Google redirect "gethotresults" virus

Solved
By person15
Aug 31, 2012
  1. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    O1 HOSTS File: ([2012/09/02 23:42:48 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111010195856.dll (McAfee, Inc.)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111010195856.dll (McAfee, Inc.)
    O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O2 - BHO: (ChromeFrame BHO) - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files (x86)\Google\Chrome Frame\Application\21.0.1180.89\npchrome_frame.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-816525379-3359804378-3665389369-1003\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
  2. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    O4:64bit: - HKLM..\Run: [AcWin7Hlpr] C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe ()
    O4:64bit: - HKLM..\Run: [FingerPrintSoftware] C:\Program Files\Lenovo Fingerprint Software\fpapp.exe (AuthenTec)
    O4:64bit: - HKLM..\Run: [FingerPrintSoftwareSplashScreen] C:\Program Files\Lenovo Fingerprint Software\SplashScreen.exe (AuthenTec, Inc.)
    O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [IaNvSrv] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
    O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [picon] C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
    O4:64bit: - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
    O4:64bit: - HKLM..\Run: [TpShocks] C:\Windows\SysNative\TpShocks.exe (Lenovo.)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [Message Center Plus] C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe ()
    O4 - HKLM..\Run: [PWMTRV] C:\Program Files (x86)\ThinkPad\Utilities\PWMTR64V.DLL (Lenovo Group Limited)
    O4 - HKLM..\Run: [RotateImage] C:\Program Files (x86)\RotateImage\RCIMGDIR.exe (Ricoh co.,Ltd.)
    O4 - HKLM..\Run: [ShStatEXE] C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
    O4 - HKLM..\Run: [TkBellExe] c:\program files (x86)\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
    O4 - HKU\S-1-5-21-816525379-3359804378-3665389369-1003..\Run: [F.lux] C:\Users\Vivek\Local Settings\Apps\F.lux\flux.exe ()
    O4 - HKU\S-1-5-21-816525379-3359804378-3665389369-1003..\Run: [GoogleDriveSync] C:\Program Files (x86)\Google\Drive\googledrivesync.exe (Google)
    O4 - Startup: C:\Users\Vivek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Vivek\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-816525379-3359804378-3665389369-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-816525379-3359804378-3665389369-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowCpl = 1
    O7 - HKU\S-1-5-21-816525379-3359804378-3665389369-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
  3. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    The forum keeps preventing me from posting. Is there a reason for this? (I'll try again a bit later.)
  4. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    I've seen this issue before.
    If nothing else attach both logs.
  5. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    Here are both logs as attachments. I appreciate you being so accomodating.

    Attached Files:

  6. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    And, in case this bit of information got lost in the logs I tried to post, the issue started August 31 around 5 pm. I don't know if that's of any help when reading these files.
  7. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Let's see if I can post the rest.

