TechSpot

Another Sirefef victim over here. -_-

By Mr. Bucket
Jul 7, 2012
  1. Reading these forums...apparently this thing is running rampant.

    I noticed the problem when my computer randomly froze and restarted on me... All my firewalls and anti-viruses were turned off, and Windows shuts down after just a minute or 2 of use.

    I managed to pick up the name in Microsoft Security Essentials as Sirefef.W

    The worst part is that they seemed to mess with my factory restore image, so I can't start from scratch, even if I wanted to.

    I run a Windows 7 Home Premium 64-bit system.
    Lenovo IdeaPad Z560

    Can someone be my savior and help me? This one's a toughie. >_<
     
  2. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==================================================

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  3. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    Scan result of Farbar Recovery Scan Tool Version: 07-07-2012 02
    Ran by SYSTEM at 07-07-2012 01:49:28
    Running from G:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe [2598280 2010-06-23] (ELAN Microelectronics Corp.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-10-03] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [935288 2009-09-04] (Adobe Systems Incorporated)
    HKU\Pat\...\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [740216 2012-02-27] (BitTorrent, Inc.)
    HKU\Pat\...\Run: [Google Update] "C:\Users\Pat\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-07-16] (Google Inc.)
    HKU\Pat\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3478336 2012-01-24] (DT Soft Ltd)
    HKU\Pat\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17425584 2012-06-14] (Skype Technologies S.A.)
    Tcpip\Parameters: [DhcpNameServer] 68.87.64.146 68.87.75.194 68.87.71.226
    Startup: C:\Users\Pat\Start Menu\Programs\Startup\Jobulator.lnk
    ShortcutTarget: Jobulator.lnk -> C:\Program Files (x86)\Jobulator\Jobulator.exe ()
    ==================== Services (Whitelisted) ======
    3 IGRS; "C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe" [38152 2009-07-14] (Lenovo Group Limited)
    3 Lenovo ReadyComm AppSvc; "C:\Program Files\Lenovo\ReadyComm\AppSvc.exe" [509192 2009-08-14] (Lenovo Group Limited)
    3 Lenovo ReadyComm ConnSvc; "C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe" [579400 2009-09-22] (Lenovo Group Limited)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    2 NitroDriverReadSpool2; "C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe" [216072 2012-05-16] (Nitro PDF Software)
    2 nlsX86cc; C:\windows\SysWOW64\NLSSRV32.EXE [69640 2012-05-16] (Nalpeiron Ltd.)
    4 Oasis2Service; "C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe" [46080 2010-06-23] ()
    3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
    2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)
    2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
    2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2320920 2009-12-09] (Intel Corporation)
    ========================== Drivers (Whitelisted) =============
    3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-02-08] (DT Soft Ltd)
    0 NBVol; C:\Windows\System32\Drivers\NBVol.sys [72240 2011-12-01] (Nero AG)
    0 NBVolUp; C:\Windows\System32\Drivers\NBVolUp.sys [15920 2011-12-01] (Nero AG)
    3 usbsmi; C:\Windows\System32\DRIVERS\SMIksdrv.sys [200704 2010-04-20] (SMI)
    3 wdmirror; C:\Windows\System32\Drivers\wdmirror.sys [11280 2009-07-16] (Lenovo)
    3 WinRing0_1_2_0; \??\C:\Users\Pat\Downloads\RealTemp_370\WinRing0x64.sys [14544 2008-07-26] (OpenLibSys.org)
    3 BcmSqlStartupSvc; [x]
    3 EagleX64; \??\C:\windows\system32\drivers\EagleX64.sys [x]
    2 IviRegMgr; [x]
    2 RichVideo; [x]
    3 SQLWriter; [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-07-06 20:59 - 2012-07-06 20:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4C5F80B573D12828
    2012-07-06 20:45 - 2012-07-06 20:45 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A8BEF0D3D114D71E
    2012-07-06 20:25 - 2012-07-06 20:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CA258C2B4689C033
    2012-07-06 20:20 - 2012-07-06 20:20 - 00000000 ____D C:\Users\Pat\Downloads\Pat22
    2012-07-06 20:15 - 2012-07-06 20:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C1542D0F8BE95AAB
    2012-07-06 20:06 - 2012-07-06 20:06 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-06 20:06 - 2012-07-06 20:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-06 20:05 - 2012-07-06 20:05 - 12621696 ____A (Microsoft Corporation) C:\Users\Pat\Downloads\mseinstall(2).exe
    2012-07-06 19:58 - 2012-07-06 19:58 - 00347424 ____A (Microsoft Corporation) C:\Users\Pat\Downloads\MicrosoftFixit.wu.Run.exe
    2012-07-05 13:46 - 2012-07-05 13:46 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-05 13:42 - 2012-07-06 19:47 - 00009728 ____H C:\Users\Pat\AppData\Roaming\desktop.ini
    2012-07-04 15:49 - 2012-07-06 13:22 - 00000000 ____D C:\Users\Pat\Documents\Thief - Deadly Shadows
    2012-07-04 15:46 - 2012-07-04 15:46 - 00001671 ____A C:\Users\Pat\Desktop\t3 - Shortcut.lnk
    2012-07-04 13:41 - 2012-07-04 13:42 - 00000000 ____D C:\Users\Public\Documents\Thief - Deadly Shadows
    2012-07-04 13:39 - 2012-07-04 13:39 - 00000000 ____D C:\Users\Pat\Downloads\t3_unprotected
    2012-07-04 13:32 - 2012-07-04 13:52 - 00000000 ____D C:\Program Files (x86)\Thief - Deadly Shadows
    2012-07-04 12:39 - 2012-07-05 13:33 - 00000000 ____D C:\Users\Pat\Downloads\Deus Ex - Human Revolution
    2012-07-04 12:33 - 2012-07-04 12:33 - 00000000 ____D C:\Users\Pat\Downloads\Deus.Ex.Human.Revolution.v1.4.651.0.Update.&.The Missing.Link.v1.4.66.0.Update-BlackEcho
    2012-07-04 12:30 - 2012-07-04 12:56 - 00000000 ____D C:\Users\Pat\Downloads\Thief 3 Deadly Shadows [PC] [MULTi5] [EN ES GR FR IT] [SpaTorrent.com]
    2012-06-28 22:37 - 2012-06-28 23:45 - 209803023 ____A C:\Users\Pat\Downloads\Phineas.and.Ferb.720p.HDTV.What.a.Croc.J3FF.mkv
    2012-06-28 20:46 - 2012-06-28 20:46 - 00000000 ____D C:\Users\Pat\Desktop\Recettear_patch_1108
    2012-06-28 20:45 - 2012-06-28 20:46 - 00000000 ____D C:\Users\Pat\Desktop\Recettear - An Item Shop's Tale
    2012-06-28 20:42 - 2012-06-28 20:42 - 00000000 ____D C:\Users\Pat\Downloads\Recettear_patch_1108
    2012-06-28 04:26 - 2012-06-28 04:44 - 00000000 ____D C:\Users\Pat\Downloads\Phineas and Ferb
    2012-06-28 04:26 - 2012-06-28 04:27 - 00000000 ____D C:\Users\Pat\Downloads\Regular Show 3x31
    2012-06-28 04:25 - 2012-06-28 04:29 - 00000000 ____D C:\Users\Pat\Downloads\Adventure Time 4x13
    2012-06-28 04:24 - 2012-06-28 04:24 - 00000000 ____D C:\Users\Pat\Downloads\Futurama.S07E03.720p.HDTV.x264-IMMERSE
    2012-06-27 20:55 - 2012-06-27 20:55 - 00000000 ____D C:\Users\Pat\AppData\Roaming\RenPy
    2012-06-27 20:55 - 2012-06-27 20:55 - 00000000 ____D C:\Users\Pat\AppData\Roaming\NVIDIA
    2012-06-22 12:08 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-22 12:08 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-22 12:08 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-22 12:08 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-22 12:08 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-22 12:08 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-22 12:08 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-22 12:08 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-22 12:08 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-21 17:40 - 2012-06-21 17:48 - 00000000 ____D C:\Users\Pat\Downloads\Adventure Time 4x11
    2012-06-21 17:38 - 2012-06-21 17:54 - 00000000 ____D C:\Users\Pat\Downloads\Futurama.S07E02.720p.HDTV.x264-IMMERSE
    2012-06-20 17:50 - 2012-06-20 17:50 - 00000000 ____D C:\Users\Pat\Desktop\__rpg
    2012-06-20 17:50 - 2011-03-13 11:58 - 00376896 ____A C:\Users\Pat\Desktop\_DS_MENU.DAT
    2012-06-20 17:49 - 2012-06-20 17:49 - 00000000 ____D C:\Users\Pat\Downloads\Wood_R4_v1.48
    2012-06-20 17:48 - 2012-06-20 17:48 - 01655557 ____A C:\Users\Pat\Downloads\Wood_R4_v1.48.rar
    2012-06-20 09:44 - 2012-06-20 09:44 - 00000000 ____D C:\Users\Pat\Downloads\NDS - Pokemon Conquest (USA) (Clean + Patched)
    2012-06-19 19:00 - 2012-06-19 19:00 - 00000000 ____D C:\Users\Pat\Downloads\Just Love A Framework for Christian Sexual Ethics by Margaret Farley
    2012-06-17 14:58 - 2012-06-17 15:31 - 1141644924 ____A C:\Users\Pat\Desktop\3sUnKnOwN.avi
    2012-06-17 14:58 - 2012-06-17 15:20 - 00000000 ____D C:\Users\Pat\Downloads\The Three Stooges 2012 TS Xvid UnKnOwN
    2012-06-17 13:12 - 2012-06-17 13:12 - 00000000 ____D C:\Users\Pat\Downloads\The.Three.Stooges.COMPLETE.Collection-TD
    2012-06-17 13:11 - 2012-06-18 03:03 - 00000000 ____D C:\Users\Pat\Downloads\The Three Stooges Shorts Collection (1-43)
    2012-06-17 13:08 - 2012-06-18 10:20 - 00000000 ____D C:\Users\Pat\Downloads\STOOGES
    2012-06-17 13:08 - 2012-06-18 03:24 - 00000000 ____D C:\Users\Pat\Downloads\3 Stooges D2 1943 - 1945
    2012-06-17 13:08 - 2012-06-17 19:26 - 00000000 ____D C:\Users\Pat\Downloads\The Three Stooges Shorts - Volume 6 (113-136)
    2012-06-17 13:03 - 2012-06-17 13:36 - 254943789 ____A C:\Users\Pat\Desktop\the three stooges - 3 dumb clucks (1937).mp4
    2012-06-15 10:34 - 2012-06-09 00:29 - 00000000 ____D C:\Users\Pat\Desktop\Tor Browser
    2012-06-15 10:31 - 2012-06-15 10:31 - 23748738 ____A (Igor Pavlov) C:\Users\Pat\Downloads\tor-browser-2.2.37-1_en-US.exe
    2012-06-15 10:31 - 2012-06-09 00:29 - 00000000 ____D C:\Users\Pat\Downloads\Tor Browser
    2012-06-13 12:10 - 2012-05-14 20:01 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-13 12:10 - 2012-05-14 19:59 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-13 12:10 - 2012-05-14 19:03 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-13 12:10 - 2012-05-14 19:00 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-13 12:10 - 2012-04-19 21:42 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-13 12:10 - 2012-04-19 21:42 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-13 12:10 - 2012-04-19 21:42 - 02454528 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-13 12:10 - 2012-04-19 21:42 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-13 12:10 - 2012-04-19 21:42 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-06-13 12:10 - 2012-04-19 21:42 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-13 12:10 - 2012-04-19 21:42 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-13 12:10 - 2012-04-19 21:42 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-13 12:10 - 2012-04-19 21:00 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-13 12:10 - 2012-04-19 21:00 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-13 12:10 - 2012-04-19 20:57 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-13 12:10 - 2012-04-19 20:57 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2012-06-13 12:10 - 2012-04-19 20:57 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-13 12:10 - 2012-04-19 20:56 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-13 12:10 - 2012-04-19 20:56 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-13 12:10 - 2012-04-19 20:56 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-13 12:10 - 2012-04-19 19:45 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-13 12:10 - 2012-04-19 19:16 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-13 12:10 - 2012-04-16 21:31 - 00918016 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-13 12:10 - 2012-04-16 20:34 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-13 12:09 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-13 12:09 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-06-13 12:09 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-06-13 12:09 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-06-13 12:09 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-06-13 12:09 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-06-13 12:09 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-06-13 12:09 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-06-13 12:09 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-06-13 12:09 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-06-13 12:09 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-06-13 12:09 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-06-13 12:09 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-06-13 12:09 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-06-13 12:09 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-06-13 12:09 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
    2012-06-13 12:09 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
    2012-06-12 08:11 - 2012-06-12 09:17 - 515487984 ____A C:\Users\Pat\Downloads\Recettear An Item Shop's Tale.rar
    2012-06-12 08:10 - 2012-06-13 19:39 - 00000000 ____D C:\Users\Pat\Downloads\recettear

    ============ 3 Months Modified Files ========================
    2012-07-06 21:46 - 2011-07-16 16:08 - 04063645 ____A C:\FaceProv.log
    2012-07-06 21:46 - 2009-07-13 21:08 - 00025864 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-06 21:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-06 21:45 - 2009-07-13 20:51 - 00047040 ____A C:\Windows\setupact.log
    2012-07-06 21:44 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-07-06 21:38 - 2012-03-11 13:34 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-06 21:18 - 2011-07-16 16:18 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1893159273-810026186-2473565105-1001UA.job
    2012-07-06 20:59 - 2012-07-06 20:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4C5F80B573D12828
    2012-07-06 20:45 - 2012-07-06 20:45 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A8BEF0D3D114D71E
    2012-07-06 20:42 - 2011-06-17 00:57 - 00068466 ____A C:\Windows\PFRO.log
    2012-07-06 20:28 - 2012-03-11 13:34 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-06 20:25 - 2012-07-06 20:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CA258C2B4689C033
    2012-07-06 20:23 - 2009-07-13 21:13 - 00730572 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-06 20:15 - 2012-07-06 20:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C1542D0F8BE95AAB
    2012-07-06 20:10 - 2011-07-16 16:18 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1893159273-810026186-2473565105-1001Core.job
    2012-07-06 20:07 - 2011-06-17 00:41 - 01218700 ____A C:\Windows\WindowsUpdate.log
    2012-07-06 20:07 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-06 20:07 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-06 20:06 - 2012-03-25 13:41 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-06 20:06 - 2011-08-22 17:47 - 00744722 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-06 20:05 - 2012-07-06 20:05 - 12621696 ____A (Microsoft Corporation) C:\Users\Pat\Downloads\mseinstall(2).exe
    2012-07-06 19:58 - 2012-07-06 19:58 - 00347424 ____A (Microsoft Corporation) C:\Users\Pat\Downloads\MicrosoftFixit.wu.Run.exe
    2012-07-06 19:47 - 2012-07-05 13:42 - 00009728 ____H C:\Users\Pat\AppData\Roaming\desktop.ini
    2012-07-06 16:15 - 2011-07-22 20:28 - 00000550 ____A C:\Users\Pat\Desktop\CVS times.txt
    2012-07-04 15:46 - 2012-07-04 15:46 - 00001671 ____A C:\Users\Pat\Desktop\t3 - Shortcut.lnk
    2012-07-02 13:52 - 2011-07-16 16:19 - 00002385 ____A C:\Users\Pat\Desktop\Google Chrome.lnk
    2012-06-28 23:45 - 2012-06-28 22:37 - 209803023 ____A C:\Users\Pat\Downloads\Phineas.and.Ferb.720p.HDTV.What.a.Croc.J3FF.mkv
    2012-06-27 22:01 - 2011-07-16 16:47 - 00000241 ____A C:\Users\Pat\Desktop\Team Fortress 2.url
    2012-06-20 17:48 - 2012-06-20 17:48 - 01655557 ____A C:\Users\Pat\Downloads\Wood_R4_v1.48.rar
    2012-06-17 15:31 - 2012-06-17 14:58 - 1141644924 ____A C:\Users\Pat\Desktop\3sUnKnOwN.avi
    2012-06-17 13:36 - 2012-06-17 13:03 - 254943789 ____A C:\Users\Pat\Desktop\the three stooges - 3 dumb clucks (1937).mp4
    2012-06-15 10:31 - 2012-06-15 10:31 - 23748738 ____A (Igor Pavlov) C:\Users\Pat\Downloads\tor-browser-2.2.37-1_en-US.exe
    2012-06-14 15:36 - 2009-07-13 20:45 - 00291384 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-14 07:13 - 2011-11-06 06:20 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-06-13 07:33 - 2011-10-19 15:40 - 00001107 ___AH C:\IPH.PH
    2012-06-12 09:17 - 2012-06-12 08:11 - 515487984 ____A C:\Users\Pat\Downloads\Recettear An Item Shop's Tale.rar
    2012-06-04 13:18 - 2012-06-04 13:14 - 208693552 ____A (Nero AG) C:\Users\Pat\Downloads\Nero_KwikMedia-11.2.00900_free.exe
    2012-06-03 19:33 - 2011-07-22 09:00 - 00414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-06-03 18:54 - 2012-06-03 18:42 - 398407424 ____A (Nero AG) C:\Users\Pat\Downloads\Nero-11.2.00900_trial.exe
    2012-06-02 14:19 - 2012-06-22 12:08 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-22 12:08 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-22 12:08 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-22 12:08 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-22 12:08 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-22 12:08 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-22 12:08 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-22 12:08 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:15 - 2012-06-22 12:08 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-28 15:05 - 2012-05-10 09:54 - 00012800 ____A C:\CurrentFileterGrp.grf
    2012-05-25 12:18 - 2012-05-25 12:18 - 00002059 ____A C:\Users\Public\Desktop\Nitro Pro 7.lnk
    2012-05-25 12:16 - 2012-05-25 12:14 - 58803048 ____A (Nitro PDF Software) C:\Users\Pat\Downloads\nitro_pdf_professional7_x64.exe
    2012-05-20 20:11 - 2012-05-20 19:51 - 228638868 ____A C:\Users\Pat\Downloads\Phineas.and.Ferb.HDTV.Agent.Doof..Minor.Monogram.XviD.J3FF.avi
    2012-05-20 20:07 - 2012-05-20 19:52 - 207023122 ____A C:\Users\Pat\Downloads\Phineas.and.Ferb.HDTV.The.Mom.Attractor..Cranius Maximus.XviD.J3FF.avi
    2012-05-20 15:58 - 2012-05-20 15:58 - 00000020 ___SH C:\Users\UpdatusUser\ntuser.ini
    2012-05-20 09:30 - 2012-05-20 09:30 - 00001189 ____A C:\Users\Public\Desktop\Diablo III.lnk
    2012-05-20 09:20 - 2012-05-20 09:20 - 32288896 ____A (Blizzard Entertainment) C:\Users\Pat\Downloads\Diablo-III-Setup-enUS.exe
    2012-05-17 17:53 - 2012-05-17 17:22 - 00282459 ____A C:\Users\Pat\Downloads\Legend of Zelda, The - A Link to the Past (Europe).zst
    2012-05-17 17:53 - 2012-05-17 17:14 - 00008192 ____A C:\Users\Pat\Downloads\Legend of Zelda, The - A Link to the Past (Europe).srm
    2012-05-17 17:53 - 2012-05-17 17:05 - 00020676 ____A C:\Users\Pat\Desktop\zsnesw.cfg
    2012-05-17 17:53 - 2012-05-17 17:05 - 00003814 ____A C:\Users\Pat\Desktop\zinput.cfg
    2012-05-17 17:10 - 2012-05-17 17:05 - 00000288 ____A C:\Users\Pat\Desktop\rominfo.txt
    2012-05-17 17:09 - 2012-05-17 17:05 - 00002480 ____A C:\Users\Pat\Desktop\zmovie.cfg
    2012-05-17 17:08 - 2012-05-17 17:08 - 01572864 ____A C:\Users\Pat\Downloads\Legend of Zelda, The - A Link to the Past (Europe).sfc
    2012-05-17 17:05 - 2012-05-17 17:05 - 00008952 ____A C:\Users\Pat\Desktop\zfont.txt
    2012-05-17 17:04 - 2012-05-17 17:04 - 00703140 ____A C:\Users\Pat\Downloads\Legend of Zelda, The - A Link to the Past (Europe).zip
    2012-05-16 11:33 - 2012-05-16 11:33 - 00069640 ____A (Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
    2012-05-16 11:32 - 2012-05-25 12:18 - 00029704 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalmon2.dll
    2012-05-16 11:32 - 2012-05-25 12:18 - 00017928 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalui2.dll
    2012-05-14 20:01 - 2012-06-13 12:10 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-14 19:59 - 2012-06-13 12:10 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-14 19:03 - 2012-06-13 12:10 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-14 19:00 - 2012-06-13 12:10 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-14 17:32 - 2012-06-13 12:09 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-12 14:36 - 2012-05-12 14:36 - 00001031 ____A C:\Users\Pat\Desktop\CDisplayEx.lnk
    2012-05-12 14:35 - 2012-05-12 14:35 - 05749280 ____A (Henri Gourvest. ) C:\Users\Pat\Downloads\CDisplayEx_V1.8.exe
    2012-05-11 09:58 - 2012-05-08 14:09 - 733620224 ____A C:\Users\Pat\Downloads\Tutti A Hollywood Con I Muppet -The Muppet movie.avi
    2012-05-04 03:06 - 2012-06-13 12:09 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-05-04 02:03 - 2012-06-13 12:09 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-05-04 02:03 - 2012-06-13 12:09 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-04-30 21:40 - 2012-06-13 12:09 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-04-27 19:55 - 2012-06-13 12:09 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-25 21:41 - 2012-06-13 12:09 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-04-25 21:41 - 2012-06-13 12:09 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-04-25 21:34 - 2012-06-13 12:09 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-04-23 21:37 - 2012-06-13 12:09 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 21:37 - 2012-06-13 12:09 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 21:37 - 2012-06-13 12:09 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 20:36 - 2012-06-13 12:09 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-04-23 20:36 - 2012-06-13 12:09 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-04-23 20:36 - 2012-06-13 12:09 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-04-19 21:42 - 2012-06-13 12:10 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-04-19 21:42 - 2012-06-13 12:10 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-04-19 21:42 - 2012-06-13 12:10 - 02454528 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-04-19 21:42 - 2012-06-13 12:10 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-04-19 21:42 - 2012-06-13 12:10 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-04-19 21:42 - 2012-06-13 12:10 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-04-19 21:42 - 2012-06-13 12:10 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-04-19 21:42 - 2012-06-13 12:10 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-04-19 21:00 - 2012-06-13 12:10 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-04-19 21:00 - 2012-06-13 12:10 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-04-19 20:57 - 2012-06-13 12:10 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-04-19 20:57 - 2012-06-13 12:10 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2012-04-19 20:57 - 2012-06-13 12:10 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-04-19 20:56 - 2012-06-13 12:10 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-04-19 20:56 - 2012-06-13 12:10 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-04-19 20:56 - 2012-06-13 12:10 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-04-19 19:45 - 2012-06-13 12:10 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-04-19 19:16 - 2012-06-13 12:10 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-04-16 21:31 - 2012-06-13 12:10 - 00918016 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-04-16 20:34 - 2012-06-13 12:10 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-04-12 17:52 - 2012-03-30 17:22 - 00000513 ____A C:\Users\Pat\Desktop\Rayman Origins.lnk

    ZeroAccess:
    C:\Windows\Installer\{09829da7-7670-ac83-78c4-af55cbaa0f03}
    C:\Windows\Installer\{09829da7-7670-ac83-78c4-af55cbaa0f03}\@
    C:\Windows\Installer\{09829da7-7670-ac83-78c4-af55cbaa0f03}\L
    C:\Windows\Installer\{09829da7-7670-ac83-78c4-af55cbaa0f03}\n
    C:\Windows\Installer\{09829da7-7670-ac83-78c4-af55cbaa0f03}\U
    C:\Windows\Installer\{09829da7-7670-ac83-78c4-af55cbaa0f03}\U\00000001.@
    C:\Windows\Installer\{09829da7-7670-ac83-78c4-af55cbaa0f03}\U\80000000.@
    C:\Windows\Installer\{09829da7-7670-ac83-78c4-af55cbaa0f03}\U\800000cb.@
    ZeroAccess:
    C:\Users\Pat\AppData\Local\{09829da7-7670-ac83-78c4-af55cbaa0f03}
    C:\Users\Pat\AppData\Local\{09829da7-7670-ac83-78c4-af55cbaa0f03}\@
    C:\Users\Pat\AppData\Local\{09829da7-7670-ac83-78c4-af55cbaa0f03}\L
    C:\Users\Pat\AppData\Local\{09829da7-7670-ac83-78c4-af55cbaa0f03}\U
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 15%
    Total physical RAM: 3958.85 MB
    Available physical RAM: 3351.95 MB
    Total Pagefile: 3957 MB
    Available Pagefile: 3345.35 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB
    ======================= Partitions =========================
    1 Drive c: () (Fixed) (Total:421.81 GB) (Free:53.6 GB) NTFS
    2 Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:25.96 GB) NTFS
    4 Drive g: (FreeAgent Drive) (Fixed) (Total:465.76 GB) (Free:11.5 GB) NTFS
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: () (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 1024 KB
    Disk 1 Online 465 GB 1024 KB
    Disk 2 No Media 0 B 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 200 MB 1024 KB
    Partition 2 Primary 421 GB 201 MB
    Partition 0 Extended 28 GB 422 GB
    Partition 4 Logical 28 GB 422 GB
    Partition 3 OEM 14 GB 451 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y NTFS Partition 200 MB Healthy
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 421 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 4
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 D LENOVO NTFS Partition 28 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 3
    Type : 12
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 6 LENOVO_PART NTFS Partition 14 GB Healthy Hidden
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 465 GB 31 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G FreeAgent D NTFS Partition 465 GB Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-06-28 18:02
    ======================= End Of Log ==========================
     
  4. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    In Vista or Windows 7: Boot to System Recovery Options and run FRST.
    In Windows XP: Please boot to UBCD and run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click the Search button and post the log (Search.txt) it makes in your reply.
     
  5. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    Farbar Recovery Scan Tool Version: 07-07-2012 02
    Ran by SYSTEM at 2012-07-07 20:25:24
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2012-07-06 21:44] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

    ====== End Of Search ======
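    A check on the Search.txt result above, written here as an added example (not part of the thread and not Farbar's code): it parses FRST search output, using the log posted above as embedded sample input, and flags a System32 file whose MD5 no longer matches the WinSxS component-store copy of the same name and size, which is exactly the signal that points at the patched services.exe.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the Search.txt body posted in this thread (values as shown on the page).
FRST_SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2012-07-06 21:44] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# A hit is a path line followed by a detail line: [created] - [modified] - size attrs (company) MD5
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"\[(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search_log(text):
    """Return one dict per file hit in an FRST Search.txt."""
    entries = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending_path = line          # remember the path, details come on the next line
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            d = m.groupdict()
            entries.append({
                "path": pending_path,
                "name": pending_path.rsplit("\\", 1)[-1].lower(),
                "created": datetime.strptime(d["created"], "%Y-%m-%d %H:%M"),
                "modified": datetime.strptime(d["modified"], "%Y-%m-%d %H:%M"),
                "size": int(d["size"]),
                "company": d["company"],
                "md5": d["md5"].upper(),
            })
            pending_path = None
    return entries


def find_patched_system_files(entries):
    """Compare each non-WinSxS copy of a file against the WinSxS copies of the same name.

    WinSxS holds the component-store originals, so a live System32/SysWOW64 copy
    whose MD5 differs from every WinSxS copy is suspect; if the size is still
    identical, the file was most likely patched in place rather than replaced.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    findings = []
    for name, group in by_name.items():
        store = [e for e in group if "\\winsxs\\" in e["path"].lower()]
        reference = {e["md5"] for e in store}
        for e in group:
            if e in store or not reference:
                continue
            if e["md5"] in reference:
                continue
            reasons = ["MD5 %s matches no WinSxS copy (%s)"
                       % (e["md5"], ", ".join(sorted(reference)))]
            if any(s["size"] == e["size"] for s in store):
                reasons.append("size %d unchanged: patched in place" % e["size"])
            if e["modified"] > e["created"]:
                reasons.append("modified %s, well after creation %s"
                               % (e["modified"].date(), e["created"].date()))
            findings.append({"path": e["path"], "md5": e["md5"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_patched_system_files(parse_search_log(FRST_SEARCH_LOG)):
        print(f["path"])
        for r in f["reasons"]:
            print("   -", r)
```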
     
  6. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run, then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  7. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 07-07-2012 02
    Ran by SYSTEM at 2012-07-07 20:48:22 Run:1
    Running from G:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\Windows\System32\services.exe.4C5F80B573D12828 moved successfully.
    C:\Windows\System32\services.exe.A8BEF0D3D114D71E moved successfully.
    C:\Windows\System32\services.exe.CA258C2B4689C033 moved successfully.
    C:\Windows\System32\services.exe.C1542D0F8BE95AAB moved successfully.
    C:\Windows\Installer\{09829da7-7670-ac83-78c4-af55cbaa0f03} moved successfully.
    C:\Users\Pat\AppData\Local\{09829da7-7670-ac83-78c4-af55cbaa0f03} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====

    ComboFix 12-07-07.04 - Pat 07/07/2012 21:01:25.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3959.2254 [GMT -4:00]
    Running from: c:\users\Pat\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\users\Pat\AppData\Roaming\desktop.ini
    c:\users\Pat\AppData\Roaming\Love
    c:\users\Pat\AppData\Roaming\Love\mari0\options.txt
    c:\users\Pat\AppData\Roaming\ntuser.dat
    c:\windows\s.bat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-08 to 2012-07-08 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-08 01:09 . 2012-07-08 01:09 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65773ED-356D-4787-8287-A399E66F09C0}\offreg.dll
    2012-07-07 09:49 . 2012-07-07 09:49 -------- d-----w- C:\FRST
    2012-07-07 04:09 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{06128B3D-23B2-454D-AF7F-A8929F30000F}\gapaengine.dll
    2012-07-07 04:09 . 2012-06-18 07:12 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A65773ED-356D-4787-8287-A399E66F09C0}\mpengine.dll
    2012-07-07 04:06 . 2012-07-07 04:06 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-07-07 04:06 . 2012-07-07 04:06 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-07 04:01 . 2012-07-07 04:01 -------- d-----w- c:\users\Pat\AppData\Local\ElevatedDiagnostics
    2012-07-05 21:46 . 2012-07-05 21:46 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-04 21:32 . 2012-07-04 21:52 -------- d-----w- c:\program files (x86)\Thief - Deadly Shadows
    2012-07-04 21:31 . 2003-11-10 22:13 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
    2012-07-04 21:31 . 2003-11-10 22:12 266240 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
    2012-07-04 21:31 . 2003-11-10 22:12 192512 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
    2012-07-04 21:31 . 2003-11-10 22:10 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
    2012-07-04 21:31 . 2003-11-10 22:14 729088 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
    2012-07-04 21:31 . 2003-11-10 22:11 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
    2012-07-04 21:31 . 2012-07-04 21:31 311428 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
    2012-07-04 21:31 . 2012-07-04 21:31 188548 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
    2012-06-28 04:55 . 2012-06-28 04:55 -------- d-----w- c:\users\Pat\AppData\Roaming\NVIDIA
    2012-06-28 04:55 . 2012-06-28 04:55 -------- d-----w- c:\users\Pat\AppData\Roaming\RenPy
    2012-06-22 20:08 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-22 20:08 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-22 20:08 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-22 20:08 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-22 20:08 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-22 20:08 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-22 20:08 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-22 20:08 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-22 20:08 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-18 23:23 . 2012-06-18 23:23 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-18 23:23 . 2012-06-18 23:23 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-13 20:09 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-04 03:33 . 2011-07-22 17:00 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-04 02:49 . 2012-06-04 02:49 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2012-06-04 02:48 . 2012-06-04 02:48 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2012-06-04 02:44 . 2012-06-04 02:44 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2012-06-04 02:43 . 2012-06-04 02:43 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-05-16 19:33 . 2012-05-16 19:33 69640 ----a-w- c:\windows\SysWow64\NLSSRV32.EXE
    2012-05-16 19:32 . 2012-05-25 20:18 29704 ----a-w- c:\windows\system32\nitrolocalmon2.dll
    2012-05-16 19:32 . 2012-05-25 20:18 17928 ----a-w- c:\windows\system32\nitrolocalui2.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-02-28 740216]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-24 3478336]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-06-14 17425584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    .
    c:\users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Jobulator.lnk - c:\program files (x86)\Jobulator\Jobulator.exe [2011-12-12 142336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-11 136176]
    R2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\System32\IgrsSvcs.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-14 160944]
    R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys [2009-07-16 79376]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-04-09 47616]
    R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-11 136176]
    R3 IGRS;IGRS;c:\program files (x86)\Lenovo\ReadyComm\common\IGRS.exe [2009-07-14 38152]
    R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-10 270848]
    R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-08-14 509192]
    R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-09-22 579400]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-18 113120]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
    R3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\System32\IgrsSvcs.exe [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-03-12 242720]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-19 1255736]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
    R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Pat\Downloads\RealTemp_370\WinRing0x64.sys [2008-07-27 14544]
    R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 121840]
    R4 Oasis2Service;Oasis2Service;c:\program files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [2010-06-23 46080]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 LHDmgr;LHDmgr;c:\windows\System32\DRIVERS\LhdX64.sys [2010-01-15 39008]
    S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [2011-12-01 72240]
    S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [2011-12-01 15920]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-08 283200]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-03 13336]
    S2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [2012-05-16 216072]
    S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE [2012-05-16 69640]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-03-01 2348352]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-12-09 2320920]
    S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-10-19 28176]
    S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-06-24 167816]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-26 158976]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-01-17 188224]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-22 347680]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    S3 usbsmi;Lenovo EasyCamera;c:\windows\system32\DRIVERS\SMIksdrv.sys [2010-04-20 200704]
    S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [2009-07-16 11280]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-11 21:34]
    .
    2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-11 21:34]
    .
    2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1893159273-810026186-2473565105-1001Core.job
    - c:\users\Pat\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-17 00:18]
    .
    2012-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1893159273-810026186-2473565105-1001UA.job
    - c:\users\Pat\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-17 00:18]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
    @="{771C7324-DA80-49D3-8017-753B0AF60951}"
    [HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
    2011-06-17 09:25 1502720 ----a-w- c:\windows\System32\IcnOvrly.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://lenovo.msn.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyServer = 201.123.39.103:3128
    uInternet Settings,ProxyOverride = <local>
    TCP: DhcpNameServer = 68.87.64.146 68.87.75.194 68.87.71.226
    FF - ProfilePath - c:\users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\tnlvggfh.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20111019234102544&tb_oid=29-10-2011&tb_mrud=29-10-2011
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20111019234102544&tb_oid=29-10-2011&tb_mrud=29-10-2011&query=
    FF - user.js: general.useragent.extra.brc -
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    HKLM-Run-ETDWare - c:\program files (x86)\Elantech\ETDCtrl.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-07 21:17:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-08 01:17
    .
    Pre-Run: 57,988,710,400 bytes free
    Post-Run: 60,554,141,696 bytes free
    .
    - - End Of File - - 5F87208316737D04C51BD9E25387A90D

    *****Computer's up and running and there's no auto restart in sight. ^_^ I'll leave that up to you to verify 'cause I don't want to get excited too early.

    Also, not that I'm going to right now, but is the option to reformat my computer to factory settings restored or is it possible that the image was forever corrupted?
     
  8. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    In a case like yours, where a rootkit is involved, restoring to factory settings won't do, because it doesn't format the hard drive.
    In the case of a rootkit, only formatting the drive will get rid of it.
    If you want to restore later, when your computer is clean, it won't be a problem.

    Any current issues?

    ===========================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ======================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
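Added example, not part of Broni's post and not code from OTL or Malwarebytes: a small Python triage script for the Internet Explorer and FireFox sections of an OTL log, flagging proxy settings that point at a non-local host and search scopes outside an allow-list. The sample lines are constructed in OTL's line format (user SID shortened), and `triage_otl`, `_is_external`, `_search_allowed`, `SEARCH_ALLOW` and the regexes are names chosen for this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the format OTL uses for its "Internet Explorer" and
# "FireFox" sections (not a real log; the user SID is shortened). It mixes a
# benign loopback SOCKS proxy and a normal Bing scope with the kind of
# entries a proxy/search hijack leaves behind.
SAMPLE_OTL = r"""
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 201.123.39.103:3128
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LENDF8
IE - HKU\S-1-5-21-1\..\SearchScopes\{FB48B168-84BB-CCE3-D32D-94102F37C5B0}: "URL" = http://apl.startnow.com/s/?q={searchTerms}
FF - prefs.js..network.proxy.http: "61.63.24.72"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.backup.ssl: "109.111.236.114"
FF - prefs.js..network.proxy.backup.ssl_port: 8080
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..browser.startup.homepage: "google.com"
"""

# Search engines a stock install is expected to point at (assumption for this
# example; extend the tuple for your own environment).
SEARCH_ALLOW = ("bing.com", "google.com", "yahoo.com")

# Regexes written for this example, matching the line shapes shown above.
IE_SETTINGS_RE = re.compile(
    r'^IE - (?P<key>.+?\\Internet Settings): "(?P<name>Proxy\w+)" = (?P<value>.+)$')
IE_SEARCH_RE = re.compile(
    r'^IE - (?P<key>.+?SearchScopes\\\{[^}]*\}): "URL" = (?P<url>\S+)$')
FF_PROXY_RE = re.compile(
    r'^FF - prefs\.js\.\.network\.proxy\.(?P<name>[\w.]+): (?P<value>.+)$')
FF_NON_HOST = {"share_proxy_settings", "type", "no_proxies_on", "autoconfig_url"}


def _is_external(host: str) -> bool:
    """True when a proxy host is neither loopback, private nor link-local.
    Hostnames cannot be resolved offline, so anything except localhost is
    flagged for manual review as well."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() != "localhost"
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)


def _search_allowed(url: str, allow) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == a or host.endswith("." + a) for a in allow)


def triage_otl(text: str, search_allow=SEARCH_ALLOW):
    """Scan OTL IE/Firefox lines; return (source, setting, value, reason) tuples."""
    findings = []
    ie_settings = {}   # registry key -> {"ProxyEnable": ..., "ProxyServer": ...}
    ff_hosts, ff_ports = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = IE_SETTINGS_RE.match(line)
        if m:
            ie_settings.setdefault(m.group("key"), {})[m.group("name")] = m.group("value")
            continue
        m = IE_SEARCH_RE.match(line)
        if m and not _search_allowed(m.group("url"), search_allow):
            findings.append(("IE", m.group("key"), m.group("url"), "search scope outside allow-list"))
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            name, value = m.group("name"), m.group("value").strip('"')
            if name.endswith("_port"):
                ff_ports[name[:-5]] = value
            elif name not in FF_NON_HOST:
                ff_hosts[name] = value
    # A ProxyServer value is reported even when ProxyEnable is 0: the setting
    # can be switched back on later, and it records where the system was pointed.
    for key, vals in ie_settings.items():
        server = vals.get("ProxyServer")
        if not server:
            continue
        state = "enabled" if vals.get("ProxyEnable") == "1" else "ProxyEnable=0, dormant"
        for entry in server.split(";"):          # "host:port" or "http=host:port;https=..."
            hostport = entry.split("=", 1)[-1]
            if _is_external(hostport.rsplit(":", 1)[0]):
                findings.append(("IE", key, hostport, f"proxy to external host ({state})"))
    for name, host in ff_hosts.items():
        if _is_external(host):
            findings.append(("FF", f"network.proxy.{name}", f"{host}:{ff_ports.get(name, '?')}",
                             "proxy to external host"))
    return findings


if __name__ == "__main__":
    for source, setting, value, reason in triage_otl(SAMPLE_OTL):
        print(f"[{source}] {reason}: {setting} -> {value}")
```

To use it on a real scan, pass the contents of OTL.txt to `triage_otl` instead of the constructed sample.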
     
  9. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    OTL logfile created on: 7/7/2012 9:46:10 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Pat\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7601.17514)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.87 Gb Total Physical Memory | 2.19 Gb Available Physical Memory | 56.75% Memory free
    9.72 Gb Paging File | 7.85 Gb Available in Paging File | 80.78% Paging File free
    Paging file location(s): c:\pagefile.sys 6000 6000 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 421.81 Gb Total Space | 56.31 Gb Free Space | 13.35% Space Free | Partition Type: NTFS
    Drive D: | 29.00 Gb Total Space | 25.96 Gb Free Space | 89.54% Space Free | Partition Type: NTFS
    Drive G: | 465.76 Gb Total Space | 11.50 Gb Free Space | 2.47% Space Free | Partition Type: NTFS

    Computer Name: PAT-PC | User Name: Pat | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/07 21:45:32 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Pat\Downloads\OTL.exe
    PRC - [2012/06/18 19:23:10 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    PRC - [2012/05/16 15:33:14 | 000,069,640 | ---- | M] (Nalpeiron Ltd.) -- C:\Windows\SysWOW64\NLSSRV32.EXE
    PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2012/02/29 20:02:00 | 002,348,352 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    PRC - [2012/02/29 13:26:46 | 000,382,272 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    PRC - [2012/02/27 22:20:33 | 000,740,216 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files (x86)\uTorrent\uTorrent.exe
    PRC - [2011/12/12 00:16:49 | 000,142,336 | ---- | M] () -- C:\Program Files (x86)\Jobulator\Jobulator.exe
    PRC - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    PRC - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    PRC - [2010/03/03 16:16:06 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    PRC - [2009/12/09 04:48:26 | 002,320,920 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    PRC - [2009/12/09 04:48:24 | 000,268,824 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/06/18 19:23:10 | 002,042,848 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
    MOD - [2012/02/29 13:26:28 | 000,360,768 | ---- | M] () -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\Nv3DVStreaming.dll
    MOD - [2011/12/12 00:16:49 | 000,142,336 | ---- | M] () -- C:\Program Files (x86)\Jobulator\Jobulator.exe
    MOD - [2010/04/20 16:40:54 | 000,262,144 | ---- | M] () -- C:\Windows\SysWOW64\370prop.ax


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2012/05/16 15:33:08 | 000,216,072 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe -- (NitroDriverReadSpool2)
    SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV:64bit: - [2010/09/22 14:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
    SRV:64bit: - [2009/09/22 14:16:32 | 000,579,400 | ---- | M] (Lenovo Group Limited) [On_Demand | Stopped] -- C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe -- (Lenovo ReadyComm ConnSvc)
    SRV:64bit: - [2009/08/14 10:22:48 | 000,509,192 | ---- | M] (Lenovo Group Limited) [On_Demand | Stopped] -- C:\Program Files\Lenovo\ReadyComm\AppSvc.exe -- (Lenovo ReadyComm AppSvc)
    SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2012/06/27 23:25:34 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2012/06/18 19:23:10 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/06/14 11:37:10 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2012/05/16 15:33:14 | 000,069,640 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\Windows\SysWOW64\NLSSRV32.EXE -- (nlsX86cc)
    SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/02/29 20:02:00 | 002,348,352 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
    SRV - [2012/02/29 13:26:46 | 000,382,272 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
    SRV - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
    SRV - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
    SRV - [2010/06/23 05:39:54 | 000,046,080 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe -- (Oasis2Service)
    SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/03/03 16:16:06 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)
    SRV - [2009/12/09 04:48:26 | 002,320,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
    SRV - [2009/12/09 04:48:24 | 000,268,824 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
    SRV - [2009/07/15 23:12:42 | 000,276,296 | ---- | M] (Lenovo Group Limited) [On_Demand | Stopped] -- C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll -- (PS_MDP)
    SRV - [2009/07/14 10:27:26 | 000,038,152 | ---- | M] (Lenovo Group Limited) [On_Demand | Stopped] -- C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe -- (IGRS)
    SRV - [2009/07/14 10:27:20 | 000,103,688 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll -- (ReadyComm.DirectRouter)
    SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/04/04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
    DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2012/02/08 19:06:35 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
    DRV:64bit: - [2012/01/17 08:45:56 | 000,188,224 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
    DRV:64bit: - [2011/12/01 11:42:44 | 000,072,240 | ---- | M] (Nero AG) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\NBVol.sys -- (NBVol)
    DRV:64bit: - [2011/12/01 11:42:44 | 000,015,920 | ---- | M] (Nero AG) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\NBVolUp.sys -- (NBVolUp)
    DRV:64bit: - [2011/10/01 09:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
    DRV:64bit: - [2011/10/01 09:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
    DRV:64bit: - [2011/10/01 09:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
    DRV:64bit: - [2011/10/01 09:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
    DRV:64bit: - [2011/04/13 15:04:38 | 000,045,432 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
    DRV:64bit: - [2011/04/13 15:04:38 | 000,023,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nuidfltr.sys -- (NuidFltr)
    DRV:64bit: - [2011/04/08 23:00:20 | 000,047,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/06/23 22:43:58 | 000,167,816 | ---- | M] (ELAN Microelectronics Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ETD.sys -- (ETD)
    DRV:64bit: - [2010/06/18 09:34:58 | 004,170,304 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
    DRV:64bit: - [2010/04/20 16:14:16 | 000,200,704 | ---- | M] (SMI) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SMIksdrv.sys -- (usbsmi)
    DRV:64bit: - [2010/03/22 05:57:20 | 000,347,680 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2010/03/11 23:23:16 | 000,242,720 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
    DRV:64bit: - [2010/03/03 15:51:40 | 000,540,696 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
    DRV:64bit: - [2010/02/26 04:32:12 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
    DRV:64bit: - [2010/01/18 05:45:50 | 000,717,368 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
    DRV:64bit: - [2010/01/15 14:08:34 | 000,039,008 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\LhdX64.sys -- (LHDmgr)
    DRV:64bit: - [2009/10/18 20:40:50 | 000,028,176 | ---- | M] (Lenovo Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AcpiVpc.sys -- (ACPIVPC)
    DRV:64bit: - [2009/09/17 00:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) Intel(R)
    DRV:64bit: - [2009/07/21 10:20:06 | 000,121,840 | ---- | M] (CyberLink) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wsvd.sys -- (wsvd)
    DRV:64bit: - [2009/07/16 07:55:34 | 000,011,280 | ---- | M] (Lenovo) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WDMirror.sys -- (wdmirror)
    DRV:64bit: - [2009/07/15 23:38:20 | 000,079,376 | ---- | M] (Lenovo) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WDBridge.sys -- (Bridge0)
    DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/10 16:37:05 | 006,108,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
    DRV:64bit: - [2009/06/10 16:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64) Intel(R)
    DRV:64bit: - [2009/06/10 16:34:36 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\k57nd60a.sys -- (k57nd60a) Broadcom NetLink (TM)
    DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2008/08/06 08:32:16 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
    DRV:64bit: - [2008/05/06 16:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
    DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
    DRV - [2008/07/26 22:30:36 | 000,014,544 | ---- | M] (OpenLibSys.org) [Kernel | On_Demand | Stopped] -- C:\Users\Pat\Downloads\RealTemp_370\WinRing0x64.sys -- (WinRing0_1_2_0)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
    IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll (AOL Inc.)
    IE - HKLM\..\SearchScopes,DefaultScope = {0B4A10D1-FBD6-451d-BFDA-F03252B05984}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
    IE - HKLM\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect.search.aol.com...34102544&tb_oid=19-10-2011&tb_mrud=19-10-2011


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 201.123.39.103:3128

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 201.123.39.103:3128



    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll (AOL Inc.)
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\..\SearchScopes,DefaultScope = {FB48B168-84BB-CCE3-D32D-94102F37C5B0}
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\..\SearchScopes\{7fafb956-6a18-40a1-9db9-4859ad301442}: "URL" = http://slirsredirect.search.aol.com...34102544&tb_oid=19-10-2011&tb_mrud=19-10-2011
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\..\SearchScopes\{FB48B168-84BB-CCE3-D32D-94102F37C5B0}: "URL" = http://apl.startnow.com/s/?q={searc...s_version=6.1-x64-SP0&iesrc={referrer:source}
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 201.123.39.103:3128

    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "AOL Search"
    FF - prefs.js..browser.search.defaulturl: "http://aim.search.aol.com/aol/searc...34102544&tb_oid=29-10-2011&tb_mrud=29-10-2011"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "google.com"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}:6.0.27
    FF - prefs.js..extensions.enabledItems: {c2f863cd-0429-48c7-bb54-db756a951760}:5.96.10.7194
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}:6.0.30
    FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com...4&tb_oid=29-10-2011&tb_mrud=29-10-2011&query="
    FF - prefs.js..network.proxy.backup.ftp: "109.111.236.114"
    FF - prefs.js..network.proxy.backup.ftp_port: 8080
    FF - prefs.js..network.proxy.backup.socks: "109.111.236.114"
    FF - prefs.js..network.proxy.backup.socks_port: 8080
    FF - prefs.js..network.proxy.backup.ssl: "109.111.236.114"
    FF - prefs.js..network.proxy.backup.ssl_port: 8080
    FF - prefs.js..network.proxy.ftp: "61.63.24.72"
    FF - prefs.js..network.proxy.ftp_port: 3128
    FF - prefs.js..network.proxy.http: "61.63.24.72"
    FF - prefs.js..network.proxy.http_port: 3128
    FF - prefs.js..network.proxy.share_proxy_settings: true
    FF - prefs.js..network.proxy.socks: "61.63.24.72"
    FF - prefs.js..network.proxy.socks_port: 3128
    FF - prefs.js..network.proxy.ssl: "61.63.24.72"
    FF - prefs.js..network.proxy.ssl_port: 3128


    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
    FF - HKLM\Software\MozillaPlugins\@nitropdf.com/NitroPDF: C:\Program Files (x86)\Nitro PDF\Professional 7\npnitromozilla.dll ( )
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@onlive.com/OnLiveGameClientDetector,version=1.0.0: C:\Program Files (x86)\OnLive\Plugin\npolgdet.dll (OnLive)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Pat\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Pat\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/06/18 19:23:11 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/03/17 22:55:48 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/06/18 19:23:11 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/03/17 22:55:48 | 000,000,000 | ---D | M]

    [2011/07/16 20:13:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Pat\AppData\Roaming\Mozilla\Extensions
    [2012/07/03 20:22:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\tnlvggfh.default\extensions
    [2012/06/13 15:34:29 | 000,000,000 | ---D | M] (AOL Messaging Toolbar) -- C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\tnlvggfh.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
    [2012/03/19 20:14:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2012/03/20 07:59:33 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    [2012/07/03 20:22:16 | 000,743,290 | ---- | M] () (No name found) -- C:\USERS\PAT\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\TNLVGGFH.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
    [2012/06/18 19:23:11 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2012/03/10 19:49:10 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
    [2011/10/19 19:40:43 | 000,002,242 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\AOL Search.xml
    [2012/06/18 19:23:08 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/06/18 19:23:08 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Pat\AppData\Local\Google\Chrome\Application\19.0.1084.56\gcswf32.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
    CHR - plugin: Chrome NaCl (Enabled) = C:\Users\Pat\AppData\Local\Google\Chrome\Application\19.0.1084.56\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Pat\AppData\Local\Google\Chrome\Application\19.0.1084.56\pdf.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Windows Live™ Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    CHR - plugin: Google Update (Enabled) = C:\Users\Pat\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin
    CHR - Extension: YouTube = C:\Users\Pat\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
    CHR - Extension: Google Search = C:\Users\Pat\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
    CHR - Extension: AdBlock = C:\Users\Pat\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.32_0\
    CHR - Extension: Skype Click to Call = C:\Users\Pat\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0\
    CHR - Extension: Gmail = C:\Users\Pat\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

    O1 HOSTS File: ([2012/07/07 21:10:31 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (AOL Messaging Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll (AOL Inc.)
    O3 - HKLM\..\Toolbar: (AOL Messaging Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll (AOL Inc.)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\..\Toolbar\WebBrowser: (AOL Messaging Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll (AOL Inc.)
    O4:64bit: - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe (ELAN Microelectronics Corp.)
    O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKU\S-1-5-21-1893159273-810026186-2473565105-1001..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
    O4 - HKU\S-1-5-21-1893159273-810026186-2473565105-1001..\Run: [uTorrent] C:\Program Files (x86)\uTorrent\uTorrent.exe (BitTorrent, Inc.)
    O4 - HKU\S-1-5-21-1893159273-810026186-2473565105-1003..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKU\S-1-5-21-1893159273-810026186-2473565105-1003..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - Startup: C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jobulator.lnk = C:\Program Files (x86)\Jobulator\Jobulator.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-1893159273-810026186-2473565105-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.64.146 68.87.75.194 68.87.71.226
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{86718067-3EC3-47B3-A663-E889FC39C5AE}: DhcpNameServer = 68.87.64.146 68.87.75.194 68.87.71.226
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E23C087F-97A9-4B60-88D1-7B74767EA563}: DhcpNameServer = 68.87.64.146 68.87.75.194 68.87.71.226
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
    O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O18 - Protocol\Handler\gopher - No CLSID value found
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/03/07 22:29:13 | 000,000,062 | ---- | M] () - G:\Autorun.inf -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/07 21:39:05 | 000,000,000 | ---D | C] -- C:\Users\Pat\AppData\Roaming\Malwarebytes
    [2012/07/07 21:38:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/07 21:38:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/07/07 21:38:50 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
    [2012/07/07 21:38:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/07/07 21:17:17 | 000,000,000 | ---D | C] -- C:\windows\temp
    [2012/07/07 21:10:45 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/07/07 20:58:23 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
    [2012/07/07 20:58:23 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
    [2012/07/07 20:58:23 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
    [2012/07/07 20:58:11 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/07/07 20:57:05 | 000,000,000 | ---D | C] -- C:\windows\erdnt
    [2012/07/07 20:53:41 | 004,574,136 | R--- | C] (Swearware) -- C:\Users\Pat\Desktop\ComboFix.exe
    [2012/07/07 05:49:20 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/07/07 00:06:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
    [2012/07/07 00:06:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/07/07 00:03:50 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2012/07/07 00:01:30 | 000,000,000 | ---D | C] -- C:\Users\Pat\AppData\Local\ElevatedDiagnostics
    [2012/07/05 17:46:26 | 000,000,000 | -HSD | C] -- C:\windows\SysNative\%APPDATA%
    [2012/07/04 19:49:01 | 000,000,000 | ---D | C] -- C:\Users\Pat\Documents\Thief - Deadly Shadows
    [2012/07/04 17:47:44 | 000,000,000 | ---D | C] -- C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Eidos
    [2012/07/04 17:41:56 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Thief - Deadly Shadows
    [2012/07/04 17:38:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eidos
    [2012/07/04 17:32:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Thief - Deadly Shadows
    [2012/06/29 00:46:14 | 000,000,000 | ---D | C] -- C:\Users\Pat\Desktop\Recettear_patch_1108
    [2012/06/29 00:45:40 | 000,000,000 | ---D | C] -- C:\Users\Pat\Desktop\Recettear - An Item Shop's Tale
    [2012/06/28 00:55:11 | 000,000,000 | ---D | C] -- C:\Users\Pat\AppData\Roaming\NVIDIA
    [2012/06/28 00:55:09 | 000,000,000 | ---D | C] -- C:\Users\Pat\AppData\Roaming\RenPy
    [2012/06/20 21:50:35 | 000,000,000 | ---D | C] -- C:\Users\Pat\Desktop\__rpg
    [2012/06/15 14:34:49 | 000,000,000 | ---D | C] -- C:\Users\Pat\Desktop\Tor Browser

    ========== Files - Modified Within 30 Days ==========

    [2012/07/07 21:38:55 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/07 21:28:41 | 000,013,632 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/07/07 21:28:41 | 000,013,632 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/07/07 21:28:02 | 000,000,892 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/07/07 21:25:17 | 000,730,572 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
    [2012/07/07 21:25:17 | 000,626,984 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
    [2012/07/07 21:25:17 | 000,107,970 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
    [2012/07/07 21:21:35 | 000,000,989 | ---- | M] () -- C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jobulator.lnk
    [2012/07/07 21:21:09 | 000,000,888 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/07/07 21:20:03 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
    [2012/07/07 21:19:57 | 3113,365,504 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/07 21:10:31 | 000,000,027 | ---- | M] () -- C:\windows\SysNative\drivers\etc\hosts
    [2012/07/07 21:10:00 | 000,000,900 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-1893159273-810026186-2473565105-1001UA.job
    [2012/07/07 20:54:03 | 004,574,136 | R--- | M] (Swearware) -- C:\Users\Pat\Desktop\ComboFix.exe
    [2012/07/07 00:10:04 | 000,000,848 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-1893159273-810026186-2473565105-1001Core.job
    [2012/07/07 00:06:29 | 000,001,945 | ---- | M] () -- C:\windows\epplauncher.mif
    [2012/07/07 00:06:19 | 000,744,722 | ---- | M] () -- C:\windows\SysWow64\PerfStringBackup.INI
    [2012/07/04 19:46:02 | 000,001,671 | ---- | M] () -- C:\Users\Pat\Desktop\t3 - Shortcut.lnk
    [2012/07/02 17:52:33 | 000,002,385 | ---- | M] () -- C:\Users\Pat\Desktop\Google Chrome.lnk
    [2012/06/28 02:01:59 | 000,000,241 | ---- | M] () -- C:\Users\Pat\Desktop\Team Fortress 2.url
    [2012/06/17 19:31:42 | 1141,644,924 | ---- | M] () -- C:\Users\Pat\Desktop\3sUnKnOwN.avi
    [2012/06/17 17:36:35 | 254,943,789 | ---- | M] () -- C:\Users\Pat\Desktop\the three stooges - 3 dumb clucks (1937).mp4
    [2012/06/14 19:36:35 | 000,291,384 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
    [2012/06/13 11:33:06 | 000,001,107 | -H-- | M] () -- C:\IPH.PH

    ========== Files Created - No Company Name ==========

    [2012/07/07 21:38:55 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/07 20:58:23 | 000,256,000 | ---- | C] () -- C:\windows\PEV.exe
    [2012/07/07 20:58:23 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe
    [2012/07/07 20:58:23 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
    [2012/07/07 20:58:23 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
    [2012/07/07 20:58:23 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
    [2012/07/07 00:06:20 | 000,001,915 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/07/04 19:46:02 | 000,001,671 | ---- | C] () -- C:\Users\Pat\Desktop\t3 - Shortcut.lnk
    [2012/06/20 21:50:57 | 000,376,896 | ---- | C] () -- C:\Users\Pat\Desktop\_DS_MENU.DAT
    [2012/06/17 18:58:44 | 1141,644,924 | ---- | C] () -- C:\Users\Pat\Desktop\3sUnKnOwN.avi
    [2012/06/17 17:03:33 | 254,943,789 | ---- | C] () -- C:\Users\Pat\Desktop\the three stooges - 3 dumb clucks (1937).mp4
    [2012/02/29 13:26:56 | 000,416,064 | ---- | C] () -- C:\windows\SysWow64\nvStreaming.exe
    [2011/08/22 21:47:09 | 000,744,722 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
    [2011/08/09 20:56:04 | 000,001,025 | ---- | C] () -- C:\windows\SysWow64\ig9bpsk.dll
    [2011/08/09 20:56:04 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\grcauth2.dll
    [2011/08/09 20:56:04 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\grcauth1.dll
    [2011/08/09 20:56:04 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\clauth2.dll
    [2011/08/09 20:56:04 | 000,001,024 | ---- | C] () -- C:\windows\SysWow64\clauth1.dll
    [2011/08/09 20:56:04 | 000,000,335 | ---- | C] () -- C:\windows\SysWow64\el8w909.dll
    [2011/08/09 20:56:04 | 000,000,101 | ---- | C] () -- C:\windows\SysWow64\prsgrc.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\zzppqel.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\zbxqvja.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\w13rp5c.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\qn76h6o.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\nvupwfs.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\nd4nejy.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\n1mnnrk.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\n08ff0k.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\ibq3h48.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\h8ghqs4.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\cmci8zx.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\cgm011a.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\b027w5p.dll
    [2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\a2dvk59.dll
    [2011/08/09 20:56:04 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\ssprs.dll
    [2011/08/07 04:21:47 | 000,761,856 | ---- | C] () -- C:\windows\SysWow64\RGSS104J.dll
    [2011/08/07 04:21:47 | 000,758,272 | ---- | C] () -- C:\windows\SysWow64\RGSS104E.dll
    [2011/08/07 04:21:47 | 000,685,056 | ---- | C] () -- C:\windows\SysWow64\RGSS103J.dll
    [2011/07/18 23:10:58 | 000,007,598 | ---- | C] () -- C:\Users\Pat\AppData\Local\Resmon.ResmonCfg
    [2011/06/17 05:40:39 | 000,000,512 | ---- | C] () -- C:\windows\previous.bin
    [2011/06/17 05:40:39 | 000,000,512 | ---- | C] () -- C:\windows\current.bin
    [2011/06/17 05:32:41 | 000,016,648 | R--- | C] () -- C:\windows\SysWow64\LogAPI.dll
    [2011/06/17 05:25:56 | 002,110,816 | ---- | C] () -- C:\windows\SysWow64\Apblend.dll
    [2011/06/17 05:25:56 | 001,171,456 | ---- | C] () -- C:\windows\SysWow64\PicNotify.dll
    [2011/06/17 05:25:51 | 001,044,480 | ---- | C] () -- C:\windows\SysWow64\3DImageRenderer.dll
    [2011/06/17 05:20:18 | 000,000,235 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc

    ========== LOP Check ==========

    [2011/10/19 19:42:43 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\acccore
    [2012/01/01 18:06:50 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\calibre
    [2012/05/12 18:45:27 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\CDisplayEx
    [2012/01/01 20:05:42 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2012/02/08 19:10:59 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\DAEMON Tools Lite
    [2012/05/25 16:16:31 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\Downloaded Installations
    [2012/05/25 16:19:16 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\FileOpen
    [2011/09/27 16:46:56 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\Jobulator
    [2012/05/25 16:19:51 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\Nitro PDF
    [2011/10/26 17:26:01 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\OnLive App
    [2011/07/21 14:11:09 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\ooVoo Details
    [2011/12/31 17:08:05 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\Origin
    [2012/06/28 00:55:09 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\RenPy
    [2012/06/12 01:07:40 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\SoftGrid Client
    [2011/12/16 19:43:37 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\SystemRequirementsLab
    [2011/08/22 21:48:00 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\TP
    [2012/07/07 21:51:43 | 000,000,000 | ---D | M] -- C:\Users\Pat\AppData\Roaming\uTorrent
    [2012/07/07 01:46:44 | 000,026,856 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 64 bytes -> C:\Users\Pat\Desktop\3sUnKnOwN.avi:TOC.WMV

    < End of report >
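The OTL output above is raw scan data, and the parts a responder reads first are the file listings (timestamp, size, attribute flags, CompanyName, path) and the Alternate Data Streams block. The Python below is an added example, not part of Mr. Bucket's post and not OTL's own code: it parses lines in OTL's `[date time | size | attrs | C/M] (company) -- path` format and applies a few triage heuristics that reduce a dump like this one to a short list of leads. The sample input is constructed from lines modeled on the report above plus one hypothetical entry (`hypothetical.dll`) to exercise the "recent executable with no CompanyName" rule; the function names and thresholds are my own choices. Heuristics produce leads, not verdicts: a hit means look at the file and raise it with the helper, not delete it.

```python
"""Triage helper for OTL-style file listings (added example; not OTL's own code)."""
import re
from datetime import datetime, timedelta

# One OTL file or directory entry. Attribute flags are printed in the order
# R (read-only), H (hidden), S (system), D (directory); '-' means not set.
# The "(company)" group is absent for directories and empty "()" for files
# that carry no CompanyName version info.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- "
    r"(?P<path>.+?)\s*$"
)
# OTL's alternate-data-stream line: "@Alternate Data Stream - N bytes -> path:stream"
ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+?):(?P<stream>[^:\\]+)\s*$"
)
SYSTEM_DIRS = ("\\windows\\sysnative\\", "\\windows\\system32\\", "\\windows\\syswow64\\")
PE_EXTS = (".dll", ".exe", ".sys", ".ocx", ".scr")


def parse_entry(line):
    """Return a dict for an OTL file/dir line, or None if the line is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    a = m["attrs"]
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "readonly": a[0] == "R", "hidden": a[1] == "H",
        "system": a[2] == "S", "isdir": a[3] == "D",
        "created": m["kind"] == "C",
        "company": (m["company"] or "").strip(),
        "path": m["path"],
    }


def in_system_dir(path):
    return any(d in path.lower() for d in SYSTEM_DIRS)


def triage_entry(e, report_time, recent_days=30):
    """Heuristic reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    name = e["path"].rsplit("\\", 1)[-1]
    sysdir = in_system_dir(e["path"])
    if e["isdir"] and sysdir and e["hidden"] and e["system"]:
        reasons.append("hidden+system directory under System32")
    if sysdir and ("%" in name or name.startswith("{")):
        reasons.append("literal environment-variable or GUID-style name in a system directory")
    if not e["isdir"] and name.lower().endswith(PE_EXTS) and e["size"] < 64:
        # A DOS header alone is 64 bytes; a 16-byte ".dll" cannot be a loadable image.
        reasons.append("too small to be a PE image")
    if (not e["isdir"] and sysdir and name.lower().endswith(PE_EXTS)
            and not e["company"] and report_time - e["ts"] <= timedelta(days=recent_days)):
        reasons.append("recent executable in a system directory with no CompanyName")
    return reasons


def triage_log(text, report_time):
    """Run the heuristics over a whole OTL section; returns [(path, reason), ...]."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        e = parse_entry(line)
        if e:
            findings.extend((e["path"], r) for r in triage_entry(e, report_time))
            continue
        a = ADS_RE.match(line)
        if a:
            # Small streams such as TOC.WMV are typically left by Windows Media Player;
            # flag for inspection rather than declaring them malicious.
            findings.append((f'{a["path"]}:{a["stream"]}',
                             f'alternate data stream of {a["size"]} bytes (inspect contents)'))
    return findings


# Constructed sample: lines modeled on the report above plus one hypothetical
# entry (hypothetical.dll) that exercises the "recent, no CompanyName" rule.
SAMPLE_LOG = r"""
[2012/07/05 17:46:26 | 000,000,000 | -HSD | C] -- C:\windows\SysNative\%APPDATA%
[2012/07/07 21:38:50 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2011/08/09 20:56:04 | 000,000,016 | -H-- | C] () -- C:\windows\SysWow64\zzppqel.dll
[2012/07/06 03:12:00 | 000,091,136 | -H-- | C] () -- C:\windows\SysWow64\hypothetical.dll
[2012/07/04 17:32:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Thief - Deadly Shadows
@Alternate Data Stream - 64 bytes -> C:\Users\Pat\Desktop\3sUnKnOwN.avi:TOC.WMV
"""
REPORT_TIME = datetime(2012, 7, 7, 21, 46, 10)  # "OTL Extras logfile created on" timestamp

if __name__ == "__main__":
    for path, reason in triage_log(SAMPLE_LOG, REPORT_TIME):
        print(f"{path}\n    -> {reason}")
```

Run against the sample, the hidden+system `%APPDATA%` directory under SysNative and the 16-byte `.dll` in SysWow64 come out as leads, `mbam.sys` (recent but with a CompanyName) does not, and the `TOC.WMV` stream is listed for inspection only: a small stream of that name on a video file is typically the table-of-contents stream Windows Media Player attaches to media it has played, so the code deliberately does not call it malicious. The rules are also silent on the things this log shows to be intact (a 27-byte hosts file with only `localhost`, default `exefile`/`comfile` shell commands, stock Winlogon `Shell` and `UserInit`), which is the other half of reading such a report.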
     
  10. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    OTL Extras logfile created on: 7/7/2012 9:46:10 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Pat\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7601.17514)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.87 Gb Total Physical Memory | 2.19 Gb Available Physical Memory | 56.75% Memory free
    9.72 Gb Paging File | 7.85 Gb Available in Paging File | 80.78% Paging File free
    Paging file location(s): c:\pagefile.sys 6000 6000 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 421.81 Gb Total Space | 56.31 Gb Free Space | 13.35% Space Free | Partition Type: NTFS
    Drive D: | 29.00 Gb Total Space | 25.96 Gb Free Space | 89.54% Space Free | Partition Type: NTFS
    Drive G: | 465.76 Gb Total Space | 11.50 Gb Free Space | 2.47% Space Free | Partition Type: NTFS

    Computer Name: PAT-PC | User Name: Pat | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-1893159273-810026186-2473565105-1001\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{A65567B8-353B-43FB-BFD8-45641D21E16E}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{DD46B1C1-2079-4A2B-99D7-D5576F64AFF8}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "TCP Query User{CF562A87-4BF5-4609-94C3-A482E6E14CF7}C:\program files (x86)\skype\phone\skype.exe" = protocol=6 | dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
    "TCP Query User{F551ADAE-3738-4FC5-AAA4-B8A16A8AC019}C:\program files (x86)\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "UDP Query User{7076BB0D-23B1-4721-9A9C-A9B6629F5DD6}C:\program files (x86)\skype\phone\skype.exe" = protocol=17 | dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
    "UDP Query User{A72C53EF-2347-4439-9833-FC86F7687F45}C:\program files (x86)\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
    "{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
    "{3ED4AD02-F631-4A4C-AAC8-2325996E5A56}" = Microsoft IntelliPoint 8.1
    "{46F4D124-20E5-4D12-BE52-EC177A7A4B42}" = Lenovo OneKey Recovery
    "{5EB6F3CB-46F4-451F-A028-7F6D8D35D7D0}" = Windows Live Language Selector
    "{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
    "{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90126F8D-58D9-456F-B2D5-03FBE6408650}" = Nitro Pro 7
    "{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client
    "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 296.10
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 296.10
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 296.10
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.12.0213
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.7.11
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD Audio Driver 1.3.12.0
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
    "{D600D357-5CB9-4DE9-8FD4-14E208BD1970}" = Nero Backup Drivers
    "{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
    "{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
    "{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "0A4175B489A1B4A6E07E11B063A6263480C51D71" = Windows Driver Package - Lenovo (ACPIVPC) System (10/19/2009 5.4.0.1)
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
    "CNXT_AUDIO_HDA" = Conexant HD Audio
    "Elantech" = ETDWare PS/2-x64 7.0.4.18_WHQL
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft IntelliPoint 8.1" = Microsoft IntelliPoint 8.1
    "Microsoft Security Client" = Microsoft Security Essentials

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
    "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{0CE226F3-EB27-4ECD-BBF5-F088716779FD}" = Energy Management
    "{10F755FD-ED31-4ABF-8720-49A399C52297}" = calibre
    "{17542DBF-E17C-4562-BC4D-FA3EF3076C45}" = Lenovo ReadyComm 5
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
    "{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
    "{2A235715-A8CD-CC21-F709-824B005A40CA}" = Jobulator
    "{2DDC4E4E-D5D9-477C-9C1D-7E214B5E44B4}" = Bentley IEG License Service
    "{33286280-8617-11E1-8FF6-B8AC6F97B88E}" = Google Earth Plug-in
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{3B11D799-48E0-48ED-BFD7-EA655676D8BB}" = Star Wars: The Old Republic
    "{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "{47FA2C44-D148-4DBC-AF60-B91934AA4842}" = Adobe AIR
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
    "{553C904F-57A2-4113-888E-BA0C3D1C69C0}" = Microsoft VC9 runtime libraries
    "{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}" = RGSS-RTP Standard
    "{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{76C66170-C538-4E77-B54D-48E136B5B533}" = Lenovo ReadyComm 5.0 Service
    "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
    "{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows 7
    "{8991E763-21F5-4DEA-A938-5D9D77DCB488}" = Broadcom 802.11 Wireless Driver
    "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{943A8D28-80D6-41DC-AE94-81FEB42041BF}" = System Requirements Lab CYRI
    "{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
    "{95140000-00AF-0409-0000-0000000FF1CE}" = Microsoft PowerPoint Viewer
    "{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
    "{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
    "{9FFC4E8E-2E8F-4030-A5E4-27EC4A269F32}" = Lenovo Smile Dock
    "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
    "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
    "{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
    "{B2164CCB-C002-4B80-8550-7535D80DF237}" = Lenovo DirectShare
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
    "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
    "{CC870764-5AB2-4801-9F16-8E577AD0EE27}" = RedShark 4.10
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{D6C630BF-8DBB-4042-8562-DC9A52CB6E7E}" = Intel(R) Turbo Boost Technology Driver
    "{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}" = NVIDIA PhysX
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
    "{DFB19121-0609-49C1-92B1-546E5A940FE8}" = Onekey Theater
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E50FC5DB-7CBD-407D-A46E-0C13E45BC386}" = Oasis2Service 1.0
    "{EA2DB6E0-72C5-4ef9-A3A0-E6705F4A6A9E}" = Nexon Game Manager
    "{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
    "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel(R) Control Center
    "{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}" = ooVoo
    "{FC123EEA-330A-4685-911C-95B8F5E9DE68}" = Thief - Deadly Shadows
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "{FE7AD27A-62B1-44F6-B69C-25D1ECA94F5D}" = Lenovo EasyCamera
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "AIM Toolbar" = AOL Messaging Toolbar
    "AIM_7" = AIM 7
    "CDisplayEx_is1" = CDisplayEx 1.8
    "Collective Thief: DS Texture Pack by John P. 1.03" = Thief - Deadly Shadows Collective Texture Pack by John P., ver. 1.0.3
    "DAEMON Tools Lite" = DAEMON Tools Lite
    "Diablo III" = Diablo III
    "DragonNest" = DragonNest
    "InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
    "InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}" = Lenovo OneKey Recovery
    "InstallShield_{B2164CCB-C002-4B80-8550-7535D80DF237}" = Lenovo DirectShare
    "Jobulator" = Jobulator
    "Kingdoms of Amalur Reckoning_is1" = Kingdoms of Amalur Reckoning
    "Lenovo Games Console" = Lenovo Games Console
    "Lenovo Smile Dock" = Lenovo Smile Dock
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
    "Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
    "Office14.Click2Run" = Microsoft Office Click-to-Run 2010
    "OnLive" = OnLive
    "Origin" = Origin
    "Rayman Origins_is1" = Rayman Origins
    "RGSS-RTP Standard_is1" = RGSS-RTP Standard
    "RPGVXAce_RTP_is1" = RPG MAKER VX Ace RTP
    "SoftwareUpdUtility" = Download Updater (AOL LLC)
    "StarCraft II" = StarCraft II
    "Steam App 102600" = Orcs Must Die!
    "Steam App 440" = Team Fortress 2
    "uTorrent" = µTorrent
    "VeriFace" = VeriFace
    "VLC media player" = VLC media player 1.1.11
    "WinLiveSuite" = Windows Live Essentials
    "WinRAR archiver" = WinRAR 4.01 (32-bit)
    "World of Warcraft" = World of Warcraft
    "World of Warcraft Public Test" = World of Warcraft Public Test

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1893159273-810026186-2473565105-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "AOL Messaging Toolbar" = AOL Messaging Toolbar
    "Google Chrome" = Google Chrome

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 6/6/2012 5:21:06 PM | Computer Name = Pat-PC | Source = CVHSVC | ID = 100
    Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
    DownloadLatest Failed: There are currently no active network connections. Background
    Intelligent Transfer Service (BITS) will try again when an adapter is connected.


    Error - 6/8/2012 4:41:00 AM | Computer Name = Pat-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files (x86)\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
    files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
    attribute "language" in element "assemblyIdentity" is invalid.

    Error - 6/10/2012 2:56:41 AM | Computer Name = Pat-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files (x86)\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
    files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
    attribute "language" in element "assemblyIdentity" is invalid.

    Error - 6/12/2012 1:07:18 AM | Computer Name = Pat-PC | Source = Application Virtualization Client | ID = 5009
    Description = {hap=12:app=Microsoft Word Starter 2010 9014006604090000:tid=135C:usr=Pat}
    The
    Application Virtualization Client could not connect to stream URL 'http://c2r.microsoft.com/ConsumerC2R/en-us/14.0.4763.1000/ConsumerC2R.en-us_14.0.6117.5005.sft'
    (rc 16001E0A-000001D1, original rc 16001E0A-000001D1).

    Error - 6/12/2012 1:07:18 AM | Computer Name = Pat-PC | Source = Application Virtualization Client | ID = 3008
    Description = {hap=12:app=Microsoft Word Starter 2010 9014006604090000:tid=135C:usr=Pat}
    The
    client was unable to connect to an Application Virtualization Server (rc 16001E0A-000001D1)

    Error - 6/12/2012 1:07:38 AM | Computer Name = Pat-PC | Source = Application Virtualization Client | ID = 5009
    Description = {hap=13:app=Microsoft Word Starter 2010 9014006604090000:tid=1BAC:usr=Pat}
    The
    Application Virtualization Client could not connect to stream URL 'http://c2r.microsoft.com/ConsumerC2R/en-us/14.0.4763.1000/ConsumerC2R.en-us_14.0.6117.5005.sft'
    (rc 16001E0A-000001D1, original rc 16001E0A-000001D1).

    Error - 6/12/2012 1:07:38 AM | Computer Name = Pat-PC | Source = Application Virtualization Client | ID = 3008
    Description = {hap=13:app=Microsoft Word Starter 2010 9014006604090000:tid=1BAC:usr=Pat}
    The
    client was unable to connect to an Application Virtualization Server (rc 16001E0A-000001D1)

    Error - 6/12/2012 1:58:35 AM | Computer Name = Pat-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files (x86)\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
    files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
    attribute "language" in element "assemblyIdentity" is invalid.

    Error - 6/13/2012 4:50:11 PM | Computer Name = Pat-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files (x86)\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
    files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
    attribute "language" in element "assemblyIdentity" is invalid.

    Error - 6/14/2012 5:01:43 PM | Computer Name = Pat-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files (x86)\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
    files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
    attribute "language" in element "assemblyIdentity" is invalid.

    [ Media Center Events ]
    Error - 7/5/2012 9:57:56 PM | Computer Name = Pat-PC | Source = MCUpdate | ID = 0
    Description = 9:57:56 PM - Failed to retrieve SportsSchedule.enc (Error: BITS 0x80070424)


    Error - 7/5/2012 9:58:09 PM | Computer Name = Pat-PC | Source = MCUpdate | ID = 0
    Description = 9:57:57 PM - Failed to retrieve Broadband.enc (Error: BITS 0x80070424)


    Error - 7/5/2012 10:58:24 PM | Computer Name = Pat-PC | Source = MCUpdate | ID = 0
    Description = 10:58:23 PM - Failed to retrieve SportsSchedule.enc (Error: BITS 0x80070424)


    Error - 7/5/2012 10:58:25 PM | Computer Name = Pat-PC | Source = MCUpdate | ID = 0
    Description = 10:58:24 PM - Failed to retrieve Broadband.enc (Error: BITS 0x80070424)


    Error - 7/5/2012 11:58:41 PM | Computer Name = Pat-PC | Source = MCUpdate | ID = 0
    Description = 11:58:40 PM - Failed to retrieve SportsSchedule.enc (Error: BITS 0x80070424)


    Error - 7/5/2012 11:58:42 PM | Computer Name = Pat-PC | Source = MCUpdate | ID = 0
    Description = 11:58:42 PM - Failed to retrieve Broadband.enc (Error: BITS 0x80070424)


    Error - 7/6/2012 4:24:29 PM | Computer Name = Pat-PC | Source = MCUpdate | ID = 0
    Description = 4:24:28 PM - Failed to retrieve SportsSchedule.enc (Error: BITS 0x80070424)


    Error - 7/6/2012 4:24:43 PM | Computer Name = Pat-PC | Source = MCUpdate | ID = 0
    Description = 4:24:30 PM - Failed to retrieve Broadband.enc (Error: BITS 0x80070424)


    Error - 7/7/2012 8:56:09 PM | Computer Name = Pat-PC | Source = MCUpdate | ID = 0
    Description = 8:56:09 PM - Failed to retrieve SportsSchedule.enc (Error: BITS 0x80070424)


    Error - 7/7/2012 8:56:10 PM | Computer Name = Pat-PC | Source = MCUpdate | ID = 0
    Description = 8:56:10 PM - Failed to retrieve Broadband.enc (Error: BITS 0x80070424)


    [ System Events ]
    Error - 6/17/2012 6:12:29 PM | Computer Name = Pat-PC | Source = volsnap | ID = 393252
    Description = The shadow copies of volume C: were aborted because the shadow copy
    storage could not grow due to a user imposed limit.

    Error - 6/17/2012 7:32:18 PM | Computer Name = Pat-PC | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 6/17/2012 7:32:18 PM | Computer Name = Pat-PC | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 6/17/2012 7:32:19 PM | Computer Name = Pat-PC | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 6/17/2012 7:32:19 PM | Computer Name = Pat-PC | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 6/17/2012 7:32:20 PM | Computer Name = Pat-PC | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 6/18/2012 2:31:21 AM | Computer Name = Pat-PC | Source = volsnap | ID = 393252
    Description = The shadow copies of volume C: were aborted because the shadow copy
    storage could not grow due to a user imposed limit.

    Error - 6/18/2012 6:04:37 AM | Computer Name = Pat-PC | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR2.

    Error - 6/19/2012 3:53:34 PM | Computer Name = Pat-PC | Source = volsnap | ID = 393252
    Description = The shadow copies of volume C: were aborted because the shadow copy
    storage could not grow due to a user imposed limit.

    Error - 6/21/2012 9:04:55 PM | Computer Name = Pat-PC | Source = Tcpip | ID = 4199
    Description = The system detected an address conflict for IP address 192.168.1.141
    with the system having network hardware address 00-0C-F1-A4-3A-3D. Network operations
    on this system may be disrupted as a result.


    < End of report >
     
  11. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    You didn't answer my question:
    I still need the MBAM log.
     
  12. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    2012/07/07 21:39:48 -0400 PAT-PC Pat MESSAGE Executing scheduled update: Daily
    2012/07/07 21:39:48 -0400 PAT-PC Pat MESSAGE Starting protection
    2012/07/07 21:39:49 -0400 PAT-PC Pat MESSAGE Database already up-to-date
    2012/07/07 21:39:50 -0400 PAT-PC Pat MESSAGE Protection started successfully
    2012/07/07 21:39:53 -0400 PAT-PC Pat MESSAGE Starting IP protection
    2012/07/07 21:39:56 -0400 PAT-PC Pat MESSAGE IP Protection started successfully
    *****It might be too early to call, but I'm calling this a success. No more issues and it's running smoothly. ^_^

    As soon as I'm sure this thing is clean, I'd love to send you a tip through paypal. You really saved my butt today!
     
  13. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    Oopsie. I think this was what you wanted:

    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.07.07.07

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    Pat :: PAT-PC [administrator]

    Protection: Enabled

    7/7/2012 9:39:58 PM
    mbam-log-2012-07-07 (21-39-58).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 228948
    Time elapsed: 4 minute(s), 4 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  14. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    :)

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 201.123.39.103:3128
      IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 201.123.39.103:3128
      IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\S-1-5-21-1893159273-810026186-2473565105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 201.123.39.103:3128
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O4 - HKU\S-1-5-21-1893159273-810026186-2473565105-1003..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
      @Alternate Data Stream - 64 bytes -> C:\Users\Pat\Desktop\3sUnKnOwN.avi:TOC.WMV
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =========================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  15. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    Results of screen317's Security Check version 0.99.24
    Windows 7 x64 (UAC is enabled)
    Internet Explorer 8 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Spybot - Search & Destroy
    Java(TM) 6 Update 31
    Out of date Java installed!
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Malwarebytes' Anti-Malware mbamservice.exe
    Malwarebytes' Anti-Malware mbamgui.exe
    Spybot Teatimer.exe is disabled!
    Microsoft Security Essentials msseces.exe
    ``````````End of Log````````````
    Farbar Service Scanner Version: 02-07-2012
    Ran by Pat (administrator) on 07-07-2012 at 22:25:33
    Running from "C:\Users\Pat\Downloads"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
    C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan deleted - quarantined
    C:\FRST\Quarantine\{09829da7-7670-ac83-78c4-af55cbaa0f03}\n Win64/Sirefef.W trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{09829da7-7670-ac83-78c4-af55cbaa0f03}\U\80000000.@ Win64/Sirefef.AL trojan cleaned by deleting - quarantined

    ****So everything is still running fine, but the ESET scanner found the three threats above. Were those just quarantined files? Because I've seen enough of FRST over this whole thing to remember it for a while...
     
  16. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    =========================================

    We have one registry key corrupted affecting Windows updates.

    Following steps involve registry editing. Please create new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.
    Double click on bits.reg file and confirm the prompt.
    Restart computer.
    Post new FSS log.
     
  17. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    Farbar Service Scanner Version: 02-07-2012
    Ran by Pat (administrator) on 08-07-2012 at 00:42:21
    Running from "C:\Users\Pat\Downloads"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****



    Thanks for sticking with me on this.
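The FSS log above shows the two kinds of tampering this cleanup had to undo: a protection service (WinDefend) with its start type changed from Auto to Demand, a corrupted BITS key fixed with bits.reg, and the DisableAntiSpyware policy value set to 1. As an added example, not from the thread or from Farbar's tool, the following PowerShell script re-runs those checks on a live Windows system; the list of expected start types, the policy paths and the baseline-hash table are assumptions, and the baseline holds a placeholder to be replaced with values captured from a clean machine.

```powershell
# Added example, not from the thread or from Farbar's FSS. Re-runs the kinds of
# checks FSS reported above: service start type / state, the Windows Defender
# "DisableAntiSpyware" policy value, and an MD5 comparison of service binaries.
# Assumptions: the expected start types below, and the baseline hash table,
# which holds a placeholder you replace with values from a clean reference PC.
# Requires an elevated PowerShell 4+ session (Get-CimInstance, Get-FileHash).

# Services FSS checks, with the start type FSS reports as the default.
$expectedStart = @{
    'wuauserv'  = 'Auto'   # Windows Update (FSS: not running)
    'WinDefend' = 'Auto'   # Windows Defender (FSS: set to Demand, i.e. Manual)
    'BITS'      = 'Auto'   # Background Intelligent Transfer (bits.reg fix above)
    'wscsvc'    = 'Auto'   # Security Center
    'MpsSvc'    = 'Auto'   # Windows Firewall
}
# Policy locations where DisableAntiSpyware=1 switches Defender off.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
)
# Known-good MD5 values captured from a clean machine of the same build.
$baseline = @{
    "$env:SystemRoot\System32\services.exe" = 'PLACEHOLDER-MD5-FROM-CLEAN-MACHINE'
}

$findings = @()

foreach ($name in $expectedStart.Keys) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { $findings += "${name}: service is missing"; continue }
    if ($svc.StartMode -ne $expectedStart[$name]) {
        $findings += "${name}: start type is $($svc.StartMode), default is $($expectedStart[$name])"
    }
    if ($svc.State -ne 'Running') { $findings += "${name}: service is not running" }
}

foreach ($path in $policyPaths) {
    $v = (Get-ItemProperty -Path $path -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($v -eq 1) { $findings += "$path\DisableAntiSpyware = 1 (Defender disabled by policy)" }
}

foreach ($path in $baseline.Keys) {
    if (-not (Test-Path $path)) { $findings += "$path is missing"; continue }
    $md5 = (Get-FileHash -Path $path -Algorithm MD5).Hash
    if ($md5 -ne $baseline[$path]) { $findings += "$path MD5 $md5 differs from baseline" }
}

if ($findings.Count -eq 0) { 'All checks OK' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Win32_Service reports the "Demand" start type FSS shows as "Manual", so a Defender service in the state logged above is reported as a start-type mismatch plus a not-running warning.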
     
  18. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    See if you can access Windows updates now.
     
  19. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    I can access windows updates but it says "No important updates available"

    4 optional updates are available. Should I install those? Pretty sure it goes without saying that I should, but I just wanted to make sure.
     
  20. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

  21. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    You can install those as well.

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    =========================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  22. Mr. Bucket

    Mr. Bucket TS Rookie Topic Starter

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Pat
    ->Java cache emptied: 0 bytes

    User: Public

    User: UpdatusUser

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.53.1 log created on 07082012_172805

    Files\Folders moved on Reboot...
    File\Folder C:\Users\Pat\AppData\Local\Temp\hsperfdata_Pat\3516 not found!
    C:\Users\Pat\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...
    File C:\Users\Pat\AppData\Local\Temp\hsperfdata_Pat\3516 not found!
    File C:\Users\Pat\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

    Registry entries deleted on Reboot...

    ****Broni... you're the best! ^_^ Everything is working without a problem and nothing is showing up on any malware scans.

    As soon as I give it some time to be positive that everything is perfect, I'll send you some tipage.
     
  23. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Way to go!!
    Good luck and stay safe :)
     
