TechSpot

Laptop won't boot

Solved
By chrisb39
Mar 2, 2013
  1. Hello,
    I'm working with a Gateway FX laptop 64 bit running Windows Vista Home Premium that won't boot up after an Avast update was installed. I've tried starting it in safe mode (by pressing F8), but safe mode is not an option (only Launch Startup Repair or Start Windows Normally). I think it has been having other issues for a while, which makes me question whether this behavior is due to malware.
    Thanks.
    Chris
     
  2. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  3. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    FRST.txt

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-02-2013
    Ran by SYSTEM at 02-03-2013 18:09:42
    Running from F:\BobComputerCleanup
    Windows Vista (TM) Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
    HKLM\...\Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [178712 2008-04-15] (Intel Corporation)
    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1220392 2008-01-17] (Synaptics, Inc.)
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16330272 2009-07-03] (NVIDIA Corporation)
    HKLM-x32\...\Run: [eRecoveryService] [x]
    HKLM-x32\...\Run: [NcpRsuGui] "C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe" -gui [850432 2008-12-02] ()
    HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" [x]
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
    HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-03-24] (Hewlett-Packard)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4297136 2012-10-30] (AVAST Software)
    HKU\Bob\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\Bob\...\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [206112 2008-10-24] (Macrovision Corporation)
    HKU\Bob\...\Run: [gStart] C:\Program Files (x86)\Garmin\Training Center\gStart.exe [1891416 2008-08-13] (GARMIN Corp.)
    HKU\Bob\...\Run: [Google Update] "C:\Users\Bob\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-02-01] (Google Inc.)
    HKU\Bob\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2008-06-11] (Google Inc.)
    HKU\Bob\...\Run: [HP Officejet Pro 8600 (NET)] "C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" -deviceID "CN282BR35W05KD:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1 [2676584 2011-09-09] (Hewlett-Packard Co.)
    HKU\Bob\...\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe [x]
    HKU\Bob\...\RunOnce: [Shockwave Updater] C:\Windows\SysWOW64\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; BTRS124294; GTB7.4; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.1.4322; .NET4.0C; InfoPath.3)" -"http://games.yahoo.com/game/wordsense-challenge-shockwave.html" [460216 2009-03-19] (Adobe Systems, Inc.)
    HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [339968 2009-04-10] (Microsoft Corporation)
    HKLM-x32\...\RunOnce: [aswAhAScr.dll] "C:\Program Files\AVAST Software\Avast\aswRegSvr.exe" "C:\Program Files\AVAST Software\Avast\AhAScr.dll" [140104 2012-10-30] (AVAST Software)
    HKLM-x32\...\RunOnce: [aswasOutExt.dll] "C:\Program Files\AVAST Software\Avast\aswRegSvr.exe" "C:\Program Files\AVAST Software\Avast\asOutExt.dll" [317264 2012-10-30] (AVAST Software)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    ==================== Services (Whitelisted) ===================

    2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-10-30] (AVAST Software)
    2 ETService; C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [24576 2008-06-11] ()
    2 FlipShare Service; "C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe" [460144 2011-05-06] ()
    2 FlipShareServer; "C:\Program Files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe" [1085440 2011-05-06] ()
    2 gupdate1c9c68ff59435cd; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [133104 2009-04-26] (Google Inc.)
    2 ncpclcfg; C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe [86016 2008-06-30] (NCP engineering GmbH)
    2 ncprwsnt; C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe [1078792 2008-12-16] (NCP Engineering GmbH)
    2 NcpSec; C:\Program Files (x86)\NCP\SecureClient\ncpsec.exe [32768 2008-10-06] ()
    2 rwsrsu; C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe [850432 2008-12-02] ()
    3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

    ==================== Drivers (Whitelisted) =====================

    2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [33472 2013-02-28] (AVAST Software)
    2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [80888 2013-02-28] (AVAST Software)
    1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [59216 2013-02-28] (AVAST Software)
    0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65408 2013-02-28] ()
    1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1025880 2013-02-28] (AVAST Software)
    1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [377992 2013-02-28] (AVAST Software)
    1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [68992 2013-02-28] (AVAST Software)
    0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [177672 2013-02-28] ()
    2 int15; C:\Windows\SysWow64\Drivers\int15.sys [15392 2008-06-11] (Acer, Inc.)
    3 ncpfilt; C:\Windows\System32\DRIVERS\ncplelhp.sys [143496 2008-11-10] (NCP Engineering GmbH)
    3 ncplelhp; C:\Windows\System32\Drivers\ncplelhp.sys [143496 2008-11-10] (NCP Engineering GmbH)
    3 O2MDRDR; C:\Windows\System32\DRIVERS\o2mdx64.sys [62040 2008-04-14] (O2Micro )
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 motccgp; C:\Windows\System32\DRIVERS\motccgp.sys [x]
    3 motccgpfl; C:\Windows\System32\DRIVERS\motccgpfl.sys [x]
    3 MotoSwitchService; C:\Windows\System32\DRIVERS\motswch.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [x]
    3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2013-03-02 18:09 - 2013-03-02 18:09 - 00000000 ___DC C:\FRST
    2013-03-02 15:25 - 2013-02-28 00:36 - 00177672 ____A C:\Windows\System32\Drivers\aswVmm.sys
    2013-03-02 15:25 - 2013-02-28 00:36 - 00065408 ____A C:\Windows\System32\Drivers\aswRvrt.sys
    2013-02-17 11:57 - 2013-02-17 11:58 - 11390192 ____A C:\Users\Bob\Downloads\WebUpdater_WindowsXPSP3andnewer__256 (1).exe
    2013-02-17 11:55 - 2013-02-17 11:56 - 11390192 ____A C:\Users\Bob\Downloads\WebUpdater_WindowsXPSP3andnewer__256.exe
    2013-02-13 06:22 - 2013-01-05 05:48 - 01489408 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-02-13 06:22 - 2013-01-05 05:48 - 01147392 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-02-13 06:22 - 2013-01-05 05:48 - 00108032 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2013-02-13 06:22 - 2013-01-05 05:46 - 00243712 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
    2013-02-13 06:22 - 2013-01-05 05:44 - 09331200 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-02-13 06:22 - 2013-01-05 05:44 - 01062912 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
    2013-02-13 06:22 - 2013-01-05 05:44 - 00743424 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-02-13 06:22 - 2013-01-05 05:44 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2013-02-13 06:22 - 2013-01-05 05:44 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
    2013-02-13 06:22 - 2013-01-05 05:43 - 01538560 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-02-13 06:22 - 2013-01-05 05:43 - 00056832 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
    2013-02-13 06:22 - 2013-01-05 05:43 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-02-13 06:22 - 2013-01-05 05:42 - 12509184 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-02-13 06:22 - 2013-01-05 05:42 - 02356736 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-02-13 06:22 - 2013-01-05 05:42 - 00459776 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
    2013-02-13 06:22 - 2013-01-05 05:42 - 00252416 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
    2013-02-13 06:22 - 2013-01-05 05:42 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-02-13 06:22 - 2013-01-05 05:42 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
    2013-02-13 06:22 - 2013-01-05 05:42 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
    2013-02-13 06:22 - 2013-01-05 05:42 - 00072192 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
    2013-02-13 06:22 - 2013-01-05 03:59 - 01212928 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2013-02-13 06:22 - 2013-01-05 03:59 - 00916480 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2013-02-13 06:22 - 2013-01-05 03:59 - 00105984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2013-02-13 06:22 - 2013-01-05 03:57 - 00479232 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
    2013-02-13 06:22 - 2013-01-05 03:57 - 00206848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
    2013-02-13 06:22 - 2013-01-05 03:55 - 06010368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2013-02-13 06:22 - 2013-01-05 03:55 - 00630272 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2013-02-13 06:22 - 2013-01-05 03:55 - 00611840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
    2013-02-13 06:22 - 2013-01-05 03:55 - 00067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2013-02-13 06:22 - 2013-01-05 03:55 - 00055296 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
    2013-02-13 06:22 - 2013-01-05 03:54 - 11111424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2013-02-13 06:22 - 2013-01-05 03:54 - 02004992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2013-02-13 06:22 - 2013-01-05 03:54 - 01469440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2013-02-13 06:22 - 2013-01-05 03:54 - 00184320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
    2013-02-13 06:22 - 2013-01-05 03:54 - 00164352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2013-02-13 06:22 - 2013-01-05 03:54 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
    2013-02-13 06:22 - 2013-01-05 03:54 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
    2013-02-13 06:22 - 2013-01-05 03:54 - 00055808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
    2013-02-13 06:22 - 2013-01-05 03:54 - 00043520 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
    2013-02-13 06:22 - 2013-01-05 03:54 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2013-02-13 06:22 - 2013-01-05 03:53 - 00387584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
    2013-02-13 06:22 - 2013-01-05 02:33 - 00162816 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-02-13 06:22 - 2013-01-05 02:33 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
    2013-02-13 06:22 - 2013-01-05 02:32 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-02-13 06:22 - 2013-01-05 02:32 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
    2013-02-13 06:22 - 2013-01-05 02:23 - 00385024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
    2013-02-13 06:22 - 2013-01-05 00:47 - 00133632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2013-02-13 06:22 - 2013-01-05 00:46 - 00174080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
    2013-02-13 06:22 - 2013-01-05 00:45 - 00013312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
    2013-02-13 06:22 - 2013-01-05 00:44 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2013-02-13 06:22 - 2013-01-04 21:37 - 04695400 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2013-02-13 06:22 - 2013-01-04 03:31 - 01423720 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2013-02-13 06:22 - 2013-01-03 17:59 - 02773504 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2013-02-13 06:22 - 2012-11-07 20:26 - 01570816 ____A (Microsoft Corporation) C:\Windows\System32\quartz.dll
    2013-02-13 06:22 - 2012-11-07 19:48 - 01314816 ____A (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
    2013-02-09 14:35 - 2013-02-28 00:36 - 00377992 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
    2013-02-09 14:35 - 2013-02-28 00:36 - 00068992 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
    2013-02-09 14:35 - 2013-02-28 00:36 - 00041664 ____A (AVAST Software) C:\Windows\avastSS.scr
    2013-02-09 14:35 - 2013-02-28 00:36 - 00033472 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
    2013-02-09 14:35 - 2013-02-09 14:35 - 00360190 ___AC C:\Users\Bob\AppData\Local\dd_vcredistMSI097E.txt
    2013-02-09 14:35 - 2013-02-09 14:35 - 00011350 ___AC C:\Users\Bob\AppData\Local\dd_vcredistUI097E.txt
    2013-02-09 14:35 - 2013-02-09 14:35 - 00001787 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    2013-02-09 14:35 - 2012-10-30 15:50 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
    2013-02-09 14:34 - 2013-02-09 14:34 - 00000000 ___DC C:\Program Files\AVAST Software
    2013-02-03 14:06 - 2013-02-04 17:35 - 00000000 ___DC C:\Program Files (x86)\WildTangent Games
    2013-02-03 14:06 - 2013-02-03 14:06 - 00002346 ____N C:\Users\Public\Desktop\WildTangent Games App - wildgames.lnk
    2013-02-03 14:06 - 2013-02-03 14:06 - 00000000 ___DC C:\Users\Bob\AppData\Roaming\WildTangent

    ==================== One Month Modified Files and Folders =======

    2013-03-02 17:10 - 2006-11-02 05:34 - 00000000 ____D C:\Windows\System32\spool
    2013-03-02 17:10 - 2006-11-02 05:34 - 00000000 ____D C:\Windows\System32\Msdtc
    2013-03-02 15:25 - 2009-04-29 06:53 - 00000000 ____A C:\Windows\SysWOW64\config.nt
    2013-03-02 15:25 - 2009-01-12 18:59 - 01089968 ____A C:\Windows\WindowsUpdate.log
    2013-03-02 15:25 - 2006-11-02 07:42 - 00032572 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2013-03-02 15:25 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-03-02 15:23 - 2009-01-12 19:09 - 00160716 ___AC C:\ProgramData\nvModes.001
    2013-03-02 15:22 - 2009-06-29 17:45 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-03-02 15:22 - 2009-01-12 19:12 - 00000000 ____A C:\Windows\System32\LogConfigTemp.xml
    2013-03-02 15:22 - 2009-01-12 19:09 - 00160716 ___AC C:\ProgramData\nvModes.dat
    2013-03-02 15:22 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2013-03-02 15:22 - 2006-11-02 07:22 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2013-03-02 15:06 - 2009-06-29 17:45 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-03-02 15:01 - 2012-03-02 13:36 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1843488475-1253667702-3664568970-1000UA.job
    2013-03-02 08:15 - 2012-03-30 14:30 - 00691568 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-03-02 08:15 - 2011-05-18 16:35 - 00071024 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-03-01 17:01 - 2012-03-02 13:36 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1843488475-1253667702-3664568970-1000Core.job
    2013-02-28 00:36 - 2013-03-02 15:25 - 00177672 ____A C:\Windows\System32\Drivers\aswVmm.sys
    2013-02-28 00:36 - 2013-03-02 15:25 - 00065408 ____A C:\Windows\System32\Drivers\aswRvrt.sys
    2013-02-28 00:36 - 2013-02-09 14:35 - 00377992 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
    2013-02-28 00:36 - 2013-02-09 14:35 - 00068992 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
    2013-02-28 00:36 - 2013-02-09 14:35 - 00041664 ____A (AVAST Software) C:\Windows\avastSS.scr
    2013-02-28 00:36 - 2013-02-09 14:35 - 00033472 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
    2013-02-28 00:36 - 2011-04-21 15:05 - 01025880 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
    2013-02-28 00:36 - 2009-04-29 06:53 - 00080888 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
    2013-02-28 00:36 - 2009-04-29 06:53 - 00059216 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
    2013-02-28 00:35 - 2011-01-21 16:09 - 00287840 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
    2013-02-25 17:05 - 2009-10-10 12:29 - 00000000 ___DC C:\Users\Bob\AppData\Roaming\Mozilla
    2013-02-25 17:04 - 2012-06-27 11:21 - 00002034 ____A C:\Users\Bob\Desktop\Google Chrome.lnk
    2013-02-17 11:58 - 2013-02-17 11:57 - 11390192 ____A C:\Users\Bob\Downloads\WebUpdater_WindowsXPSP3andnewer__256 (1).exe
    2013-02-17 11:56 - 2013-02-17 11:55 - 11390192 ____A C:\Users\Bob\Downloads\WebUpdater_WindowsXPSP3andnewer__256.exe
    2013-02-17 11:56 - 2011-04-28 07:54 - 00000000 ___DC C:\Program Files (x86)\Garmin
    2013-02-17 11:56 - 2009-03-20 11:52 - 00000000 ___DC C:\users\Bob
    2013-02-15 06:25 - 2008-06-11 12:54 - 00000000 ___DC C:\ProgramData\Adobe
    2013-02-14 06:34 - 2006-11-02 07:21 - 00389968 ____A C:\Windows\System32\FNTCACHE.DAT
    2013-02-13 19:03 - 2008-06-11 12:55 - 00000000 ___DC C:\ProgramData\Microsoft Help
    2013-02-13 18:58 - 2006-11-02 04:35 - 70004024 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2013-02-13 18:56 - 2006-11-02 04:46 - 00732678 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-02-13 18:05 - 2009-04-22 16:44 - 00001726 ___AH C:\Users\Bob\Documents\Default.rdp
    2013-02-09 14:35 - 2013-02-09 14:35 - 00360190 ___AC C:\Users\Bob\AppData\Local\dd_vcredistMSI097E.txt
    2013-02-09 14:35 - 2013-02-09 14:35 - 00011350 ___AC C:\Users\Bob\AppData\Local\dd_vcredistUI097E.txt
    2013-02-09 14:35 - 2013-02-09 14:35 - 00001787 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    2013-02-09 14:34 - 2013-02-09 14:34 - 00000000 ___DC C:\Program Files\AVAST Software
    2013-02-09 14:34 - 2010-06-08 18:00 - 00000000 ___DC C:\ProgramData\Alwil Software
    2013-02-09 14:30 - 2008-01-20 19:26 - 00177144 ____A C:\Windows\PFRO.log
    2013-02-04 17:35 - 2013-02-03 14:06 - 00000000 ___DC C:\Program Files (x86)\WildTangent Games
    2013-02-03 14:11 - 2008-06-11 12:49 - 00000000 ___DC C:\ProgramData\WildTangent
    2013-02-03 14:06 - 2013-02-03 14:06 - 00002346 ____N C:\Users\Public\Desktop\WildTangent Games App - wildgames.lnk
    2013-02-03 14:06 - 2013-02-03 14:06 - 00000000 ___DC C:\Users\Bob\AppData\Roaming\WildTangent
    2013-01-31 19:21 - 2013-01-24 18:17 - 00000000 ___DC C:\Users\Bob\AppData\Roaming\HpUpdate


    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys
    [2012-12-12 06:34] - [2012-08-21 03:50] - 0267648 ____A (Microsoft Corporation) 582F710097B46140F5A89A19A6573D4B


    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-03-02 10:07:02

    ==================== Memory info ===========================

    Percentage of memory in use: 10%
    Total physical RAM: 4090.09 MB
    Available physical RAM: 3645.68 MB
    Total Pagefile: 3957.99 MB
    Available Pagefile: 3743.54 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ==================== Partitions =============================

    1 Drive c: (OS) (Fixed) (Total:88.29 GB) (Free:21.87 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (DATA) (Fixed) (Total:88.02 GB) (Free:87.55 GB) NTFS
    4 Drive f: (USB DISK) (Removable) (Total:0.93 GB) (Free:0.88 GB) FAT
    5 Drive x: (PQSERVICE) (Fixed) (Total:10 GB) (Free:2.91 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 186 GB 1209 KB
    Disk 1 Online 952 MB 0 B

    Partitions of Disk 0:
    ===============

    ACTIVE - Mark the selected basic partition as active.
    ADD - Add a mirror to a simple volume.
    ASSIGN - Assign a drive letter or mount point to the selected volume.
    ATTRIBUTES - Manipulate volume attributes.
    AUTOMOUNT - Enable and disable automatic mounting of basic volumes.
    BREAK - Break a mirror set.
    CLEAN - Clear the configuration information, or all information, off the
    disk.
    CONVERT - Convert between different disk formats.
    CREATE - Create a volume or partition.
    DELETE - Delete an object.
    DETAIL - Provide details about an object.
    EXIT - Exit DiskPart.
    EXTEND - Extend a volume.
    FILESYSTEMS - Display current and supported file systems on the volume.
    FORMAT - Format the volume or partition.
    GPT - Assign attributes to the selected GPT partition.
    HELP - Display a list of commands.
    IMPORT - Import a disk group.
    INACTIVE - Mark the selected basic partition as inactive.
    LIST - Display a list of objects.
    ONLINE - Online a disk that is currently marked as offline.
    REM - Does nothing. This is used to comment scripts.
    REMOVE - Remove a drive letter or mount point assignment.
    REPAIR - Repair a RAID-5 volume with a failed member.
    RESCAN - Rescan the computer looking for disks and volumes.
    RETAIN - Place a retained partition under a simple volume.
    SELECT - Shift the focus to an object.
    SETID - Change the partition type.
    SHRINK - Reduce the size of the selected volume.

    ==================================================================================

    Partitions of Disk 1:
    ===============

    ACTIVE - Mark the selected basic partition as active.
    ADD - Add a mirror to a simple volume.
    ASSIGN - Assign a drive letter or mount point to the selected volume.
    ATTRIBUTES - Manipulate volume attributes.
    AUTOMOUNT - Enable and disable automatic mounting of basic volumes.
    BREAK - Break a mirror set.
    CLEAN - Clear the configuration information, or all information, off the
    disk.
    CONVERT - Convert between different disk formats.
    CREATE - Create a volume or partition.
    DELETE - Delete an object.
    DETAIL - Provide details about an object.
    EXIT - Exit DiskPart.
    EXTEND - Extend a volume.
    FILESYSTEMS - Display current and supported file systems on the volume.
    FORMAT - Format the volume or partition.
    GPT - Assign attributes to the selected GPT partition.
    HELP - Display a list of commands.
    IMPORT - Import a disk group.
    INACTIVE - Mark the selected basic partition as inactive.
    LIST - Display a list of objects.
    ONLINE - Online a disk that is currently marked as offline.
    REM - Does nothing. This is used to comment scripts.
    REMOVE - Remove a drive letter or mount point assignment.
    REPAIR - Repair a RAID-5 volume with a failed member.
    RESCAN - Rescan the computer looking for disks and volumes.
    RETAIN - Place a retained partition under a simple volume.
    SELECT - Shift the focus to an object.
    SETID - Change the partition type.
    SHRINK - Reduce the size of the selected volume.

    ==================================================================================

    Last Boot: 2013-03-02 07:49

    ==================== End Of Log =============================
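    The FRST.txt above is read by eye in the next reply. As an added example that is not part of this thread and not FRST's own code, the Python script below parses the line format FRST uses for Registry Run entries and for Services/Drivers (name, command, size, date, publisher, or the `[x]` marker FRST prints when it cannot find the referenced file) and applies a few triage heuristics a reviewer would apply first: entries whose file is missing, entries with an empty name, files with no embedded publisher, and files living under user-writable paths. The sample input is a handful of lines copied from the log above; the rule names and the path heuristic are my own assumptions, not FRST conventions.

```python
"""Parse FRST-style Run/Service/Driver lines and apply simple triage rules (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: lines copied from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1584184 2008-01-20] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" [x]
HKLM-x32\...\Run: [] [x]
HKU\Bob\...\Run: [Google Update] "C:\Users\Bob\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-02-01] (Google Inc.)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-10-30] (AVAST Software)
2 ETService; C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [24576 2008-06-11] ()
0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65408 2013-02-28] ()
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
"""

# "HKLM\...\Run: [Name] <command> ..." and "HKU\Bob\...\RunOnce: [Name] ..."
AUTORUN_RE = re.compile(
    r"^(?P<hive>HK[A-Za-z0-9-]+(?:\\[^\\]+)?)\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# "<start type> <service name>; <command> ..." (drivers use the same layout)
SERVICE_RE = re.compile(r"^(?P<start>\d) (?P<name>[^;]+); (?P<rest>.*)$")
# Trailing "[size date] (publisher)" or the "[x]" file-not-found marker.
TAIL_RE = re.compile(
    r"^(?P<cmd>.*?)\s*(?:(?P<missing>\[x\])|\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<publisher>[^)]*)\))$")
# A quoted path, or the first token that ends in a binary extension.
PATH_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|sys|scr|cpl))(?=\s|$)', re.IGNORECASE)
# Heuristic (assumption): locations an unprivileged user can normally write to.
USER_WRITABLE_RE = re.compile(r"\\(?:users|appdata|temp|programdata)\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                  # "autorun" or "service"
    name: str
    command: str
    path: Optional[str]
    present: bool              # False when FRST printed [x]
    size: Optional[int]
    date: Optional[str]
    publisher: Optional[str]   # "" when FRST printed an empty "()"
    start: Optional[int] = None


def _extract_path(cmd: str) -> Optional[str]:
    m = PATH_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else None


def _parse_tail(rest: str) -> Optional[Tuple[str, bool, Optional[int], Optional[str], Optional[str]]]:
    m = TAIL_RE.match(rest)
    if not m:
        return None
    present = m.group("missing") is None
    return (m.group("cmd"), present,
            int(m.group("size")) if present else None,
            m.group("date") if present else None,
            m.group("publisher") if present else None)


def parse_frst(text: str) -> List[Entry]:
    """Turn the Registry/Services/Drivers lines of an FRST log into Entry records."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, start = "autorun", None
        m = AUTORUN_RE.match(line)
        if not m:
            m = SERVICE_RE.match(line)
            if not m:
                continue  # section headers and file listings are not handled here
            kind, start = "service", int(m.group("start"))
        tail = _parse_tail(m.group("rest"))
        if tail is None:
            continue
        cmd, present, size, date, publisher = tail
        entries.append(Entry(kind, m.group("name"), cmd, _extract_path(cmd),
                             present, size, date, publisher, start))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {entry name: [flags]} for entries that deserve a closer look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        flags = []
        if e.name == "":
            flags.append("empty_name")          # autostart value with no name at all
        if not e.present:
            flags.append("missing")             # orphaned entry: file no longer exists
        elif e.publisher == "":
            flags.append("no_publisher")        # binary carries no company name
        if e.path and USER_WRITABLE_RE.search(e.path):
            flags.append("user_writable_path")  # autostart from a user-writable folder
        if flags:
            findings[e.name] = flags
    return findings


if __name__ == "__main__":
    for name, flags in triage(parse_frst(SAMPLE_LOG)).items():
        print(f"{name or '<no name>'}: {', '.join(flags)}")
```

    Run as-is it flags the two `[x]` orphans, the nameless Run value, Google Update (a legitimate updater that happens to live under the user's AppData), and the two binaries FRST printed with an empty publisher, one of which is an avast driver. That last hit is the point of the exercise: the flags narrow the list, but each hit still has to be cross-referenced against the install history elsewhere in the log, which is exactly what the reviewer does before declaring the log clean.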
     
  4. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    There is nothing malicious there but let's see if we can fix boot problem.

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
    See if you can boot normally.
     


  5. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    Laptop boots normally now.

    Fixlog.txt follows

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-02-2013
    Ran by SYSTEM at 2013-03-02 18:25:47 Run:1
    Running from F:\BobComputerCleanup

    ==============================================

    DEFAULT hive was successfully copied to System32\config\HiveBackup
    DEFAULT hive was successfully restored from registry back up.
    SAM hive was successfully copied to System32\config\HiveBackup
    SAM hive was successfully restored from registry back up.
    SECURITY hive was successfully copied to System32\config\HiveBackup
    SECURITY hive was successfully restored from registry back up.
    SOFTWARE hive was successfully copied to System32\config\HiveBackup
    SOFTWARE hive was successfully restored from registry back up.
    SYSTEM hive was successfully copied to System32\config\HiveBackup
    SYSTEM hive was successfully restored from registry back up.

    ==== End of Fixlog ====
     
  6. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Very good :)

    If you wish to run some more checks...

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  7. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    Thank you! I would like to make sure no malware is present.

    MBAM log:
    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.03.03.01

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 8.0.6001.19400
    Bob :: FXLAPTOP [administrator]

    3/2/2013 6:52:17 PM
    mbam-log-2013-03-02 (18-52-17).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 212241
    Time elapsed: 4 minute(s), 24 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 5
    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0B4A07CF-45EB-4B10-B6BB-35568A2F89BE} (Adware.DealCabby) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0B4A07CF-45EB-4B10-B6BB-35568A2F89BE} (Adware.DealCabby) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    DDS.txt
    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 8.0.6001.19400 BrowserJavaVersion: 1.6.0_39
    Run by Bob at 18:59:35 on 2013-03-02
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4090.2611 [GMT -7:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
    C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
    C:\Program Files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
    C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
    C:\Program Files (x86)\NCP\SecureClient\ncpsec.exe
    C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
    C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio64.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files (x86)\Garmin\Training Center\gStart.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe
    C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\WUDFHost.exe
    \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-7811FX
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-7811FX
    mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-7811FX
    mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-7811FX
    mWinlogon: Userinit = userinit.exe,
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    uRun: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    uRun: [gStart] C:\Program Files (x86)\Garmin\Training Center\gStart.exe
    uRun: [Google Update] "C:\Users\Bob\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    uRun: [HP Officejet Pro 8600 (NET)] "C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" -deviceID "CN282BR35W05KD:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1
    uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    uRunOnce: [Shockwave Updater] C:\Windows\SysWOW64\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; BTRS124294; GTB7.4; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.1.4322; .NET4.0C; InfoPath.3)" -"http://games.yahoo.com/game/wordsense-challenge-shockwave.html"
    mRun: [eRecoveryService] <no file>
    mRunOnce: [Malwarebytes Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files (x86)\PokerStars.NET\PokerStarsUpdate.exe
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.4.0/GarminAxControl_32.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{7BE2F466-7B19-4D62-8C1E-D0BEA57514E3} : DHCPNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
    TCP: Interfaces\{C9B6A1B4-5E29-4103-BB55-13C479A15456} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{F0A54FA5-DC49-4CC3-B97A-97BCC839D415} : DHCPNameServer = 10.22.60.11 10.22.60.12
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    AppInit_DLLs= c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    x64-mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-7811FX
    x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg64.dll
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
    x64-Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"
    x64-Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
    x64-mPolicies-Explorer: NoActiveDesktop = dword:1
    x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    x64-mPolicies-System: EnableUIADesktopToggle = dword:0
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\17ts3mnb.default\
    FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=110803&tt=4712_1&babsrc=HP_ss&mntrId=8c7a6a4200000000000002004e435049
    FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll
    FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: C:\Users\Bob\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: C:\Users\Bob\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: C:\Users\Bob\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.claro.tlbrSrchUrl -
    FF - user.js: extensions.claro.id - 8c7a6a4200000000000002004e435049
    FF - user.js: extensions.claro.appId - {C3110516-8EFC-49D6-8B72-69354F332062}
    FF - user.js: extensions.claro.instlDay - 15658
    FF - user.js: extensions.claro.vrsn - 1.8.3.10
    FF - user.js: extensions.claro.vrsni - 1.8.3.10
    FF - user.js: extensions.claro_i.vrsnTs - 1.8.3.1018:02:26
    FF - user.js: extensions.claro.prtnrId - claro
    FF - user.js: extensions.claro.prdct - claro
    FF - user.js: extensions.claro.aflt - babsst
    FF - user.js: extensions.claro_i.smplGrp - none
    FF - user.js: extensions.claro.tlbrId - claro
    FF - user.js: extensions.claro.instlRef - sst
    FF - user.js: extensions.claro.dfltLng - en
    FF - user.js: extensions.claro.excTlbr - false
    FF - user.js: extensions.claro.admin - false
    FF - user.js: extensions.autoDisableScopes - 14
    FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=8c7a6a4200000000000002004e435049&q=
    FF - user.js: extensions.BabylonToolbar.id - 8c7a6a4200000000000002004e435049
    FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
    FF - user.js: extensions.BabylonToolbar.instlDay - 15669
    FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.3.8
    FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.3.8
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.3.813:23:58
    FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar.tlbrId - irhnew
    FF - user.js: extensions.BabylonToolbar.instlRef - sst
    FF - user.js: extensions.BabylonToolbar.dfltLng - en
    FF - user.js: extensions.BabylonToolbar.excTlbr - false
    FF - user.js: extensions.BabylonToolbar.admin - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-10-16 55856]
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-4-21 1025880]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-2-9 377992]
    R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-2-9 33472]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2009-4-29 80888]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-2-9 45248]
    R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2009-1-12 24576]
    R2 FlipShareServer;FlipShare Server;C:\Program Files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe [2011-5-6 1085440]
    R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
    R2 ncpclcfg;ncpclcfg;C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe [2009-4-22 86016]
    R2 ncprwsnt;ncprwsnt;C:\Program Files (x86)\NCP\SecureClient\NCPRWSNT.EXE [2009-4-22 1078792]
    R2 NcpSec;NcpSec;C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE [2009-4-22 32768]
    R2 rwsrsu;RwsRsu;C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe [2009-4-22 850432]
    R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2008-6-11 294400]
    R3 ncplelhp;NCP Secure Client NDIS6 Driver;C:\Windows\System32\drivers\ncplelhp.sys [2009-4-22 143496]
    R3 NETw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw5v64.sys [2008-11-17 4751360]
    R3 O2MDRDR;O2MDRDR;C:\Windows\System32\drivers\o2mdx64.sys [2008-4-14 62040]
    R3 O2SDRDR;O2SDRDR;C:\Windows\System32\drivers\o2sdx64.sys [2008-4-7 51928]
    R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2008-6-11 392192]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate1c9c68ff59435cd;Google Update Service (gupdate1c9c68ff59435cd);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-4-26 133104]
    S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    S3 ncpfilt;NCP Filter;C:\Windows\System32\drivers\ncplelhp.sys [2009-4-22 143496]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-18 89920]
    .
    =============== File Associations ===============
    .
    FileExt: .js: JSFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    2013-03-03 01:48:02  477616  ----a-w-  C:\Windows\SysWow64\npdeployJava1.dll
    2013-03-03 01:48:02  473520  ----a-w-  C:\Windows\SysWow64\deployJava1.dll
    2013-03-03 01:48:02  158128  ----a-w-  C:\Windows\SysWow64\javaws.exe
    2013-03-03 01:48:02  149936  ----a-w-  C:\Windows\SysWow64\javaw.exe
    2013-03-03 01:48:02  149936  ----a-w-  C:\Windows\SysWow64\java.exe
    2013-03-02 16:15:24  691568  ----a-w-  C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-03-02 16:15:23  71024  ----a-w-  C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-28 08:36:34  68992  ----a-w-  C:\Windows\System32\drivers\aswTdi.sys
    2013-02-28 08:36:34  177672  ----a-w-  C:\Windows\System32\drivers\aswVmm.sys
    2013-02-28 08:36:33  65408  ----a-w-  C:\Windows\System32\drivers\aswRvrt.sys
    2013-02-28 08:36:33  377992  ----a-w-  C:\Windows\System32\drivers\aswSP.sys
    2013-02-28 08:36:33  1025880  ----a-w-  C:\Windows\System32\drivers\aswSnx.sys
    2013-02-28 08:36:32  80888  ----a-w-  C:\Windows\System32\drivers\aswMonFlt.sys
    2013-02-28 08:36:32  59216  ----a-w-  C:\Windows\System32\drivers\aswRdr.sys
    2013-02-28 08:36:31  33472  ----a-w-  C:\Windows\System32\drivers\aswFsBlk.sys
    2013-02-28 08:36:07  41664  ----a-w-  C:\Windows\avastSS.scr
    2013-02-28 08:35:43  287840  ----a-w-  C:\Windows\System32\aswBoot.exe
    2013-02-14 02:58:27  70004024  ----a-w-  C:\Windows\System32\mrt.exe
    2013-01-17 08:28:58  273840  ------w-  C:\Windows\System32\MpSigStub.exe
    2013-01-05 13:48:44  1147392  ----a-w-  C:\Windows\System32\wininet.dll
    2013-01-05 13:48:27  1489408  ----a-w-  C:\Windows\System32\urlmon.dll
    2013-01-05 13:48:27  108032  ----a-w-  C:\Windows\System32\url.dll
    2013-01-05 13:46:30  243712  ----a-w-  C:\Windows\System32\occache.dll
    2013-01-05 13:44:42  1062912  ----a-w-  C:\Windows\System32\mstime.dll
    2013-01-05 13:44:20  98304  ----a-w-  C:\Windows\System32\mshtmled.dll
    2013-01-05 13:44:20  9331200  ----a-w-  C:\Windows\System32\mshtml.dll
    2013-01-05 13:44:18  743424  ----a-w-  C:\Windows\System32\msfeeds.dll
    2013-01-05 13:44:18  71680  ----a-w-  C:\Windows\System32\msfeedsbs.dll
    2013-01-05 13:43:26  56832  ----a-w-  C:\Windows\System32\licmgr10.dll
    2013-01-05 13:43:11  31744  ----a-w-  C:\Windows\System32\jsproxy.dll
    2013-01-05 13:43:00  1538560  ----a-w-  C:\Windows\System32\inetcpl.cpl
    2013-01-05 13:42:28  219136  ----a-w-  C:\Windows\System32\ieui.dll
    2013-01-05 13:42:28  132096  ----a-w-  C:\Windows\System32\iesysprep.dll
    2013-01-05 13:42:27  77312  ----a-w-  C:\Windows\System32\iesetup.dll
    2013-01-05 13:42:27  2356736  ----a-w-  C:\Windows\System32\iertutil.dll
    2013-01-05 13:42:22  72192  ----a-w-  C:\Windows\System32\iernonce.dll
    2013-01-05 13:42:20  252416  ----a-w-  C:\Windows\System32\iepeers.dll
    2013-01-05 13:42:20  12509184  ----a-w-  C:\Windows\System32\ieframe.dll
    2013-01-05 13:42:11  459776  ----a-w-  C:\Windows\System32\iedkcs32.dll
    2013-01-05 11:59:52  916480  ----a-w-  C:\Windows\SysWow64\wininet.dll
    2013-01-05 11:59:33  1212928  ----a-w-  C:\Windows\SysWow64\urlmon.dll
    2013-01-05 11:59:32  105984  ----a-w-  C:\Windows\SysWow64\url.dll
    2013-01-05 11:57:59  479232  ----a-w-  C:\Windows\System32\html.iec
    2013-01-05 11:57:43  206848  ----a-w-  C:\Windows\SysWow64\occache.dll
    2013-01-05 11:55:52  611840  ----a-w-  C:\Windows\SysWow64\mstime.dll
    2013-01-05 11:55:25  67072  ----a-w-  C:\Windows\SysWow64\mshtmled.dll
    2013-01-05 11:55:25  6010368  ----a-w-  C:\Windows\SysWow64\mshtml.dll
    2013-01-05 11:55:21  630272  ----a-w-  C:\Windows\SysWow64\msfeeds.dll
    2013-01-05 11:55:21  55296  ----a-w-  C:\Windows\SysWow64\msfeedsbs.dll
    2013-01-05 11:54:47  43520  ----a-w-  C:\Windows\SysWow64\licmgr10.dll
    2013-01-05 11:54:34  25600  ----a-w-  C:\Windows\SysWow64\jsproxy.dll
    2013-01-05 11:54:23  1469440  ----a-w-  C:\Windows\SysWow64\inetcpl.cpl
    2013-01-05 11:54:07  164352  ----a-w-  C:\Windows\SysWow64\ieui.dll
    2013-01-05 11:54:07  109056  ----a-w-  C:\Windows\SysWow64\iesysprep.dll
    2013-01-05 11:54:06  71680  ----a-w-  C:\Windows\SysWow64\iesetup.dll
    2013-01-05 11:54:06  2004992  ----a-w-  C:\Windows\SysWow64\iertutil.dll
    2013-01-05 11:54:05  55808  ----a-w-  C:\Windows\SysWow64\iernonce.dll
    2013-01-05 11:54:05  184320  ----a-w-  C:\Windows\SysWow64\iepeers.dll
    2013-01-05 11:54:05  11111424  ----a-w-  C:\Windows\SysWow64\ieframe.dll
    2013-01-05 11:53:59  387584  ----a-w-  C:\Windows\SysWow64\iedkcs32.dll
    2013-01-05 10:33:42  162816  ----a-w-  C:\Windows\System32\ieUnatt.exe
    2013-01-05 10:33:29  70656  ----a-w-  C:\Windows\System32\ie4uinit.exe
    2013-01-05 10:32:20  12288  ----a-w-  C:\Windows\System32\msfeedssync.exe
    2013-01-05 10:32:00  1638912  ----a-w-  C:\Windows\System32\mshtml.tlb
    2013-01-05 10:23:06  385024  ----a-w-  C:\Windows\SysWow64\html.iec
    2013-01-05 08:47:17  133632  ----a-w-  C:\Windows\SysWow64\ieUnatt.exe
    2013-01-05 08:46:53  174080  ----a-w-  C:\Windows\SysWow64\ie4uinit.exe
    2013-01-05 08:45:43  13312  ----a-w-  C:\Windows\SysWow64\msfeedssync.exe
    2013-01-05 08:44:46  1638912  ----a-w-  C:\Windows\SysWow64\mshtml.tlb
    2013-01-05 05:37:50  4695400  ----a-w-  C:\Windows\System32\ntoskrnl.exe
    2013-01-04 11:31:10  1423720  ----a-w-  C:\Windows\System32\drivers\tcpip.sys
    2013-01-04 01:59:24  2773504  ----a-w-  C:\Windows\System32\win32k.sys
    2012-12-16 13:31:20  48128  ----a-w-  C:\Windows\System32\atmlib.dll
    2012-12-16 13:12:54  34304  ----a-w-  C:\Windows\SysWow64\atmlib.dll
    2012-12-16 11:08:21  368128  ----a-w-  C:\Windows\System32\atmfd.dll
    2012-12-16 10:50:29  293376  ----a-w-  C:\Windows\SysWow64\atmfd.dll
    2012-12-14 23:49:28  24176  ----a-w-  C:\Windows\System32\drivers\mbam.sys
    .
    ============= FINISH: 19:00:00.04 ===============


    Attach.txt
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/12/2009 8:03:19 PM
    System Uptime: 3/2/2013 6:33:53 PM (1 hours ago)
    .
    Motherboard: Gateway | |
    Processor: Intel(R) Core(TM)2 Duo CPU P8400 @ 2.26GHz | U2E1 | 2266/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 88 GiB total, 21.058 GiB free.
    D: is FIXED (NTFS) - 88 GiB total, 87.554 GiB free.
    E: is CDROM ()
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0001
    Manufacturer: Microsoft
    Name: Microsoft Tun Miniport Adapter #2
    PNP Device ID: ROOT\*TUNMP\0001
    Service: tunmp
    .
    ==== System Restore Points ===================
    .
    RP1318: 3/2/2013 11:06:45 AM - Scheduled Checkpoint
    RP1318: 3/2/2013 6:46:45 PM - Installed Java(TM) 6 Update 39
    .
    ==== Installed Programs ======================
    .
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.6)
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    avast! Free Antivirus
    BigFix
    Bonjour
    Camera Assistant Software for Gateway
    Catan - The Computer Game
    Compatibility Pack for the 2007 Office system
    Conexant HD Audio
    CyberLink Power2Go
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    DivX Version Checker
    ESET Online Scanner v3
    EverQuest II
    FlipShare
    Garmin Communicator Plugin
    Garmin Communicator Plugin x64
    Garmin Training Center
    Garmin USB Drivers
    Garmin WebUpdater
    Gateway Games
    Gateway Recovery Management
    Google Chrome
    Google Talk Plugin
    Google Toolbar for Internet Explorer
    Google Update Helper
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Officejet Pro 8600 Basic Device Software
    HP Officejet Pro 8600 Help
    HP Update
    I.R.I.S. OCR
    Intel® Matrix Storage Manager
    iSEEK AnswerWorks English Runtime
    Java Auto Updater
    Java(TM) 6 Update 39
    LabelPrint
    Malwarebytes Anti-Malware version 1.70.0.1100
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2698023)
    Microsoft .NET Framework 1.1 Security Update (KB2742597)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Age of Empires II
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office Office 64-bit Components 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared 64-bit MUI (English) 2010
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable (x64)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Works
    MotoHelper MergeModules
    Mozilla Firefox 12.0 (x86 en-US)
    Mozilla Maintenance Service
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NCP Secure Entry Client
    NVIDIA Drivers
    O2Micro Flash Memory Card Reader Driver (x64)
    Pando Media Booster
    Quicken 2012
    QuickTime
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
    Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
    Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
    Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
    Security Update for Microsoft Visio 2010 (KB2687508) 32-Bit Edition
    Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
    Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
    Star Sword
    Synaptics Pointing Device Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
    Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
    Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
    Update Installer for WildTangent Games App
    WildTangent Games App
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (04/19/2012 2.3.1.0)
    Windows Live Messenger
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/2/2013 6:36:12 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    2/28/2013 5:19:19 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    2/27/2013 9:21:06 AM, Error: EventLog [6008] - The previous system shutdown at 9:19:40 AM on 2/27/2013 was unexpected.
    2/26/2013 3:01:12 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user FXLaptop\Bob SID (S-1-5-21-1843488475-1253667702-3664568970-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    .
    ==== End Of File ===========================
     
  8. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
     
  9. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    RKreport(1)_S log
    RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
    Started in : Normal mode
    User : Bob [Admin rights]
    Mode : Scan -- Date : 03/02/2013 20:24:59
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 5 ¤¤¤
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [SCREENSV][SUSP PATH] HKCU\[...]\Desktop (C:\Windows\ANCIEN~1.SCR) [x] -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST9200420AS +++++
    --- User ---
    [MBR] 15a9845145431c7f77567f81a7d63749
    [BSP] b072f018ab581448ace19806bcd8e7bd : Acer MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10240 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20973568 | Size: 90410 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206133248 | Size: 90130 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1]_S_03022013_02d2024.txt >>
    RKreport[1]_S_03022013_02d2024.txt



    RKreport(2)_D log
    RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
    Started in : Normal mode
    User : Bob [Admin rights]
    Mode : Remove -- Date : 03/02/2013 20:26:24
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 5 ¤¤¤
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
    [HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [SCREENSV][SUSP PATH] HKCU\[...]\Desktop (C:\Windows\ANCIEN~1.SCR) [x] -> REPLACED (C:\Windows\system32\logon.scr)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST9200420AS +++++
    --- User ---
    [MBR] 15a9845145431c7f77567f81a7d63749
    [BSP] b072f018ab581448ace19806bcd8e7bd : Acer MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10240 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20973568 | Size: 90410 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206133248 | Size: 90130 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[2]_D_03022013_02d2026.txt >>
    RKreport[1]_S_03022013_02d2024.txt ; RKreport[2]_D_03022013_02d2026.txt


    mbar - log
    Malwarebytes Anti-Rootkit BETA 1.01.0.1021
    www.malwarebytes.org

    Database version: v2013.03.03.01

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 8.0.6001.19400
    Bob :: FXLAPTOP [administrator]

    3/2/2013 8:47:19 PM
    mbar-log-2013-03-02 (20-47-19).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 30092
    Time elapsed: 11 minute(s), 44 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  10. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    Part 2 of 3 (too long)

    system-log
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1021

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.0.6002 Windows Vista Service Pack 2 x64

    Account is Administrative

    Internet Explorer version: 8.0.6001.19400

    Java version: 1.6.0_39

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.261000 GHz
    Memory total: 4288634880, free: 2641416192

    ------------ Kernel report ------------
    03/02/2013 20:35:01
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\acpi.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\PxHlpa64.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\msrpc.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\ecache.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\system32\drivers\crcdisk.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\tunmp.sys
    \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    \SystemRoot\system32\DRIVERS\nvBridge.kmd
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\yk60x64.sys
    \SystemRoot\system32\DRIVERS\NETw5v64.sys
    \SystemRoot\system32\DRIVERS\ohci1394.sys
    \SystemRoot\system32\DRIVERS\1394BUS.SYS
    \SystemRoot\system32\DRIVERS\o2sdx64.sys
    \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
    \SystemRoot\system32\DRIVERS\o2mdx64.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\msiscsi.sys
    \SystemRoot\system32\DRIVERS\storport.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\ncplelhp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\serscan.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\CHDRT64.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\DRIVERS\CAXHWAZL.sys
    \SystemRoot\system32\DRIVERS\CAX_DPV.sys
    \SystemRoot\system32\DRIVERS\CAX_CNXT.sys
    \SystemRoot\system32\drivers\modem.sys
    \SystemRoot\system32\drivers\nvhda64v.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\UVCFTR_S.SYS
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\System32\Drivers\aswSnx.SYS
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\System32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\System32\Drivers\aswTdi.SYS
    \SystemRoot\system32\DRIVERS\smb.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\System32\Drivers\aswRdr.SYS
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\System32\Drivers\aswSP.SYS
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \??\C:\Windows\system32\drivers\aswMonFlt.sys
    \SystemRoot\System32\Drivers\aswFsBlk.SYS
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\drivers\spsys.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\drivers\mrxdav.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \??\C:\Windows\SysWOW64\drivers\int15_64.sys
    \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\DRIVERS\xaudio64.sys
    \SystemRoot\system32\DRIVERS\cdfs.sys
    \SystemRoot\system32\DRIVERS\WSDPrint.sys
    \SystemRoot\System32\Drivers\fastfat.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa80067d0790
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xfffffa8004beb050
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    Initialization returned 0x0
    Load Function returned 0x0
    Downloaded database version: v2013.03.03.01
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa80067d0790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80067d01a0, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa80067d0790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
    DevicePointer: 0xfffffa8004beb050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
    Upper DeviceData: 0xfffff88011847ce0, 0xfffffa80067d0790, 0xfffffa8006406790
    Lower DeviceData: 0xfffff880116acb90, 0xfffffa8004beb050, 0xfffffa800a380280
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: BFA4073F

    Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 20971520

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 20973568 Numsec = 185159680
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206133248 Numsec = 184586240

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 200049647616 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-390701968-390721968)...
    Done!
     
  11. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    I was unable to post the entire system-log file in several posts. I uploaded it instead. Hope that's ok.
     


     
  12. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  13. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    ComboFix.txt

    ComboFix 13-03-02.01 - Bob 03/02/2013 21:58:16.1.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4090.2360 [GMT -7:00]
    Running from: c:\users\Bob\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\FunWebProducts
    c:\program files (x86)\MyWebSearch
    c:\program files (x86)\MyWebSearch\bar\Settings\s_pid.dat
    c:\programdata\Herofy
    c:\programdata\Herofy\save.aps
    c:\users\Bob\AppData\Roaming\log.txt
    c:\users\Bob\g2mdlhlpx.exe
    c:\windows\SysWow64\URTTemp
    c:\windows\SysWow64\URTTemp\regtlib.exe
    c:\windows\wininit.ini
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_usnjsvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-02-03 to 2013-03-03 )))))))))))))))))))))))))))))))
    .
    .
    2013-03-03 02:09 . 2013-03-03 02:09  --------  dc----w-  C:\FRST
    2013-03-03 01:51 . 2013-03-03 01:51  --------  dc----w-  c:\users\Bob\AppData\Roaming\Malwarebytes
    2013-03-03 01:51 . 2013-03-03 01:51  --------  dc----w-  c:\programdata\Malwarebytes
    2013-03-03 01:51 . 2012-12-14 23:49  24176  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2013-03-03 01:51 . 2013-03-03 01:51  --------  dc----w-  c:\program files (x86)\Malwarebytes' Anti-Malware
    2013-03-02 23:25 . 2013-02-28 08:36  177672  ----a-w-  c:\windows\system32\drivers\aswVmm.sys
    2013-03-02 23:25 . 2013-02-28 08:36  65408  ----a-w-  c:\windows\system32\drivers\aswRvrt.sys
    2013-03-01 14:08 . 2013-02-08 00:28  9162192  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{B506F19E-434D-42DE-AA13-D4F0467198FD}\mpengine.dll
    2013-02-15 22:31 . 2013-02-15 22:31  186432  -c--a-w-  c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2013-02-09 22:35 . 2013-02-28 08:36  68992  ----a-w-  c:\windows\system32\drivers\aswTdi.sys
    2013-02-09 22:35 . 2013-02-28 08:36  377992  ----a-w-  c:\windows\system32\drivers\aswSP.sys
    2013-02-09 22:35 . 2013-02-28 08:36  33472  ----a-w-  c:\windows\system32\drivers\aswFsBlk.sys
    2013-02-09 22:35 . 2013-02-28 08:36  41664  ----a-w-  c:\windows\avastSS.scr
    2013-02-09 22:35 . 2012-10-30 23:50  227648  ----a-w-  c:\windows\SysWow64\aswBoot.exe
    2013-02-09 22:34 . 2013-02-09 22:34  --------  dc----w-  c:\program files\AVAST Software
    2013-02-03 22:06 . 2013-02-05 01:35  --------  dc----w-  c:\program files (x86)\WildTangent Games
    2013-02-03 22:06 . 2013-02-03 22:06  --------  dc----w-  c:\users\Bob\AppData\Roaming\WildTangent
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-03 01:48 . 2012-07-11 23:24  477616  ----a-w-  c:\windows\SysWow64\npdeployJava1.dll
    2013-03-03 01:48 . 2010-06-11 18:09  473520  ----a-w-  c:\windows\SysWow64\deployJava1.dll
    2013-03-02 16:15 . 2012-03-30 22:30  691568  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
    2013-03-02 16:15 . 2011-05-19 00:35  71024  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-28 08:36 . 2011-04-21 23:05  1025880  ----a-w-  c:\windows\system32\drivers\aswSnx.sys
    2013-02-28 08:36 . 2009-04-29 14:53  80888  ----a-w-  c:\windows\system32\drivers\aswMonFlt.sys
    2013-02-28 08:36 . 2009-04-29 14:53  59216  ----a-w-  c:\windows\system32\drivers\aswRdr.sys
    2013-02-28 08:35 . 2011-01-22 00:09  287840  ----a-w-  c:\windows\system32\aswBoot.exe
    2013-02-14 02:58 . 2006-11-02 12:35  70004024  ----a-w-  c:\windows\system32\mrt.exe
    2013-01-17 08:28 . 2009-10-03 18:12  273840  ------w-  c:\windows\system32\MpSigStub.exe
    2012-12-16 13:31 . 2012-12-22 04:41  48128  ----a-w-  c:\windows\system32\atmlib.dll
    2012-12-16 13:12 . 2012-12-22 04:41  34304  ----a-w-  c:\windows\SysWow64\atmlib.dll
    2012-12-16 11:08 . 2012-12-22 04:41  368128  ----a-w-  c:\windows\system32\atmfd.dll
    2012-12-16 10:50 . 2012-12-22 04:41  293376  ----a-w-  c:\windows\SysWow64\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "ISUSPM"="c:\program files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    "gStart"="c:\program files (x86)\Garmin\Training Center\gStart.exe" [2008-08-13 1891416]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-11 68856]
    "HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 2676584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "NcpRsuGui"="c:\program files (x86)\NCP\SecureClient\rwsrsu.exe" [2008-12-02 850432]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-02-28 4767304]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
    "205.144.147.4,255.255.255.255,192.168.1.1,1"=""
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-26 16:56]
    .
    2013-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-26 16:56]
    .
    2013-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1843488475-1253667702-3664568970-1000Core.job
    - c:\users\Bob\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-02 00:41]
    .
    2013-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1843488475-1253667702-3664568970-1000UA.job
    - c:\users\Bob\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-02 00:41]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2013-02-28 08:35  133840  -c--a-w-  c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1220392]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-03 16330272]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
    "205.144.147.4,255.255.255.255,192.168.1.1,1"=""
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-7811FX
    mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-7811FX
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local;192.168.*.*
    mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-7811FX
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.1.1
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.4.0/GarminAxControl_32.CAB
    DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
    FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\17ts3mnb.default\
    FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=110803&tt=4712_1&babsrc=HP_ss&mntrId=8c7a6a4200000000000002004e435049
    FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.claro.tlbrSrchUrl -
    FF - user.js: extensions.claro.id - 8c7a6a4200000000000002004e435049
    FF - user.js: extensions.claro.appId - {C3110516-8EFC-49D6-8B72-69354F332062}
    FF - user.js: extensions.claro.instlDay - 15658
    FF - user.js: extensions.claro.vrsn - 1.8.3.10
    FF - user.js: extensions.claro.vrsni - 1.8.3.10
    FF - user.js: extensions.claro_i.vrsnTs - 1.8.3.1018:02
    FF - user.js: extensions.claro.prtnrId - claro
    FF - user.js: extensions.claro.prdct - claro
    FF - user.js: extensions.claro.aflt - babsst
    FF - user.js: extensions.claro_i.smplGrp - none
    FF - user.js: extensions.claro.tlbrId - claro
    FF - user.js: extensions.claro.instlRef - sst
    FF - user.js: extensions.claro.dfltLng - en
    FF - user.js: extensions.claro.excTlbr - false
    FF - user.js: extensions.claro.admin - false
    FF - user.js: extensions.autoDisableScopes - 14
    FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=8c7a6a4200000000000002004e435049&q=
    FF - user.js: extensions.BabylonToolbar.id - 8c7a6a4200000000000002004e435049
    FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
    FF - user.js: extensions.BabylonToolbar.instlDay - 15669
    FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.3.8
    FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.3.8
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.3.813:23
    FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar.tlbrId - irhnew
    FF - user.js: extensions.BabylonToolbar.instlRef - sst
    FF - user.js: extensions.BabylonToolbar.dfltLng - en
    FF - user.js: extensions.BabylonToolbar.excTlbr - false
    FF - user.js: extensions.BabylonToolbar.admin - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
    Wow6432Node-HKLM-Run-eRecoveryService - (no file)
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    AddRemove-Adobe Flash Player ActiveX - c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\uninstaller.exe
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files (x86)\DivX\DivXCodecUninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Flip Video\FlipShare\FlipShareService.exe
    c:\program files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files (x86)\NCP\SecureClient\ncpclcfg.exe
    c:\program files (x86)\NCP\SecureClient\ncprwsnt.exe
    c:\program files (x86)\NCP\SecureClient\ncpsec.exe
    c:\program files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
    .
    **************************************************************************
    .
    Completion time: 2013-03-02 22:15:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-03-03 05:15
    .
    Pre-Run: 22,148,161,536 bytes free
    Post-Run: 23,951,507,456 bytes free
    .
    - - End Of File - - 7EE695EC95099FD7146C50D0AC51F2A2
     
  14. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Looks good.

    Any current issues?

    ==========================

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  15. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    Sorry I haven't mentioned this before. There are a couple of things I'm wondering about.

    I'm using Chrome for a browser. When I first open the browser, the page that is displayed looks like Google.com (set as home page), however what appears in the title is Babylon Search; the address bar displays searchDOTbabylonDOTcom/... (Google is set as search engine); and there's a small graphic in the upper right portion of the page displayed that looks like some sort of blue circle with the word "babylon" by it. Sometimes ads appear toward the bottom of the page that I don't think belong there. After running Combofix, it seemed like this had gone away, but after shutting down last night and restarting this morning, it's back.

    The other thing that seems odd to me is that I swear three new icons have appeared on the desktop that I didn't put there - one for Computer, Internet Explorer, and Recycle Bin. So now, there are 2 icons for Internet Explorer and Recycle Bin on the desktop.

    I'm going to wait to run the tools you referenced above until I hear from you again, just in case...

    Thanks.
    Chris
     
  16. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    The latest scans will take care of Babylon.

    You can remove one set of those desktop icons. They're just shortcuts.
     
  17. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    The new ones aren't shortcuts. When I right click on Recycle Bin and select Properties, I get a window that has only a General tab with Recycle Bin Location, Space Available and some other settings.

    I'll run the latest scans now.
     
  18. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    You can safely delete duplicates.
     
  19. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    AdwCleaner log

    # AdwCleaner v2.113 - Logfile created 03/03/2013 at 13:54:34
    # Updated 23/02/2013 by Xplode
    # Operating system : Windows (TM) Vista Home Premium Service Pack 2 (64 bits)
    # User : Bob - FXLAPTOP
    # Boot Mode : Normal
    # Running from : C:\Users\Bob\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Deleted on reboot : C:\ProgramData\Babylon
    Deleted on reboot : C:\ProgramData\GameTap Web Player
    Deleted on reboot : C:\ProgramData\Trymedia
    Deleted on reboot : C:\Users\Bob\AppData\LocalLow\BabylonToolbar
    Deleted on reboot : C:\Users\Bob\AppData\LocalLow\Claro LTD
    Deleted on reboot : C:\Users\Bob\AppData\LocalLow\FunWebProducts
    Deleted on reboot : C:\Users\Bob\AppData\LocalLow\MyWebSearch
    Deleted on reboot : C:\Users\Bob\AppData\Roaming\Babylon
    Deleted on reboot : C:\Users\Bob\AppData\Roaming\iWin
    File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
    File Deleted : C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\17ts3mnb.default\extensions\pricepeep@getpricepeep.com.xpi

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
    Key Deleted : HKCU\Software\AppDataLow\Software\Fun Web Products
    Key Deleted : HKCU\Software\AppDataLow\Software\FunWebProducts
    Key Deleted : HKCU\Software\AppDataLow\Software\MyWebSearch
    Key Deleted : HKCU\Software\DataMngr_Toolbar
    Key Deleted : HKCU\Software\InstallCore
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
    Key Deleted : HKCU\Software\5355d988b26de843
    Key Deleted : HKLM\Software\Babylon
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}
    Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
    Key Deleted : HKLM\Software\DataMngr
    Key Deleted : HKLM\Software\FocusInteractive
    Key Deleted : HKLM\Software\Fun Web Products
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll
    Key Deleted : HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
    Key Deleted : HKLM\Software\MyWebSearch
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\5355d988b26de843
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A4730EBE-43A6-443E-9776-36915D323AD3}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pgafcinpmmpklohkojmllohdhomoefph
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45DD-9B68-D6A12C30E5D7}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48DD-9B6D-7A13A3E42127}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40FD-8DAE-FF14757F60C7}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{98889811-442D-49DD-99D7-DC866BE87DBC}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.19400

    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?affID=110803&tt=4712_1&babsrc=NT_ss&mntrId=8c7a6a4200000000000002004e435049 --> hxxp://www.google.com

    -\\ Mozilla Firefox v12.0 (en-US)

    File : C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\17ts3mnb.default\prefs.js

    C:\Users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\17ts3mnb.default\user.js ... Deleted !

    Deleted : user_pref("browser.search.selectedEngine", "Search the web (Babylon)");
    Deleted : user_pref("browser.startup.homepage", "hxxp://search.babylon.com/?affID=110803&tt=4712_1&babsrc=HP_s[...]
    Deleted : user_pref("extensions.BabylonToolbar.admin", false);
    Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
    Deleted : user_pref("extensions.BabylonToolbar.appId", "{BDB69379-802F-4eaf-B541-F8DE92DD98DB}");
    Deleted : user_pref("extensions.BabylonToolbar.dfltLng", "en");
    Deleted : user_pref("extensions.BabylonToolbar.excTlbr", false);
    Deleted : user_pref("extensions.BabylonToolbar.id", "8c7a6a4200000000000002004e435049");
    Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15669");
    Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
    Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
    Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
    Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "irhnew");
    Deleted : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://search.babylon.com/?babsrc=TB_def&mntrId=[...]
    Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.8.3.8");
    Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.8.3.8");
    Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
    Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=110803&tt=4712_[...]
    Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
    Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.8.3.813:23:58");
    Deleted : user_pref("extensions.claro.admin", false);
    Deleted : user_pref("extensions.claro.aflt", "babsst");
    Deleted : user_pref("extensions.claro.appId", "{C3110516-8EFC-49D6-8B72-69354F332062}");
    Deleted : user_pref("extensions.claro.dfltLng", "en");
    Deleted : user_pref("extensions.claro.excTlbr", false);
    Deleted : user_pref("extensions.claro.id", "8c7a6a4200000000000002004e435049");
    Deleted : user_pref("extensions.claro.instlDay", "15658");
    Deleted : user_pref("extensions.claro.instlRef", "sst");
    Deleted : user_pref("extensions.claro.prdct", "claro");
    Deleted : user_pref("extensions.claro.prtnrId", "claro");
    Deleted : user_pref("extensions.claro.tlbrId", "claro");
    Deleted : user_pref("extensions.claro.tlbrSrchUrl", "");
    Deleted : user_pref("extensions.claro.vrsn", "1.8.3.10");
    Deleted : user_pref("extensions.claro.vrsni", "1.8.3.10");
    Deleted : user_pref("extensions.claro_i.smplGrp", "none");
    Deleted : user_pref("extensions.claro_i.vrsnTs", "1.8.3.1018:02:26");

    -\\ Google Chrome v25.0.1364.97

    File : C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Deleted [l.2302] : urls_to_restore_on_startup = [ "hxxp://search.babylon.com/?affID=110803&tt=4712_1&babsrc=HP_s[...]

    *************************

    AdwCleaner[R1].txt - [7949 octets] - [03/03/2013 13:53:43]
    AdwCleaner[S1].txt - [7895 octets] - [03/03/2013 13:54:34]

    ########## EOF - C:\AdwCleaner[S1].txt - [7955 octets] ##########
     
  20. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    JRT log

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.6.6 (02.27.2013:1)
    OS: Windows (TM) Vista Home Premium x64
    Ran by Bob on Sun 03/03/2013 at 14:00:48.06
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values

    Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\S-1-5-21-1843488475-1253667702-3664568970-1000\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
    Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Folder] "C:\ProgramData\babylon"
    Successfully deleted: [Folder] "C:\ProgramData\gametap web player"
    Successfully deleted: [Folder] "C:\ProgramData\trymedia"



    ~~~ FireFox

    Successfully deleted the following from C:\Users\Bob\AppData\Roaming\mozilla\firefox\profiles\17ts3mnb.default\prefs.js

    user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !impor
    user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
    user_pref("extensions.wrc.SearchRules.baidu.com.style", ".WRCN {display:none} .result .f .WRCN {display:inline !important; background: url(\"IMAGE\") right no-repeat}");
    user_pref("extensions.wrc.SearchRules.baidu.com.url", "^hxxp\\:\\/\\/www\\.baidu\\.com\\/.*");
    user_pref("extensions.wrc.SearchRules.excite.com.style", ".WRCN {display:none} .listing .resultsLink + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-re
    user_pref("extensions.wrc.SearchRules.excite.com.url", "^hxxp\\:\\/\\/msxml\\.excite\\.com\\/excite\\/ws\\/.+");
    user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-r



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Sun 03/03/2013 at 14:09:21.95
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
  21. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    OTL.txt too large to copy and paste here.
     

    Attached Files: OTL.Txt (file size: 109.4 KB)
  22. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    Extras.txt

    OTL Extras logfile created on: 3/3/2013 2:15:16 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Bob\Desktop
    64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.19400)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.99 Gb Total Physical Memory | 2.67 Gb Available Physical Memory | 66.81% Memory free
    8.16 Gb Paging File | 6.76 Gb Available in Paging File | 82.83% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 88.29 Gb Total Space | 22.02 Gb Free Space | 24.94% Space Free | Partition Type: NTFS
    Drive D: | 88.02 Gb Total Space | 87.55 Gb Free Space | 99.47% Space Free | Partition Type: NTFS

    Computer Name: FXLAPTOP | User Name: Bob | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]
    "VistaSp2" = B2 83 90 5F 51 3E CA 01 [binary data]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "oobe_av" = 1

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0737D49F-07EF-458F-AB88-A89CCDBE7898}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{16A4A2BA-DAF5-4B25-BC62-18D62BCC390D}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{185F6B1C-89A7-48CD-B325-CD1C1B9A073E}" = rport=138 | protocol=17 | dir=out | app=system |
    "{2A56496F-FF98-43AB-880F-B319B9D3E917}" = lport=24727 | protocol=6 | dir=in | name=flipshareserver |
    "{2A5B89F1-8A14-4E4D-A908-70A60B2891C1}" = lport=137 | protocol=17 | dir=in | app=system |
    "{34E05718-A262-44C5-B6A0-3C6C64845078}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{49555F8C-D3FA-4BBB-A471-973DA57FFF92}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{548AF6D1-54C0-458C-8ED3-7AD699332079}" = lport=138 | protocol=17 | dir=in | app=system |
    "{5CFC5B5D-8616-49F9-80EC-EF2160FF5E80}" = lport=445 | protocol=6 | dir=in | app=system |
    "{5EB59D61-0DF4-40E3-98B1-482CFF643A4B}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{704767B2-1682-4571-8BD9-86BAF73873E1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{8C9A38E7-F2C6-4F4A-B08C-A3EFC37D332C}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{937B569A-470F-47AD-A4BD-2CA1E1ABE60F}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\outlook.exe |
    "{96340FA8-B30D-4CDB-82DE-16635FD732D6}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{A9592E16-08E0-4CBC-8806-F673BBD3CC20}" = rport=139 | protocol=6 | dir=out | app=system |
    "{ABE536E1-7845-483E-BCF8-D83817F1D533}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{C38F2A96-5C6A-49AF-9DF9-C1A5D7D7F468}" = rport=137 | protocol=17 | dir=out | app=system |
    "{D430C77A-FB11-423A-98DE-8E5A7EF34DF0}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 |
    "{D8B53AC5-608F-4129-AF76-421DEB365006}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
    "{DA40D955-548D-4FC9-B8B1-205059F7EAA8}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{DEB54241-5EE6-425A-BE4D-C73DE2506DCA}" = lport=24726 | protocol=6 | dir=in | name=flipshareserver |
    "{EAB691CB-0D13-4EF2-878C-BF4AC67DD6FB}" = rport=445 | protocol=6 | dir=out | app=system |
    "{F8D8BB93-52CA-4074-92C5-2C324D34F7BA}" = lport=139 | protocol=6 | dir=in | app=system |
    "{FB63C8BF-0C07-49FE-BF39-DCBEFDDD0C45}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{FC5E5AB2-8F4D-4FCA-BA8B-E544B29D8878}" = lport=10243 | protocol=6 | dir=in | app=system |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{02F4F6D8-5B41-4FDD-A178-2C561F1C7C58}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{224DF280-FE57-41A3-B512-719320448E3D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{22AF4FE8-A315-47F4-8598-579A484CC9C9}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{22E8B7F0-93A7-4C3A-B8C1-DBBE48CAD8C0}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{23941BEF-C161-4FCC-BA99-AB3B02714E11}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{2B065AE7-5CE5-489D-AA12-1FB4D7CE8F0F}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
    "{2B1426C2-98F2-4D14-87E7-84909B30769A}" = protocol=6 | dir=out | app=system |
    "{331B5642-4FF9-47AF-AC98-B6B396354AF6}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{3630B414-A30B-451A-B350-53341A02B658}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
    "{3B59FBD0-C4E2-4EFE-B00D-675CBDA7CCD9}" = dir=in | app=c:\program files\hp\hp officejet pro 8600\bin\devicesetup.exe |
    "{3BF6DCEE-2EEF-486C-AC5A-A136C5B451BA}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\groove.exe |
    "{3F8CFD46-D2F3-4C38-A122-D04C62DBBA81}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{4043E03D-3036-40A1-9FA3-F3AD3ABEF46F}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.0.9.9551-to-3.1.0.9767-enus-downloader.exe |
    "{4414AFEB-83FC-43D9-AB6F-930BC82A12FE}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\groove.exe |
    "{462793E4-4506-4BBE-8B7B-06F19BE31462}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{513C25EF-A339-4C2B-9BAC-E2E278AA5EE6}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-enus-downloader.exe |
    "{58A2BA2C-66C5-4DE3-94A0-22166EA1F52D}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{64AA37D5-51AA-4C20-AC44-39C0AE7D9E05}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-enus-downloader.exe |
    "{78D60862-1927-451F-B409-D0305BBC144A}" = dir=in | app=c:\program files (x86)\msn messenger\msnmsgr.exe |
    "{8E97AA8F-875C-4A15-A0EC-B8F2D3529E1D}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
    "{906C3554-E1FE-469A-A94F-BFD2CB917544}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-enus-downloader.exe |
    "{94D5296B-A367-4204-843E-5AF6A77C99F9}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{9A0F7BF9-978E-48DA-B6F3-A0388B6584B1}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{9CB3C05D-43C7-4721-BA1D-66A63A8269C3}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A57337B8-21B8-4ED0-B930-A54DDBA4B4D8}" = dir=in | app=c:\program files (x86)\msn messenger\livecall.exe |
    "{A5BC9F63-0BC5-41B3-84B3-ADAC824CE529}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
    "{B0EE68E9-6008-490B-890D-A2D74E8DC9E7}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{BA4236BD-72D5-4976-AF3F-8314E0AB7F1A}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
    "{BF7ABF77-E5D6-4E77-862D-E9E119E8FA1E}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
    "{C369DB48-5DE2-453A-84EC-781618E78C6F}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe |
    "{C7060552-9CC5-4B54-9845-72FA43ACD370}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{C7185F13-9E59-42B7-988D-BE1EF6F2FE90}" = dir=in | app=c:\program files\hp\hp officejet pro 8600\bin\hpnetworkcommunicator.exe |
    "{CA797DE4-C665-4F9A-AFC6-67F15AA0A5AF}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-enus-downloader.exe |
    "{CA8D6ABB-6C85-41A3-BC73-59D80E7402FF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{CA99A65E-BF38-456B-96CE-C965FE6587C0}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
    "{CAB7ACC5-4DE4-455F-AF49-8B0EB2B7094D}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
    "{CEACD922-AAA2-4B19-A6CD-C9515EE52B49}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
    "{CF74ACA2-98B6-4FA7-BF45-9E2231685103}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe |
    "{D0BCF2ED-D4B4-46DC-92CD-ED46050D79D0}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{E417F28A-F3EE-4CC6-B0E1-71E13681504A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E4B27F62-2F1C-4B90-B914-836911AF5AE8}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{E8EF0B28-BF0E-41C1-8F0D-C1B5EC0780FB}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-enus-downloader.exe |
    "{EE1D740B-371D-40ED-89EE-090BBC7CC039}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{F143BD21-7CA0-41A6-88DF-C545684126AE}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-enus-downloader.exe |
    "{F28CEE4C-A3B8-4A3B-959E-518DE72BB1B0}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{F92D4EFE-9A89-48E0-9548-232378949941}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{FA639ADF-A001-474B-8960-677C78634585}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.0.9.9551-to-3.1.0.9767-enus-downloader.exe |
    "TCP Query User{0732C7DF-0B33-431D-B942-F5FE8D3D22F1}C:\users\public\sony online entertainment\installed games\everquest ii extended\eq2voiceservice.exe" = protocol=6 | dir=in | app=c:\users\public\sony online entertainment\installed games\everquest ii extended\eq2voiceservice.exe |
    "TCP Query User{0A0471CE-AD73-4043-BD2E-52E431EB07DF}C:\program files (x86)\turbine\ddo unlimited\dndclient.exe" = protocol=6 | dir=in | app=c:\program files (x86)\turbine\ddo unlimited\dndclient.exe |
    "TCP Query User{14866A67-8FA5-48BD-AAE3-8E0016B22A49}C:\program files (x86)\ncp\secureclient\ncpmon.exe" = protocol=6 | dir=in | app=c:\program files (x86)\ncp\secureclient\ncpmon.exe |
    "TCP Query User{4AA35BEB-6765-4207-A374-885C265E0203}C:\program files (x86)\microsoft games\age of empires ii\empires2.icd" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft games\age of empires ii\empires2.icd |
    "TCP Query User{577C0B24-8F2A-4249-9581-6E6C819880B7}C:\program files (x86)\ncp\secureclient\ncpmon.exe" = protocol=6 | dir=in | app=c:\program files (x86)\ncp\secureclient\ncpmon.exe |
    "TCP Query User{890FCF8E-64F7-46EB-96A2-41CED476813C}C:\program files (x86)\yahoo! games\rock and roll jeopardy!\rock & roll jeopardy!.exe" = protocol=6 | dir=in | app=c:\program files (x86)\yahoo! games\rock and roll jeopardy!\rock & roll jeopardy!.exe |
    "TCP Query User{C09F8E77-45A8-4B72-8DD2-8DC60BC563B2}C:\users\bob\appdata\local\microsoft\windows\temporary internet files\content.ie5\vmepg41j\anarchyonline_18.0.4-large[1].exe" = protocol=6 | dir=in | app=c:\users\bob\appdata\local\microsoft\windows\temporary internet files\content.ie5\vmepg41j\anarchyonline_18.0.4-large[1].exe |
    "TCP Query User{D2AC6507-4D01-4DEA-BA71-D8A2FC7A0B72}C:\program files (x86)\gametap web player\bin\release\gametapplayer.exe" = protocol=6 | dir=in | app=c:\program files (x86)\gametap web player\bin\release\gametapplayer.exe |
    "TCP Query User{FE7F4A23-0A18-4172-8873-78ADBD2C749B}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
    "UDP Query User{1CB3AEC2-D153-47F4-8F33-4CBD65A3D997}C:\users\bob\appdata\local\microsoft\windows\temporary internet files\content.ie5\vmepg41j\anarchyonline_18.0.4-large[1].exe" = protocol=17 | dir=in | app=c:\users\bob\appdata\local\microsoft\windows\temporary internet files\content.ie5\vmepg41j\anarchyonline_18.0.4-large[1].exe |
    "UDP Query User{2603C9F2-3B51-4017-A870-FC2C208F59C1}C:\program files (x86)\turbine\ddo unlimited\dndclient.exe" = protocol=17 | dir=in | app=c:\program files (x86)\turbine\ddo unlimited\dndclient.exe |
    "UDP Query User{503CAD49-D275-4144-85B5-BD71CC33D07C}C:\program files (x86)\ncp\secureclient\ncpmon.exe" = protocol=17 | dir=in | app=c:\program files (x86)\ncp\secureclient\ncpmon.exe |
    "UDP Query User{8508A937-257B-4D31-96ED-181D591DFA1E}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
    "UDP Query User{96A25C9F-4E8C-45B3-833A-19B268CE123D}C:\program files (x86)\ncp\secureclient\ncpmon.exe" = protocol=17 | dir=in | app=c:\program files (x86)\ncp\secureclient\ncpmon.exe |
    "UDP Query User{A1A37A32-88C7-456F-B73D-16036A484796}C:\program files (x86)\yahoo! games\rock and roll jeopardy!\rock & roll jeopardy!.exe" = protocol=17 | dir=in | app=c:\program files (x86)\yahoo! games\rock and roll jeopardy!\rock & roll jeopardy!.exe |
    "UDP Query User{DC126AB0-BBEB-4C9A-AEF7-8B42F57C618C}C:\program files (x86)\microsoft games\age of empires ii\empires2.icd" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft games\age of empires ii\empires2.icd |
    "UDP Query User{E8AB155D-10DA-4376-809F-1A804F64E8EE}C:\program files (x86)\gametap web player\bin\release\gametapplayer.exe" = protocol=17 | dir=in | app=c:\program files (x86)\gametap web player\bin\release\gametapplayer.exe |
    "UDP Query User{F6BFE118-3205-4AA0-A086-1580E8A18A3C}C:\users\public\sony online entertainment\installed games\everquest ii extended\eq2voiceservice.exe" = protocol=17 | dir=in | app=c:\users\public\sony online entertainment\installed games\everquest ii extended\eq2voiceservice.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{237D687E-9E50-4A30-B810-262764CC491B}" = Garmin Communicator Plugin x64
    "{2D5E3D2B-919F-407C-8757-E64827518BB6}" = HP Officejet Pro 8600 Basic Device Software
    "{82B3C254-537C-4C6D-9C79-7671A011536A}" = O2Micro Flash Memory Card Reader Driver (x64)
    "{877924AA-E044-4266-B37D-E974CD799934}" = Bonjour
    "{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
    "{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
    "{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
    "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
    "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "98157A226B40B173301B0F53C8E98C47805D5152" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (04/19/2012 2.3.1.0)
    "CNXT_AUDIO_HDA" = Conexant HD Audio
    "CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "NVIDIA Drivers" = NVIDIA Drivers
    "SynTPDeinstKey" = Synaptics Pointing Device Driver

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0A1E0BDA-5E8F-436d-8BE5-7E97C5CB899D}" = Quicken 2012
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}" = iSEEK AnswerWorks English Runtime
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{26A24AE4-039D-4CA4-87B4-2F83216039FF}" = Java(TM) 6 Update 39
    "{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App" = Update Installer for WildTangent Games App
    "{34FF0741-EC67-4C05-AC2A-6D257123DF2E}" = BigFix
    "{39098402-3F7A-4257-A4AE-FC1181D1B40B}" = Camera Assistant Software for Gateway
    "{3D5D6CFC-3097-425A-8D8F-7EAF5D57641D}" = Garmin USB Drivers
    "{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
    "{5BEBD7F0-5544-3B4C-8D15-7154AA35BEA2}" = Google Talk Plugin
    "{647BB978-2876-487B-9B0E-FDB73F0EA4A2}" = Garmin Communicator Plugin
    "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
    "{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-gateway" = WildTangent Games App
    "{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-wildgames" = WildTangent Games App
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{7B63B2922B174135AFC0E1377DD81EC2}" =
    "{7D542452-84EB-47C0-97BA-735C523AB555}" = Garmin Training Center
    "{7F811A54-5A09-4579-90E1-C93498E230D9}" = Gateway Recovery Management
    "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110246513}" = Catan - The Computer Game
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{85DF2EED-08BC-46FB-90DA-28B0D0A8E8A8}" = HP Update
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    "{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
    "{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
    "{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
    "{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
    "{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
    "{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
    "{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
    "{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
    "{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
    "{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUSR_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002A-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
    "{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
    "{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
    "{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
    "{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
    "{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
    "{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0116-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
    "{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
    "{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{94CAC2F1-C856-47F4-AF24-65A1E75AEDB9}" = MotoHelper MergeModules
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{97C658D2-61FB-027F-0D76-E9CDC84AFEC7}" = FlipShare
    "{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.6)
    "{AE1EC58E-B2AC-4959-A4C2-C38202A25239}" = Garmin WebUpdater
    "{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime
    "{B6F5C6D8-C443-4B55-932F-AE11B5743FC4}" = HP Officejet Pro 8600 Help
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "{CA6BCA2F-EDEB-408F-850B-31404BE16A61}" = I.R.I.S. OCR
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F5266D28-E0B2-4130-BFC5-EE155AD514DC}" = Apple Application Support
    "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "Age of Empires 2.0" = Microsoft Age of Empires II
    "avast" = avast! Free Antivirus
    "ESET Online Scanner" = ESET Online Scanner v3
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "NCP RWS/GA" = NCP Secure Entry Client
    "Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
    "Star Sword_is1" = Star Sword
    "WildTangent gateway Master Uninstall" = Gateway Games

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1843488475-1253667702-3664568970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome
    "SOE-EverQuest II" = EverQuest II
    "SOE-EverQuest II Extended" = EverQuest II

    < End of report >
     
  23. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    All logs have to be pasted.

     
  24. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    OTL log, part 1

    PRC - [2013/02/28 01:36:01 | 000,045,248 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2011/05/06 12:07:18 | 000,460,144 | ---- | M] () -- C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
    PRC - [2011/05/06 11:58:52 | 001,085,440 | ---- | M] () -- C:\Program Files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe
    PRC - [2008/12/16 13:43:10 | 001,078,792 | ---- | M] (NCP Engineering GmbH) -- C:\Program Files (x86)\NCP\SecureClient\NCPRWSNT.EXE
    PRC - [2008/12/02 07:33:54 | 000,850,432 | ---- | M] () -- C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
    PRC - [2008/10/06 09:58:18 | 000,032,768 | ---- | M] () -- C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
    PRC - [2008/08/13 14:34:08 | 001,891,416 | ---- | M] (GARMIN Corp.) -- C:\Program Files (x86)\Garmin\Training Center\gStart.exe
    PRC - [2008/06/30 11:22:40 | 000,086,016 | ---- | M] (NCP engineering GmbH) -- C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
    PRC - [2008/04/15 17:54:42 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2008/04/15 17:54:40 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2007/02/12 01:43:44 | 000,065,536 | ---- | M] (O2Micro International) -- C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe


    ========== Modules (No Company Name) ==========

    MOD - [2008/12/02 07:33:54 | 000,850,432 | ---- | M] () -- C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
    MOD - [2008/12/02 07:33:16 | 000,978,944 | ---- | M] () -- C:\Program Files (x86)\NCP\SecureClient\rsussl.dll


    ========== Services (SafeList) ==========

    SRV:64bit: - [2013/02/28 01:36:01 | 000,045,248 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV:64bit: - [2008/06/11 12:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe -- (ETService)
    SRV:64bit: - [2008/01/20 19:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2007/10/18 15:37:22 | 000,412,672 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\SysNative\DRIVERS\xaudio64.exe -- (XAudioService)
    SRV - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2012/04/20 18:19:00 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2011/05/06 12:07:18 | 000,460,144 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
    SRV - [2011/05/06 11:58:52 | 001,085,440 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Flip Video\FlipShareServer\FlipShareServer.exe -- (FlipShareServer)
    SRV - [2010/10/12 10:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
    SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/03/29 21:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2008/12/16 13:43:10 | 001,078,792 | ---- | M] (NCP Engineering GmbH) [Auto | Running] -- C:\Program Files (x86)\NCP\SecureClient\NCPRWSNT.EXE -- (ncprwsnt)
    SRV - [2008/12/02 07:33:54 | 000,850,432 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe -- (rwsrsu)
    SRV - [2008/10/06 09:58:18 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE -- (NcpSec)
    SRV - [2008/06/30 11:22:40 | 000,086,016 | ---- | M] (NCP engineering GmbH) [Auto | Running] -- C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe -- (ncpclcfg)
    SRV - [2008/04/15 17:54:42 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
    SRV - [2008/01/29 10:09:58 | 000,165,416 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe -- (GameConsoleService)
    SRV - [2007/02/12 01:43:44 | 000,065,536 | ---- | M] (O2Micro International) [Auto | Running] -- C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe -- (o2flash)
     
  25. chrisb39

    chrisb39 TS Rookie Topic Starter Posts: 38

    OTL log, part 2

    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2013/02/28 01:36:34 | 000,068,992 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
    DRV:64bit: - [2013/02/28 01:36:33 | 001,025,880 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
    DRV:64bit: - [2013/02/28 01:36:33 | 000,377,992 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
    DRV:64bit: - [2013/02/28 01:36:32 | 000,080,888 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV:64bit: - [2013/02/28 01:36:32 | 000,059,216 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr.sys -- (aswRdr)
    DRV:64bit: - [2013/02/28 01:36:31 | 000,033,472 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV:64bit: - [2012/04/18 10:05:16 | 000,019,304 | ---- | M] (GARMIN Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\grmnusb.sys -- (grmnusb)
    DRV:64bit: - [2012/02/29 06:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2010/07/12 11:36:10 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
    DRV:64bit: - [2009/09/30 17:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
    DRV:64bit: - [2009/01/09 14:02:08 | 000,031,744 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\RimSerial_AMD64.sys -- (RimVSerPort)
    DRV:64bit: - [2008/11/17 14:50:30 | 004,751,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\NETw5v64.sys -- (NETw5v64)
    DRV:64bit: - [2008/11/10 14:43:52 | 000,143,496 | ---- | M] (NCP Engineering GmbH) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\ncplelhp.sys -- (ncplelhp)
    DRV:64bit: - [2008/11/10 14:43:52 | 000,143,496 | ---- | M] (NCP Engineering GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ncplelhp.sys -- (ncpfilt)
    DRV:64bit: - [2008/06/10 20:13:00 | 000,264,192 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
    DRV:64bit: - [2008/05/13 18:43:00 | 000,055,328 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
    DRV:64bit: - [2008/04/28 19:00:00 | 000,392,192 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\yk60x64.sys -- (yukonx64)
    DRV:64bit: - [2008/04/15 17:54:16 | 000,388,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\iaStor.sys -- (iaStor)
    DRV:64bit: - [2008/04/14 19:14:40 | 000,062,040 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\o2mdx64.sys -- (O2MDRDR)
    DRV:64bit: - [2008/04/07 19:46:44 | 000,051,928 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\o2sdx64.sys -- (O2SDRDR)
    DRV:64bit: - [2008/03/25 16:51:16 | 001,487,872 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAX_DPV.sys -- (HSF_DPV)
    DRV:64bit: - [2008/03/25 16:47:06 | 000,294,400 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAXHWAZL.sys -- (CAXHWAZL)
    DRV:64bit: - [2008/03/25 16:45:44 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAX_CNXT.sys -- (winachsf)
    DRV:64bit: - [2008/01/30 03:46:24 | 000,062,480 | ---- | M] (UPEK Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\tcusb.sys -- (TcUsb)
    DRV:64bit: - [2008/01/20 19:49:47 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\RootMdm.sys -- (ROOTMODEM)
    DRV:64bit: - [2008/01/20 19:47:25 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\serscan.sys -- (StillCam)
    DRV:64bit: - [2008/01/20 19:46:57 | 000,286,720 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\VSTAZL6.SYS -- (HSFHWAZL)
    DRV:64bit: - [2008/01/20 19:46:57 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\WSDPrint.sys -- (WSDPrintDevice)
    DRV:64bit: - [2008/01/20 19:46:55 | 000,111,104 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus)
    DRV:64bit: - [2008/01/17 20:31:30 | 000,320,560 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\SynTP.sys -- (SynTP)
    DRV:64bit: - [2007/10/18 15:37:10 | 000,010,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\xaudio64.sys -- (XAudio)
    DRV:64bit: - [2007/05/23 17:47:28 | 000,020,784 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\UVCFTR_S.SYS -- (UVCFTR)
    DRV:64bit: - [2006/06/18 22:27:24 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\mdmxsdk.sys -- (mdmxsdk)
    DRV - [2008/06/11 12:13:24 | 000,017,952 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysWOW64\drivers\int15_64.sys -- (int15)


    ========== Standard Registry (SafeList) ==========
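The two OTL posts above are a good place to show how a reviewer actually works through PRC/MOD/SRV/DRV lines. The script below is an added example for this thread; it is not OTL's code and not from any post. It parses the OTL line format and applies three triage heuristics: entries with no company name (the same property OTL uses for its "Modules (No Company Name)" section), autostart entries with no company name, and files modified within a few days of the incident. The sample lines are copied from the log posted above; the incident date 2013/03/02 is an assumption taken from the thread's post date, and the three-day window is an arbitrary choice.

```python
"""Triage helper for OTL PRC/MOD/SRV/DRV lines.

Added example for this thread; not part of OTL and not code from any post.
Hits are leads to verify against the vendor and known-good lists, not
verdicts: legitimate OEM software often ships without a company string.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Line shape: KIND[:64bit:] - [mtime | size | attrs | M] (company)
# then for SRV "[start | status]" / for DRV "[type | start | status]",
# then " -- path" and, for SRV/DRV, " -- (service name)".
# PRC/MOD lines have no state block and no trailing name.
OTL_LINE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV)(?P<arch>:64bit:)? - "
    r"\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [^|]* \| [A-Z]\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<name>.*)\))?$"
)

AUTOSTART = {"Auto", "Boot", "System"}  # start types that load without user action


@dataclass
class OtlEntry:
    kind: str              # PRC, MOD, SRV or DRV
    is_64bit: bool         # True for ":64bit:" tagged lines
    mtime: datetime        # file modification time as OTL printed it
    size: int              # file size in bytes
    company: str           # "" when OTL printed "()", i.e. no company name
    start: Optional[str]   # Auto/Boot/System/On_Demand/Disabled; None for PRC/MOD
    status: Optional[str]  # Running/Stopped/Unknown; None for PRC/MOD
    path: str
    name: Optional[str]    # service or driver name; None for PRC/MOD

    @property
    def label(self) -> str:
        return self.name or self.path.rsplit("\\", 1)[-1]


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL line; returns None for headers, blanks and other line types."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    start = status = None
    if m["state"]:
        fields = [f.strip() for f in m["state"].split("|")]
        start, status = fields[-2], fields[-1]  # last two fields: start type, status
    return OtlEntry(
        kind=m["kind"], is_64bit=m["arch"] is not None,
        mtime=datetime.strptime(m["mtime"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")), company=m["company"].strip(),
        start=start, status=status, path=m["path"], name=m["name"],
    )


def parse_otl_log(text: str) -> List[OtlEntry]:
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e]


def triage(entries: List[OtlEntry], incident: str, window_days: int = 3) -> List[Tuple[str, OtlEntry]]:
    """Apply the three heuristics; incident is 'YYYY/MM/DD', the day the problem began."""
    incident_day = datetime.strptime(incident, "%Y/%m/%d").date()
    findings = []
    for e in entries:
        if e.company == "":
            findings.append(("no_company_name", e))
            if e.start in AUTOSTART:
                findings.append(("autostart_without_publisher", e))
        if abs((e.mtime.date() - incident_day).days) <= window_days:
            findings.append(("modified_near_incident", e))
    return findings


def summarize(findings: List[Tuple[str, OtlEntry]]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for rule, e in findings:
        out.setdefault(rule, []).append(e.label)
    return out


# Sample input: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
PRC - [2013/02/28 01:36:01 | 000,045,248 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/05/06 12:07:18 | 000,460,144 | ---- | M] () -- C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
MOD - [2008/12/02 07:33:16 | 000,978,944 | ---- | M] () -- C:\Program Files (x86)\NCP\SecureClient\rsussl.dll
SRV:64bit: - [2013/02/28 01:36:01 | 000,045,248 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2008/06/11 12:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2012/04/20 18:19:00 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2008/12/02 07:33:54 | 000,850,432 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe -- (rwsrsu)
DRV:64bit: - [2013/02/28 01:36:34 | 000,068,992 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2012/02/29 06:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV - [2008/06/11 12:13:24 | 000,017,952 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysWOW64\drivers\int15_64.sys -- (int15)
"""

if __name__ == "__main__":
    # Incident date assumed from the thread's post date (Mar 2, 2013).
    for rule, labels in summarize(triage(parse_otl_log(SAMPLE_LOG), "2013/03/02")).items():
        print(f"{rule}: {', '.join(sorted(labels))}")
```

On these lines the "modified near incident" rule picks out exactly the avast files dated 2013/02/28, which lines up with the report that the machine stopped booting after an Avast update; the "no company name" rule lists the FlipShare, NCP and Gateway ETService binaries that OTL itself already singles out. Neither is a verdict: confirm the publisher and file hash before acting on a hit.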
     