    O9:64bit: - Extra Button: C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
  8. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    O9:64bit: - Extra 'Tools' menuitem : C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
  9. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
    O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
    O16:64bit: - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
    O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.1.cab (DLM Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.59.247.45 208.59.247.46 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2D6B2DAD-6A3D-4D3B-BE1D-C8117EE66090}: DhcpNameServer = 208.59.247.45 208.59.247.46 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{41095C22-33CE-46D2-896E-7C6B845BF651}: DhcpNameServer = 152.3.182.5 152.3.182.3 152.3.189.18
    O18:64bit: - Protocol\Handler\cf - No CLSID value found
    O18:64bit: - Protocol\Handler\gcf - No CLSID value found
    O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18 - Protocol\Handler\cf - No CLSID value found
    O18 - Protocol\Handler\gcf {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files (x86)\Google\Chrome Frame\Application\21.0.1180.89\npchrome_frame.dll (Google Inc.)
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20:64bit: - Winlogon\Notify\ATFUS: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
    O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/09/03 21:06:24 | 000,599,040 | ---- | C] (OldTimer Tools) -- C:\Users\Vivek\Desktop\OTL.exe
    [2012/09/03 20:37:47 | 000,000,000 | ---D | C] -- C:\Users\Vivek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
    [2012/09/02 23:42:56 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2012/09/01 00:10:59 | 000,000,000 | ---D | C] -- C:\Users\Vivek\AppData\Local\Macromedia
    [2012/08/31 23:54:52 | 000,000,000 | ---D | C] -- C:\Users\Vivek\Desktop\RK_Quarantine
    [2012/08/31 19:43:19 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Vivek\Desktop\dds.com
    [2012/08/31 19:01:13 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/08/31 19:01:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/08/31 19:00:53 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Vivek\Desktop\mbam-setup-1.62.0.1300.exe
    [2012/08/31 17:12:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/08/22 20:33:51 | 038,685,384 | ---- | C] (VMware, Inc.) -- C:\Users\Vivek\Desktop\VMware-viewclient-x86_64-5.1.0-704644.exe
    [2012/08/16 10:09:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Adobe
    [1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/09/03 21:06:28 | 000,599,040 | ---- | M] (OldTimer Tools) -- C:\Users\Vivek\Desktop\OTL.exe
    [2012/09/03 21:05:00 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-816525379-3359804378-3665389369-1003UA.job
    [2012/09/03 20:37:49 | 000,002,377 | ---- | M] () -- C:\Users\Vivek\Desktop\Google Chrome.lnk
    [2012/09/03 20:31:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/09/03 20:20:00 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/09/03 20:17:30 | 000,077,520 | ---- | M] () -- C:\Users\Vivek\Desktop\bookmarks_9_3_12.html
    [2012/09/03 18:30:21 | 000,020,704 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/09/03 18:30:21 | 000,020,704 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/09/03 18:26:11 | 000,792,128 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012/09/03 18:26:11 | 000,671,120 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012/09/03 18:26:11 | 000,124,278 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012/09/03 18:21:13 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/09/03 18:20:33 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-816525379-3359804378-3665389369-1003Core.job
    [2012/09/03 18:20:33 | 000,000,466 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
    [2012/09/03 18:20:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/09/03 18:20:20 | 3139,444,736 | -HS- | M] () -- C:\hiberfil.sys
    [2012/09/02 23:42:48 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012/09/02 00:04:37 | 000,000,512 | ---- | M] () -- C:\Users\Vivek\Desktop\MBR.dat
    [2012/09/01 01:09:36 | 880,245,280 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/08/31 19:43:17 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Vivek\Desktop\dds.com
    [2012/08/31 19:11:07 | 000,302,592 | ---- | M] () -- C:\Users\Vivek\Desktop\9grlctx0.exe
    [2012/08/31 19:00:51 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Vivek\Desktop\mbam-setup-1.62.0.1300.exe
    [2012/08/31 18:36:04 | 000,000,328 | ---- | M] () -- C:\Windows\SysNative\drivers\kgpcpy.cfg
    [2012/08/31 17:18:50 | 000,000,600 | ---- | M] () -- C:\Users\Vivek\AppData\Roaming\winscp.rnd
    [2012/08/29 09:32:18 | 000,647,413 | ---- | M] () -- C:\Users\Vivek\Desktop\Docusign_Lease_50_Cherry_St_1_Somervillepd.zip
    [2012/08/27 21:51:00 | 000,000,600 | ---- | M] () -- C:\Users\Vivek\AppData\Local\PUTTY.RND
    [2012/08/22 20:34:14 | 038,685,384 | ---- | M] (VMware, Inc.) -- C:\Users\Vivek\Desktop\VMware-viewclient-x86_64-5.1.0-704644.exe
    [2012/08/22 12:46:18 | 000,000,528 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
    [2012/08/22 12:38:03 | 008,864,168 | ---- | M] (SurfRight B.V.) -- C:\Users\Vivek\Desktop\HitmanPro36_x64.exe
    [2012/08/21 00:30:00 | 000,000,528 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask-Delay.job
    [2012/08/16 10:10:12 | 000,002,025 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
    [2012/08/16 03:29:21 | 000,497,584 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2012/08/12 00:52:06 | 000,075,864 | ---- | M] () -- C:\Users\Vivek\Desktop\checks.pdf
    [1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/09/03 20:37:49 | 000,002,377 | ---- | C] () -- C:\Users\Vivek\Desktop\Google Chrome.lnk
    [2012/09/03 20:17:30 | 000,077,520 | ---- | C] () -- C:\Users\Vivek\Desktop\bookmarks_9_3_12.html
    [2012/09/01 01:09:36 | 880,245,280 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2012/09/01 00:40:46 | 000,000,512 | ---- | C] () -- C:\Users\Vivek\Desktop\MBR.dat
    [2012/08/31 19:11:08 | 000,302,592 | ---- | C] () -- C:\Users\Vivek\Desktop\9grlctx0.exe
    [2012/08/31 18:36:04 | 000,000,328 | ---- | C] () -- C:\Windows\SysNative\drivers\kgpcpy.cfg
    [2012/08/29 09:32:19 | 000,647,413 | ---- | C] () -- C:\Users\Vivek\Desktop\Docusign_Lease_50_Cherry_St_1_Somervillepd.zip
    [2012/08/22 12:53:36 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/08/21 00:00:18 | 000,000,528 | ---- | C] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask-Delay.job
    [2012/08/16 10:09:36 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
    [2012/08/16 10:09:36 | 000,002,025 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
    [2012/08/12 00:52:06 | 000,075,864 | ---- | C] () -- C:\Users\Vivek\Desktop\checks.pdf
    [2011/12/18 14:32:40 | 000,010,486 | -HS- | C] () -- C:\Users\Vivek\AppData\Local\774335p0e210t008t785a0hmt7c3
    [2011/11/17 17:59:33 | 000,000,222 | ---- | C] () -- C:\Users\Vivek\contestapplet.conf.bak
    [2011/11/17 17:59:33 | 000,000,222 | ---- | C] () -- C:\Users\Vivek\contestapplet.conf
    [2011/09/29 20:51:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/09/29 20:51:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/09/29 20:51:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/09/29 20:51:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/09/29 20:51:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/09/05 15:56:06 | 000,000,401 | ---- | C] () -- C:\Windows\crackpdf.INI
    [2011/05/18 12:59:58 | 000,000,011 | ---- | C] () -- C:\Windows\OSA.INI
    [2011/03/26 17:36:48 | 000,007,611 | ---- | C] () -- C:\Users\Vivek\AppData\Local\Resmon.ResmonCfg
    [2010/11/08 21:31:00 | 000,001,006 | ---- | C] () -- C:\Users\Vivek\.zir.cfg
    [2010/10/11 11:29:27 | 000,002,108 | ---- | C] () -- C:\Users\Vivek\.root_hist
    [2010/02/13 22:44:12 | 000,011,287 | ---- | C] () -- C:\Users\Vivek\gsview64.ini
    [2010/01/20 10:24:10 | 000,000,600 | ---- | C] () -- C:\Users\Vivek\AppData\Local\PUTTY.RND
    [2010/01/06 17:30:33 | 000,000,600 | ---- | C] () -- C:\Users\Vivek\AppData\Roaming\winscp.rnd

    ========== LOP Check ==========

    [2011/11/17 19:38:44 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\3D3D9
    [2010/06/11 18:11:14 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\avidemux
    [2012/02/18 21:58:44 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\B403D
    [2010/03/09 15:11:27 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\CachedFiles
    [2011/11/13 20:40:19 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\d88ffR9hTXqj
    [2011/11/13 18:08:58 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\DeeelIIBrzNyxuS
    [2012/09/03 18:22:18 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\Dropbox
    [2010/01/06 16:08:47 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\Echo Software
    [2010/08/23 12:35:24 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\Foxit Software
    [2011/11/13 18:40:58 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\fpnG4aQH6W7E9Tq
    [2011/11/13 18:45:24 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\G1uvS2obFpGaJ
    [2011/11/13 18:45:22 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\gYXwkUVelBz
    [2010/06/24 11:26:42 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\InterVideo
    [2010/08/23 17:56:10 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\IrfanView
    [2011/11/13 18:09:00 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\kS2iDp4HsKf9TqY
    [2011/07/04 19:35:34 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\Leadertech
    [2011/11/13 20:40:19 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\OdEK8gRZ9YwUeIt
    [2011/11/13 18:41:00 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\OYCwkIVrlNx0c
    [2010/11/17 16:31:01 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\ParaView
    [2011/05/26 10:58:43 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\PCDr
    [2011/04/24 22:47:16 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\PDF Writer
    [2011/11/13 18:09:07 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\PWJJJdEE8RZqhXk
    [2010/10/14 12:29:27 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\StarNet
    [2010/02/20 12:31:22 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\Subversion
    [2011/05/05 15:04:36 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\Update
    [2012/08/22 12:44:31 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\uTorrent
    [2011/11/13 18:45:29 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\VjekIBrzOyA2b3n
    [2011/11/13 18:45:29 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\X5aQH6dWKfLgXjC
    [2011/11/13 18:45:18 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\yD2onF4pm5Q7E8R
    [2011/11/13 18:09:08 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\ZVVVellOBz0cAiv
    [2012/08/21 00:30:00 | 000,000,528 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask-Delay.job
    [2012/08/22 12:46:18 | 000,000,528 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    [2011/11/23 14:59:18 | 000,032,574 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2012/09/03 18:20:33 | 000,000,466 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job

