- C:\Users\Cynthia\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== ZeroAccess Check ==========

    [2008/03/11 11:11:11 | 000,000,102 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@babylon[1].txt
    [2008/05/20 14:24:12 | 000,000,140 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@findlaw[2].txt
    [2008/06/04 09:59:23 | 000,000,135 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@google[2].txt
    [2008/01/10 12:54:49 | 000,000,127 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@hssports.wftv[2].txt
    [2009/10/06 19:20:06 | 000,000,461 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mcafee[1].txt
    [2009/08/23 10:19:10 | 000,000,807 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mcafee[2].txt
    [2009/12/15 23:23:51 | 000,000,339 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mcafee[4].txt
    [2006/11/02 08:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    ========== LOP Check ==========

    [2012/08/31 13:56:48 | 000,000,000 | ---D | M] -- C:\Users\Cynthia\AppData\Roaming\Dropbox
    [2012/05/04 13:44:49 | 000,000,000 | ---D | M] -- C:\Users\Cynthia\AppData\Roaming\OpenOffice.org
    [2007/06/27 16:33:24 | 000,000,000 | ---D | M] -- C:\Users\Cynthia\AppData\Roaming\SampleView
    [2012/08/31 12:49:39 | 000,000,000 | ---D | M] -- C:\Users\Cynthia\AppData\Roaming\ScanSoft
    [2012/09/20 00:50:02 | 000,000,000 | ---D | M] -- C:\Users\Cynthia\AppData\Roaming\Spotify
    [2011/02/08 20:31:57 | 000,000,000 | ---D | M] -- C:\Users\Cynthia\AppData\Roaming\Template

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    < End of report >
     
  8. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    Did you wait a bit?

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Reg Error: Value error.
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.
      IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
      IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
      IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\..\URLSearchHook: - No CLSID value found
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 File not found
      O15 - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\..Trusted Domains: mlxchange.com ([mfr] http in Trusted sites)
      O15 - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\..Trusted Domains: yahoo.com ([cm.my] http in Trusted sites)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file:///C:/Windows/Java/classes/xmldso.cab (Reg Error: Key error.)
      O37 - HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\...com [@ = ComFile] -- Reg Error: Key error. File not found
      [2012/08/31 17:04:01 | 000,000,000 | ---- | C] () -- C:\Users\Cynthia\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
      [2008/03/11 11:11:11 | 000,000,102 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@babylon[1].txt
      [2008/05/20 14:24:12 | 000,000,140 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@findlaw[2].txt
      [2008/06/04 09:59:23 | 000,000,135 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@google[2].txt
      [2008/01/10 12:54:49 | 000,000,127 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@hssports.wftv[2].txt
      [2009/10/06 19:20:06 | 000,000,461 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mcafee[1].txt
      [2009/08/23 10:19:10 | 000,000,807 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mcafee[2].txt
      [2009/12/15 23:23:51 | 000,000,339 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mcafee[4].txt
      [2006/11/02 08:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
      @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:DFC5A2B2
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.
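A small triage script for the OTL entry formats in these logs, added here as an example and not part of OTL or of anything Broni posted. Its rules encode what the fix above targets (the non-ASCII folder name under AppData, cookie files under the SYSTEM profile that OTL's ZeroAccess Check lists, BHO registrations with no CLSID, the alternate data stream); the sample log lines are constructed from entries in this thread.

```python
"""Triage helper for OTL log lines (added example, not OTL's own tooling).

Parses the three entry shapes that appear in the thread's logs and flags the
kinds of items the fix script singles out. Rules are deliberately narrow so a
reader can see exactly why a line was picked."""
import re
from typing import List, NamedTuple, Optional

# [date time | size | attrs | C|M] (company) -- path   (no "(company)" part on folders)
FILE_ENTRY = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# O2 - BHO: (name) - {CLSID} - status
BHO_ENTRY = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<status>.+)$"
)
# @Alternate Data Stream - N bytes -> path:stream
ADS_ENTRY = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

SYSTEM_COOKIES = re.compile(r"\\config\\systemprofile\\.*\\Cookies\\", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)


class Finding(NamedTuple):
    reason: str
    line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when one OTL line matches a triage rule, else None."""
    line = line.strip()
    m = FILE_ENTRY.match(line)
    if m:
        path = m.group("path")
        name = _basename(path)
        # Rule 1: an AppData entry whose name consists only of non-ASCII characters is
        # not something an installer writes; it is the odd folder seen in this log.
        if APPDATA.search(path) and name and all(ord(c) > 127 for c in name):
            return Finding("non-ASCII-only name under AppData", line)
        # Rule 2: IE cookies under the SYSTEM profile mean a browser engine ran as
        # SYSTEM; OTL's ZeroAccess Check lists exactly these files.
        if SYSTEM_COOKIES.search(path):
            return Finding("cookie file written under SYSTEM profile", line)
        return None
    m = BHO_ENTRY.match(line)
    if m and m.group("status").startswith("No CLSID value found"):
        # Rule 3: a BHO registered under Explorer with no class behind its CLSID.
        return Finding("orphaned BHO registration", line)
    m = ADS_ENTRY.match(line)
    if m:
        # Rule 4: any alternate data stream OTL reports is worth a look.
        return Finding("alternate data stream", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of an OTL log and collect the findings."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


# Constructed sample built from entries in this thread (folder name shortened).
SAMPLE_LOG = r"""
[2012/08/31 17:04:01 | 000,000,000 | ---- | C] () -- C:\Users\Cynthia\AppData\Local\¹º»¼½¾¿
[2012/08/31 13:56:48 | 000,000,000 | ---D | M] -- C:\Users\Cynthia\AppData\Roaming\Dropbox
[2008/03/11 11:11:11 | 000,000,102 | ---- | M] () -- C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@babylon[1].txt
[2012/09/20 21:53:05 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Cynthia\Desktop\OTL.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:DFC5A2B2
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason:45s} {finding.line}")
```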
     
  9. ccchester

    ccchester TS Rookie Topic Starter

    I ran OTL a second time the way you suggested. However, after running it the first time I got this error message:

    Windows did not pass genuine validation Security Essentials will become disabled in 30 days if you do not resolve this issue.
    To continue using Security Essentials, click Go online and resolve now and get genuine Windows.

    But when I clicked on the link they gave to fix it, I got this message: This file does not have a program associated with it for performing this action. Create an association in the Set Associations control panel.

    The background on my computer is black and when it was booting up I saw this in the bottom right hand corner of the screen.

    Windows Vista (TM)
    Build 6002
    This copy of Windows is not genuine

    This seemed to happen only after I ran OTL. Do you think it could have deleted something? What should I do to fix it?

    Thanks for your help.



    All processes killed
    ========== OTL ==========
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Secondary_Page_URL| /E : value set successfully!
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Secondary Start Pages| /E : value set successfully!
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    HKU\S-1-5-21-2100033693-1561413150-3002188466-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    Registry value HKEY_USERS\S-1-5-21-2100033693-1561413150-3002188466-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-2100033693-1561413150-3002188466-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mlxchange.com\mfr\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-2100033693-1561413150-3002188466-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yahoo.com\cm.my\ deleted successfully.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\Windows\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    File oft XML Parser for Java file:///C:/Windows/Java/classes/xmldso.cab not found.
    Starting removal of ActiveX control Microsoft XML Parser for Java
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
    Registry key HKEY_USERS\S-1-5-21-2100033693-1561413150-3002188466-1000_Classes\.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-2100033693-1561413150-3002188466-1000_Classes\ComFile\ not found.
    HKEY_LOCAL_MACHINE\Software\Classes\.com\\|comfile /E : value set successfully!
    C:\Users\Cynthia\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@babylon[1].txt moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@findlaw[2].txt moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@google[2].txt moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@hssports.wftv[2].txt moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mcafee[1].txt moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mcafee[2].txt moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@mcafee[4].txt moved successfully.
    C:\Windows\assembly\Desktop.ini moved successfully.
    ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Cynthia
    ->Temp folder emptied: 65353 bytes
    ->Temporary Internet Files folder emptied: 9175579 bytes
    ->Flash cache emptied: 506 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 84 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16768 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 9.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Cynthia

    User: Default

    User: Default User

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Cynthia
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.64.0 log created on 09212012_071614
    Files\Folders moved on Reboot...
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\aceUAC[1].htm moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\aceUAC[2].htm moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\ext-render-secure[1].htm moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\fc[1].htm moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCA1L6NAD.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCA29DVET.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCA5SVC62.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCA721VBL.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCA8DP9G5.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCA8EUBSH.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAAOKGCE.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAAT0WAV.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCACK9IVC.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCACU3BXW.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCADUL488.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAEN5M8I.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAFVA97X.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAGRGAJP.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAI3F1AQ.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAR7J69X.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAR8ROOZ.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAX2VSLG.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAY2N63Y.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttonsCAZ1J8UQ.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[10].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[11].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[1].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[2].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[3].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[4].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[5].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[6].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[7].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[8].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\topbuttons[9].xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PDQ8C4IV\xframe-proxy_20110929[1].htm moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\0[1].htm moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\ext-render-secure[1].htm moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\ext-render-secure[2].htm moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCA0FQY83.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCA1X05L2.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCA3TE983.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCA47RD3U.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCA5HC2R3.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCA61JBVU.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCA79AN8G.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCA79JNQE.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCA8H6J51.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCABK9YRR.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCAC98RJT.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCAGC5A8W.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCAIJNGKX.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCAKZ09WL.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCALC08SJ.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCAMD9PPA.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCANFF1HO.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCAP8O8D4.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCAQ531FM.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCASTA3UR.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCAV8U8RY.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCAW8FRM2.xml moved successfully.
    C:\Users\Cynthia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M5DXXB87\topbuttonsCAXVA83Z.xml moved successfully.
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
     
  10. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    I don't see anything in OTL fix which could cause that issue.

    OTL created a restore point before it ran yesterday.
    Try to use it and see if it solves the issue.
     
  11. ccchester

    ccchester TS Rookie Topic Starter

    I found this on the internet:

    "OTL does not create a backup so unless ERUNT or another backup program is in use you are relying on System Restore if a problem develops. With the types of infections prevalent nowadays it is wise to have a fall back position. Installation of the Recovery Console is recommended."

    My computer is now rejecting my product key and says that if I do not fix this problem within 29 days, my computer will cease to function. I tried to do a system restore, but all my restore points previous to running OTL were wiped out. My CD/DVD drive is not working so I can't try to reinstall my windows. Any advice?
     
     
  12. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
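The FRST.txt produced by the last step lists each Run entry, service and driver with its size, date and publisher, and marks a target that no longer exists with [x]. As an added example (not part of this thread and not Farbar's own code), here is a Python triage script that parses those sections and flags entries a helper would look at first: missing targets, entries with no publisher info, and binaries running from user-writable folders; the sample log embedded in it is constructed in the FRST format, with invented names and paths.

```python
"""Triage helper for the Registry / Services / Drivers sections of an FRST.txt.
Added example for this thread; not part of the Farbar Recovery Scan Tool."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes FRST uses in these sections (constructed from the log format):
#   HKLM\...\Run: [Name] "C:\path\prog.exe" -args [size yyyy-mm-dd] (Publisher)
#   3 svcname; C:\path\file.sys [size yyyy-mm-dd] (Publisher)
#   3 svcname; C:\path\file.sys [x]          <- target file not found
SECTION_RE = re.compile(r'^=+ (?P<name>.+?) =+$')
RUN_RE = re.compile(
    r'^(?P<key>HK\w+(?:\\[^\\]+)?\\\.\.\.\\Run): \[(?P<name>[^\]]*)\] (?P<rest>.*)$')
SVC_RE = re.compile(r'^(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$')
TAIL_RE = re.compile(
    r'\[(?:(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})|(?P<missing>x))\]'
    r'(?: \((?P<publisher>[^)]*)\))?\s*$')
# Locations a normal user can write to; autostarts here deserve a second look.
SUSPECT_DIRS = ('\\temp\\', '\\appdata\\', '\\users\\public\\', '\\programdata\\')


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def _split_path(body: str) -> str:
    """Return the executable path from the text before the [size date] tail.
    A quoted path may be followed by command-line arguments."""
    body = body.strip()
    if body.startswith('"'):
        end = body.find('"', 1)
        return body[1:end] if end > 0 else body
    return body


def _check(section: str, name: str, body: str,
           start: Optional[str] = None) -> Optional[Finding]:
    """Apply the triage rules to one entry; None means nothing to flag."""
    m = TAIL_RE.search(body)
    if not m:
        return None
    path = _split_path(body[:m.start()])
    reasons = []
    if m.group('missing'):
        reasons.append('target file not found ([x]); orphaned or removed entry')
    elif not m.group('publisher'):
        reasons.append('no publisher/version info; verify signature and origin')
    if any(d in path.lower() for d in SUSPECT_DIRS):
        reasons.append('runs from a user-writable location')
    if start in ('0', '1') and reasons:  # boot/system start drivers load first
        reasons.append('boot/system start driver: review first')
    return Finding(section, name, path, reasons) if reasons else None


def triage(text: str) -> List[Finding]:
    """Walk an FRST log and return the entries worth a closer look."""
    section, findings = '', []
    for raw in text.splitlines():
        line = raw.strip()
        s = SECTION_RE.match(line)
        if s:
            section = s.group('name')
            continue
        r = RUN_RE.match(line)
        if r:
            f = _check(section, r.group('name'), r.group('rest'))
        else:
            v = SVC_RE.match(line)
            f = _check(section, v.group('name'), v.group('rest'),
                       v.group('start')) if v else None
        if f:
            findings.append(f)
    return findings


# Constructed sample in FRST's format; names and paths are invented.
SAMPLE_FRST = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x86)
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [Updater] "C:\Program Files\Vendor\upd.exe" -boot [421888 2010-11-29] (Vendor Inc.)
HKU\User\...\Run: [helper] C:\Users\User\AppData\Local\Temp\hlpr.exe [40552 2012-09-04] ()
==================== Services (Whitelisted) ===================
2 GoodSvc; C:\Program Files\Vendor\svc.exe [48368 2009-09-03] (Vendor Inc.)
==================== Drivers (Whitelisted) ====================
3 okdrv; C:\Windows\System32\drivers\okdrv.sys [108032 2006-11-01] (Vendor Inc.)
1 nosig; C:\Windows\System32\drivers\nosig.sys [13024 2012-09-04] ()
3 leftover; \??\C:\Users\User\AppData\Local\Temp\leftover.sys [x]
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_FRST):
        print(f'[{f.section}] {f.name}: {f.path}')
        for reason in f.reasons:
            print(f'    - {reason}')
```

A flag here means "check this entry", not "this is malware": legitimate software such as a music player does autostart from AppData, so the output is a reading list for the helper, not a removal list.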
     
  13. ccchester

    ccchester TS Rookie Topic Starter

    OK. Here's the log.

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-09-2012
    Ran by SYSTEM at 23-09-2012 23:27:50
    Running from E:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001
    ==================== Registry (Whitelisted) ===================
    HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-02-11] (Intel Corporation)
    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [815104 2006-11-16] (Synaptics, Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
    HKLM\...\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot [296056 2012-05-17] (RealNetworks, Inc.)
    HKLM\...\Run: [EKAIO2StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe [2756608 2011-12-10] (Eastman Kodak Company)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Cynthia\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
    HKU\Cynthia\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2007-07-24] (Google Inc.)
    HKU\Cynthia\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
    HKU\Cynthia\...\Run: [Spotify] "C:\Users\Cynthia\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [5576408 2012-09-16] (Spotify Ltd)
    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
    Startup: C:\Users\Cynthia\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
    ==================== Services (Whitelisted) ===================
    3 getPlusHelper; C:\Program Files\NOS\bin\getPlus_Helper.dll [48368 2009-09-03] (NOS Microsystems Ltd.)
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
    ==================== Drivers (Whitelisted) ====================
    3 ac97intc; C:\Windows\System32\drivers\ac97intc.sys [108032 2006-11-01] (Intel Corporation)
    3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [7296 2003-09-23] (GARMIN Corp.)
    3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [79816 2009-09-16] (McAfee, Inc.)
    3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [35272 2009-09-16] (McAfee, Inc.)
    1 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [214664 2009-09-16] (McAfee, Inc.)
    3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [34248 2009-09-16] (McAfee, Inc.)
    3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [40552 2009-09-16] (McAfee, Inc.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 NETw2v32; C:\Windows\System32\DRIVERS\NETw2v32.sys [2589184 2006-11-01] (Intel® Corporation)
    3 RTL8187; C:\Windows\System32\DRIVERS\RTL8187.sys [288256 1999-12-31] (Realtek Semiconductor Corporation )
    3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13024 2012-09-04] ()
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 catchme; \??\C:\Users\Cynthia\AppData\Local\Temp\catchme.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 STHDA; C:\Windows\System32\drivers\stwrt.sys [x]
    3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [x]
    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========
    2012-09-22 09:48 - 2012-09-22 09:49 - 07200144 ____A C:\Users\Cynthia\Downloads\watersound.mpeg
    2012-09-21 03:16 - 2012-09-21 03:16 - 00000000 ____D C:\_OTL
    2012-09-20 18:04 - 2012-09-20 18:04 - 00034954 ____A C:\Users\Cynthia\Desktop\Extras.Txt
    2012-09-20 18:02 - 2012-09-20 18:02 - 00062816 ____A C:\Users\Cynthia\Desktop\OTL.Txt
    2012-09-20 17:52 - 2012-09-20 17:53 - 00600064 ____A (OldTimer Tools) C:\Users\Cynthia\Desktop\OTL.exe
    2012-09-19 06:47 - 2012-09-19 06:47 - 00016770 ____A C:\ComboFix.txt
    2012-09-19 06:32 - 2012-09-19 06:47 - 00000000 ___AD C:\Qoobox
    2012-09-19 06:32 - 2012-09-19 06:45 - 00000000 ____D C:\Windows\erdnt
    2012-09-19 06:32 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-09-19 06:32 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-09-19 06:32 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-09-19 06:32 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-09-19 06:32 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-09-19 06:32 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-09-19 06:32 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-09-19 06:32 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-09-18 17:43 - 2012-09-19 06:32 - 04752754 ____R (Swearware) C:\Users\Cynthia\Desktop\ComboFix.exe
    2012-09-18 09:03 - 2012-09-18 09:03 - 00001994 ____A C:\Users\Cynthia\Desktop\aswMBR.txt
    2012-09-18 09:03 - 2012-09-18 09:03 - 00000512 ____A C:\Users\Cynthia\Desktop\MBR.dat
    2012-09-18 08:29 - 2012-09-18 08:29 - 04731392 ____A (AVAST Software) C:\Users\Cynthia\Downloads\aswMBR (1).exe
    2012-09-18 07:53 - 2012-09-18 07:54 - 04731392 ____A (AVAST Software) C:\Users\Cynthia\Downloads\aswMBR.exe
    2012-09-18 07:51 - 2012-09-18 07:51 - 00001895 ____A C:\Users\Cynthia\Desktop\RKreport[1].txt
    2012-09-18 07:51 - 2012-09-18 07:51 - 00001738 ____A C:\Users\Cynthia\Desktop\RKreport[2].txt
    2012-09-18 07:50 - 2012-09-18 07:51 - 00000000 ____D C:\Users\Cynthia\Desktop\RK_Quarantine
    2012-09-18 07:50 - 2012-09-18 07:50 - 01378816 ____A C:\Users\Cynthia\Downloads\RogueKiller.exe
    2012-09-18 07:44 - 2012-09-18 07:45 - 02193278 ____A C:\Users\Cynthia\Downloads\tdsskiller.zip
    2012-09-17 15:25 - 2012-09-18 07:46 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Cynthia\Desktop\TDSSKiller.exe
    2012-09-17 13:33 - 2012-09-17 13:34 - 00607260 ____R (Swearware) C:\Users\Cynthia\Downloads\dds (1).com
    2012-09-16 07:44 - 2012-09-23 16:11 - 00000000 ____D C:\Users\Cynthia\Local Settings\Spotify
    2012-09-16 07:44 - 2012-09-23 16:11 - 00000000 ____D C:\Users\Cynthia\Local Settings\Application Data\Spotify
    2012-09-16 07:44 - 2012-09-23 16:11 - 00000000 ____D C:\Users\Cynthia\AppData\Local\Spotify
    2012-09-16 07:43 - 2012-09-16 07:43 - 00001721 ____A C:\Users\Cynthia\Desktop\Spotify.lnk
    2012-09-16 07:42 - 2012-09-23 18:56 - 00000000 ____D C:\Users\Cynthia\Application Data\Spotify
    2012-09-16 07:42 - 2012-09-23 18:56 - 00000000 ____D C:\Users\Cynthia\AppData\Roaming\Spotify
    2012-09-16 07:41 - 2012-09-16 07:42 - 00000000 ____D C:\Users\Cynthia\Local Settings\Deployment
    2012-09-16 07:41 - 2012-09-16 07:42 - 00000000 ____D C:\Users\Cynthia\Local Settings\Application Data\Deployment
    2012-09-16 07:41 - 2012-09-16 07:42 - 00000000 ____D C:\Users\Cynthia\AppData\Local\Deployment
    2012-09-16 07:41 - 2012-09-16 07:41 - 00000000 ____D C:\Users\Cynthia\AppData\Local\Apps\2.0
    2012-09-12 17:08 - 2012-09-12 17:08 - 00000804 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-09-12 17:08 - 2012-09-12 17:08 - 00000804 ____A C:\Users\All Users\Desktop\CCleaner.lnk
    2012-09-12 17:08 - 2012-09-12 17:08 - 00000000 ____D C:\Program Files\CCleaner
    2012-09-12 13:14 - 2012-09-12 13:14 - 00607260 ____R (Swearware) C:\Users\Cynthia\Downloads\dds.com
    2012-09-12 11:40 - 2012-09-12 11:40 - 00104104 ____A C:\Users\Cynthia\Local Settings\GDIPFONTCACHEV1.DAT
    2012-09-12 11:40 - 2012-09-12 11:40 - 00104104 ____A C:\Users\Cynthia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-09-12 11:40 - 2012-09-12 11:40 - 00104104 ____A C:\Users\Cynthia\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-09-12 11:38 - 2012-09-12 11:39 - 00404416 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-09-12 11:33 - 2012-09-12 11:34 - 00294216 ____A C:\Users\Cynthia\Downloads\gmer.zip
    2012-09-12 11:23 - 2012-09-12 11:23 - 00000000 ____D C:\Users\Cynthia\Application Data\Malwarebytes
    2012-09-12 11:23 - 2012-09-12 11:23 - 00000000 ____D C:\Users\Cynthia\AppData\Roaming\Malwarebytes
    2012-09-12 11:22 - 2012-09-12 11:22 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-09-12 11:22 - 2012-09-12 11:22 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-09-12 11:22 - 2012-09-12 11:22 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-09-12 11:22 - 2012-09-12 11:22 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-09-12 11:22 - 2012-09-12 11:22 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-09-12 11:22 - 2012-09-07 13:04 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-09-12 11:20 - 2012-09-12 11:20 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Cynthia\Desktop\mbam-setup-1.65.0.1400.exe
    2012-09-12 11:11 - 2012-09-12 11:11 - 00044607 ____A C:\Users\Cynthia\Desktop\bootkit_remover.zip
    2012-09-12 11:11 - 2012-09-12 11:11 - 00000000 ____D C:\Users\Cynthia\Desktop\bootkit_remover
    2012-09-12 08:26 - 2012-09-12 08:26 - 00171241 ____A C:\Users\Cynthia\Downloads\blow flower beautiful girl
    2012-09-12 08:18 - 2012-09-12 08:18 - 00039447 ____A C:\Users\Cynthia\blow flower 2 space
    2012-09-10 10:37 - 2012-09-10 10:37 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-09-10 10:37 - 2012-09-10 10:37 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-09-10 09:47 - 2012-09-23 19:19 - 00663312 ____A C:\Windows\WindowsUpdate.log
    2012-09-06 19:49 - 2012-09-06 19:50 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-09-04 09:01 - 2012-09-04 09:20 - 00000828 ____A C:\Users\Cynthia\Desktop\WinDirStat.lnk
    2012-09-04 09:01 - 2012-09-04 09:01 - 00000000 ____D C:\Program Files\WinDirStat
    2012-08-31 14:00 - 2012-08-31 14:00 - 00000000 ____D C:\Program Files\Defraggler
    2012-08-31 13:35 - 2012-08-31 13:35 - 00000000 ____D C:\Program Files\Trust USB WiFi Adapter Driver
    2012-08-31 13:19 - 2012-08-31 13:19 - 00000000 ____D C:\Users\Cynthia\Application Data\InstallShield
    2012-08-31 13:19 - 2012-08-31 13:19 - 00000000 ____D C:\Users\Cynthia\AppData\Roaming\InstallShield
    2012-08-31 13:19 - 2009-02-11 13:11 - 00329752 ____A (Intel Corporation) C:\Windows\System32\Drivers\iaStor.sys
    2012-08-31 12:56 - 2012-08-31 12:56 - 00000000 ____D C:\Users\Cynthia\Local Settings\Downloaded Installations
    2012-08-31 12:56 - 2012-08-31 12:56 - 00000000 ____D C:\Users\Cynthia\Local Settings\Application Data\Downloaded Installations
    2012-08-31 12:56 - 2012-08-31 12:56 - 00000000 ____D C:\Users\Cynthia\AppData\Local\Downloaded Installations
    2012-08-31 12:04 - 2012-08-31 12:04 - 00016060 ____A C:\Windows\System32\results.xml
    2012-08-31 11:55 - 2012-08-31 11:55 - 00000000 ____D C:\Program Files\IDT
    2012-08-31 11:45 - 1999-12-31 16:00 - 03293184 ____A (Intel Corporation) C:\Windows\System32\igfxress.dll
    2012-08-31 11:45 - 1999-12-31 16:00 - 02420736 ____A (Intel Corporation) C:\Windows\System32\ig4icd32.dll
    2012-08-31 11:45 - 1999-12-31 16:00 - 02307072 ____A (Intel Corporation) C:\Windows\System32\Drivers\igdkmd32.sys
    2012-08-31 11:45 - 1999-12-31 16:00 - 02174976 ____A (Intel Corporation) C:\Windows\System32\ig4dev32.dll
    2012-08-31 11:45 - 1999-12-31 16:00 - 00539160 ____A (Intel Corporation) C:\Windows\System32\igfxcfg.exe
    2012-08-31 11:45 - 1999-12-31 16:00 - 00204800 ____A (Intel Corporation) C:\Windows\System32\igfxpph.dll
    2012-08-31 11:45 - 1999-12-31 16:00 - 00192512 ____A (Intel Corporation) C:\Windows\System32\igfxrell.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00192512 ____A (Intel Corporation) C:\Windows\System32\igfxrdeu.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00188416 ____A (Intel Corporation) C:\Windows\System32\igfxrnld.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00188416 ____A (Intel Corporation) C:\Windows\System32\igfxrita.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00188416 ____A (Intel Corporation) C:\Windows\System32\igfxresp.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00184320 ____A (Intel Corporation) C:\Windows\System32\igfxrhun.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00184320 ____A (Intel Corporation) C:\Windows\System32\igfxrfra.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00180224 ____A (Intel Corporation) C:\Windows\System32\igfxrrus.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00180224 ____A (Intel Corporation) C:\Windows\System32\igfxrptg.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00180224 ____A (Intel Corporation) C:\Windows\System32\igfxrptb.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00180224 ____A (Intel Corporation) C:\Windows\System32\igfxrplk.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00176128 ____A (Intel Corporation) C:\Windows\System32\igfxrsve.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00176128 ____A (Intel Corporation) C:\Windows\System32\igfxrsky.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00176128 ____A (Intel Corporation) C:\Windows\System32\igfxrnor.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00176128 ____A (Intel Corporation) C:\Windows\System32\igfxrfin.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00176128 ____A (Intel Corporation) C:\Windows\System32\igfxrdan.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00176128 ____A (Intel Corporation) C:\Windows\System32\igfxrcsy.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00172032 ____A (Intel Corporation) C:\Windows\System32\igfxrtrk.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00172032 ____A (Intel Corporation) C:\Windows\System32\igfxrslv.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00170520 ____A (Intel Corporation) C:\Windows\System32\igfxzoom.exe
    2012-08-31 11:45 - 1999-12-31 16:00 - 00170520 ____A (Intel Corporation) C:\Windows\System32\igfxext.exe
    2012-08-31 11:45 - 1999-12-31 16:00 - 00163840 ____A (Intel Corporation) C:\Windows\System32\igfxrtha.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00159744 ____A (Intel Corporation) C:\Windows\System32\igfxrara.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00155648 ____A (Intel Corporation) C:\Windows\System32\igfxrheb.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00147456 ____A C:\Windows\System32\igfxCoIn_v1587.dll
    2012-08-31 11:45 - 1999-12-31 16:00 - 00141848 ____A (Intel Corporation) C:\Windows\System32\igfxtray.exe
    2012-08-31 11:45 - 1999-12-31 16:00 - 00135168 ____A (Intel Corporation) C:\Windows\System32\igfxdo.dll
    2012-08-31 11:45 - 1999-12-31 16:00 - 00131072 ____A (Intel Corporation) C:\Windows\System32\igfxrjpn.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00126976 ____A (Intel Corporation) C:\Windows\System32\igfxrkor.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00122880 ____A (Intel Corporation) C:\Windows\System32\igfxcpl.cpl
    2012-08-31 11:45 - 1999-12-31 16:00 - 00114688 ____A (Intel Corporation) C:\Windows\System32\igfxrchs.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00110592 ____A (Intel Corporation) C:\Windows\System32\igfxrcht.lrc
    2012-08-31 11:45 - 1999-12-31 16:00 - 00069632 ____A (Intel Corporation) C:\Windows\System32\oemdspif.dll
    2012-08-31 11:45 - 1999-12-31 16:00 - 00032912 ____A C:\Windows\System32\iglhxs32.vp
    2012-08-31 11:45 - 1999-12-31 16:00 - 00024576 ____A (Intel Corporation) C:\Windows\System32\igfxexps.dll
    2012-08-31 11:41 - 2012-09-04 08:32 - 00013024 ____A C:\Windows\System32\Drivers\SWDUMon.sys
    2012-08-31 11:41 - 2012-08-31 11:41 - 00000000 ____D C:\Users\Public\Documents\Downloaded Installers
    2012-08-31 11:41 - 2012-08-31 11:41 - 00000000 ____D C:\Users\All Users\Documents\Downloaded Installers
    2012-08-25 00:04 - 2012-08-25 00:04 - 00000000 ____D C:\Program Files\Windows Portable Devices
    2012-08-25 00:03 - 2012-08-25 00:03 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2012-08-25 00:03 - 2012-08-25 00:03 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_07_00.Wdf
    2012-08-24 23:39 - 2009-09-30 17:02 - 02537472 ____A (Microsoft Corporation) C:\Windows\System32\wpdshext.dll
    2012-08-24 23:39 - 2009-09-30 17:02 - 00334848 ____A (Microsoft Corporation) C:\Windows\System32\PortableDeviceApi.dll
    2012-08-24 23:39 - 2009-09-30 17:02 - 00087552 ____A (Microsoft Corporation) C:\Windows\System32\WPDShServiceObj.dll
    2012-08-24 23:39 - 2009-09-30 17:02 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\BthMtpContextHandler.dll
    2012-08-24 23:39 - 2009-09-30 17:02 - 00030208 ____A (Microsoft Corporation) C:\Windows\System32\WPDShextAutoplay.exe
    2012-08-24 23:39 - 2009-09-30 17:01 - 00546816 ____A (Microsoft Corporation) C:\Windows\System32\wpd_ci.dll
    2012-08-24 23:39 - 2009-09-30 17:01 - 00350208 ____A (Microsoft Corporation) C:\Windows\System32\WPDSp.dll
    2012-08-24 23:39 - 2009-09-30 17:01 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\WpdMtp.dll
    2012-08-24 23:39 - 2009-09-30 17:01 - 00196608 ____A (Microsoft Corporation) C:\Windows\System32\PortableDeviceWMDRM.dll
    2012-08-24 23:39 - 2009-09-30 17:01 - 00160256 ____A (Microsoft Corporation) C:\Windows\System32\PortableDeviceTypes.dll
    2012-08-24 23:39 - 2009-09-30 17:01 - 00100864 ____A (Microsoft Corporation) C:\Windows\System32\PortableDeviceClassExtension.dll
    2012-08-24 23:39 - 2009-09-30 17:01 - 00081920 ____A (Microsoft Corporation) C:\Windows\System32\wpdbusenum.dll
    2012-08-24 23:39 - 2009-09-30 17:01 - 00061952 ____A (Microsoft Corporation) C:\Windows\System32\WpdMtpUS.dll
    2012-08-24 23:39 - 2009-09-30 17:01 - 00060928 ____A (Microsoft Corporation) C:\Windows\System32\PortableDeviceConnectApi.dll
    2012-08-24 23:39 - 2009-09-30 17:01 - 00040448 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WpdUsb.sys
    2012-08-24 23:39 - 2009-09-30 17:01 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\WpdConns.dll
    2012-08-24 23:39 - 2009-09-09 18:01 - 03023360 ____A (Microsoft Corporation) C:\Windows\System32\UIRibbon.dll
    2012-08-24 23:39 - 2009-09-09 18:00 - 01164800 ____A (Microsoft Corporation) C:\Windows\System32\UIRibbonRes.dll
    2012-08-24 23:39 - 2009-09-09 18:00 - 00092672 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
    2012-08-24 23:32 - 2012-02-29 07:11 - 00172032 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
    2012-08-24 23:32 - 2012-02-29 07:11 - 00005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
    2012-08-24 23:32 - 2012-02-29 07:09 - 00157696 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
    2012-08-24 23:32 - 2012-02-29 05:32 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
    2012-08-24 23:25 - 2012-07-04 06:02 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    ==================== 3 Months Modified Files ==================
    2012-09-23 19:19 - 2012-09-10 09:47 - 00663312 ____A C:\Windows\WindowsUpdate.log
    2012-09-23 19:19 - 2006-11-02 05:01 - 00032544 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-09-23 19:19 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-09-23 19:19 - 2006-11-02 04:47 - 00003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-09-23 19:19 - 2006-11-02 04:47 - 00003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-09-23 19:13 - 2009-02-13 15:07 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job
    2012-09-23 18:51 - 2011-02-01 17:51 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-09-23 17:51 - 2011-02-01 17:51 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-09-22 17:16 - 2006-11-02 02:22 - 42729472 ____A C:\Windows\System32\config\software_previous
    2012-09-22 17:16 - 2006-11-02 02:22 - 39583744 ____A C:\Windows\System32\config\components_previous
    2012-09-22 17:16 - 2006-11-02 02:22 - 26214400 ____A C:\Windows\System32\config\system_previous
    2012-09-22 17:16 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
    2012-09-22 17:16 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
    2012-09-22 17:16 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\default_previous
    2012-09-22 09:49 - 2012-09-22 09:48 - 07200144 ____A C:\Users\Cynthia\Downloads\watersound.mpeg
    2012-09-20 18:04 - 2012-09-20 18:04 - 00034954 ____A C:\Users\Cynthia\Desktop\Extras.Txt
    2012-09-20 18:02 - 2012-09-20 18:02 - 00062816 ____A C:\Users\Cynthia\Desktop\OTL.Txt
    2012-09-20 17:53 - 2012-09-20 17:52 - 00600064 ____A (OldTimer Tools) C:\Users\Cynthia\Desktop\OTL.exe
    2012-09-19 06:47 - 2012-09-19 06:47 - 00016770 ____A C:\ComboFix.txt
    2012-09-19 06:42 - 2006-11-02 02:23 - 00000215 ____A C:\Windows\system.ini
    2012-09-19 06:32 - 2012-09-18 17:43 - 04752754 ____R (Swearware) C:\Users\Cynthia\Desktop\ComboFix.exe
    2012-09-18 09:03 - 2012-09-18 09:03 - 00001994 ____A C:\Users\Cynthia\Desktop\aswMBR.txt
    2012-09-18 09:03 - 2012-09-18 09:03 - 00000512 ____A C:\Users\Cynthia\Desktop\MBR.dat
    2012-09-18 08:29 - 2012-09-18 08:29 - 04731392 ____A (AVAST Software) C:\Users\Cynthia\Downloads\aswMBR (1).exe
    2012-09-18 07:54 - 2012-09-18 07:53 - 04731392 ____A (AVAST Software) C:\Users\Cynthia\Downloads\aswMBR.exe
    2012-09-18 07:51 - 2012-09-18 07:51 - 00001895 ____A C:\Users\Cynthia\Desktop\RKreport[1].txt
    2012-09-18 07:51 - 2012-09-18 07:51 - 00001738 ____A C:\Users\Cynthia\Desktop\RKreport[2].txt
    2012-09-18 07:50 - 2012-09-18 07:50 - 01378816 ____A C:\Users\Cynthia\Downloads\RogueKiller.exe
    2012-09-18 07:46 - 2012-09-17 15:25 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Cynthia\Desktop\TDSSKiller.exe
    2012-09-18 07:45 - 2012-09-18 07:44 - 02193278 ____A C:\Users\Cynthia\Downloads\tdsskiller.zip
    2012-09-17 13:34 - 2012-09-17 13:33 - 00607260 ____R (Swearware) C:\Users\Cynthia\Downloads\dds (1).com
    2012-09-16 07:43 - 2012-09-16 07:43 - 00001721 ____A C:\Users\Cynthia\Desktop\Spotify.lnk
    2012-09-12 17:31 - 2006-11-02 02:24 - 62164608 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-09-12 17:08 - 2012-09-12 17:08 - 00000804 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-09-12 17:08 - 2012-09-12 17:08 - 00000804 ____A C:\Users\All Users\Desktop\CCleaner.lnk
    2012-09-12 13:14 - 2012-09-12 13:14 - 00607260 ____R (Swearware) C:\Users\Cynthia\Downloads\dds.com
    2012-09-12 11:40 - 2012-09-12 11:40 - 00104104 ____A C:\Users\Cynthia\Local Settings\GDIPFONTCACHEV1.DAT
    2012-09-12 11:40 - 2012-09-12 11:40 - 00104104 ____A C:\Users\Cynthia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-09-12 11:40 - 2012-09-12 11:40 - 00104104 ____A C:\Users\Cynthia\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-09-12 11:39 - 2012-09-12 11:38 - 00404416 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-09-12 11:35 - 2011-07-16 18:21 - 00302592 ____A C:\Users\Cynthia\Desktop\gmer.exe
    2012-09-12 11:34 - 2012-09-12 11:33 - 00294216 ____A C:\Users\Cynthia\Downloads\gmer.zip
    2012-09-12 11:22 - 2012-09-12 11:22 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-09-12 11:22 - 2012-09-12 11:22 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-09-12 11:20 - 2012-09-12 11:20 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Cynthia\Desktop\mbam-setup-1.65.0.1400.exe
    2012-09-12 11:11 - 2012-09-12 11:11 - 00044607 ____A C:\Users\Cynthia\Desktop\bootkit_remover.zip
    2012-09-12 08:26 - 2012-09-12 08:26 - 00171241 ____A C:\Users\Cynthia\Downloads\blow flower beautiful girl
    2012-09-12 08:18 - 2012-09-12 08:18 - 00039447 ____A C:\Users\Cynthia\blow flower 2 space
    2012-09-10 10:37 - 2012-09-10 10:37 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-09-10 10:37 - 2012-09-10 10:37 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-09-07 13:04 - 2012-09-12 11:22 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-09-06 19:50 - 2012-08-22 12:24 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-09-06 19:49 - 2006-11-02 02:33 - 00734252 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-09-04 09:20 - 2012-09-04 09:01 - 00000828 ____A C:\Users\Cynthia\Desktop\WinDirStat.lnk
    2012-09-04 08:32 - 2012-08-31 11:41 - 00013024 ____A C:\Windows\System32\Drivers\SWDUMon.sys
    2012-08-31 12:04 - 2012-08-31 12:04 - 00016060 ____A C:\Windows\System32\results.xml
    2012-08-25 00:03 - 2012-08-25 00:03 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2012-08-25 00:03 - 2012-08-25 00:03 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_07_00.Wdf
    2012-08-22 18:17 - 2012-08-22 18:17 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
    2012-08-22 18:17 - 2012-08-22 18:17 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-08-22 18:17 - 2012-08-22 18:17 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-08-22 18:17 - 2012-08-22 18:17 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00580608 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00434176 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00367104 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
    2012-08-22 18:17 - 2012-08-22 18:17 - 00353792 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00353584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00227840 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00223232 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00203776 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00162304 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00152064 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
    2012-08-22 18:17 - 2012-08-22 18:17 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
    2012-08-22 18:17 - 2012-08-22 18:17 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-08-22 18:17 - 2012-08-22 18:17 - 00130560 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00123392 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00118784 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00114176 ____A (Microsoft Corporation) C:\Windows\System32\advpack.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00101888 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00086528 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00078848 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
    2012-08-22 18:17 - 2012-08-22 18:17 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
    2012-08-22 18:17 - 2012-08-22 18:17 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00074240 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
    2012-08-22 18:17 - 2012-08-22 18:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00066048 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00063488 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
    2012-08-22 18:17 - 2012-08-22 18:17 - 00054272 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00035840 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
    2012-08-22 18:17 - 2012-08-22 18:17 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
    2012-08-22 18:17 - 2012-08-22 18:17 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
    2012-08-22 18:17 - 2006-11-01 22:32 - 00008798 ____A C:\Windows\System32\icrav03.rat
    2012-08-22 18:17 - 2006-11-01 22:32 - 00001988 ____A C:\Windows\System32\ticrf.rat
    2012-08-22 18:15 - 2012-08-22 18:15 - 02873344 ____A (Microsoft Corporation) C:\Windows\System32\mf.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 01554432 ____A (Microsoft Corporation) C:\Windows\System32\xpsservices.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 01075712 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 01029120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00979456 ____A (Microsoft Corporation) C:\Windows\System32\MFH264Dec.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00847360 ____A (Microsoft Corporation) C:\Windows\System32\OpcServices.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00667648 ____A (Microsoft Corporation) C:\Windows\System32\printfilterpipelinesvc.exe
    2012-08-22 18:15 - 2012-08-22 18:15 - 00638336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
    2012-08-22 18:15 - 2012-08-22 18:15 - 00586240 ____A (Microsoft Corporation) C:\Windows\System32\stobject.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00486400 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00478720 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00357376 ____A (Microsoft Corporation) C:\Windows\System32\MFHEAACdec.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00302592 ____A (Microsoft Corporation) C:\Windows\System32\mfmp4src.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00261632 ____A (Microsoft Corporation) C:\Windows\System32\mfreadwrite.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00258048 ____A (Microsoft Corporation) C:\Windows\System32\winspool.drv
    2012-08-22 18:15 - 2012-08-22 18:15 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\mfplat.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00189952 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00135680 ____A (Microsoft Corporation) C:\Windows\System32\XpsRasterService.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00098816 ____A (Microsoft Corporation) C:\Windows\System32\mfps.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
    2012-08-22 18:15 - 2012-08-22 18:15 - 00026112 ____A (Microsoft Corporation) C:\Windows\System32\printfilterpipelineprxy.dll
    2012-08-22 18:13 - 2012-08-22 18:13 - 00974848 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
    2012-08-22 18:13 - 2012-08-22 18:13 - 00519680 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
    2012-08-22 18:13 - 2012-08-22 18:13 - 00369664 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
    2012-08-22 18:13 - 2012-08-22 18:13 - 00321024 ____A (Microsoft Corporation) C:\Windows\System32\PhotoMetadataHandler.dll
    2012-08-22 18:13 - 2012-08-22 18:13 - 00252928 ____A (Microsoft Corporation) C:\Windows\System32\dxdiag.exe
    2012-08-22 18:13 - 2012-08-22 18:13 - 00195584 ____A (Microsoft Corporation) C:\Windows\System32\dxdiagn.dll
    2012-08-22 18:13 - 2012-08-22 18:13 - 00189440 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
    2012-08-22 17:59 - 2012-08-22 17:58 - 20158824 ____A (Microsoft Corporation) C:\Users\Cynthia\Downloads\BOIE9_ENUS_BO0085_VIS.EXE
    2012-08-22 17:47 - 2012-08-22 17:46 - 22294856 ____A (Microsoft Corporation) C:\Users\Cynthia\Downloads\BOIE9_ENUS_BO0084_VIS.EXE
    2012-08-21 06:22 - 2012-08-21 06:23 - 00200869 ____A C:\Users\Cynthia\Downloads\SATA Driver Intel Ver.7.0.0.1020.zip
    2012-08-21 06:13 - 2012-08-21 06:13 - 08937128 ____A C:\Users\Cynthia\Downloads\R167846.EXE
    2012-07-12 16:58 - 2012-05-26 13:59 - 00032398 ____A C:\Users\Cynthia\My Documents\My first Notebook.odt
    2012-07-12 16:58 - 2012-05-26 13:59 - 00032398 ____A C:\Users\Cynthia\Documents\My first Notebook.odt
    2012-07-04 06:02 - 2012-08-24 23:25 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-29 08:01 - 2012-08-23 05:09 - 00467968 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points =========================
    Restore point made on: 2012-09-20 17:55:33
    Restore point made on: 2012-09-22 13:48:58
    Restore point made on: 2012-09-22 14:07:33
    Restore point made on: 2012-09-22 17:13:00
    Restore point made on: 2012-09-22 17:50:38
    Restore point made on: 2012-09-23 18:12:04
    ==================== Memory info ===========================
    Percentage of memory in use: 13%
    Total physical RAM: 2037.56 MB
    Available physical RAM: 1759.66 MB
    Total Pagefile: 1969.45 MB
    Available Pagefile: 1821.73 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1983.52 MB
    ==================== Partitions =============================
    1 Drive c: () (Fixed) (Total:139.31 GB) (Free:111.87 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: (HP Pocket Media Drive) (Fixed) (Total:74.52 GB) (Free:46.83 GB) NTFS
    4 Drive r: (MS-RAMDRIVE) (Fixed) (Total:0.01 GB) (Free:0.01 GB) FAT
    5 Drive x: (Recovery) (Fixed) (Total:9.74 GB) (Free:3.16 GB) NTFS
    Disk ###  Status      Size     Free     Dyn  Gpt
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online      149 GB   1528 KB
    Disk 1    Online      75 GB    9 MB
    Partitions of Disk 0:
    ===============
    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           10 GB    32 KB
    Partition 2    Primary           139 GB   10 GB
    =========================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No
    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2   X   Recovery     NTFS   Partition   10 GB    Healthy    Boot
    =========================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes
    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1   C                NTFS   Partition   139 GB   Healthy
    =========================================================
    Partitions of Disk 1:
    ===============
    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 0    Extended          75 GB    8033 KB
    Partition 1    Logical           75 GB    8064 KB
    =========================================================
    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: No
    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3   E   HP Pocket M  NTFS   Partition   75 GB    Healthy
    =========================================================
    Last Boot: 2012-09-23 11:06
    ==================== End Of Log ============================
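
    The FRST "Created" / "Modified" file lists above are what the helper is reading by eye: each line is two timestamps, a size, an attribute field, an optional CompanyName in parentheses, and the path. Below is an added example (not part of this thread, and not FRST's own code) that parses lines in that format and applies a few of the review heuristics a helper applies by hand. The field order is taken from the log itself: in the "Created" section the first stamp is the creation time and the second the last-write time, in the "Modified" section they are the other way round (SWDUMon.sys appears in both sections with the two stamps swapped). The sample lines are copied from the log above; the rule set, the Entry class and the function names are this example's own, and the hints are things to look at, not verdicts.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# One FRST file-list line: <stamp> - <stamp> - <size> <flags> [(<company>)] <path>
# Assumed here from the log's own lines; the flags field is five characters of
# '_' or capital letters (e.g. ____A, ___AH, ____D, ____R).
LINE_RE = re.compile(
    r"^(?P<t1>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<t2>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<flags>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Extensions treated as executable code for the "no publisher" heuristic.
CODE_EXT = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".com", ".scr", ".drv"}


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    flags: str              # FRST attribute field as printed in the log
    company: Optional[str]  # CompanyName from the version resource, if any
    path: str


def parse_line(line: str, section: str) -> Optional[Entry]:
    """Parse one FRST line; section is 'created' or 'modified' (see lead-in)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t1, t2 = m["t1"], m["t2"]
    created, modified = (t1, t2) if section == "created" else (t2, t1)
    company = m["company"].strip() if m["company"] else None  # log has "(Name )" too
    return Entry(created, modified, int(m["size"]), m["flags"], company, m["path"])


def triage(e: Entry) -> List[str]:
    """Return review hints for one entry. Hints, not verdicts."""
    hints: List[str] = []
    ext = PureWindowsPath(e.path).suffix.lower()
    is_dir = "D" in e.flags
    in_profile = e.path.lower().startswith("c:\\users\\")
    if ext in CODE_EXT and not e.company:
        hints.append("executable code with no CompanyName version info")
    if not is_dir and ext == "" and in_profile:
        hints.append("extensionless file in a user profile")
    if "H" in e.flags and ext in CODE_EXT:
        hints.append("hidden executable code")
    # ISO-style stamps compare chronologically as strings. A last-write time
    # older than the creation time is normal for installer-copied files
    # (build date preserved), but it is also what timestomping looks like.
    if e.modified < e.created:
        hints.append("mtime predates ctime (preserved by an installer, or timestomped)")
    return hints


def review(text: str, section: str) -> Dict[str, List[str]]:
    """Map every path that drew at least one hint to its hints."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        e = parse_line(line, section)
        if e is None:
            continue
        hints = triage(e)
        if hints:
            out[e.path] = hints
    return out


# Sample lines copied from the FRST log in this thread.
SAMPLE_CREATED = r"""
2012-08-31 11:45 - 1999-12-31 16:00 - 00147456 ____A C:\Windows\System32\igfxCoIn_v1587.dll
2012-08-31 11:45 - 1999-12-31 16:00 - 00141848 ____A (Intel Corporation) C:\Windows\System32\igfxtray.exe
"""

SAMPLE_MODIFIED = r"""
2012-09-23 19:19 - 2006-11-02 04:47 - 00003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-18 07:50 - 2012-09-18 07:50 - 01378816 ____A C:\Users\Cynthia\Downloads\RogueKiller.exe
2012-09-12 11:20 - 2012-09-12 11:20 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\Cynthia\Desktop\mbam-setup-1.65.0.1400.exe
2012-09-12 08:26 - 2012-09-12 08:26 - 00171241 ____A C:\Users\Cynthia\Downloads\blow flower beautiful girl
2012-09-07 13:04 - 2012-09-12 11:22 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-04 08:32 - 2012-08-31 11:41 - 00013024 ____A C:\Windows\System32\Drivers\SWDUMon.sys
"""


def demo() -> Dict[str, List[str]]:
    """Run both sample sections through the reviewer."""
    result = review(SAMPLE_CREATED, "created")
    result.update(review(SAMPLE_MODIFIED, "modified"))
    return result


if __name__ == "__main__":
    for path, hints in demo().items():
        print(path)
        for h in hints:
            print("   -", h)
```

    On the sample, RogueKiller.exe and SWDUMon.sys are listed only because the log shows no CompanyName for them, the two "blow flower" style files because they have no extension, and mbam.sys and the two Intel files because their last-write time is older than their creation time. That last rule fires on a freshly installed Malwarebytes driver, which is exactly why it is a hint for a human to check a signature against, not a detection.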
     
  14. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    * Click on Start, then Run.
    * Copy and Paste the bold text below into the Run Box:


    cmd /c dir /a /s C:\QooBox\Quarantine\Registry_backups >log.txt&start log.txt


    * Then click on OK.
    * A Text File will open up, please Copy and Paste the contents in your next reply.
     
  15. ccchester

    ccchester TS Rookie Topic Starter

    I tried to do what you said, but I got this error message:

    "Windows cannot find log.txt. Make sure you have typed the name correctly, and then try again."

    I tried again, making sure I had copied it correctly, but still got the same response. What does that mean, and what should I do next?
     
  16. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    My bad. One backslash was missing.
    I corrected the command.
    Please retry.
     
  17. ccchester

    ccchester TS Rookie Topic Starter

    Where is the command? What exactly will this do?
     
  18. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    My reply #14.
    I edited that command.
     
  19. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    Still with me?
     
  20. Broni

    Broni Malware Annihilator Posts: 48,005   +271

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.
     
Topic Status:
Not open for further replies.