    ========== Purity Check ==========



    < End of report >
  10. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    OTL Extras logfile created on: 9/3/2012 9:07:47 PM - Run 1
    OTL by OldTimer - Version 3.2.60.0 Folder = C:\Users\Vivek\Desktop
    64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.90 Gb Total Physical Memory | 2.25 Gb Available Physical Memory | 57.84% Memory free
    7.80 Gb Paging File | 5.83 Gb Available in Paging File | 74.83% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 287.15 Gb Total Space | 141.20 Gb Free Space | 49.17% Space Free | Partition Type: NTFS
    Drive Q: | 9.77 Gb Total Space | 2.26 Gb Free Space | 23.12% Space Free | Partition Type: NTFS

    Computer Name: VIVEKW500 | User Name: Vivek | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{08074BA9-2E7C-4176-86B4-326A0021D430}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{0F7AD5E4-CE7E-4AC9-B13F-376B7C51FCA0}" = rport=137 | protocol=17 | dir=out | app=system |
    "{117F5DDB-0DF5-46CD-9E44-BA48F4BF3A1C}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{26F38EE8-19D6-4AED-ACE4-5D7EDD4CB40C}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{2ECB6543-C6B1-434E-A65E-FEE2AC790381}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{32022E70-4EEB-4CA2-99C7-26401AD16D21}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{38F87FCF-49F7-4BEA-A2E9-597A248FFC8F}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{47832AE4-DED9-48A1-A2EA-8BD955BC6B44}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{51080EB1-5466-4537-ABED-B7A25A7619F9}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
    "{5D6FC808-0B6D-4B6C-AC7D-AA93E764FDC2}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{5F0E7A92-FAEF-43BB-A5F9-62E943B49CF1}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{5FC1E77F-4095-4046-847A-823569BA18C8}" = lport=138 | protocol=17 | dir=in | app=system |
    "{61038349-EF47-4F42-9169-7B6276F07D73}" = rport=138 | protocol=17 | dir=out | app=system |
    "{6D4D3565-4E81-4C81-993A-1CFA878ADA9B}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6F98F4ED-7084-4F5F-9CE0-2A11A595ECE5}" = lport=445 | protocol=6 | dir=in | app=system |
    "{8492E43D-24E1-49CB-96C6-6BB792ED7E1A}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{867E97A4-F857-4BE3-AC5D-2B3E5F6C909F}" = lport=137 | protocol=17 | dir=in | app=system |
    "{8AA200E1-3030-430B-A651-D1425BBF05CD}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{97B33A1D-97E5-427D-B4E5-B6BF3536A4F1}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{9C4AAE41-26FA-481C-8418-F69AC30831AC}" = rport=139 | protocol=6 | dir=out | app=system |
    "{ADF0CB34-D8CB-4D50-9454-AAA1F77D42DC}" = rport=445 | protocol=6 | dir=out | app=system |
    "{B5B9C128-3794-4F8E-94BB-4B212180EE1A}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{B61EB61D-105E-4499-A36A-2502936154DA}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\outlook.exe |
    "{D3065EF8-DAB1-4711-AFA4-A2054079E03D}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{E9864670-1028-4561-8564-6AB87616B6C3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{FA4333F3-B61C-48B3-9724-A935087DE1FC}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{00500156-D747-47AD-9B9B-D377CDB790AF}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
    "{09702EDD-7731-4DEA-9CF0-8FF91DA044F8}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
    "{09F52759-2BD9-4ACF-9176-B6B3B1D0BB54}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
    "{1016A785-3129-40D2-B58F-FC253E44C3DD}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{11534DD7-202E-45AF-B5DA-E216164461AA}" = protocol=6 | dir=out | app=system |
    "{3238F919-A906-439C-9CF3-3010085F47BA}" = protocol=6 | dir=in | app=c:\program files\wolfram research\mathematica\8.0\mathematica.exe |
    "{3406EAA7-23C2-45D1-A716-98F500B83F97}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |
    "{3A535E57-BC72-4A1D-A2B5-26BFDABBBBD1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{453D13EB-4447-458B-9C8E-C0DAE47D9067}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{45EE46A0-E7BF-4FBD-9C76-F9B3D0604196}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{4691BF43-EB80-4780-A7EF-DEA4EABAE93C}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{49F5EA67-A4FA-4B39-BCB4-CEE4C3E9ADB6}" = protocol=6 | dir=in | app=c:\users\vivek\appdata\roaming\dropbox\bin\dropbox.exe |
    "{5E177F8C-ACC8-431A-A9E2-6E04F536245C}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
    "{62389BFE-EE52-43F1-8A56-8B08CEC6681D}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{635DE577-7628-4C19-8689-E43CF05ECAF8}" = dir=in | app=c:\program files (x86)\windows live\sync\windowslivesync.exe |
    "{679019B8-B040-477D-975A-869B23D6FEE5}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{67E60BAD-18DD-4FA0-8B28-91C8E38F2E5F}" = protocol=6 | dir=in | app=c:\program files\wolfram research\mathematica\8.0\mathkernel.exe |
    "{67F5A1D2-FCF4-47A5-AC2C-A7A1801C6E25}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
    "{6C8C669A-E4F7-4F77-A27B-4EC90EBFC384}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{6FD5C71D-44CB-4CA6-BF08-193677419BA1}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{7D3B986D-E80B-4FE9-8EFF-E9551E9A81DB}" = protocol=17 | dir=in | app=c:\program files\wolfram research\mathematica\8.0\math.exe |
    "{802B8561-E51C-48B5-9427-5EA23ADD4041}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{850D1779-4618-4277-B4FE-7ADC114C7BF0}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
    "{8BE4619B-349D-4E2D-89F6-BDD08ECA675A}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
    "{981BAA54-83F9-4C8C-9B35-FDA3227F6823}" = protocol=17 | dir=in | app=c:\program files\wolfram research\mathematica\8.0\mathkernel.exe |
    "{9AD2116A-93CB-4DDF-A305-BF235FB3A4CB}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{9AE2521C-AAE6-4911-8F73-94E3C526EE25}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
    "{9D45AFEC-C0EE-4615-A10B-39DACF7F97CA}" = protocol=17 | dir=in | app=c:\users\vivek\appdata\roaming\dropbox\bin\dropbox.exe |
    "{A1E386BE-85EC-4F69-9792-F2ED93BBA152}" = dir=in | app=c:\program files (x86)\pharossystems\core\ctskmstr.exe |
    "{A1E694ED-86D1-4531-AEE5-2BF7149901E7}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
    "{A398177F-92FA-4CEE-9FE8-7B0F20C344F6}" = protocol=17 | dir=in | app=c:\program files\wolfram research\mathematica\8.0\mathematica.exe |
    "{A6D49552-438E-4730-AD20-375FB4246A34}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{ADBC99C0-AF65-47AF-B8EB-572619B8AA73}" = dir=in | app=c:\program files (x86)\windows live\messenger\wlcsdk.exe |
    "{B5A30416-001D-4059-8DA2-8995891FEC53}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
    "{B9970800-D634-451F-B6B6-E469EFC0581B}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |
    "{BA924F25-EED0-4C31-992F-DE4E5B3BE9B3}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
    "{CC218B11-983B-4D74-87D5-1607092D6918}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
    "{CF83214A-03F1-44D1-B179-55B44C4D34C4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{DBE4B6C0-B8DE-4655-BCAF-CD6A586C1503}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{DF15C8AA-4AE2-448D-A3F4-600E1E8149E9}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{E1E2ABFC-0F3F-45EA-9632-E4DA8497DD80}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
    "{E674FB78-F08A-42EE-8CE3-3970217395C7}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{EB75927B-3C82-4CE0-ADBE-CFD7305F6F3F}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{EF62DC24-F6DE-42AD-9E0F-932D464B5FDA}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{F2258456-7D1E-4145-9EA4-B462823CFE49}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
    "{F3A55DE2-C5A5-416A-ADA1-24A68BF90E0A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{F8D95CE6-C1E1-4B14-AE00-6A068B962FC1}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
    "{FC4CE3F7-D6E4-436B-9C6C-9C763E1E68A3}" = protocol=6 | dir=in | app=c:\program files\wolfram research\mathematica\8.0\math.exe |
    "{FDB8656A-7B9F-457B-A16F-27BD4FA6AE57}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "TCP Query User{015E7EE3-D752-4502-A075-706626D8997B}C:\program files (x86)\starnet\x-win32 9.5\xwin32.exe" = protocol=6 | dir=in | app=c:\program files (x86)\starnet\x-win32 9.5\xwin32.exe |
    "TCP Query User{1333D804-866E-46FB-8676-8EE86CC898D8}C:\users\vivek\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\vivek\appdata\roaming\dropbox\bin\dropbox.exe |
    "TCP Query User{33CA2F5F-228B-40C3-9945-9EA5E60A4E8B}C:\program files (x86)\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\java.exe |
    "TCP Query User{3BECD16E-5E6B-4B96-9818-F8F3E3A67155}C:\program files (x86)\starnet\x-win32 9.5\xwin32.exe" = protocol=6 | dir=in | app=c:\program files (x86)\starnet\x-win32 9.5\xwin32.exe |
    "TCP Query User{3C892E47-C4BA-488C-836F-E8C2D6E6DC7C}C:\program files (x86)\starnet\x-win32 9.5\esd.exe" = protocol=6 | dir=in | app=c:\program files (x86)\starnet\x-win32 9.5\esd.exe |
    "TCP Query User{44AC0DA8-A425-4C2E-9D39-6D54715A27F7}C:\program files (x86)\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files (x86)\google\google earth\plugin\geplugin.exe |
    "TCP Query User{76BD17D8-FEC5-4181-A028-F4F3CC63A1C8}C:\users\vivek\appdata\local\google\chrome\application\chrome.exe" = protocol=6 | dir=in | app=c:\users\vivek\appdata\local\google\chrome\application\chrome.exe |
    "TCP Query User{77F78126-030A-4CF3-960A-333C38BE072B}C:\program files (x86)\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "TCP Query User{932A59A7-8A16-440B-8B32-89B0032C60DA}C:\program files (x86)\starnet\x-win32 9.5\esd.exe" = protocol=6 | dir=in | app=c:\program files (x86)\starnet\x-win32 9.5\esd.exe |
    "TCP Query User{B1C99B95-43A4-4353-BAA9-41EC5AA845C9}C:\program files (x86)\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "TCP Query User{B4DD23EE-AC78-4D03-A477-EBF9B3A5F89E}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
    "TCP Query User{F287082C-6E83-405A-ACCF-804F7A3B9297}C:\program files (x86)\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files (x86)\google\google earth\plugin\geplugin.exe |
    "TCP Query User{FE499CF9-5DBF-441E-BF89-040D8A9D2936}C:\program files (x86)\real\realplayer\realplay.exe" = protocol=6 | dir=in | app=c:\program files (x86)\real\realplayer\realplay.exe |
    "UDP Query User{0A46B08C-5071-4FC5-A4F9-F692F31A3686}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
    "UDP Query User{39BEE8A4-7AEF-44F7-9596-B2EA6248A214}C:\program files (x86)\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\java.exe |
    "UDP Query User{4ACFE3FC-9840-4317-9E60-CC4B607AA65A}C:\users\vivek\appdata\local\google\chrome\application\chrome.exe" = protocol=17 | dir=in | app=c:\users\vivek\appdata\local\google\chrome\application\chrome.exe |
    "UDP Query User{4CF9E697-2B83-4365-A3E8-43A30DD9536D}C:\program files (x86)\real\realplayer\realplay.exe" = protocol=17 | dir=in | app=c:\program files (x86)\real\realplayer\realplay.exe |
    "UDP Query User{4D6CB968-936C-47BD-B609-3FB5E863F743}C:\program files (x86)\starnet\x-win32 9.5\xwin32.exe" = protocol=17 | dir=in | app=c:\program files (x86)\starnet\x-win32 9.5\xwin32.exe |
    "UDP Query User{60166F03-2823-438C-BF77-5F674C0A5E75}C:\program files (x86)\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files (x86)\google\google earth\plugin\geplugin.exe |
    "UDP Query User{A43EB9A0-E6E8-41E2-8801-7A666379DAB5}C:\program files (x86)\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files (x86)\google\google earth\plugin\geplugin.exe |
    "UDP Query User{B0E8016D-785F-468F-A8F1-12DCF0C232B8}C:\program files (x86)\starnet\x-win32 9.5\esd.exe" = protocol=17 | dir=in | app=c:\program files (x86)\starnet\x-win32 9.5\esd.exe |
    "UDP Query User{B4C63634-7BCF-45CC-9B82-67E8D233F36C}C:\program files (x86)\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "UDP Query User{BE3BFF24-BDAE-474A-8936-F4330A79CC50}C:\program files (x86)\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "UDP Query User{D31E1742-46D5-49A5-86DD-802A0721E93B}C:\users\vivek\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\vivek\appdata\roaming\dropbox\bin\dropbox.exe |
    "UDP Query User{D64EE4F2-34DC-497A-953A-E3F7128B0935}C:\program files (x86)\starnet\x-win32 9.5\esd.exe" = protocol=17 | dir=in | app=c:\program files (x86)\starnet\x-win32 9.5\esd.exe |
    "UDP Query User{DDEE9D86-A085-46AE-AB28-2E92200AC320}C:\program files (x86)\starnet\x-win32 9.5\xwin32.exe" = protocol=17 | dir=in | app=c:\program files (x86)\starnet\x-win32 9.5\xwin32.exe |
  11. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{26A24AE4-039D-4CA4-87B4-2F86416016FF}" = Java(TM) 6 Update 16 (64-bit)
    "{2ED326C9-A4E6-4884-B3F0-9A6CFB0A1141}" = Lenovo Fingerprint Software
    "{31423F74-36B2-4d24-B10D-CD00BFB7C118}" = Intel® Turbo Memory
    "{377672F0-6B8A-467D-8DDC-79338BCCD531}" = 64 Bit HP CIO Components Installer
    "{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
    "{4723f199-fa64-4233-8e6e-9fccc95a18ef}" = Python 2.6.5 (64-bit)
    "{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    "{5E11C972-1E76-45FE-8F92-14E0D1140B1B}" = iTunes
    "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    "{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
    "{75104836-CAC7-444E-A39E-3F54151942F5}" = Apple Mobile Device Support
    "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    "{8338783A-0968-3B85-AFC7-BAAE0A63DC50}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
    "{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
    "{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
    "{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
    "{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
    "{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
    "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager and Intel® Turbo Memory
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9ACF3FDB-C8E6-444C-8C64-13A221F7BFFD}" = Microsoft SQL Server Native Client
    "{9E9D49A4-1DF4-4138-B7DB-5D87A893088E}" = ThinkPad Bluetooth with Enhanced Data Rate Software
    "{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}" = Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
    "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{B1BD0923-7351-EBCE-B478-33B2DCE45AC2}" = ATI Catalyst Install Manager
    "{B636C9B9-A3F2-4DCE-ADCC-72E095018385}" = Microsoft SQL Server VSS Writer
    "{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
    "{CCAFF072-4DDB-4846-963D-15F02A8E9472}" = Intel(R) PROSet/Wireless WiFi Software
    "{DB9C43F7-0B0F-4E43-9E6B-F945C71C469E}" = VD64Inst
    "{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
    "{EEA01EDB-02A0-43E6-9C32-253D165EC818}" = Slik Subversion 1.6.9 (x64)
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "{F7E3FCA4-30BC-11DD-1510-90DA60EC0410}" = ccc-utility64
    "112AA64E0C8CC704E307FE914F7DEC1C0035598E" = Windows Driver Package - Lenovo 1.55 (08/18/2009 1.55)
    "1FBDB507F002A372EB195A0ACF6E2A2F9D34689E" = Windows Driver Package - Ricoh Company (rismxdp) hdc (09/03/2009 6.10.01.05)
    "5F72B7FA1792CB768F6A46E18A9DAD0E1FE1C863" = Windows Driver Package - Ricoh Company (rimsptsk) hdc (09/03/2009 6.10.01.05)
    "8E6CE26AD682E6D46DCCDD39CD93277A2EAF2449" = Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (07/07/2009 8.1.2.56)
    "ATI Uninstaller" = ATI Uninstaller
    "A-WIN-Extras 8.0.1 2063897_is1" = Mathematica Extras 8.0 (2063897)
    "Bullzip PDF Printer_is1" = Bullzip PDF Printer 7.2.0.1304
    "CNXT_AUDIO_HDA" = Conexant 20561 SmartAudio HD
    "CNXT_MODEM_HDA_HSF" = ThinkPad Modem Adapter
    "D50474ACAF488895A3CE5D30373288EA6AD46EAA" = Windows Driver Package - Ricoh Company MMC Host Controller (09/03/2009 6.10.01.05)
    "E59560E2F5B162D40255FCD327ACA5E989D995D2" = Windows Driver Package - Ricoh (5U875UVC) Image (07/08/2009 1.27.500.0)
    "E7B58217635B8F723D4744A328A4B3237DB35FA9" = Windows Driver Package - Intel System (06/04/2009 1.0.0.0002)
    "EnablePS" = Registry Patch to Enable Maximum Power Saving on WiFi Adapters for Windows 7
    "GPL Ghostscript 8.64" = GPL Ghostscript 8.64
    "GSview 4.9" = GSview 4.9
    "HECI" = Intel(R) Management Engine Interface
    "LENOVO.SMIIF" = Lenovo System Interface Driver
    "Maple 15" = Maple 15
    "MESOL" = Intel® Active Management Technology
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "M-WIN-G 8.0.1 2063988_is1" = Wolfram Mathematica 8 for Students (M-WIN-G 8.0.1 2063988)
    "OnScreenDisplay" = On Screen Display
    "PC-Doctor for Windows" = Lenovo ThinkVantage Toolbox
    "Power Management Driver" = ThinkPad Power Management Driver
    "ProInst" = Intel PROSet Wireless
    "PROSet" = Intel(R) Network Connections Drivers
    "SynTPDeinstKey" = ThinkPad UltraNav Driver
    "ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
    "W7DevOR" = Registry Patch to arrange icons in Device and Printers folder of Windows 7
    "WinDjView" = WinDjView 2.0.1
    "WinRAR archiver" = WinRAR 4.01 (64-bit)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00C6F231-1B18-C448-323A-56D1A0DB9C46}" = Catalyst Control Center Graphics Full New
    "{026C3D27-9BE1-46BE-BEAE-6DE38A0F4FBE}" = RealNetworks - Microsoft Visual C++ 2005 Runtime
    "{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
    "{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
    "{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav Utility
    "{17FB7811-87DD-53C4-3A56-7F7F37DCD802}" = Catalyst Control Center Graphics Previews Vista
    "{192359F3-D455-0C89-3161-766008BD6D10}" = CCC Help French
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
    "{1F8DA253-3C27-4B01-A63A-BA3533120833}" = Microsoft Research AutoCollage Touch 2009
    "{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{25668C6A-4ECB-3842-B85F-6F663B4E3A38}" = Strawberry Perl
    "{25C64847-B900-48AD-A164-1B4F9B774650}" = System Update
    "{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 30
    "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
    "{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
    "{2AAB21C2-4CDA-4189-A0EC-5ED666113F84}" = McAfee Agent
    "{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    "{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
    "{3502E451-CBBA-4DD0-924D-BDD816761AA5}" = X-Win32 9.5
    "{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
    "{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
    "{446B2807-CF65-6D50-2BC8-141E235CD1CD}" = ccc-core-static
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
    "{50DC5136-21E8-48BC-97E5-1AD055F6B0B6}" = Create Recovery Media
    "{52CF142B-7B0E-41E7-98F5-B834122523E7}_is1" = Programmer's Notepad
    "{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Creator Business Edition
    "{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
    "{57257606-31DA-46A5-BD2F-5235955A7D41}" = Civilization III - Gold Edition
    "{57FA0525-01F9-4051-8DE9-CBF43CAC68D9}" = Catalyst Control Center - Branding
    "{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5U8xx Media Driver ver.3.64.02
    "{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
    "{73ED3EA3-F96F-D098-7EE4-146FBD30113E}" = PX Profile Update
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
    "{7C6DD158-A31F-5F0B-82A0-C28258CBB31F}" = CCC Help Japanese
    "{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
    "{82EB6CEA-749A-410F-8AD2-372A286BA3BE}" = Integrated Camera Driver Installer Package Ver.1.32.500.0
    "{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
    "{872D8B75-1B00-E5AD-22DD-DA74CA237C7C}" = CCC Help Chinese Standard
    "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
    "{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
    "{8E537894-A559-4D60-B3CB-F4485E3D24E3}" = ThinkVantage Access Connections
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-002A-0000-1000-0000000FF1CE}_PROHYBRIDR_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-002A-0409-1000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-002A-0409-1000-0000000FF1CE}_PROHYBRIDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0116-0409-1000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0116-0409-1000-0000000FF1CE}_PROHYBRIDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
    "{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
    "{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
    "{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
    "{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
    "{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
    "{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
    "{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
    "{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
    "{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002A-0409-1000-0000000FF1CE}_Office14.SingleImage_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
    "{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
    "{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
    "{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
    "{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
    "{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0116-0409-1000-0000000FF1CE}_Office14.SingleImage_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
    "{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
    "{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
    "{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{91B7B957-0F45-4BDC-85BA-08F80D49B9BC}" = Mobile Broadband Connect
    "{96334581-5554-3E5F-8BC9-924C3C3AC5BE}" = Google Talk Plugin
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A34D0CB7-38BC-2C6D-270E-84BF07DB7CCB}" = Catalyst Control Center Graphics Light
    "{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
    "{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.2
    "{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
    "{B05B22B8-72AE-4DC3-8D6F-FBC2233CAF41}" = Roxio Creator Business Edition
    "{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
    "{B334D9AE-1393-423E-97C0-3BDC3360E692}" = Sonic Icons for Lenovo
    "{B383F243-0ABC-4E56-AA30-923B8D85076E}" = Rescue and Recovery
    "{B4089055-D468-45A4-A6BA-5A138DD715FC}" = Bing Bar
    "{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
    "{B99D0112-5508-59BD-B80E-4049E907845C}" = CCC Help Chinese Traditional
    "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
    "{C64A877E-DF8D-4017-AA82-000A77C6D809}" = Verizon Wireless Mobile Broadband Self Activation
    "{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help
    "{CB5B4945-AA4C-5A32-D6EC-0365F6DC0C41}" = Catalyst Control Center Core Implementation
    "{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}" = McAfee VirusScan Enterprise
    "{D00A26B4-CFAD-373C-8A62-4408AA382451}" = CCC Help Dutch
    "{D4001570-E33E-5B45-7BB6-B0AD9E08788C}" = CCC Help German
    "{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
    "{D81486A1-2371-4059-AC70-1AB894AC96E6}" = AT&T Service Activation
    "{D984A74E-DFB9-B6A2-C863-732A551F8FB2}" = Catalyst Control Center Localization All
    "{DAA3DC12-2A82-0866-B3E1-8BCFF6EC5715}" = CCC Help Korean
    "{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}" = ThinkPad Power Manager
    "{E1EA855E-9187-4AFB-E7A9-FE655B48386B}" = CCC Help English
    "{E276D6EE-9FB5-8456-633A-603893C8F539}" = CCC Help Portuguese
    "{E2773E0C-BD2A-D110-F209-0C3E1118009E}" = CCC Help Spanish
    "{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
    "{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
    "{E77A53A2-4623-4635-AE7F-702152168EE5}" = Google Drive
    "{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
    "{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F1B03D1F-29B4-86D7-DCF5-8C2DCE13B05E}" = CCC Help Italian
    "{F570A3D8-BC0D-408E-BBE3-57E6DEEE5AAA}" = ROOT
    "{F65525AB-4B63-AC34-BE4A-08CA24FC1414}" = Catalyst Control Center Graphics Full Existing
    "{F67714D1-6842-EACA-C159-D25B947FA380}" = Catalyst Control Center InstallProxy
    "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
    "{F932659E-6B83-1BF6-C10D-5F722F33C175}" = CCC Help Swedish
    "{FD331A3B-F7A5-4C31-B8D4-DF413C85AF7A}" = Message Center Plus
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
    "C.a.R._is1" = C.a.R. Version 9.3
    "CCleaner" = CCleaner
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "File Shredder_is1" = File Shredder 2.0
    "Foxit Reader" = Foxit Reader
    "GeoGebra" = GeoGebra
    "Google Chrome Frame" = Google Chrome Frame
    "InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
    "IrfanView" = IrfanView (remove only)
    "Lenovo Welcome_is1" = Lenovo Welcome
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
    "Maple 15" = Maple 15
    "MatlabR14SP3" = MATLAB 7.1
    "Microsoft SQL Server 2005" = Microsoft SQL Server 2005
    "MiKTeX 2.8" = MiKTeX 2.8
    "MinGW" = MinGW 5.1.6
    "Mozilla Sunbird (0.9)" = Mozilla Sunbird (0.9)
    "MSYS-1.0_is1" = "Minimal SYStem 1.0.10"
    "Office14.SingleImage" = Microsoft Office Home and Student 2010
    "ParaView" = ParaView-3.8.1 a cross-platform, open-source visualization system
    "Pharos" = Pharos
    "PROHYBRIDR" = 2007 Microsoft Office system
    "PuTTY_is1" = PuTTY version 0.60
    "RealPlayer 15.0" = RealPlayer
    "SystemRequirementsLab" = System Requirements Lab
    "TUGZip_is1" = TUGZip 3.5
    "uTorrent" = µTorrent
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinMerge_is1" = WinMerge 2.12.4
    "WinPcapInst" = WinPcap 4.1.1
    "winscp3_is1" = WinSCP 4.2.5
    "xyscan_is1" = xyscan 3.3.0

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-816525379-3359804378-3665389369-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Dropbox" = Dropbox
    "Flux" = F.lux
    "Google Chrome" = Google Chrome
    "Move Media Player" = Move Media Player

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 9/3/2012 6:18:01 PM | Computer Name = VivekW500 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 63029693

    Error - 9/3/2012 6:18:01 PM | Computer Name = VivekW500 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 63029693

    Error - 9/3/2012 6:18:02 PM | Computer Name = VivekW500 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 9/3/2012 6:18:02 PM | Computer Name = VivekW500 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 63030754

    Error - 9/3/2012 6:18:02 PM | Computer Name = VivekW500 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 63030754

    Error - 9/3/2012 6:18:04 PM | Computer Name = VivekW500 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 9/3/2012 6:18:04 PM | Computer Name = VivekW500 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 63031846

    Error - 9/3/2012 6:18:04 PM | Computer Name = VivekW500 | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 63031846

    Error - 9/3/2012 6:22:40 PM | Computer Name = VivekW500 | Source = matlabserver | ID = 0
    Description =

    Error - 9/3/2012 6:23:43 PM | Computer Name = VivekW500 | Source = matlabserver | ID = 0
    Description =

    [ Lenovo-Message Center Plus/Admin Events ]
    Error - 11/6/2010 2:50:16 PM | Computer Name = VivekW500 | Source = Lenovo-Message Center Plus/Admin | ID = 4
    Description = The file C:\ProgramData\Lenovo\MessageCenterPlus\ServerRepository\temp\TOC.cab
    does not have a Lenovo Digital Signature. The file will be deleted

    Error - 12/20/2011 9:09:30 PM | Computer Name = VivekW500 | Source = Lenovo-Message Center Plus/Admin | ID = 4
    Description = The file size of the downloaded file /TOC.cab is not the same as the
    file size of the file on the server

    Error - 12/20/2011 9:09:30 PM | Computer Name = VivekW500 | Source = Lenovo-Message Center Plus/Admin | ID = 4
    Description = The file C:\ProgramData\Lenovo\MessageCenterPlus\ServerRepository\temp\loginerror.php
    does not have a Lenovo Digital Signature. The file will be deleted

    Error - 12/24/2011 12:26:00 AM | Computer Name = VivekW500 | Source = Lenovo-Message Center Plus/Admin | ID = 4
    Description = The file size of the downloaded file /TOC.cab is not the same as the
    file size of the file on the server

    Error - 12/24/2011 12:26:01 AM | Computer Name = VivekW500 | Source = Lenovo-Message Center Plus/Admin | ID = 4
    Description = The file C:\ProgramData\Lenovo\MessageCenterPlus\ServerRepository\temp\loginerror.php
    does not have a Lenovo Digital Signature. The file will be deleted

    Error - 3/8/2012 5:58:05 PM | Computer Name = VivekW500 | Source = Lenovo-Message Center Plus/Admin | ID = 4
    Description = The file C:\ProgramData\Lenovo\MessageCenterPlus\ServerRepository\temp\TOC.cab
    does not have a Lenovo Digital Signature. The file will be deleted

    Error - 3/8/2012 10:26:34 PM | Computer Name = VivekW500 | Source = Lenovo-Message Center Plus/Admin | ID = 4
    Description = The file C:\ProgramData\Lenovo\MessageCenterPlus\ServerRepository\temp\TOC.cab
    does not have a Lenovo Digital Signature. The file will be deleted

    Error - 3/9/2012 8:52:32 AM | Computer Name = VivekW500 | Source = Lenovo-Message Center Plus/Admin | ID = 2
    Description = Object reference not set to an instance of an object. -> Exception
    message: Object reference not set to an instance of an object.

    Error - 4/3/2012 10:47:19 AM | Computer Name = VivekW500 | Source = Lenovo-Message Center Plus/Admin | ID = 4
    Description = The file C:\ProgramData\Lenovo\MessageCenterPlus\ServerRepository\temp\index.html
    does not have a Lenovo Digital Signature. The file will be deleted

    [ OSession Events ]
    Error - 4/17/2012 10:46:48 PM | Computer Name = VivekW500 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
    Version: 12.0.6600.1000, Microsoft Office Version: 12.0.6612.1000. This session
    lasted 260838 seconds with 33780 seconds of active time. This session ended with
    a crash.

    [ System Events ]
    Error - 9/3/2012 6:20:32 PM | Computer Name = VivekW500 | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 6:18:56 PM on ?9/?3/?2012 was unexpected.

    Error - 9/3/2012 6:20:32 PM | Computer Name = VivekW500 | Source = amdkmdag | ID = 52236
    Description = CPLIB :: General - Invalid Parameter

    Error - 9/3/2012 6:20:32 PM | Computer Name = VivekW500 | Source = amdkmdag | ID = 43029
    Description = Display is not active

    Error - 9/3/2012 6:21:46 PM | Computer Name = VivekW500 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SBRE

    Error - 9/3/2012 6:22:40 PM | Computer Name = VivekW500 | Source = DCOM | ID = 10010
    Description =

    Error - 9/3/2012 6:23:43 PM | Computer Name = VivekW500 | Source = Service Control Manager | ID = 7034
    Description = The MATLAB Server service terminated unexpectedly. It has done this
    1 time(s).

    Error - 9/3/2012 7:02:21 PM | Computer Name = VivekW500 | Source = SCardSvr | ID = 615
    Description =

    Error - 9/3/2012 7:02:21 PM | Computer Name = VivekW500 | Source = SCardSvr | ID = 616
    Description =

    Error - 9/3/2012 8:58:24 PM | Computer Name = VivekW500 | Source = SCardSvr | ID = 615
    Description =

    Error - 9/3/2012 8:58:24 PM | Computer Name = VivekW500 | Source = SCardSvr | ID = 616
    Description =


    < End of report >
     
  12. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O3 - HKU\S-1-5-21-816525379-3359804378-3665389369-1003\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found. 
      O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2011/12/18 14:32:40 | 000,010,486 | -HS- | C] () -- C:\Users\Vivek\AppData\Local\774335p0e210t008t785a0hmt7c3
      [2011/11/17 19:38:44 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\3D3D9
      [2012/02/18 21:58:44 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\B403D
      [2011/11/13 20:40:19 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\d88ffR9hTXqj
      [2011/11/13 18:08:58 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\DeeelIIBrzNyxuS
      [2011/11/13 18:40:58 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\fpnG4aQH6W7E9Tq
      [2011/11/13 18:45:24 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\G1uvS2obFpGaJ
      [2011/11/13 18:45:22 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\gYXwkUVelBz
      [2011/11/13 18:09:00 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\kS2iDp4HsKf9TqY
      [2011/11/13 20:40:19 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\OdEK8gRZ9YwUeIt
      [2011/11/13 18:41:00 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\OYCwkIVrlNx0c
      [2011/11/13 18:09:07 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\PWJJJdEE8RZqhXk
      [2011/11/13 18:45:29 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\VjekIBrzOyA2b3n
      [2011/11/13 18:45:29 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\X5aQH6dWKfLgXjC
      [2011/11/13 18:45:18 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\yD2onF4pm5Q7E8R
      [2011/11/13 18:09:08 | 000,000,000 | ---D | M] -- C:\Users\Vivek\AppData\Roaming\ZVVVellOBz0cAiv
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.


    ===========================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  13. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-816525379-3359804378-3665389369-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    C:\Users\Vivek\AppData\Local\774335p0e210t008t785a0hmt7c3 moved successfully.
    C:\Users\Vivek\AppData\Roaming\3D3D9 folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\B403D folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\d88ffR9hTXqj folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\DeeelIIBrzNyxuS folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\fpnG4aQH6W7E9Tq folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\G1uvS2obFpGaJ folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\gYXwkUVelBz folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\kS2iDp4HsKf9TqY folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\OdEK8gRZ9YwUeIt folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\OYCwkIVrlNx0c folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\PWJJJdEE8RZqhXk folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\VjekIBrzOyA2b3n folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\X5aQH6dWKfLgXjC folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\yD2onF4pm5Q7E8R folder moved successfully.
    C:\Users\Vivek\AppData\Roaming\ZVVVellOBz0cAiv folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Vivek
    ->Temp folder emptied: 57030330 bytes
    ->Temporary Internet Files folder emptied: 22156717 bytes
    ->Java cache emptied: 1783873 bytes
    ->Google Chrome cache emptied: 25479269 bytes
    ->Flash cache emptied: 615 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 525792 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4990450 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 105060 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33237 bytes
    RecycleBin emptied: 1000408690 bytes

    Total Files Cleaned = 1,061.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Vivek
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Vivek
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.60.0 log created on 09032012_224505

    Files\Folders moved on Reboot...
    C:\Users\Vivek\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File move failed. C:\Windows\temp\Pharos\UpdaterLog.txt scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  14. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    Security Check:

    Results of screen317's Security Check version 0.99.50
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    McAfee VirusScan Enterprise
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    CCleaner
    Java(TM) 6 Update 30
    Java version out of Date!
    Adobe Flash Player 11.3.300.271 Flash Player out of Date!
    Adobe Reader 9 Adobe Reader out of Date!
    Google Chrome 21.0.1180.89
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    McAfee VirusScan Enterprise vstskmgr.exe
    McAfee VirusScan Enterprise mfeann.exe
    McAfee VirusScan Enterprise SHSTAT.EXE
    Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
  15. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    FSS Scan:

    Farbar Service Scanner Version: 06-08-2012
    Ran by Vivek (administrator) on 03-09-2012 at 22:56:46
    Running from "C:\Users\Vivek\Downloads"
    Microsoft Windows 7 Professional Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
  16. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    And here are the ESET Scan results. Please let me know what I should do next. Thanks again.

    C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe.virWin32/Toolbar.Zugo applicationcleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToOLbar32.dll.vira variant of Win32/Toolbar.Zugo applicationcleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vira variant of Win32/Toolbar.Zugo applicationcleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Users\Vivek\AppData\Roaming\Mozilla\Firefox\Profiles\o4wix96c.default\extensions\{d86f534e-67e7-40fd-bd94-2c9f2af9dbc9}\chrome.manifest.virWin32/TrojanDownloader.Tracur.F trojancleaned by deleting - quarantined
    C:\Users\Vivek\Downloads\registrybooster.exeWin32/RegistryBooster applicationcleaned by deleting - quarantined
  17. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Update Adobe Flash Player
    Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

    ==================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    =================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ======================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
  18. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    Thanks a lot for a info and your help. I'll go through your steps shortly. I had a naive question, however. If we clear all restore points, would I be able to reset my computer to the factory settings at some point in the future, if I want to wipe it clean? Sorry for being uninformed about this stuff.
     
  19. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    System restore is Windows function and it has nothing to do with restoring computer to factory settings.
    For the latter you use either recovery partition or disks provided by your computer manufacturer.
  20. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    Here's the final OTL log:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Vivek
    ->Temp folder emptied: 25845793 bytes
    ->Temporary Internet Files folder emptied: 9965148 bytes
    ->Java cache emptied: 1878 bytes
    ->Google Chrome cache emptied: 63357369 bytes
    ->Flash cache emptied: 492 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4781603 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50132 bytes
    RecycleBin emptied: 27155 bytes

    Total Files Cleaned = 99.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Vivek
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: Vivek
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.60.0 log created on 09042012_201707

    Files\Folders moved on Reboot...
    C:\Users\Vivek\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File move failed. C:\Windows\temp\Pharos\UpdaterLog.txt scheduled to be moved on reboot.
    File\Folder C:\Windows\temp\hsperfdata_VIVEKW500$\2204 not found!

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  21. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    Hello,

    I went through your list and will do the things you recommended. The symptoms of the infection have gone away (although my computer sometimes still does take a little while to get to webpages -- and things like Wikipedia need to be reloaded from time to time in order for my browser to access them). But, it seems like the problem is likely fixed! If you'd like, I can give you an update on how my computer is doing in a few days.

    Thank you very, very much for all your help.
  22. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Yeah, let me know in couple of days.

    What is your main browser which gives you issues from time to time?
  23. person15

    person15 Newcomer, in training Topic Starter Posts: 55

    Chrome is the main browser. But I don't want to raise any unnecessary alarms. I'll let you know in a couple of days (and will try out an Internet connection in a different location to see if the issue still happens there).
  24. Broni

    Broni Malware Annihilator Posts: 46,164   +251



Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.