TechSpot

Live platinum security and sirefef infections

By notforyou
Jul 24, 2012
  1. I got hit by Live Platinum Security and thought I had that issue cleared up, but was then met with Sirefef and the shutting down of the system. I've gone ahead and run the Farbar scans; here are the logs. Thanks for any help you can provide.

    FRST log:

    Scan result of Farbar Recovery Scan Tool Version: 20-07-2012 01
    Ran by SYSTEM at 24-07-2012 17:15:23
    Running from G:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [PC-Doctor for Windows localizer] C:\Program Files\PC-Doctor for Windows\localizer.exe [95728 2009-09-16] (PC-Doctor, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
    HKLM-x32\...\Run: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [x]
    HKLM-x32\...\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [648032 2010-11-26] (Sony Corporation)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)
    HKU\Joni\...\Run: [Google Update] "C:\Users\Joni\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-10-17] (Google Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    ==================== Services (Whitelisted) ======

    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

    ========================== Drivers (Whitelisted) =============

    3 NVNET; C:\Windows\System32\DRIVERS\nvmf6264.sys [339744 2009-07-30] (NVIDIA Corporation)

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-24 17:15 - 2012-07-24 17:15 - 00000000 ____D C:\FRST
    2012-07-19 09:11 - 2012-07-24 17:03 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-19 09:11 - 2012-07-19 09:11 - 00000000 ____D C:\Users\Joni\AppData\Roaming\Malwarebytes
    2012-07-19 09:11 - 2012-07-19 09:11 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-07-19 09:02 - 2012-07-19 12:30 - 00001238 ____A C:\Users\Joni\Desktop\FixExec.txt
    2012-07-19 06:53 - 2012-07-24 17:03 - 00000000 ____D C:\Users\All Users\7812A1690008CB200009235DF875F002
    2012-07-12 15:50 - 2012-07-12 15:50 - 00000000 ____D C:\Users\Joni\AppData\Roaming\Skunk Studios
    2012-07-12 15:43 - 2012-07-12 15:43 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\grim-tales-the-wishes-collectors-edition_s1_l1_gF7284T1L1_d1800559122.exe
    2012-07-11 23:17 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-11 23:16 - 2012-07-11 23:17 - 00265426 ____A C:\Windows\msxml4-KB2721691-enu.LOG
    2012-07-11 23:02 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-11 23:02 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-11 23:02 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-11 23:02 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-11 23:02 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-11 23:02 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-11 23:02 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-11 23:02 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-07-11 23:02 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-07-11 23:02 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-07-11 23:02 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-07-11 23:02 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-07-11 23:02 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-07-11 23:02 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-07-11 23:02 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-07-11 23:01 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-11 23:01 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-11 23:01 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-11 23:01 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-11 23:01 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-11 23:01 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-11 23:01 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-11 23:01 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-07-11 23:01 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-07-11 23:01 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-07-11 23:01 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-07-11 23:01 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-07-11 23:01 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-07-11 12:25 - 2012-07-11 12:25 - 09822920 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-07-11 00:55 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-11 00:55 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-07-11 00:55 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-11 00:55 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-11 00:55 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-11 00:55 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-07-11 00:55 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-07-11 00:55 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-07-11 00:55 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-11 00:55 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-11 00:55 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-11 00:55 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-11 00:55 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-11 00:55 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-07-11 00:55 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-07-11 00:55 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-07-11 00:55 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-07-11 00:55 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-11 00:55 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
    2012-07-05 03:44 - 2012-07-05 03:45 - 00318904 ____A (Microsoft Corporation) C:\Users\Joni\Downloads\wmpfirefoxplugin.exe
    2012-07-01 17:19 - 2012-07-01 17:19 - 00002297 ____A C:\Users\Joni\Desktop\Slingo Mystery.lnk
    2012-07-01 17:19 - 2012-07-01 17:19 - 00001212 ____A C:\Users\Joni\Desktop\Games of the Month.lnk
    2012-07-01 17:19 - 2012-07-01 17:19 - 00000000 ____D C:\Users\Joni\AppData\Roaming\Oberon Media
    2012-07-01 17:19 - 2012-07-01 17:19 - 00000000 ____D C:\Program Files (x86)\Oberon Media SIDR
    2012-07-01 17:04 - 2012-07-19 04:33 - 00000266 ____A C:\Windows\Tasks\CandyUpdater.job
    2012-07-01 17:04 - 2012-07-01 17:04 - 00000000 ____D C:\Users\Joni\AppData\Local\ArcadeCandy
    2012-07-01 17:01 - 2012-07-01 17:01 - 01272776 ____A C:\Users\Joni\Downloads\ArcadeCandyGames(1).exe
    2012-07-01 05:54 - 2012-07-01 05:54 - 00000000 ____D C:\Users\All Users\McAfee
    2012-06-30 14:33 - 2012-06-30 14:33 - 00002210 ____A C:\Users\Public\Desktop\Play Flux Family Secrets - The Book of Oracles.lnk
    2012-06-30 14:33 - 2012-06-30 14:33 - 00001312 ____A C:\Users\Public\Desktop\More Great Games.lnk
    2012-06-30 14:32 - 2012-06-30 14:33 - 00000000 ____D C:\Program Files (x86)\Flux Family Secrets - The Book of Oracles
    2012-06-25 19:12 - 2012-06-25 20:33 - 00001780 ____A C:\Users\Joni\AppData\Roaming\result.db
    2012-06-25 12:04 - 2012-06-25 12:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll

    ============ 3 Months Modified Files ========================

    2012-07-24 13:10 - 2011-08-03 17:47 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-24 13:10 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-24 13:10 - 2009-07-13 20:51 - 00039191 ____A C:\Windows\setupact.log
    2012-07-24 13:05 - 2011-08-03 15:02 - 01061060 ____A C:\Windows\WindowsUpdate.log
    2012-07-19 12:30 - 2012-07-19 09:02 - 00001238 ____A C:\Users\Joni\Desktop\FixExec.txt
    2012-07-19 04:43 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-19 04:43 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-19 04:34 - 2012-06-09 16:00 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-19 04:34 - 2011-10-17 05:14 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001Core.job
    2012-07-19 04:34 - 2011-08-03 17:47 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-19 04:33 - 2012-07-01 17:04 - 00000266 ____A C:\Windows\Tasks\CandyUpdater.job
    2012-07-19 04:33 - 2011-10-17 05:14 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001UA.job
    2012-07-12 15:43 - 2012-07-12 15:43 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\grim-tales-the-wishes-collectors-edition_s1_l1_gF7284T1L1_d1800559122.exe
    2012-07-11 23:35 - 2011-08-11 05:00 - 00000328 ____A C:\Windows\Tasks\HPCeeScheduleForJoni.job
    2012-07-11 23:35 - 2009-07-13 20:45 - 00329176 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-11 23:34 - 2009-11-25 12:10 - 00186056 ____A C:\Windows\PFRO.log
    2012-07-11 23:17 - 2012-07-11 23:16 - 00265426 ____A C:\Windows\msxml4-KB2721691-enu.LOG
    2012-07-11 23:03 - 2011-08-03 15:41 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-11 12:25 - 2012-07-11 12:25 - 09822920 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-07-11 12:25 - 2012-06-09 16:00 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-11 12:25 - 2011-08-03 16:36 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-11 11:08 - 2011-10-17 05:15 - 00002397 ____A C:\Users\Joni\Desktop\Google Chrome.lnk
    2012-07-08 09:52 - 2009-07-13 21:13 - 00729880 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-05 03:45 - 2012-07-05 03:44 - 00318904 ____A (Microsoft Corporation) C:\Users\Joni\Downloads\wmpfirefoxplugin.exe
    2012-07-01 17:19 - 2012-07-01 17:19 - 00002297 ____A C:\Users\Joni\Desktop\Slingo Mystery.lnk
    2012-07-01 17:19 - 2012-07-01 17:19 - 00001212 ____A C:\Users\Joni\Desktop\Games of the Month.lnk
    2012-07-01 17:01 - 2012-07-01 17:01 - 01272776 ____A C:\Users\Joni\Downloads\ArcadeCandyGames(1).exe
    2012-06-30 14:33 - 2012-06-30 14:33 - 00002210 ____A C:\Users\Public\Desktop\Play Flux Family Secrets - The Book of Oracles.lnk
    2012-06-30 14:33 - 2012-06-30 14:33 - 00001312 ____A C:\Users\Public\Desktop\More Great Games.lnk
    2012-06-30 06:25 - 2011-08-03 15:09 - 00000544 ____A C:\Windows\Tasks\PCDRScheduledMaintenance.job
    2012-06-25 20:33 - 2012-06-25 19:12 - 00001780 ____A C:\Users\Joni\AppData\Roaming\result.db
    2012-06-25 12:04 - 2012-06-25 12:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll
    2012-06-19 16:27 - 2012-06-19 16:27 - 00002135 ____A C:\Users\Public\Desktop\Play Dark Strokes - Sins of the Fathers.lnk
    2012-06-19 16:25 - 2012-06-19 16:25 - 00002232 ____A C:\Users\Public\Desktop\Play Nightmares from the Deep - The Cursed Heart.lnk
    2012-06-19 15:48 - 2012-06-19 15:48 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\bigfishgames_p146088874_s1_l1.exe
    2012-06-11 19:08 - 2012-07-11 23:17 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-10 13:18 - 2012-06-10 13:18 - 00002361 ____A C:\Users\Public\Desktop\Play Final Cut - Death on the Silver Screen Collector's Edition.lnk
    2012-06-09 17:24 - 2012-06-09 17:24 - 01307080 ____A C:\Users\Joni\Downloads\ArcadeCandyGames.exe
    2012-06-08 21:43 - 2012-07-11 00:55 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 20:41 - 2012-07-11 00:55 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-06 09:42 - 2012-06-06 09:42 - 00988888 ____A (Solid State Networks) C:\Users\Joni\Downloads\install_flashplayer11x64_mssa_aih.exe
    2012-06-05 22:06 - 2012-07-11 00:55 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 22:06 - 2012-07-11 00:55 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 22:02 - 2012-07-11 00:55 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-05 21:05 - 2012-07-11 00:55 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 21:05 - 2012-07-11 00:55 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 21:03 - 2012-07-11 00:55 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-06-02 14:19 - 2012-06-21 05:47 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 05:47 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 05:47 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 05:46 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 05:46 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-21 05:47 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 05:46 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-21 05:46 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:15 - 2012-06-21 05:46 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 04:49 - 2012-07-11 23:01 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 04:17 - 2012-07-11 23:01 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 04:12 - 2012-07-11 23:01 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 04:05 - 2012-07-11 23:02 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 04:05 - 2012-07-11 23:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 04:04 - 2012-07-11 23:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 04:04 - 2012-07-11 23:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 04:03 - 2012-07-11 23:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 04:01 - 2012-07-11 23:02 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 04:00 - 2012-07-11 23:01 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 03:59 - 2012-07-11 23:02 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 03:57 - 2012-07-11 23:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 03:57 - 2012-07-11 23:02 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 03:54 - 2012-07-11 23:02 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 01:07 - 2012-07-11 23:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 00:43 - 2012-07-11 23:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 00:33 - 2012-07-11 23:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 00:26 - 2012-07-11 23:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 00:25 - 2012-07-11 23:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 00:25 - 2012-07-11 23:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 00:23 - 2012-07-11 23:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 00:21 - 2012-07-11 23:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 00:20 - 2012-07-11 23:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-11 23:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 00:19 - 2012-07-11 23:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 00:17 - 2012-07-11 23:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 00:16 - 2012-07-11 23:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 00:14 - 2012-07-11 23:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-01 21:50 - 2012-07-11 00:55 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 21:48 - 2012-07-11 00:55 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 21:48 - 2012-07-11 00:55 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 21:45 - 2012-07-11 00:55 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 21:44 - 2012-07-11 00:55 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 20:40 - 2012-07-11 00:55 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 20:40 - 2012-07-11 00:55 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 20:39 - 2012-07-11 00:55 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-06-01 20:34 - 2012-07-11 00:55 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-06-01 09:56 - 2012-06-01 09:56 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\bigfishgames_p144501816_s1_l1.exe
    2012-05-30 05:18 - 2012-05-30 05:18 - 00002186 ____A C:\Users\Public\Desktop\Play Spirit Walkers - Curse of the Cypress Witch.lnk
    2012-05-28 06:06 - 2012-05-28 06:06 - 00001945 ____A C:\Users\Public\Desktop\Play Slingo Supreme 2.lnk
    2012-05-28 06:05 - 2012-05-28 06:05 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\bigfishgames_p143938691_s1_l1(1).exe
    2012-05-27 16:52 - 2012-05-27 16:52 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\bigfishgames_p143943849_s1_l1.exe
    2012-05-27 08:22 - 2012-05-27 08:22 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\bigfishgames_p143938691_s1_l1.exe
    2012-05-22 15:44 - 2012-05-22 15:44 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\bigfishgames_p143427769_s1_l1(2).exe
    2012-05-22 15:42 - 2012-05-22 15:42 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\bigfishgames_p143427769_s1_l1.exe
    2012-05-22 15:42 - 2012-05-22 15:42 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\bigfishgames_p143427769_s1_l1(1).exe
    2012-05-22 06:26 - 2012-05-22 06:26 - 00010240 ____A C:\Users\Joni\Documents\OSU checklist.wps
    2012-05-22 06:26 - 2011-12-02 07:25 - 00000180 ____A C:\Users\Joni\AppData\Roaming\wklnhst.dat
    2012-05-21 14:43 - 2012-05-21 14:43 - 00001848 ____A C:\Users\Public\Desktop\Play Clutter.lnk
    2012-05-21 05:38 - 2012-05-21 05:38 - 00002052 ____A C:\Users\Public\Desktop\Play Clutter II - He Said She Said.lnk
    2012-05-05 12:47 - 2012-05-05 12:47 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\bigfishgames_p141553254_s1_l1(1).exe
    2012-05-05 12:46 - 2012-05-05 12:46 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\bigfishgames_p141553254_s1_l1.exe
    2012-05-05 09:54 - 2012-05-05 09:54 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\house-of-1000-doors-palm-of-zoroaster-ce_s1_l1_gF7105T1L1_d1728737362.exe
    2012-05-05 09:53 - 2012-05-05 09:53 - 00212224 ____A (Big Fish Games) C:\Users\Joni\Downloads\house-of-1000-doors-palm-of-zoroaster-ce_s1_l1_gF7105T1L1_d1728736752.exe
    2012-05-04 03:06 - 2012-06-19 12:33 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-05-04 02:03 - 2012-06-19 12:33 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-05-04 02:03 - 2012-06-19 12:33 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-04-30 21:40 - 2012-06-19 12:34 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-04-27 19:55 - 2012-06-19 12:33 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-26 15:49 - 2011-08-03 16:26 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-04-26 15:48 - 2011-08-03 16:25 - 00743538 ____A C:\Windows\SysWOW64\PerfStringBackup.INI


    ZeroAccess:
    C:\Windows\Installer\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}
    C:\Windows\Installer\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\L

    ZeroAccess:
    C:\Users\Joni\AppData\Local\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}
    C:\Users\Joni\AppData\Local\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\@
    C:\Users\Joni\AppData\Local\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\L
    C:\Users\Joni\AppData\Local\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 33%
    Total physical RAM: 1918.49 MB
    Available physical RAM: 1281.89 MB
    Total Pagefile: 1918.49 MB
    Available Pagefile: 1273.02 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: (COMPAQ) (Fixed) (Total:288.27 GB) (Free:171.77 GB) NTFS
    2 Drive e: (FACTORY_IMAGE) (Fixed) (Total:9.72 GB) (Free:1.46 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive g: () (Removable) (Total:7.45 GB) (Free:7.4 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
    6 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 7633 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 288 GB 101 MB
    Partition 3 Primary 9 GB 288 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C COMPAQ NTFS Partition 288 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E FACTORY_IMA NTFS Partition 9 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7633 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G FAT32 Removable 7633 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-18 02:08

    ======================= End Of Log ==========================


    Search log:

    Farbar Recovery Scan Tool Version: 20-07-2012 01
    Ran by SYSTEM at 2012-07-24 17:17:30
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======
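The two "ZeroAccess:" blocks in the FRST log above are the most telling lines in it: the same GUID-named folder appears under both C:\Windows\Installer and the user's AppData\Local, with entries named "@", "L" and "U" beneath it. The following parser is an added example (it is not FRST's code and not part of this thread) that reads FRST log lines in the formats shown above, groups any GUID folders in that layout by GUID, and reports whether the complete layout was seen. The sample log is a constructed excerpt of the lines posted above; the regular expressions assume the line formats shown there.

```python
"""Group ZeroAccess-style paths from an FRST log by GUID (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, Optional, Set

# One line of the FRST "Created Files and Folders" / "Modified Files" sections:
# created - modified - size attributes [(company)] path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attr>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>\S.*)$"
)
GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
# A GUID-named folder directly under Windows\Installer or a profile's
# AppData\Local, optionally followed by one child entry. This is the layout
# FRST printed under its "ZeroAccess:" headers in the log above.
ZA_PATH_RE = re.compile(
    r"^.*\\(?P<kind>windows\\installer|appdata\\local)\\(?P<guid>" + GUID + r")"
    r"(?:\\(?P<child>[^\\]+))?$",
    re.IGNORECASE,
)
ZA_KINDS = {"windows\\installer", "appdata\\local"}
ZA_CHILDREN = {"@", "L", "U"}  # the entries listed under the GUID folders above


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attr: str
    company: Optional[str]  # company name FRST read from the file's version info
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attr


@dataclass
class ZaFinding:
    guid: str
    kinds: Set[str] = field(default_factory=set)     # which parent folders were seen
    children: Set[str] = field(default_factory=set)  # which of "@", "L", "U" were seen

    @property
    def layout_complete(self) -> bool:
        """Both parent folders plus the L and U stores were all present."""
        return ZA_KINDS <= self.kinds and {"L", "U"} <= self.children


def parse_entry(line: str) -> Optional[FileEntry]:
    """Parse one file-listing line; None for headers, blanks and other sections."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return FileEntry(m["created"], m["modified"], int(m["size"]),
                     m["attr"], m["company"], m["path"])


def candidate_paths(lines: Iterable[str]) -> Iterator[str]:
    """Yield every path a log line names: file-listing entries and bare paths
    (the latter is how FRST prints the items under a "ZeroAccess:" header)."""
    for raw in lines:
        line = raw.strip()
        entry = parse_entry(line)
        if entry:
            yield entry.path
        elif re.match(r"^[A-Za-z]:\\", line):
            yield line


def find_zeroaccess(lines: Iterable[str]) -> Dict[str, ZaFinding]:
    """Return {guid: ZaFinding} for every GUID folder matching the layout."""
    findings: Dict[str, ZaFinding] = {}
    for path in candidate_paths(lines):
        m = ZA_PATH_RE.match(path)
        if not m:
            continue
        guid = m["guid"].lower()
        finding = findings.setdefault(guid, ZaFinding(guid))
        finding.kinds.add(m["kind"].lower())
        if m["child"] in ZA_CHILDREN:
            finding.children.add(m["child"])
    return findings


# Constructed excerpt of the FRST log posted above (same line formats).
SAMPLE_LOG = r"""
2012-07-24 17:15 - 2012-07-24 17:15 - 00000000 ____D C:\FRST
2012-07-11 23:17 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

ZeroAccess:
C:\Windows\Installer\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}
C:\Windows\Installer\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\L

ZeroAccess:
C:\Users\Joni\AppData\Local\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}
C:\Users\Joni\AppData\Local\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\@
C:\Users\Joni\AppData\Local\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\L
C:\Users\Joni\AppData\Local\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\U
""".strip().splitlines()

if __name__ == "__main__":
    for guid, f in find_zeroaccess(SAMPLE_LOG).items():
        print(guid, sorted(f.kinds), sorted(f.children),
              "complete layout" if f.layout_complete else "partial layout")
```

Run against a full FRST.txt (`find_zeroaccess(open("FRST.txt").read().splitlines())`) it reports the same grouping for every GUID folder in that layout, including ones that only appear in the file-listing sections.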
     
  2. Broni


    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ============================================

    Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install the Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled, as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    When trying to access System Recovery (by pressing F11), I'm taken to HP Recovery Manager and have no options to run any programs from there. Am I just in the wrong place?
     
  4. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    You proceed in the very same way you did to create the FRST log, but instead of the "Scan" button, you click the "Fix" button.
     
  5. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    Thanks, got it. Here's the fixlog:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01
    Ran by SYSTEM at 2012-07-24 18:51:50 Run:1
    Running from G:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\Windows\Installer\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e} moved successfully.
    C:\Users\Joni\AppData\Local\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
     
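    The fix log above records four things FRST checked or repaired for this ZeroAccess (Sirefef) infection: the Session Manager SubSystems\Windows load string, System32\consrv.dll, a pair of identically named {GUID} folders under Windows\Installer and the user's AppData\Local, and services.exe, which it restored from the WinSxS component store. The PowerShell script below is an added example, not part of this thread or of the Farbar tools: it re-checks those same indicators on the cleaned machine so you can confirm the fix held after a reboot. It assumes an elevated PowerShell 2.0 or later prompt on 64-bit Windows 7 with the standard WinSxS layout; the registry path, the WinSxS folder pattern and the SHA-256 helper are my assumptions, not taken from the log.

```powershell
# Added example, not from the thread or the Farbar tools: re-check the
# ZeroAccess/Sirefef indicators that the FRST fix above acted on.
# Assumes an elevated PowerShell 2.0+ prompt on 64-bit Windows 7 with the
# standard WinSxS layout; paths and key names below are assumptions.

$findings = @()

# 1. The SubSystems\Windows load string. ZeroAccess replaces the console
#    server module (winsrv) with its own consrv.dll; a clean value never
#    mentions consrv, and the DLL itself should not exist in System32.
$subsysKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$subsys = Get-ItemProperty -Path $subsysKey
if ($subsys.Windows -match 'consrv') {
    $findings += "SubSystems\Windows still references consrv: $($subsys.Windows)"
}
if (Test-Path "$env:SystemRoot\System32\consrv.dll") {
    $findings += "$env:SystemRoot\System32\consrv.dll still exists"
}

# 2. services.exe must be byte-identical to a copy in the WinSxS component
#    store, which is where FRST restored it from. Hashing through .NET keeps
#    this working on PowerShell 2.0, which has no Get-FileHash cmdlet.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

$live = "$env:SystemRoot\System32\services.exe"
$storeCopies = Get-ChildItem "$env:SystemRoot\winsxs" -Filter 'amd64_microsoft-windows-s..s-servicecontroller_*' |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'services.exe' } |
    Where-Object { Test-Path $_ }
$liveHash = Get-Sha256Hex $live
$matched = @($storeCopies | Where-Object { (Get-Sha256Hex $_) -eq $liveHash })
if ($matched.Count -eq 0) {
    $findings += "services.exe (SHA-256 $liveHash) matches none of $(@($storeCopies).Count) WinSxS copies"
}

# 3. A {GUID}-named folder present both under Windows\Installer and under a
#    user's AppData\Local, the pairing the fix log shows. Windows\Installer
#    legitimately holds {GUID} folders on its own, so only the pair is reported.
$guidRe = '^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$'
$installerGuids = Get-ChildItem "$env:SystemRoot\Installer" -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -match $guidRe } |
    ForEach-Object { $_.Name.ToLower() }
$userDirs = Get-ChildItem "$env:SystemDrive\Users" | Where-Object { $_.PSIsContainer }
foreach ($userDir in $userDirs) {
    $local = Join-Path $userDir.FullName 'AppData\Local'
    if (-not (Test-Path $local)) { continue }
    $localGuids = Get-ChildItem $local -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match $guidRe }
    foreach ($dir in $localGuids) {
        if ($installerGuids -contains $dir.Name.ToLower()) {
            $findings += "GUID folder pair: $($dir.FullName) and $env:SystemRoot\Installer\$($dir.Name)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ZeroAccess indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
}
```

    Run it from an elevated prompt after the reboot that follows the FRST fix; every FOUND line is something the fix did not fully undo and should go back to the helper. The script compares services.exe against the WinSxS copies rather than calling Get-AuthenticodeSignature because Windows system binaries are catalog-signed and that cmdlet does not validate catalog signatures on Windows 7, so it would report every clean services.exe as NotSigned. It is a verification step only, not a substitute for the cleaning tools the helper prescribes.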
  6. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    A couple of issues while running ComboFix. It didn't disconnect me from the internet when it started, and while it was in the deleting files stage I stepped away from the screen for about 20 seconds; when I got back the comp was rebooting. It booted up to ComboFix preparing a log report.

    ComboFix just directed me to c:\combofix.txt for the log, but when I try to open the Explorer folder I get an "Illegal operation attempted on a registry key that has been marked for deletion" message. I was able to open a folder by plugging the thumb drive back in and opening it from AutoPlay, but when I try to open a new text file to paste the log I get the same message as above.
     
  7. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    That's because you're not paying attention:
     
  8. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    Yes, I missed that part. Here's the ComboFix log:

    ComboFix 12-07-25.04 - Joni 07/24/2012 19:06:34.1.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1918.771 [GMT -4:00]
    Running from: c:\users\Joni\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Outdated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Enabled/Outdated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\RivalGaming\RiVAlgaming.dll
    c:\users\Joni\AppData\Roaming\result.db
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-24 to 2012-07-24 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-25 01:15 . 2012-07-25 01:15 -------- d-----w- C:\FRST
    2012-07-24 23:23 . 2012-07-24 23:23 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8629855E-E8DF-4E3F-A7AB-DB36EE9F9113}\offreg.dll
    2012-07-24 23:20 . 2012-07-24 23:20 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-24 23:03 . 2012-06-29 07:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8629855E-E8DF-4E3F-A7AB-DB36EE9F9113}\mpengine.dll
    2012-07-19 19:51 . 2012-02-11 05:59 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-07-19 17:11 . 2012-07-19 17:11 -------- d-----w- c:\users\Joni\AppData\Roaming\Malwarebytes
    2012-07-19 17:11 . 2012-07-19 17:11 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-19 17:11 . 2012-07-25 01:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-19 14:53 . 2012-07-25 01:03 -------- d-----w- c:\programdata\7812A1690008CB200009235DF875F002
    2012-07-17 23:30 . 2012-06-29 10:04 9133488 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-12 23:50 . 2012-07-12 23:50 -------- d-----w- c:\users\Joni\AppData\Roaming\Skunk Studios
    2012-07-12 07:17 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-07-12 07:01 . 2012-06-02 12:05 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-07-11 20:25 . 2012-07-11 20:25 9822920 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-07-08 15:12 . 2012-07-08 15:12 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-07-08 15:12 . 2012-07-08 15:12 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-07-04 13:16 . 2012-02-11 05:59 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3B683106-9709-4C16-8E2A-6074D6C71B6A}\gapaengine.dll
    2012-07-02 01:19 . 2012-07-02 01:19 -------- d-----w- c:\users\Joni\AppData\Roaming\Oberon Media
    2012-07-02 01:19 . 2012-07-02 01:19 -------- d-----w- c:\program files (x86)\Oberon Media SIDR
    2012-07-02 01:18 . 2012-07-02 01:18 -------- d-----w- c:\program files (x86)\Common Files\Oberon Media
    2012-07-02 01:04 . 2012-07-02 01:04 -------- d-----w- c:\users\Joni\AppData\Local\ArcadeCandy
    2012-07-01 13:54 . 2012-07-01 13:54 -------- d-----w- c:\programdata\McAfee
    2012-06-30 22:32 . 2012-06-30 22:33 -------- d-----w- c:\program files (x86)\Flux Family Secrets - The Book of Oracles
    2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 07:03 . 2011-08-03 23:41 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-07-11 20:25 . 2012-06-10 00:00 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-11 20:25 . 2011-08-04 00:36 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-02 22:19 . 2012-06-21 13:46 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 13:47 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-21 13:47 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 13:47 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 13:46 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-21 13:47 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-21 13:46 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:19 . 2012-06-21 13:46 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:15 . 2012-06-21 13:46 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-04 11:06 . 2012-06-19 20:33 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 10:03 . 2012-06-19 20:33 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03 . 2012-06-19 20:33 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-05-01 05:40 . 2012-06-19 20:34 209920 ----a-w- c:\windows\system32\profsvc.dll
    2012-04-28 03:55 . 2012-06-19 20:33 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-26 05:41 . 2012-06-19 20:34 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-04-26 05:41 . 2012-06-19 20:34 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-04-26 05:34 . 2012-06-19 20:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 136176]
    R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 250056]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 136176]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-08 113120]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-03 1255736]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
    S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2010-11-27 398176]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-24 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 20:25]
    .
    2012-07-19 c:\windows\Tasks\CandyUpdater.job
    - c:\users\Joni\AppData\Local\ArcadeCandy\candyUpdater.exe [2012-06-25 19:45]
    .
    2012-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:46]
    .
    2012-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:46]
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001Core.job
    - c:\users\Joni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-17 13:14]
    .
    2012-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001UA.job
    - c:\users\Joni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-17 13:14]
    .
    2012-07-12 c:\windows\Tasks\HPCeeScheduleForJoni.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 03:15]
    .
    2012-06-30 c:\windows\Tasks\PCDRScheduledMaintenance.job
    - c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [2009-09-17 95728]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?l=dis&o=15901
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT206402&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-24 19:36:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-24 23:36
    .
    Pre-Run: 183,886,794,752 bytes free
    Post-Run: 184,429,215,744 bytes free
    .
    - - End Of File - - 4A5CBD1E075D21280A3E3C343A3227E5
     
  9. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Looks good :)

    Any current issues?

    ================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    =====================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  10. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    Comp seems to be running fine, haven't had any shut-down or other critical errors. MBAM and MSE updated without a problem.

    Logs for MBAM, and OTL/Extras:

    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.24.12

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Joni :: SALLY [administrator]

    Protection: Disabled

    7/24/2012 9:30:20 PM
    mbam-log-2012-07-24 (21-30-20).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 190981
    Time elapsed: 7 minute(s), 7 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 9
    C:\Users\Joni\Downloads\DownloadSetup(1).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
    C:\Users\Joni\Downloads\SetupRG(1).exe (Adware.GameVance) -> Quarantined and deleted successfully.
    C:\Users\Joni\Downloads\SetupRG(2).exe (Adware.GameVance) -> Quarantined and deleted successfully.
    C:\Users\Joni\Downloads\SetupRG(3).exe (Adware.GameVance) -> Quarantined and deleted successfully.
    C:\Users\Joni\Downloads\SetupRG(5).exe (Adware.GameVance) -> Quarantined and deleted successfully.
    C:\Users\Joni\Downloads\SetupRG(6).exe (Adware.GameVance) -> Quarantined and deleted successfully.
    C:\Users\Joni\Downloads\SetupRG(7).exe (Adware.GameVance) -> Quarantined and deleted successfully.
    C:\Users\Joni\Downloads\SetupRG(8).exe (Adware.GameVance) -> Quarantined and deleted successfully.
    C:\Users\Joni\Downloads\SetupRG.exe (Adware.GameVance) -> Quarantined and deleted successfully.

    (end)


    OTL logfile created on: 7/24/2012 9:57:55 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Joni\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.87 Gb Total Physical Memory | 0.99 Gb Available Physical Memory | 52.90% Memory free
    3.75 Gb Paging File | 2.55 Gb Available in Paging File | 67.94% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 288.27 Gb Total Space | 171.71 Gb Free Space | 59.57% Space Free | Partition Type: NTFS
    Drive D: | 9.72 Gb Total Space | 1.46 Gb Free Space | 15.05% Space Free | Partition Type: NTFS
    Drive F: | 7.45 Gb Total Space | 7.40 Gb Free Space | 99.31% Space Free | Partition Type: FAT32

    Computer Name: SALLY | User Name: Joni | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/24 21:53:07 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Joni\Downloads\otl.exe
    PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2011/03/28 18:07:50 | 000,094,264 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    PRC - [2010/11/27 01:55:42 | 000,648,032 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
    PRC - [2010/11/27 01:55:42 | 000,398,176 | ---- | M] (Sony Corporation) -- C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
    PRC - [2009/08/24 22:11:15 | 000,656,896 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
    PRC - [2008/11/20 14:47:28 | 000,062,768 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe


    ========== Modules (No Company Name) ==========


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV:64bit: - [2009/12/03 20:27:24 | 000,028,672 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agr64svc.exe -- (AgereModemAudio)
    SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2012/07/11 16:25:54 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/07/08 11:12:37 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2011/09/09 18:10:28 | 000,086,072 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe -- (HP Support Assistant Service)
    SRV - [2011/03/28 18:07:50 | 000,094,264 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe -- (HPDrvMntSvc.exe)
    SRV - [2010/11/27 01:55:42 | 000,398,176 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe -- (PMBDeviceInfoProvider)
    SRV - [2010/10/12 13:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
    SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
    DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2011/05/10 08:06:08 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/01/26 17:52:22 | 001,212,416 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)
    DRV:64bit: - [2009/07/30 13:12:56 | 000,339,744 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvmf6264.sys -- (NVNET)
    DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
    DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQDSK/1
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {B920F5B5-F0E2-4684-92F2-1383EAA352AF}
    IE:64bit: - HKLM\..\SearchScopes\{B920F5B5-F0E2-4684-92F2-1383EAA352AF}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPDTDF&pc=CPDTDF&src=IE-SearchBox
    IE:64bit: - HKLM\..\SearchScopes\{E25840A9-9DF4-421A-B33A-075A43A77128}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQDSK/1
    IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll (AOL Inc.)
    IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
    IE - HKLM\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect.search.aol.com...34341254&tb_oid=18-09-2011&tb_mrud=18-09-2011
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
    IE - HKLM\..\SearchScopes\{B920F5B5-F0E2-4684-92F2-1383EAA352AF}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPDTDF&pc=CPDTDF&src=IE-SearchBox
    IE - HKLM\..\SearchScopes\{E25840A9-9DF4-421A-B33A-075A43A77128}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=15901
    IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll (AOL Inc.)
    IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\..\SearchScopes,DefaultScope = {0B4A10D1-FBD6-451d-BFDA-F03252B05984}
    IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect.search.aol.com...34341254&tb_oid=18-09-2011&tb_mrud=18-09-2011
    IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\..\SearchScopes\{42B285D5-79C3-427B-8C23-37D7A18FB1A0}: "URL" = http://websearch.ask.com/redirect?c...pn_sauid=6A7EB1D9-467C-45A0-AB04-F57D9B858641
    IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
    IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\..\SearchScopes\{B920F5B5-F0E2-4684-92F2-1383EAA352AF}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPDTDF&pc=CPDTDF&src=IE-SearchBox
    IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\..\SearchScopes\{E25840A9-9DF4-421A-B33A-075A43A77128}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
    IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.defaultthis.engineName: "Philadelphia Phillies Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT206402&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com/"


    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_265.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.8\npapicomadapter.dll (Oberon-Media )
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKLM\Software\MozillaPlugins\npEpicPlayDisplayHost: C:\Program Files (x86)\EpicPlay\npEpicHost.dll ( )
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Joni\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Joni\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/07/08 11:12:39 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/07/05 07:45:57 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\games@acandy.com: C:\Users\Joni\AppData\Local\ArcadeCandy\games@acandy.com [2012/07/01 21:04:09 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/07/08 11:12:39 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/07/05 07:45:57 | 000,000,000 | ---D | M]

    [2011/10/31 19:17:00 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Joni\AppData\Roaming\Mozilla\Extensions
    [2012/07/17 14:56:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\extensions
    [2012/07/17 14:56:09 | 000,000,000 | ---D | M] (uTorrentBar Community Toolbar) -- C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
    [2012/07/15 12:44:09 | 000,000,000 | ---D | M] (Philadelphia Phillies Community Toolbar) -- C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\extensions\{f722f063-925c-43d2-8308-584cfc1297fe}
    [2012/03/24 22:18:40 | 000,000,000 | ---D | M] (RivalGaming) -- C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\extensions\links@rivalgaming.com
    [2011/08/04 13:56:29 | 000,002,342 | ---- | M] () -- C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\searchplugins\aol-search.xml
    [2011/09/30 09:29:29 | 000,002,568 | ---- | M] () -- C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\searchplugins\askcom.xml
    [2012/01/05 15:01:36 | 000,000,945 | ---- | M] () -- C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\searchplugins\conduit.xml
    [2012/03/19 10:39:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2011/10/31 19:17:02 | 000,000,000 | ---D | M] (EpicPlay Games) -- C:\USERS\JONI\APPDATA\ROAMING\MOZILLA\EXTENSIONS\{EC8030F7-C20A-464F-9B0E-13A3A9E97384}\TEXTLINKS@EPICPLAY.COM
    [2012/07/08 11:12:39 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2012/03/17 16:37:08 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
    [2011/12/09 14:24:20 | 000,151,552 | ---- | M] (PopCap Games) -- C:\Program Files (x86)\mozilla firefox\plugins\nppopcaploader.dll
    [2012/07/08 11:12:34 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/07/08 11:12:34 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\Joni\AppData\Local\Google\Chrome\Application\19.0.1084.52\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Joni\AppData\Local\Google\Chrome\Application\19.0.1084.52\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Joni\AppData\Local\Google\Chrome\Application\19.0.1084.52\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    CHR - plugin: EpicPlay Games Browser Addon (Enabled) = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\plccnhhjonaiagjelpfkclblmlppjcik\epplay.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U29 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: downloadUpdater (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
    CHR - plugin: downloadUpdater2 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
    CHR - plugin: PopCap Games Plugin (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\nppopcaploader.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
    CHR - plugin: EpicPlay NPAPI Display Host (Enabled) = C:\Program Files (x86)\EpicPlay\npEpicHost.dll
    CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    CHR - plugin: WildTangent Games App Presence Detector (Enabled) = C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
    CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin
    CHR - Extension: RivalGaming = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\adhmhclafdhfabmmglbcngpddpdeijgd\
    CHR - Extension: uTorrentBar = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj\2.3.2.4_0\
    CHR - Extension: uTorrentBar = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj\2.3.7.1_0\
    CHR - Extension: Pulsate = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjilkkfelgjefpjbjfnfdhmmoglpbhli\1.1_0\
    CHR - Extension: YouTube = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.2_0\
    CHR - Extension: YouTube = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
    CHR - Extension: Google Search = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
    CHR - Extension: Google Search = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
    CHR - Extension: Gmail = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.4_0\
    CHR - Extension: Gmail = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
    CHR - Extension: EpicPlay = C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\plccnhhjonaiagjelpfkclblmlppjcik\

    O1 HOSTS File: ([2012/07/24 19:23:25 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (AOL Messaging Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll (AOL Inc.)
    O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll (Microsoft Corp.)
    O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll (Microsoft Corp.)
    O3 - HKLM\..\Toolbar: (AOL Messaging Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll (AOL Inc.)
    O3 - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\..\Toolbar\WebBrowser: (AOL Messaging Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll (AOL Inc.)
    O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4:64bit: - HKLM..\Run: [PC-Doctor for Windows localizer] C:\Program Files\PC-Doctor for Windows\localizer.exe (PC-Doctor, Inc.)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [HP Remote Solution] C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [hpsysdrv] c:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe (Sony Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A056DB89-1379-43E2-9149-76D1C2085A3B}: DhcpNameServer = 192.168.1.1
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/08/04 18:13:52 | 000,000,110 | -H-- | M] () - F:\autorun.inf -- [ FAT32 ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/24 21:29:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/24 21:29:20 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/07/24 21:15:15 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/07/24 20:18:11 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/07/24 19:36:33 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/07/24 19:01:44 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/07/24 19:01:44 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/07/24 19:01:44 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/07/24 19:00:41 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/07/24 18:59:54 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/07/24 18:58:59 | 004,584,441 | R--- | C] (Swearware) -- C:\Users\Joni\Desktop\ComboFix.exe
    [2012/07/19 15:45:29 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2012/07/19 13:11:26 | 000,000,000 | ---D | C] -- C:\Users\Joni\AppData\Roaming\Malwarebytes
    [2012/07/19 13:11:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/07/19 13:11:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/07/19 10:53:39 | 000,000,000 | ---D | C] -- C:\ProgramData\7812A1690008CB200009235DF875F002
    [2012/07/12 19:50:36 | 000,000,000 | ---D | C] -- C:\Users\Joni\AppData\Roaming\Skunk Studios
    [2012/07/01 21:20:12 | 000,000,000 | ---D | C] -- C:\Users\Joni\Documents\Slingo Mystery Documents
    [2012/07/01 21:19:28 | 000,000,000 | ---D | C] -- C:\Users\Joni\AppData\Roaming\Oberon Media
    [2012/07/01 21:19:25 | 000,000,000 | ---D | C] -- C:\Users\Joni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games of the Month
    [2012/07/01 21:19:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Oberon Media SIDR
    [2012/07/01 21:18:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Oberon Media
    [2012/07/01 21:04:09 | 000,000,000 | ---D | C] -- C:\Users\Joni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ArcadeCandy
    [2012/07/01 21:04:06 | 000,000,000 | ---D | C] -- C:\Users\Joni\AppData\Local\ArcadeCandy
    [2012/07/01 09:54:58 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
    [2012/06/30 18:32:18 | 000,000,000 | ---D | C] -- C:\Users\Joni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Flux Family Secrets - The Book of Oracles
    [2012/06/30 18:32:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Flux Family Secrets - The Book of Oracles
    [2012/06/30 18:32:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Flux Family Secrets - The Book of Oracles
    [1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/07/24 22:03:35 | 000,015,792 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/07/24 22:03:35 | 000,015,792 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/07/24 22:01:01 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001UA.job
    [2012/07/24 21:54:38 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/07/24 21:54:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/07/24 21:54:21 | 1508,761,600 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/24 21:29:29 | 000,001,075 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/24 21:25:38 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/07/24 19:37:05 | 000,729,880 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012/07/24 19:37:05 | 000,626,290 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012/07/24 19:37:05 | 000,107,566 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012/07/24 19:23:25 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012/07/24 19:09:20 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/07/24 18:59:06 | 004,584,441 | R--- | M] (Swearware) -- C:\Users\Joni\Desktop\ComboFix.exe
    [2012/07/19 08:34:16 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001Core.job
    [2012/07/19 08:33:59 | 000,000,266 | ---- | M] () -- C:\Windows\tasks\CandyUpdater.job
    [2012/07/12 03:35:22 | 000,000,328 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForJoni.job
    [2012/07/12 03:35:13 | 000,329,176 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2012/07/11 15:08:35 | 000,002,397 | ---- | M] () -- C:\Users\Joni\Desktop\Google Chrome.lnk
    [2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/07/01 21:19:25 | 000,002,297 | ---- | M] () -- C:\Users\Joni\Desktop\Slingo Mystery.lnk
    [2012/07/01 21:19:00 | 000,001,212 | ---- | M] () -- C:\Users\Joni\Desktop\Games of the Month.lnk
    [2012/06/30 18:33:11 | 000,002,210 | ---- | M] () -- C:\Users\Public\Desktop\Play Flux Family Secrets - The Book of Oracles.lnk
    [2012/06/30 18:33:11 | 000,001,312 | ---- | M] () -- C:\Users\Public\Desktop\More Great Games.lnk
    [2012/06/30 10:25:45 | 000,000,544 | ---- | M] () -- C:\Windows\tasks\PCDRScheduledMaintenance.job
    [1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/07/24 21:29:29 | 000,001,075 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/24 19:01:44 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/07/24 19:01:44 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/07/24 19:01:44 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/07/24 19:01:44 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/07/24 19:01:44 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/07/19 15:47:11 | 000,001,921 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/07/01 21:19:25 | 000,002,297 | ---- | C] () -- C:\Users\Joni\Desktop\Slingo Mystery.lnk
    [2012/07/01 21:19:00 | 000,001,212 | ---- | C] () -- C:\Users\Joni\Desktop\Games of the Month.lnk
    [2012/07/01 21:04:09 | 000,000,266 | ---- | C] () -- C:\Windows\tasks\CandyUpdater.job
    [2012/06/30 18:33:11 | 000,002,210 | ---- | C] () -- C:\Users\Public\Desktop\Play Flux Family Secrets - The Book of Oracles.lnk
    [2012/06/30 18:33:11 | 000,001,312 | ---- | C] () -- C:\Users\Public\Desktop\More Great Games.lnk
    [2011/12/02 11:25:29 | 000,000,180 | ---- | C] () -- C:\Users\Joni\AppData\Roaming\wklnhst.dat
    [2011/09/08 14:18:39 | 000,000,010 | ---- | C] () -- C:\Windows\popcinfo.dat
    [2011/08/03 20:25:59 | 000,743,538 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

    ========== LOP Check ==========

    [2012/04/24 19:23:31 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Absolutist
    [2011/08/04 13:56:10 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\acccore
    [2011/09/27 10:44:34 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Alawar Entertainment
    [2012/05/05 15:37:06 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\AlawarEntertainment
    [2012/06/16 13:13:41 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Artifex Mundi
    [2011/11/23 08:31:21 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Artogon
    [2011/11/24 09:14:15 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Big Fish Games
    [2011/12/26 20:12:24 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Blue Tea Games
    [2012/02/18 19:40:59 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Boomzap
    [2012/03/21 17:04:40 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\casualArts
    [2012/06/14 17:19:30 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\DailyMagic
    [2012/01/04 10:21:27 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\DarkParablesBriarRoseSE_BFG
    [2012/06/12 15:37:54 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Eipix
    [2011/12/11 12:59:59 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\EleFun Games
    [2012/06/15 21:34:33 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Elephant Games
    [2011/12/30 21:32:54 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Enki Games
    [2011/08/08 10:12:40 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Enlightenus_Egames
    [2012/05/20 11:40:46 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\ERS Game Studios
    [2011/12/07 10:22:16 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Fanda Games
    [2011/10/30 20:11:19 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\flashInstall
    [2011/08/14 12:59:00 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Floodlight Games
    [2011/11/19 18:03:39 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Freeze Tag
    [2012/07/01 21:20:12 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\funkitron
    [2012/03/24 18:13:13 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\GameInvest
    [2012/04/01 01:01:16 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\GameMill Entertainment
    [2011/10/05 10:20:48 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\GO Games
    [2011/09/09 09:46:03 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\HitPoint Studios
    [2011/09/06 10:26:49 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\iWin
    [2011/08/09 15:03:01 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\LestaStudio
    [2012/04/19 10:54:33 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Meridian93
    [2012/01/31 19:53:38 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\MumboJumbo
    [2012/07/01 21:19:28 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Oberon Media
    [2011/10/04 18:19:44 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Orneon
    [2011/09/19 15:24:04 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\PlayPond
    [2011/11/18 20:39:41 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Pogo Games
    [2012/01/14 17:11:57 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\quickclick
    [2011/11/13 10:47:29 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Reincarnations - Back to Reality Strategy Guide
    [2012/07/12 19:50:36 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Skunk Studios
    [2011/09/13 09:46:10 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Specialbit
    [2011/12/02 11:25:43 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Template
    [2012/02/10 16:11:03 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\TikisLab
    [2011/09/28 11:39:03 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Trillian
    [2012/07/08 14:23:57 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\uTorrent
    [2012/03/06 10:37:24 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Vast Studios
    [2011/09/01 09:02:17 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\Vogat Interactive
    [2011/09/15 07:35:57 | 000,000,000 | ---D | M] -- C:\Users\Joni\AppData\Roaming\WinBatch
    [2012/07/19 08:33:59 | 000,000,266 | ---- | M] () -- C:\Windows\Tasks\CandyUpdater.job
    [2012/06/30 10:25:45 | 000,000,544 | ---- | M] () -- C:\Windows\Tasks\PCDRScheduledMaintenance.job
    [2009/07/14 01:08:49 | 000,029,880 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    < End of report >
     
  11. notforyou


    OTL Extras logfile created on: 7/24/2012 9:57:55 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Joni\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.87 Gb Total Physical Memory | 0.99 Gb Available Physical Memory | 52.90% Memory free
    3.75 Gb Paging File | 2.55 Gb Available in Paging File | 67.94% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 288.27 Gb Total Space | 171.71 Gb Free Space | 59.57% Space Free | Partition Type: NTFS
    Drive D: | 9.72 Gb Total Space | 1.46 Gb Free Space | 15.05% Space Free | Partition Type: NTFS
    Drive F: | 7.45 Gb Total Space | 7.40 Gb Free Space | 99.31% Space Free | Partition Type: FAT32

    Computer Name: SALLY | User Name: Joni | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-3273348302-90664181-4027946035-1001\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0293AB9B-670B-4522-96DA-614427A49F29}" = lport=139 | protocol=6 | dir=in | app=system |
    "{11A07A52-24C4-41CF-A62C-C714293F26F3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{14CFE587-2092-4B98-B6C1-573EDF8ED0C3}" = rport=138 | protocol=17 | dir=out | app=system |
    "{14D6E128-FE0C-4655-A008-91B102906155}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{1631E798-F9C0-4B8C-ABAA-FAF28D93692E}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{29E1BF29-F2B9-415A-80B8-4ED19188CBC8}" = rport=139 | protocol=6 | dir=out | app=system |
    "{34125F2C-DB6E-427F-B231-E2126B7736B6}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{3AA7A4EC-AF90-46D4-AFD1-31A969A11676}" = lport=445 | protocol=6 | dir=in | app=system |
    "{42E98EAA-7DA6-42F1-87C9-C1B54DE3CE56}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{49BF1F60-FD1D-4AFE-A79B-00EF683AB88C}" = rport=445 | protocol=6 | dir=out | app=system |
    "{665E91AD-6D53-4A9F-81E8-895BA9C205CD}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{6863B190-099A-4F97-B9A1-021BD28FDBD5}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{69C9AB99-1613-4B79-A60F-436A13C22F6D}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{799BBFCA-2664-432D-8E4E-9B52CD8B0A52}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{890D27A2-8816-452D-A883-EF7A68395BDD}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{89EEAFDC-ED4A-465C-B178-B26447437EC5}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{96842544-E176-429A-BEB9-4CAE485FEDC6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
    "{A2C34458-353D-438C-B9E4-C791A4FB232F}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{B12E923C-A3EB-4BB4-8173-665AC161E4FF}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{B377647A-B4E6-4C0E-9FA3-43317629FBB4}" = lport=138 | protocol=17 | dir=in | app=system |
    "{CD25765F-6549-452D-932F-61B3AA0C4192}" = lport=137 | protocol=17 | dir=in | app=system |
    "{E35F8B78-984D-479F-874D-2248B51E8DC0}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{E871EFBD-AC53-4C45-BFAF-B5568ABB45B5}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{EAA69549-2848-43B5-ADEF-04E2C6702FB2}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{FAB84F7F-D8C6-4F60-899C-8B09BB4AE853}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{02A8BB24-4C4E-445C-B856-D5E0726388DB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{05A35D69-0675-473E-B3C1-C3DA866227BD}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{05E1915F-C311-4C8D-8178-0CC2FFA89581}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{0C6F40B3-52B8-4B70-8E6A-9631B679BAD1}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{167D0E53-29A1-413C-8758-C58A4300C7D2}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "{271F7DEC-C053-49E4-9F92-EEF4520C6C72}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "{2C0E0D38-82D2-480E-BA5C-047D8904EEB0}" = protocol=17 | dir=in | app=c:\program files (x86)\aim\aim.exe |
    "{3F8B1512-D5C3-449A-9E2F-D34239662739}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{453CE734-0BF6-45FB-B5E2-0225E4ADC5EB}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{4737083B-77BD-4674-9650-D88C1A60FC60}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{52E60E59-A794-4FF2-B299-4CF0EB8B6463}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{5AFCAE78-1205-449E-82A1-C3C027A9A8C7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{5CFDDCB5-9736-4CC7-80AE-1CB20080995D}" = dir=in | app=c:\program files (x86)\windows live\messenger\wlcsdk.exe |
    "{5F37FADD-2BB4-4067-B60A-3B8B37F3D40F}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
    "{6B76B6DE-B151-4F0C-B364-44F5A8CB330F}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
    "{76501808-9224-4336-A488-48FCFBAA597E}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
    "{92E87DBE-E380-4E8E-90DE-74D8776389EC}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{99AC415E-EFBA-4104-A647-D87010A3CDE0}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A793499D-9D5D-4839-9EE5-36F32F431BA2}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A95005B6-4D6F-4AD3-8D1E-6C1BCA6661D5}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{AC3BBBCA-2CBF-408B-8944-63F5375836BF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{C399682D-4C79-488F-B7D3-F4E5A3EC2D5A}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
    "{C3A7BB2E-8FCA-4BFA-9872-D3FDE9CBCFA6}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
    "{C40925D0-357D-4D50-AD14-C1B7272134E7}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{C4EB508C-80EF-4E8A-AC1D-B683DA4DC550}" = dir=in | app=c:\program files (x86)\cyberlink\powerdirector\pdr.exe |
    "{C8A21C41-872B-45B0-A744-BED928864C0E}" = protocol=6 | dir=in | app=c:\program files (x86)\aim\aim.exe |
    "{CAFD62CE-E24A-4985-9146-1AC8735DBEC5}" = dir=in | app=c:\program files (x86)\windows live\sync\windowslivesync.exe |
    "{D188B84B-3318-43C7-A4E2-7C6153A86C58}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{D7707D3C-39F5-4008-8689-0A52C5246E8B}" = protocol=6 | dir=out | app=system |
    "{E8CE945C-703B-4744-A6B4-FD5DBFEAC6D3}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{FFC761B4-EFEC-4E7E-926B-278FC6847EF0}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "TCP Query User{351F0FC8-FD02-4824-88F0-EA9814FCDF8F}C:\program files (x86)\aim\aim.exe" = protocol=6 | dir=in | app=c:\program files (x86)\aim\aim.exe |
    "TCP Query User{464BA734-2F33-4213-AC48-93DCFBC1E651}C:\users\joni\downloads\utorrent(2).exe" = protocol=6 | dir=in | app=c:\users\joni\downloads\utorrent(2).exe |
    "TCP Query User{7B2728A0-31DF-48AD-AF9C-D3393FA82495}C:\program files (x86)\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files (x86)\google\google earth\client\googleearth.exe |
    "TCP Query User{F00AEBED-B77F-4C90-981F-63A9C4C5D633}C:\program files (x86)\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files (x86)\google\google earth\plugin\geplugin.exe |
    "UDP Query User{510D83DE-C593-4A9F-84D2-31DC0B7C417D}C:\program files (x86)\aim\aim.exe" = protocol=17 | dir=in | app=c:\program files (x86)\aim\aim.exe |
    "UDP Query User{5D63EEA9-5054-45FE-811D-DBB384FAE33A}C:\program files (x86)\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files (x86)\google\google earth\client\googleearth.exe |
    "UDP Query User{ADA42359-0DD9-482D-88CD-FA16D7871F83}C:\program files (x86)\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files (x86)\google\google earth\plugin\geplugin.exe |
    "UDP Query User{F8578B9C-E3BE-420C-AD9A-2E8ADB6C41CF}C:\users\joni\downloads\utorrent(2).exe" = protocol=17 | dir=in | app=c:\users\joni\downloads\utorrent(2).exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
    "{439760BC-7737-4386-9B1D-A90A3E8A22EA}" = Apple Mobile Device Support
    "{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client
    "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{B613A9BB-2B34-4824-A4BE-2427653D59D6}" = iTunes
    "{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
    "{CA0D2F09-F811-48D4-843E-C87696C6A9D9}" = Bonjour
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "LSI Soft Modem" = LSI PCI-SV92EX Soft Modem
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "NVIDIA Display Control Panel" = NVIDIA Display Control Panel
    "NVIDIA Drivers" = NVIDIA Drivers
    "OfficeTrial" = Microsoft Office Home and Student 60 day trial
    "PC-Doctor for Windows" = Hardware Diagnostic Tools

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{07FA4960-B038-49EB-891B-9F95930AA544}" = HP Customer Experience Enhancements
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
    "{17B4760F-334B-475D-829F-1A3E94A6A4E6}" = HP Setup
    "{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
    "{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App" = Update Installer for WildTangent Games App
    "{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
    "{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}" = HP Advisor
    "{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}" = Recovery Manager
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{553C904F-57A2-4113-888E-BA0C3D1C69C0}" = Microsoft VC9 runtime libraries
    "{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
    "{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{6F340107-F9AA-47C6-B54C-C3A19F11553F}" = Hewlett-Packard ACLM.NET v1.1.2.0
    "{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}" = HP Support Assistant
    "{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-hp" = WildTangent Games App (HP Games)
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
    "{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
    "{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A436F67F-687E-4736-BD2B-537121A804CF}" = HP Product Detection
    "{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
    "{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
    "{B6A98E5F-D6A7-46FB-9E9D-1F7BF443491C}" = PMB
    "{B8AC1A89-FFD1-4F97-8051-E505A160F562}" = HP Odometer
    "{B9A03B7B-E0FF-4FB3-BA83-762E58A1B0AA}" = HP Support Information
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "{C611CF88-969D-43E6-A877-D6D6439DD081}" = HP Remote Solution
    "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "{CC8E94A2-55C7-4460-953C-2A790180578C}" = LightScribe System Software
    "{D46D081B-F60E-467E-A7C4-117B70D76731}" = HP Update
    "{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
    "{DF802C05-4660-418c-970C-B988ADB1D316}" = Microsoft Live Search Toolbar
    "{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
    "{E9E34215-82EF-4909-BE2F-F581F0DC9062}" = DirectX for Managed Code Update (Summer 2004)
    "{EA4FFFE4-0517-46AC-A19B-A8013985F766}" = Microsoft Live Search Toolbar
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
    "{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
    "117739927" = Slingo Mystery
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.6
    "AIM Toolbar" = AOL Messaging Toolbar
    "AIM_7" = AIM 7
    "BFG-4 Elements" = 4 Elements
    "BFG-Awakening - The Goblin Kingdom Collector's Edition" = Awakening: The Goblin Kingdom Collector's Edition
    "BFG-Azada - In Libro" = Azada: In Libro
    "BFG-Big City Adventure - London Story" = Big City Adventure: London Story
    "BFG-Big Kahuna Reef 2 - Chain Reaction" = Big Kahuna Reef 2 - Chain Reaction
    "BFG-Bluebeard's Castle" = Bluebeard's Castle
    "BFGC" = Big Fish Games: Game Manager
    "BFG-Clutter" = Clutter
    "BFG-Clutter II - He Said She Said" = Clutter II: He Said, She Said
    "BFG-Cursed Memories - The Secret of Agony Creek Collector's Edition" = Cursed Memories: The Secret of Agony Creek Collector's Edition
    "BFG-Dark Parables - Curse of Briar Rose" = Dark Parables: Curse of Briar Rose
    "BFG-Dark Parables - Rise of the Snow Queen Collector's Edition" = Dark Parables: Rise of the Snow Queen Collector's Edition
    "BFG-Dark Strokes - Sins of the Fathers" = Dark Strokes: Sins of the Fathers
    "BFG-Dark Tales - Edgar Allan Poe's The Black Cat" = Dark Tales: ™ Edgar Allan Poe's The Black Cat
    "BFG-Dark Tales - Edgar Allan Poe's The Premature Burial Collector's Edition" = Dark Tales: Edgar Allan Poe's The Premature Burial Collector's Edition
    "BFG-Easter Eggztravaganza" = Easter Eggztravaganza
    "BFG-Echoes of the Past - The Citadels of Time Collectors Edition" = Echoes of the Past: The Citadels of Time Collector's Edition
    "BFG-Escape the Museum" = Escape the Museum
    "BFG-F.A.C.E.S. Collector's Edition" = F.A.C.E.S. Collector's Edition
    "BFG-Fairies" = Fairies
    "BFG-Fear for Sale - Sunnyvale Story Collectors Edition" = Fear for Sale: Sunnyvale Story Collector's Edition
    "BFG-Final Cut - Death on the Silver Screen Collector's Edition" = Final Cut: Death on the Silver Screen Collector's Edition
    "BFG-Flux Family Secrets - The Book of Oracles" = Flux Family Secrets: The Book of Oracles
    "BFG-Glyph" = Glyph
    "BFG-Green Moon" = Green Moon
    "BFG-Haunted Halls - Fears from Childhood Collector's Edition" = Haunted Halls: Fears from Childhood Collector's Edition
    "BFG-Haunted Hotel" = Haunted Hotel
    "BFG-Haunted Legends - The Bronze Horseman" = Haunted Legends: The Bronze Horseman
    "BFG-Hidden Expedition - The Uncharted Islands Collector's Edition" = Hidden Expedition: The Uncharted Islands Collector's Edition
    "BFG-Hidden Mysteries - Royal Family Secrets" = Hidden Mysteries: Royal Family Secrets
    "BFG-Hidden Mysteries - Salem Secrets" = Hidden Mysteries®: Salem Secrets
    "BFG-House of 1000 Doors - Family Secret Collector's Edition" = House of 1000 Doors: Family Secret Collector's Edition
    "BFG-House of 1000 Doors - The Palm of Zoroaster Collector's Edition" = House of 1000 Doors: The Palm of Zoroaster Collector's Edition
    "BFG-Lost Lagoon - The Trail of Destiny" = Lost Lagoon: The Trail of Destiny
    "BFG-Macabre Mysteries - Curse of the Nightingale Collector's Edition" = Macabre Mysteries: Curse of the Nightingale Collector's Edition
    "BFG-Midnight Mysteries - Haunted Houdini Deluxe" = Midnight Mysteries: Haunted Houdini Deluxe
    "BFG-Mystery Case Files - Escape from Ravenhearst Collector's Edition" = Mystery Case Files®: Escape from Ravenhearst™ Collector's Edition
    "BFG-Mystery Legends - Beauty and the Beast Collector's Edition" = Mystery Legends: Beauty and the Beast Collector's Edition
    "BFG-Mystery Trackers - Black Isle" = Mystery Trackers: Black Isle
    "BFG-Mystic Diary - Haunted Island" = Mystic Diary: Haunted Island
    "BFG-Nancy Drew - Shadow at the Water's Edge" = Nancy Drew: Shadow at the Water's Edge
    "BFG-Nightfall Mysteries - Asylum Conspiracy" = Nightfall Mysteries: Asylum Conspiracy
    "BFG-Nightfall Mysteries - Black Heart" = Nightfall Mysteries: Black Heart
    "BFG-Nightfall Mysteries - Curse of the Opera" = Nightfall Mysteries: Curse of the Opera
    "BFG-Nightmare Realm" = Nightmare Realm
    "BFG-Nightmares from the Deep - The Cursed Heart" = Nightmares from the Deep: The Cursed Heart
    "BFG-Oddly Enough - Pied Piper" = Oddly Enough: Pied Piper
    "BFG-Otherworld - Spring of Shadows" = Otherworld: Spring of Shadows
    "BFG-Puppetshow - Return to Joyville" = Puppetshow: Return to Joyville
    "BFG-Reincarnations - Back to Reality" = Reincarnations: Back to Reality
    "BFG-Reincarnations - Back to Reality Strategy Guide" = Reincarnations: Back to Reality Strategy Guide
    "BFG-Reincarnations - Uncover the Past" = Reincarnations: Uncover the Past
    "BFG-Sacra Terra - Angelic Night" = Sacra Terra: Angelic Night
    "BFG-Samantha Swift and the Hidden Roses of Athena" = Samantha Swift and the Hidden Roses of Athena
    "BFG-Shiver - Vanishing Hitchhiker" = Shiver: Vanishing Hitchhiker
    "BFG-Slingo Supreme 2" = Slingo Supreme 2
    "BFG-Spirit Seasons - Little Ghost Story" = Spirit Seasons: Little Ghost Story
    "BFG-Spirit Walkers - Curse of the Cypress Witch" = Spirit Walkers: Curse of the Cypress Witch
    "BFG-Spirits of Mystery - Amber Maiden" = Spirits of Mystery: Amber Maiden
    "BFG-Temple of Life - The Legend of Four Elements" = Temple of Life: The Legend of Four Elements
    "BFG-The Book of Desires" = The Book of Desires
    "BFG-The Mystery of the Crystal Portal" = The Mystery of the Crystal Portal
    "BFG-The Secret Order - New Horizon" = The Secret Order: New Horizon
    "BFG-The Secrets of Arcelia Island" = The Secrets of Arcelia Island
    "BFG-Time Mysteries - The Ancient Spectres Collectors Edition" = Time Mysteries: The Ancient Spectres Collector's Edition
    "BFG-Treasure Seekers - Follow the Ghosts" = Treasure Seekers: Follow the Ghosts
    "BFG-Treasure Seekers - The Enchanted Canvases" = Treasure Seekers: The Enchanted Canvases
    "BFG-Victorian Mysteries - Woman in White" = Victorian Mysteries: Woman in White
    "BFG-Weird Park - Broken Tune Collectors Edition" = Weird Park: Broken Tune Collector's Edition
    "BFG-World Riddles - Seven Wonders" = World Riddles: Seven Wonders
    "BFG-Zuma Deluxe" = Zuma Deluxe
    "HP Remote Solution" = HP Remote Solution
    "InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
    "InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
    "Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "PopCap Browser Plugin" = PopCap Browser Plugin
    "RivalGaming" = RivalGaming
    "SoftwareUpdUtility" = Download Updater (AOL LLC)
    "Trillian" = Trillian
    "uTorrent" = µTorrent
    "WildTangent hp Master Uninstall" = HP Games
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "YTdetect" = Yahoo! Detect

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-3273348302-90664181-4027946035-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{6A2EF989-A524-48bf-985F-9D076B334980}" = ArcadeCandy
    "Enlightenus" = Enlightenus
    "Google Chrome" = Google Chrome

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 7/15/2012 2:35:22 PM | Computer Name = SALLY | Source = Application Hang | ID = 1002
    Description = The program firefox.exe version 13.0.1.4548 stopped interacting with
    Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID: eb4 Start
    Time: 01cd62b834f36bc8 Termination Time: 71 Application Path: C:\Program Files (x86)\Mozilla
    Firefox\firefox.exe Report Id: cec614f9-ceab-11e1-8551-002354f8dfd4

    Error - 7/15/2012 2:36:25 PM | Computer Name = SALLY | Source = Application Hang | ID = 1002
    Description = The program firefox.exe version 13.0.1.4548 stopped interacting with
    Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID: f50 Start
    Time: 01cd62b89a71b888 Termination Time: 30 Application Path: C:\Program Files (x86)\Mozilla
    Firefox\firefox.exe Report Id:

    Error - 7/15/2012 2:40:02 PM | Computer Name = SALLY | Source = Application Hang | ID = 1002
    Description = The program firefox.exe version 13.0.1.4548 stopped interacting with
    Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID: d88 Start
    Time: 01cd62b8c049b588 Termination Time: 90 Application Path: C:\Program Files (x86)\Mozilla
    Firefox\firefox.exe Report Id: 794dc859-ceac-11e1-8551-002354f8dfd4

    Error - 7/15/2012 2:41:02 PM | Computer Name = SALLY | Source = Application Hang | ID = 1002
    Description = The program firefox.exe version 13.0.1.4548 stopped interacting with
    Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID: 830 Start
    Time: 01cd62b9428362d8 Termination Time: 80 Application Path: C:\Program Files (x86)\Mozilla
    Firefox\firefox.exe Report Id: 9d53c479-ceac-11e1-8551-002354f8dfd4

    Error - 7/15/2012 4:55:39 PM | Computer Name = SALLY | Source = Application Error | ID = 1000
    Description = Faulting application name: FlashPlayerPlugin_11_3_300_257.exe, version:
    11.3.300.257, time stamp: 0x4fc82063 Faulting module name: NPSWF32_11_3_300_257.dll,
    version: 11.3.300.257, time stamp: 0x4fc821fc Exception code: 0xc0000005 Fault offset:
    0x0016b4bd Faulting process id: 0x11ac Faulting application start time: 0x01cd62c781765028
    Faulting
    application path: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_257.exe
    Faulting
    module path: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_257.dll Report
    Id: 6e5a2758-cebf-11e1-8551-002354f8dfd4

    Error - 7/16/2012 6:49:38 AM | Computer Name = SALLY | Source = SideBySide | ID = 16842787
    Description = Activation context generation failed for "c:\program files (x86)\windows
    live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
    files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
    found in manifest does not match the identity of the component requested. Reference
    is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
    is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
    sxstrace.exe for detailed diagnosis.

    Error - 7/16/2012 7:47:47 PM | Computer Name = SALLY | Source = Application Error | ID = 1000
    Description = Faulting application name: FlashPlayerPlugin_11_3_300_257.exe, version:
    11.3.300.257, time stamp: 0x4fc82063 Faulting module name: NPSWF32_11_3_300_257.dll,
    version: 11.3.300.257, time stamp: 0x4fc821fc Exception code: 0xc0000005 Fault offset:
    0x000ccb60 Faulting process id: 0x7f0 Faulting application start time: 0x01cd6380e998c58c
    Faulting
    application path: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_257.exe
    Faulting
    module path: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_257.dll Report
    Id: a4a26a50-cfa0-11e1-8551-002354f8dfd4

    Error - 7/18/2012 6:36:33 AM | Computer Name = SALLY | Source = SideBySide | ID = 16842787
    Description = Activation context generation failed for "c:\program files (x86)\windows
    live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
    files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
    found in manifest does not match the identity of the component requested. Reference
    is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
    is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
    sxstrace.exe for detailed diagnosis.

    Error - 7/18/2012 10:02:09 AM | Computer Name = SALLY | Source = Application Error | ID = 1000
    Description = Faulting application name: FlashPlayerPlugin_11_3_300_257.exe, version:
    11.3.300.257, time stamp: 0x4fc82063 Faulting module name: NPSWF32_11_3_300_257.dll,
    version: 11.3.300.257, time stamp: 0x4fc821fc Exception code: 0xc0000005 Fault offset:
    0x000ccb60 Faulting process id: 0x934 Faulting application start time: 0x01cd64ea00be1310
    Faulting
    application path: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_257.exe
    Faulting
    module path: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_257.dll Report
    Id: 29b467fc-d0e1-11e1-8551-002354f8dfd4

    Error - 7/18/2012 5:34:49 PM | Computer Name = SALLY | Source = Bonjour Service | ID = 100
    Description = mDNSCoreMachineSleep: mDNS_Lock: Locking failure! mDNS_busy (1) !=
    mDNS_reentrancy (0)

    Error - 7/18/2012 5:34:50 PM | Computer Name = SALLY | Source = Bonjour Service | ID = 100
    Description = mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1)
    != mDNS_reentrancy (0)

    [ Hewlett-Packard Events ]
    Error - 6/30/2012 8:55:45 AM | Computer Name = SALLY | Source = hpsa_service.exe | ID = 2000
    Description = HP Error ID: -2146233088hpsa_service.exe at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

    at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
    Boolean localScan) Message: One HP Active Check Local Mode job already running. StackTrace:
    at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

    at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
    Boolean localScan) Source: HP.ActiveCheckLocalMode.SessionManager Name: hpsa_service.exe
    Version:
    06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
    Format:
    en-US RAM: 1918 Ram Utilization: 70 TargetSite: Void UpdateAndDetect()

    Error - 7/7/2012 1:22:30 AM | Computer Name = SALLY | Source = hpsa_service.exe | ID = 2000
    Description = HP Error ID: -2146233088hpsa_service.exe at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

    at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
    Boolean localScan) Message: One HP Active Check Local Mode job already running. StackTrace:
    at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

    at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
    Boolean localScan) Source: HP.ActiveCheckLocalMode.SessionManager Name: hpsa_service.exe
    Version:
    06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
    Format:
    en-US RAM: 1918 Ram Utilization: 60 TargetSite: Void UpdateAndDetect()

    Error - 7/7/2012 9:28:26 AM | Computer Name = SALLY | Source = hpsa_service.exe | ID = 2000
    Description = HP Error ID: -2146233088hpsa_service.exe at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

    at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
    Boolean localScan) Message: One HP Active Check Local Mode job already running. StackTrace:
    at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

    at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
    Boolean localScan) Source: HP.ActiveCheckLocalMode.SessionManager Name: hpsa_service.exe
    Version:
    06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
    Format:
    en-US RAM: 1918 Ram Utilization: TargetSite: Void UpdateAndDetect()

    Error - 7/14/2012 11:15:15 AM | Computer Name = SALLY | Source = hpsa_service.exe | ID = 2000
    Description = HP Error ID: -2146233088 at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

    at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
    Boolean localScan) Message: One HP Active Check Local Mode job already running. StackTrace:
    at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

    at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
    Boolean localScan) Source: HP.ActiveCheckLocalMode.SessionManager Name: hpsa_service.exe
    Version:
    06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
    Format:
    en-US RAM: 1918 Ram Utilization: 40 TargetSite: Void UpdateAndDetect()

    Error - 7/24/2012 7:16:46 PM | Computer Name = SALLY | Source = HPSF.exe | ID = 4000
    Description = HP Error ID: -2147467259 at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo
    startInfo) at System.Diagnostics.Process.Start() at HP.SupportAssistant.UI.MessengerCommunication.launchMessenger()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendBeginAnalysis() Message: A device
    attached to the system is not functioning StackTrace: at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo
    startInfo) at System.Diagnostics.Process.Start() at HP.SupportAssistant.UI.MessengerCommunication.launchMessenger()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendBeginAnalysis() Source: System

    Name:
    HPSF.exe Version: 06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support
    Framework\HPSF.exe Format: en-US RAM: 1918 Ram Utilization: 60 TargetSite: Boolean
    StartWithShellExecuteEx(System.Diagnostics.ProcessStartInfo)

    Error - 7/24/2012 7:18:14 PM | Computer Name = SALLY | Source = hpsa_service.exe | ID = 2000
    Description = HP Error ID: -2146233088 at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

    at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
    Boolean localScan) Message: One HP Active Check Local Mode job already running. StackTrace:
    at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

    at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
    Boolean localScan) Source: HP.ActiveCheckLocalMode.SessionManager Name: hpsa_service.exe
    Version:
    06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
    Format:
    en-US RAM: 1918 Ram Utilization: 60 TargetSite: Void UpdateAndDetect()

    Error - 7/24/2012 7:18:31 PM | Computer Name = SALLY | Source = HPSF.exe | ID = 4000
    Description = HP Error ID: -2147467259HPSF.exe at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo
    startInfo) at System.Diagnostics.Process.Start() at HP.SupportAssistant.UI.MessengerCommunication.launchMessenger()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Message: A device
    attached to the system is not functioning StackTrace: at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo
    startInfo) at System.Diagnostics.Process.Start() at HP.SupportAssistant.UI.MessengerCommunication.launchMessenger()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Source: System

    Name:
    HPSF.exe Version: 06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support
    Framework\HPSF.exe Format: en-US RAM: 1918 Ram Utilization: 60 TargetSite: Boolean
    StartWithShellExecuteEx(System.Diagnostics.ProcessStartInfo)

    Error - 7/24/2012 7:19:28 PM | Computer Name = SALLY | Source = HPSF.exe | ID = 4000
    Description = HP Error ID: -2147467259HPSF.exe at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo
    startInfo) at System.Diagnostics.Process.Start() at HP.SupportAssistant.UI.MessengerCommunication.launchMessenger()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Message: A device
    attached to the system is not functioning StackTrace: at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo
    startInfo) at System.Diagnostics.Process.Start() at HP.SupportAssistant.UI.MessengerCommunication.launchMessenger()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Source: System

    Name:
    HPSF.exe Version: 06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support
    Framework\HPSF.exe Format: en-US RAM: 1918 Ram Utilization: 60 TargetSite: Boolean
    StartWithShellExecuteEx(System.Diagnostics.ProcessStartInfo)

    Error - 7/24/2012 7:20:13 PM | Computer Name = SALLY | Source = HPSF.exe | ID = 4000
    Description = HP Error ID: -2147467259HPSF.exe at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo
    startInfo) at System.Diagnostics.Process.Start() at HP.SupportAssistant.UI.MessengerCommunication.launchMessenger()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Message: A device
    attached to the system is not functioning StackTrace: at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo
    startInfo) at System.Diagnostics.Process.Start() at HP.SupportAssistant.UI.MessengerCommunication.launchMessenger()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Source: System

    Name:
    HPSF.exe Version: 06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support
    Framework\HPSF.exe Format: en-US RAM: 1918 Ram Utilization: 60 TargetSite: Boolean
    StartWithShellExecuteEx(System.Diagnostics.ProcessStartInfo)

    Error - 7/24/2012 7:21:17 PM | Computer Name = SALLY | Source = HPSF.exe | ID = 4000
    Description = HP Error ID: -2147467259HPSF.exe at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo
    startInfo) at System.Diagnostics.Process.Start() at HP.SupportAssistant.UI.MessengerCommunication.launchMessenger()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Message: A device
    attached to the system is not functioning StackTrace: at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo
    startInfo) at System.Diagnostics.Process.Start() at HP.SupportAssistant.UI.MessengerCommunication.launchMessenger()

    at HP.SupportAssistant.UI.MessengerCommunication.initializeCommunication()
    at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Source: System

    Name:
    HPSF.exe Version: 06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support
    Framework\HPSF.exe Format: en-US RAM: 1918 Ram Utilization: 60 TargetSite: Boolean
    StartWithShellExecuteEx(System.Diagnostics.ProcessStartInfo)

    [ System Events ]
    Error - 5/11/2012 5:15:35 PM | Computer Name = SALLY | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the Netman service.

    Error - 5/11/2012 6:37:55 PM | Computer Name = SALLY | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the Netman service.

    Error - 5/13/2012 9:02:15 AM | Computer Name = SALLY | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the lmhosts service.

    Error - 5/13/2012 5:54:04 PM | Computer Name = SALLY | Source = NetBT | ID = 4321
    Description = The name "WORKGROUP :1d" could not be registered on the interface
    with IP address 192.168.1.4. The computer with the IP address 192.168.1.3 did not
    allow the name to be claimed by this computer.

    Error - 5/13/2012 6:13:53 PM | Computer Name = SALLY | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the lmhosts service.

    Error - 5/14/2012 4:49:56 AM | Computer Name = SALLY | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the ShellHWDetection service.

    Error - 5/14/2012 9:03:48 AM | Computer Name = SALLY | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the ShellHWDetection service.

    Error - 5/14/2012 6:21:59 PM | Computer Name = SALLY | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the ShellHWDetection service.

    Error - 5/15/2012 9:12:30 AM | Computer Name = SALLY | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the ShellHWDetection service.

    Error - 5/16/2012 9:04:49 AM | Computer Name = SALLY | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the Netman service.


    < End of report >
     
  12. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE:64bit: - HKLM\..\SearchScopes\{E25840A9-9DF4-421A-B33A-075A43A77128}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
      IE - HKLM\..\SearchScopes\{E25840A9-9DF4-421A-B33A-075A43A77128}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
      IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=15901
      IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\..\SearchScopes\{42B285D5-79C3-427B-8C23-37D7A18FB1A0}: "URL" = http://websearch.ask.com/redirect?c...pn_sauid=6A7EB1D9-467C-45A0-AB04-F57D9B858641
      IE - HKU\S-1-5-21-3273348302-90664181-4027946035-1001\..\SearchScopes\{E25840A9-9DF4-421A-B33A-075A43A77128}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
      FF - prefs.js..browser.search.defaultengine: "Ask.com"
      FF - prefs.js..browser.search.defaultenginename: "Ask.com"
      FF - prefs.js..browser.search.order.1: "Ask.com"
      [2011/09/30 09:29:29 | 000,002,568 | ---- | M] () -- C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\searchplugins\askcom.xml
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      [2012/07/24 21:15:15 | 000,000,000 | ---D | C] -- C:\FRST
      @Alternate Data Stream - 249 bytes -> C:\ProgramData\Temp:AABECEFB
      @Alternate Data Stream - 249 bytes -> C:\ProgramData\Temp:754E278B
      @Alternate Data Stream - 245 bytes -> C:\ProgramData\Temp:DE3ABE3D
      @Alternate Data Stream - 244 bytes -> C:\ProgramData\Temp:8E11CC80
      @Alternate Data Stream - 244 bytes -> C:\ProgramData\Temp:2CB9631F
      @Alternate Data Stream - 242 bytes -> C:\ProgramData\Temp:53BA2DF6
      @Alternate Data Stream - 237 bytes -> C:\ProgramData\Temp:EB86F355
      @Alternate Data Stream - 237 bytes -> C:\ProgramData\Temp:94A31742
      @Alternate Data Stream - 235 bytes -> C:\ProgramData\Temp:12258D63
      @Alternate Data Stream - 234 bytes -> C:\ProgramData\Temp:FB4262DE
      @Alternate Data Stream - 234 bytes -> C:\ProgramData\Temp:C3A047E3
      @Alternate Data Stream - 234 bytes -> C:\ProgramData\Temp:9195103F
      @Alternate Data Stream - 234 bytes -> C:\ProgramData\Temp:1A15E356
      @Alternate Data Stream - 233 bytes -> C:\ProgramData\Temp:B8791731
      @Alternate Data Stream - 233 bytes -> C:\ProgramData\Temp:B0A727D1
      @Alternate Data Stream - 233 bytes -> C:\ProgramData\Temp:A88BE334
      @Alternate Data Stream - 232 bytes -> C:\ProgramData\Temp:E0888117
      @Alternate Data Stream - 231 bytes -> C:\ProgramData\Temp:E6C6EB3B
      @Alternate Data Stream - 231 bytes -> C:\ProgramData\Temp:6EE8565A
      @Alternate Data Stream - 230 bytes -> C:\ProgramData\Temp:C0BCE04B
      @Alternate Data Stream - 229 bytes -> C:\ProgramData\Temp:F89F2593
      @Alternate Data Stream - 229 bytes -> C:\ProgramData\Temp:BEE39E9B
      @Alternate Data Stream - 229 bytes -> C:\ProgramData\Temp:57176330
      @Alternate Data Stream - 228 bytes -> C:\ProgramData\Temp:6ED8B881
      @Alternate Data Stream - 228 bytes -> C:\ProgramData\Temp:68198EE3
      @Alternate Data Stream - 227 bytes -> C:\ProgramData\Temp:D3A82449
      @Alternate Data Stream - 227 bytes -> C:\ProgramData\Temp:A6F30843
      @Alternate Data Stream - 227 bytes -> C:\ProgramData\Temp:43CBFAB2
      @Alternate Data Stream - 225 bytes -> C:\ProgramData\Temp:02CC0035
      @Alternate Data Stream - 224 bytes -> C:\ProgramData\Temp:B1381B34
      @Alternate Data Stream - 222 bytes -> C:\ProgramData\Temp:1181620C
      @Alternate Data Stream - 221 bytes -> C:\ProgramData\Temp:14B2E0BD
      @Alternate Data Stream - 220 bytes -> C:\ProgramData\Temp:D055FC10
      @Alternate Data Stream - 218 bytes -> C:\ProgramData\Temp:C0DFB793
      @Alternate Data Stream - 217 bytes -> C:\ProgramData\Temp:C0A9B815
      @Alternate Data Stream - 216 bytes -> C:\ProgramData\Temp:F5D01D7C
      @Alternate Data Stream - 216 bytes -> C:\ProgramData\Temp:BD0A043E
      @Alternate Data Stream - 216 bytes -> C:\ProgramData\Temp:A9223B61
      @Alternate Data Stream - 216 bytes -> C:\ProgramData\Temp:59465B40
      @Alternate Data Stream - 216 bytes -> C:\ProgramData\Temp:2BFCDF84
      @Alternate Data Stream - 215 bytes -> C:\ProgramData\Temp:BCFEA004
      @Alternate Data Stream - 214 bytes -> C:\ProgramData\Temp:8B4B9596
      @Alternate Data Stream - 214 bytes -> C:\ProgramData\Temp:8836A712
      @Alternate Data Stream - 214 bytes -> C:\ProgramData\Temp:5D17C178
      @Alternate Data Stream - 214 bytes -> C:\ProgramData\Temp:3086B95F
      @Alternate Data Stream - 213 bytes -> C:\ProgramData\Temp:124322E4
      @Alternate Data Stream - 212 bytes -> C:\ProgramData\Temp:AFC732F7
      @Alternate Data Stream - 212 bytes -> C:\ProgramData\Temp:1ECED34B
      @Alternate Data Stream - 208 bytes -> C:\ProgramData\Temp:31B2903F
      @Alternate Data Stream - 207 bytes -> C:\ProgramData\Temp:89A5891E
      @Alternate Data Stream - 202 bytes -> C:\ProgramData\Temp:4DA46765
      @Alternate Data Stream - 196 bytes -> C:\ProgramData\Temp:A7DA2BCD
      @Alternate Data Stream - 189 bytes -> C:\ProgramData\Temp:A1D3FEF0
      @Alternate Data Stream - 154 bytes -> C:\ProgramData\Temp:244E4E3A
      @Alternate Data Stream - 145 bytes -> C:\ProgramData\Temp:B6E58523
      @Alternate Data Stream - 145 bytes -> C:\ProgramData\Temp:67C0F0A9
      @Alternate Data Stream - 145 bytes -> C:\ProgramData\Temp:4C3D5A8B
      @Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:3EC5BC08
      @Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:D026A5A4
      @Alternate Data Stream - 141 bytes -> C:\ProgramData\Temp:FFC3922F
      @Alternate Data Stream - 140 bytes -> C:\ProgramData\Temp:3D922890
      @Alternate Data Stream - 137 bytes -> C:\ProgramData\Temp:FBE5FDB9
      @Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:C37283B5
      @Alternate Data Stream - 134 bytes -> C:\ProgramData\Temp:4F852702
      @Alternate Data Stream - 131 bytes -> C:\ProgramData\Temp:A8185163
      @Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:F7FFE8AF
      @Alternate Data Stream - 129 bytes -> C:\ProgramData\Temp:F5E90ED3
      @Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:3BC173E4
      @Alternate Data Stream - 126 bytes -> C:\ProgramData\Temp:DBC3D477
      @Alternate Data Stream - 126 bytes -> C:\ProgramData\Temp:5133A494
      @Alternate Data Stream - 125 bytes -> C:\ProgramData\Temp:C820549A
      @Alternate Data Stream - 125 bytes -> C:\ProgramData\Temp:A798AA1A
      @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:ED194880
      @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:569CEE83
      @Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:927EC486
      @Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:98982C88
      @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:E6B95E40
      @Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:26499772
      @Alternate Data Stream - 114 bytes -> C:\ProgramData\Temp:52641FBE
      @Alternate Data Stream - 114 bytes -> C:\ProgramData\Temp:4DDE401B
      @Alternate Data Stream - 100 bytes -> C:\ProgramData\Temp:4911BB5C
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===========================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  13. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    All processes killed
    ========== OTL ==========
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E25840A9-9DF4-421A-B33A-075A43A77128}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E25840A9-9DF4-421A-B33A-075A43A77128}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E25840A9-9DF4-421A-B33A-075A43A77128}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E25840A9-9DF4-421A-B33A-075A43A77128}\ not found.
    HKU\S-1-5-21-3273348302-90664181-4027946035-1001\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
    Registry key HKEY_USERS\S-1-5-21-3273348302-90664181-4027946035-1001\Software\Microsoft\Internet Explorer\SearchScopes\{42B285D5-79C3-427B-8C23-37D7A18FB1A0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42B285D5-79C3-427B-8C23-37D7A18FB1A0}\ not found.
    Registry key HKEY_USERS\S-1-5-21-3273348302-90664181-4027946035-1001\Software\Microsoft\Internet Explorer\SearchScopes\{E25840A9-9DF4-421A-B33A-075A43A77128}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E25840A9-9DF4-421A-B33A-075A43A77128}\ not found.
    Prefs.js: "Ask.com" removed from browser.search.defaultengine
    Prefs.js: "Ask.com" removed from browser.search.defaultenginename
    Prefs.js: "Ask.com" removed from browser.search.order.1
    C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\searchplugins\askcom.xml moved successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    C:\FRST\Quarantine\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\U folder moved successfully.
    C:\FRST\Quarantine\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\L folder moved successfully.
    C:\FRST\Quarantine\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e} folder moved successfully.
    C:\FRST\Quarantine\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e}\L folder moved successfully.
    C:\FRST\Quarantine\{ecaef146-6f03-bb2d-ffdf-c21cbfcc103e} folder moved successfully.
    C:\FRST\Quarantine folder moved successfully.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    ADS C:\ProgramData\Temp:AABECEFB deleted successfully.
    ADS C:\ProgramData\Temp:754E278B deleted successfully.
    ADS C:\ProgramData\Temp:DE3ABE3D deleted successfully.
    ADS C:\ProgramData\Temp:8E11CC80 deleted successfully.
    ADS C:\ProgramData\Temp:2CB9631F deleted successfully.
    ADS C:\ProgramData\Temp:53BA2DF6 deleted successfully.
    ADS C:\ProgramData\Temp:EB86F355 deleted successfully.
    ADS C:\ProgramData\Temp:94A31742 deleted successfully.
    ADS C:\ProgramData\Temp:12258D63 deleted successfully.
    ADS C:\ProgramData\Temp:FB4262DE deleted successfully.
    ADS C:\ProgramData\Temp:C3A047E3 deleted successfully.
    ADS C:\ProgramData\Temp:9195103F deleted successfully.
    ADS C:\ProgramData\Temp:1A15E356 deleted successfully.
    ADS C:\ProgramData\Temp:B8791731 deleted successfully.
    ADS C:\ProgramData\Temp:B0A727D1 deleted successfully.
    ADS C:\ProgramData\Temp:A88BE334 deleted successfully.
    ADS C:\ProgramData\Temp:E0888117 deleted successfully.
    ADS C:\ProgramData\Temp:E6C6EB3B deleted successfully.
    ADS C:\ProgramData\Temp:6EE8565A deleted successfully.
    ADS C:\ProgramData\Temp:C0BCE04B deleted successfully.
    ADS C:\ProgramData\Temp:F89F2593 deleted successfully.
    ADS C:\ProgramData\Temp:BEE39E9B deleted successfully.
    ADS C:\ProgramData\Temp:57176330 deleted successfully.
    ADS C:\ProgramData\Temp:6ED8B881 deleted successfully.
    ADS C:\ProgramData\Temp:68198EE3 deleted successfully.
    ADS C:\ProgramData\Temp:D3A82449 deleted successfully.
    ADS C:\ProgramData\Temp:A6F30843 deleted successfully.
    ADS C:\ProgramData\Temp:43CBFAB2 deleted successfully.
    ADS C:\ProgramData\Temp:02CC0035 deleted successfully.
    ADS C:\ProgramData\Temp:B1381B34 deleted successfully.
    ADS C:\ProgramData\Temp:1181620C deleted successfully.
    ADS C:\ProgramData\Temp:14B2E0BD deleted successfully.
    ADS C:\ProgramData\Temp:D055FC10 deleted successfully.
    ADS C:\ProgramData\Temp:C0DFB793 deleted successfully.
    ADS C:\ProgramData\Temp:C0A9B815 deleted successfully.
    ADS C:\ProgramData\Temp:F5D01D7C deleted successfully.
    ADS C:\ProgramData\Temp:BD0A043E deleted successfully.
    ADS C:\ProgramData\Temp:A9223B61 deleted successfully.
    ADS C:\ProgramData\Temp:59465B40 deleted successfully.
    ADS C:\ProgramData\Temp:2BFCDF84 deleted successfully.
    ADS C:\ProgramData\Temp:BCFEA004 deleted successfully.
    ADS C:\ProgramData\Temp:8B4B9596 deleted successfully.
    ADS C:\ProgramData\Temp:8836A712 deleted successfully.
    ADS C:\ProgramData\Temp:5D17C178 deleted successfully.
    ADS C:\ProgramData\Temp:3086B95F deleted successfully.
    ADS C:\ProgramData\Temp:124322E4 deleted successfully.
    ADS C:\ProgramData\Temp:AFC732F7 deleted successfully.
    ADS C:\ProgramData\Temp:1ECED34B deleted successfully.
    ADS C:\ProgramData\Temp:31B2903F deleted successfully.
    ADS C:\ProgramData\Temp:89A5891E deleted successfully.
    ADS C:\ProgramData\Temp:4DA46765 deleted successfully.
    ADS C:\ProgramData\Temp:A7DA2BCD deleted successfully.
    ADS C:\ProgramData\Temp:A1D3FEF0 deleted successfully.
    ADS C:\ProgramData\Temp:244E4E3A deleted successfully.
    ADS C:\ProgramData\Temp:B6E58523 deleted successfully.
    ADS C:\ProgramData\Temp:67C0F0A9 deleted successfully.
    ADS C:\ProgramData\Temp:4C3D5A8B deleted successfully.
    ADS C:\ProgramData\Temp:3EC5BC08 deleted successfully.
    ADS C:\ProgramData\Temp:D026A5A4 deleted successfully.
    ADS C:\ProgramData\Temp:FFC3922F deleted successfully.
    ADS C:\ProgramData\Temp:3D922890 deleted successfully.
    ADS C:\ProgramData\Temp:FBE5FDB9 deleted successfully.
    ADS C:\ProgramData\Temp:C37283B5 deleted successfully.
    ADS C:\ProgramData\Temp:4F852702 deleted successfully.
    ADS C:\ProgramData\Temp:A8185163 deleted successfully.
    ADS C:\ProgramData\Temp:F7FFE8AF deleted successfully.
    ADS C:\ProgramData\Temp:F5E90ED3 deleted successfully.
    ADS C:\ProgramData\Temp:3BC173E4 deleted successfully.
    ADS C:\ProgramData\Temp:DBC3D477 deleted successfully.
    ADS C:\ProgramData\Temp:5133A494 deleted successfully.
    ADS C:\ProgramData\Temp:C820549A deleted successfully.
    ADS C:\ProgramData\Temp:A798AA1A deleted successfully.
    ADS C:\ProgramData\Temp:ED194880 deleted successfully.
    ADS C:\ProgramData\Temp:569CEE83 deleted successfully.
    ADS C:\ProgramData\Temp:927EC486 deleted successfully.
    ADS C:\ProgramData\Temp:98982C88 deleted successfully.
    ADS C:\ProgramData\Temp:E6B95E40 deleted successfully.
    ADS C:\ProgramData\Temp:26499772 deleted successfully.
    ADS C:\ProgramData\Temp:52641FBE deleted successfully.
    ADS C:\ProgramData\Temp:4DDE401B deleted successfully.
    ADS C:\ProgramData\Temp:4911BB5C deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56468 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Joni
    ->Temp folder emptied: 11289 bytes
    ->Temporary Internet Files folder emptied: 10152742 bytes
    ->Java cache emptied: 197491299 bytes
    ->FireFox cache emptied: 63464592 bytes
    ->Google Chrome cache emptied: 357613914 bytes
    ->Flash cache emptied: 55482 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1427226 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 100969318 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 697.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Joni
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Joni
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.53.1 log created on 07242012_224716

    Files\Folders moved on Reboot...
    C:\Users\Joni\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...
    File C:\Users\Joni\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

    Registry entries deleted on Reboot...


    Results of screen317's Security Check version 0.99.24
    Windows 7 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Treasure Seekers: Follow the Ghosts
    Java(TM) 6 Update 31
    Adobe Flash Player 11.3.300.265
    Adobe Reader X (10.1.3)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Malwarebytes' Anti-Malware mbamservice.exe
    Malwarebytes' Anti-Malware mbamgui.exe
    Microsoft Security Essentials msseces.exe
    ``````````End of Log````````````


    Farbar Service Scanner Version: 22-07-2012
    Ran by Joni (administrator) on 24-07-2012 at 22:59:23
    Running from "C:\Users\Joni\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============

    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is set to Auto
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
     
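The FSS output above reports two things worth re-checking by hand once the fix has run: Windows Defender is disabled by policy (`DisableAntiSpyware`=1) with the WinDefend service set to Demand instead of Auto, and the OTL fix deleted several dozen alternate data streams attached to the C:\ProgramData\Temp directory itself. The script below is an added example, not something posted in this thread and not part of Farbar's or OldTimer's tools; it re-checks the same registry key, service and directory with built-in Windows PowerShell cmdlets. It assumes Windows PowerShell 3.0 or later (Windows 7 needs WMF 3.0 for the `-Stream` parameter) and an elevated prompt; the key path and directory are taken from the logs above.

```powershell
# Added example (not from the thread, not from FSS/OTL): re-check the findings
# FSS and OTL reported, using only built-in Windows PowerShell cmdlets.
# Assumes Windows PowerShell 3.0+ (for -Stream / -Encoding Byte) and an elevated prompt.

$defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'   # key FSS printed
$adsTarget   = 'C:\ProgramData\Temp'                          # directory OTL stripped streams from

# 1. Defender disabled-by-policy check (FSS: "DisableAntiSpyware"=DWORD:1).
$policy = Get-ItemProperty -Path $defenderKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    Write-Warning "DisableAntiSpyware=1 under $defenderKey : Defender is disabled by policy"
} else {
    'DisableAntiSpyware not set (or 0): no Defender disable policy present'
}

# 2. WinDefend service state and start mode (FSS: not running, start type Demand, default Auto).
#    Win32_Service exposes StartMode, which Get-Service on PS 3.0 does not.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
if ($svc) {
    'WinDefend: State={0} StartMode={1} PathName={2}' -f $svc.State, $svc.StartMode, $svc.PathName
    if ($svc.StartMode -ne 'Auto') {
        Write-Warning "WinDefend start mode is $($svc.StartMode); default is Auto"
    }
} else {
    Write-Warning 'WinDefend service not found'
}

# 3. Alternate data streams on the directory itself (OTL listed C:\ProgramData\Temp:<hex>).
#    ':$DATA' is the unnamed default stream of a file; a directory normally has no named
#    streams at all, so anything returned here is worth inspecting before deleting.
$streams = Get-Item -Path $adsTarget -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' }

if ($streams) {
    $streams | ForEach-Object {
        # Peek at the first 16 bytes: readable text vs. binary tells you a lot about origin.
        # -Encoding Byte is Windows PowerShell syntax (PowerShell 6+ uses -AsByteStream).
        $head = Get-Content -Path $adsTarget -Stream $_.Stream -Encoding Byte -TotalCount 16 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Stream = $_.Stream
            Bytes  = $_.Length
            Head   = -join ($head | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } })
        }
    } | Format-Table -AutoSize
} else {
    "No named streams on $adsTarget"
}

# Fallback that works on any Vista+ box without PS 3.0: cmd's dir /r lists directory
# streams too, as lines of the form '   233 Temp:B8791731:$DATA'.
# cmd /c 'dir /r C:\ProgramData' | findstr /c:"Temp:"
```

Two caveats when reading the output: a stream listing on a directory is not by itself evidence of malware (several legitimate installers write small streams there), so look at the content and size before deciding, and the `DisableAntiSpyware` value is also set legitimately when a third-party antivirus registers with Security Center, so check which product set it rather than simply flipping it back.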
  14. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    Can't run eset right now. The popup window is saying the site is down for maintenance or there is a server error. Will try again in a few minutes.

    I am also now getting a pop-up for ilitili.com/awholebunchofcrapandnumbers, and am getting many Java update notifications (these look normal; just holding off on them until everything is clear).
     
  15. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Eset site works fine for me.
    Try different browser.

    Which browser gives you pop-ups?
     
  16. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    Firefox gives me a blank popup when I click Run, Chrome gives me a server error (HTTP error 500 (internal server error): an unexpected condition was encountered while the server was attempting to fulfill the request), and IE has a "website cannot display image" message. Same thing happens if I click the "Need help?" link on their page.
     
  17. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Hmmm....

    Give me fresh Combofix log.
     
  18. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    It looks as if I can download the free trial of their NOD32 Antivirus 5. But still no luck with any of the online scans. Should I try that option?
     
  19. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    Running combofix now.
     
  20. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    No. Something is wrong.
    Possibly you got reinfected.

     
  21. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    ComboFix 12-07-25.04 - Joni 07/24/2012 23:53:27.2.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1918.1098 [GMT -4:00]
    Running from: C:\Users\Joni\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


    ((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))


    2012-07-25 04:25:10 . 2012-07-25 04:25:10 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8B00366E-5117-476A-ADA8-79DE80A0E174}\offreg.dll
    2012-07-25 04:23:49 . 2012-07-25 04:23:49 -------- d-----w- C:\Users\Default\AppData\Local\temp
    2012-07-25 03:45:03 . 2012-06-29 07:04:30 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8B00366E-5117-476A-ADA8-79DE80A0E174}\mpengine.dll
    2012-07-25 02:47:17 . 2012-07-25 02:47:17 -------- d-----w- C:\_OTL
    2012-07-25 01:29:20 . 2012-07-03 17:46:44 24904 ----a-w- C:\Windows\system32\drivers\mbam.sys
    2012-07-19 19:51:19 . 2012-02-11 05:59:00 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-07-19 17:11:26 . 2012-07-19 17:11:26 -------- d-----w- C:\Users\Joni\AppData\Roaming\Malwarebytes
    2012-07-19 17:11:16 . 2012-07-19 17:11:16 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-07-19 17:11:15 . 2012-07-25 01:29:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-19 14:53:39 . 2012-07-25 01:03:03 -------- d-----w- C:\ProgramData\7812A1690008CB200009235DF875F002
    2012-07-17 23:30:51 . 2012-06-29 10:04:29 9133488 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-12 23:50:36 . 2012-07-12 23:50:36 -------- d-----w- C:\Users\Joni\AppData\Roaming\Skunk Studios
    2012-07-12 07:17:10 . 2012-06-12 03:08:36 3148800 ----a-w- C:\Windows\system32\win32k.sys
    2012-07-12 07:01:59 . 2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\system32\wininet.dll
    2012-07-11 20:25:15 . 2012-07-11 20:25:18 9822920 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2012-07-08 15:12:36 . 2012-07-08 15:12:36 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
    2012-07-08 15:12:36 . 2012-07-08 15:12:36 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
    2012-07-04 13:16:30 . 2012-02-11 05:59:00 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3B683106-9709-4C16-8E2A-6074D6C71B6A}\gapaengine.dll
    2012-07-02 01:19:28 . 2012-07-02 01:19:28 -------- d-----w- C:\Users\Joni\AppData\Roaming\Oberon Media
    2012-07-02 01:19:02 . 2012-07-02 01:19:02 -------- d-----w- C:\Program Files (x86)\Oberon Media SIDR
    2012-07-02 01:18:58 . 2012-07-02 01:18:59 -------- d-----w- C:\Program Files (x86)\Common Files\Oberon Media
    2012-07-02 01:04:06 . 2012-07-02 01:04:09 -------- d-----w- C:\Users\Joni\AppData\Local\ArcadeCandy
    2012-07-01 13:54:58 . 2012-07-01 13:54:58 -------- d-----w- C:\ProgramData\McAfee
    2012-06-30 22:32:18 . 2012-06-30 22:33:14 -------- d-----w- C:\Program Files (x86)\Flux Family Secrets - The Book of Oracles
    2012-06-25 20:04:24 . 2012-06-25 20:04:24 1394248 ----a-w- C:\Windows\SysWow64\msxml4.dll
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2012-07-12 07:03:09 . 2011-08-03 23:41:35 59701280 ----a-w- C:\Windows\system32\MRT.exe
    2012-07-11 20:25:53 . 2012-06-10 00:00:04 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-07-11 20:25:53 . 2011-08-04 00:36:38 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-02 22:19:46 . 2012-06-21 13:46:51 38424 ----a-w- C:\Windows\system32\wups.dll
    2012-06-02 22:19:43 . 2012-06-21 13:47:11 2428952 ----a-w- C:\Windows\system32\wuaueng.dll
    2012-06-02 22:19:42 . 2012-06-21 13:47:12 44056 ----a-w- C:\Windows\system32\wups2.dll
    2012-06-02 22:19:42 . 2012-06-21 13:47:11 57880 ----a-w- C:\Windows\system32\wuauclt.exe
    2012-06-02 22:19:23 . 2012-06-21 13:46:50 701976 ----a-w- C:\Windows\system32\wuapi.dll
    2012-06-02 22:15:31 . 2012-06-21 13:47:11 2622464 ----a-w- C:\Windows\system32\wucltux.dll
    2012-06-02 22:15:08 . 2012-06-21 13:46:51 99840 ----a-w- C:\Windows\system32\wudriver.dll
    2012-06-02 19:19:42 . 2012-06-21 13:46:24 186752 ----a-w- C:\Windows\system32\wuwebv.dll
    2012-06-02 19:15:12 . 2012-06-21 13:46:23 36864 ----a-w- C:\Windows\system32\wuapp.exe
    2012-05-04 11:06:22 . 2012-06-19 20:33:40 5559664 ----a-w- C:\Windows\system32\ntoskrnl.exe
    2012-05-04 10:03:53 . 2012-06-19 20:33:38 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03:50 . 2012-06-19 20:33:38 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-05-01 05:40:20 . 2012-06-19 20:34:08 209920 ----a-w- C:\Windows\system32\profsvc.dll
    2012-04-28 03:55:21 . 2012-06-19 20:33:18 210944 ----a-w- C:\Windows\system32\drivers\rdpwd.sys
    2012-04-26 05:41:56 . 2012-06-19 20:34:25 77312 ----a-w- C:\Windows\system32\rdpwsx.dll
    2012-04-26 05:41:55 . 2012-06-19 20:34:26 149504 ----a-w- C:\Windows\system32\rdpcorekmts.dll
    2012-04-26 05:34:27 . 2012-06-19 20:34:25 9216 ----a-w- C:\Windows\system32\rdrmemptylst.exe


    ((((((((((((((((((((((((((((( SnapShot@2012-07-24_23.23.44 )))))))))))))))))))))))))))))))))))))))))

    + 2009-11-25 21:05:00 . 2012-07-25 03:05:57 28036 C:\Windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10:35 . 2012-07-25 03:48:32 37636 C:\Windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-08-03 23:09:36 . 2012-07-25 03:48:32 10768 C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3273348302-90664181-4027946035-1001_UserData.bin
    + 2011-08-04 00:07:16 . 2012-07-25 02:51:13 3392 C:\Windows\system32\wdi\ERCQueuedResolutions.dat
    - 2012-07-24 23:22:52 . 2012-07-24 23:22:52 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-25 04:25:05 . 2012-07-25 04:25:05 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-25 04:25:05 . 2012-07-25 04:25:05 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-07-24 23:22:52 . 2012-07-24 23:22:52 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-08-04 11:01:23 . 2012-07-25 04:14:03 235072 C:\Windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
    + 2009-07-14 02:36:59 . 2012-07-24 23:37:05 626290 C:\Windows\system32\perfh009.dat
    - 2009-07-14 02:36:59 . 2012-07-24 22:59:27 626290 C:\Windows\system32\perfh009.dat
    - 2009-07-14 02:36:59 . 2012-07-24 22:59:27 107566 C:\Windows\system32\perfc009.dat
    + 2009-07-14 02:36:59 . 2012-07-24 23:37:05 107566 C:\Windows\system32\perfc009.dat
    + 2009-07-14 05:01:48 . 2012-07-25 04:24:25 288976 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01:48 . 2012-07-24 23:22:10 288976 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-08-04 00:07:16 . 2012-07-25 04:24:30 4556984 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3273348302-90664181-4027946035-1001-8192.dat

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 18:47:28 62768]
    "HP Remote Solution"="C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 02:11:15 656896]
    "HP Software Update"="c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 22:50:04 54576]
    "APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 12:22:28 59240]
    "QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2011-10-24 19:28:52 421888]
    "Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
    "PMBVolumeWatcher"="C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 05:55:42 648032]
    "SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 18:02:04 254696]
    "Malwarebytes' Anti-Malware"="C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 17:46:44 462920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 18:27:14 138576]
    R2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:46:42 136176]
    R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 22:10:28 86072]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 20:25:54 250056]
    R3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 17:59:12 206072]
    R3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:46:42 136176]
    R3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-08 15:12:37 113120]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 00:44:12 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\Program Files\Microsoft Security Client\NisSrv.exe [2012-03-26 22:49:56 291696]
    R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-20 11:07:05 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys [2011-05-10 12:06:08 51712]
    R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2011-08-03 23:29:26 1255736]
    S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 13:10:42 63928]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 22:07:50 94264]
    S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 17:46:44 655944]
    S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2010-11-27 05:55:42 398176]
    S3 MBAMProtector;MBAMProtector;C:\Windows\system32\drivers\mbam.sys [2012-07-03 17:46:44 24904]


    Contents of the 'Scheduled Tasks' folder

    2012-07-25 C:\Windows\Tasks\Adobe Flash Player Updater.job
    - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 00:00:05 . 2012-07-11 20:25:54]

    2012-07-25 C:\Windows\Tasks\CandyUpdater.job
    - C:\Users\Joni\AppData\Local\ArcadeCandy\candyUpdater.exe [2012-06-25 19:45:04 . 2012-06-25 19:45:04]

    2012-07-25 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:47:06 . 2011-08-04 01:46:42]

    2012-07-25 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:47:06 . 2011-08-04 01:46:42]

    2012-07-19 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001Core.job
    - C:\Users\Joni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-17 13:14:10 . 2011-10-17 13:14:07]

    2012-07-25 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001UA.job
    - C:\Users\Joni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-17 13:14:10 . 2011-10-17 13:14:07]

    2012-07-12 C:\Windows\Tasks\HPCeeScheduleForJoni.job
    - C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 03:15:40 . 2010-09-14 03:15:40]

    2012-06-30 C:\Windows\Tasks\PCDRScheduledMaintenance.job
    - C:\Program Files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11:04 . 2009-09-18 07:11:04]


    --------- X64 Entries -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC-Doctor for Windows localizer"="C:\Program Files\PC-Doctor for Windows\localizer.exe" [2009-09-17 05:57:42 95728]
    "MSC"="c:\Program Files\Microsoft Security Client\msseces.exe" [2012-03-26 22:54:34 1271168]

    ------- Supplementary Scan -------

    uStart Page =
    uLocal Page = C:\Windows\system32\blank.htm
    mLocal Page = C:\Windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT206402&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
     
  22. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Bottom of the log got cut off.
    Repost.
     
  23. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    Here's the new log. It's the end of the night for me, the machine is off, hope we can pick up tomorrow. Thanks for the help.

    ComboFix 12-07-25.04 - Joni 07/24/2012 23:53:27.2.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1918.1098 [GMT -4:00]
    Running from: C:\Users\Joni\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


    ((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))


    2012-07-25 04:25:10 . 2012-07-25 04:25:10 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8B00366E-5117-476A-ADA8-79DE80A0E174}\offreg.dll
    2012-07-25 04:23:49 . 2012-07-25 04:23:49 -------- d-----w- C:\Users\Default\AppData\Local\temp
    2012-07-25 03:45:03 . 2012-06-29 07:04:30 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8B00366E-5117-476A-ADA8-79DE80A0E174}\mpengine.dll
    2012-07-25 02:47:17 . 2012-07-25 02:47:17 -------- d-----w- C:\_OTL
    2012-07-25 01:29:20 . 2012-07-03 17:46:44 24904 ----a-w- C:\Windows\system32\drivers\mbam.sys
    2012-07-19 19:51:19 . 2012-02-11 05:59:00 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-07-19 17:11:26 . 2012-07-19 17:11:26 -------- d-----w- C:\Users\Joni\AppData\Roaming\Malwarebytes
    2012-07-19 17:11:16 . 2012-07-19 17:11:16 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-07-19 17:11:15 . 2012-07-25 01:29:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-19 14:53:39 . 2012-07-25 01:03:03 -------- d-----w- C:\ProgramData\7812A1690008CB200009235DF875F002
    2012-07-17 23:30:51 . 2012-06-29 10:04:29 9133488 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-12 23:50:36 . 2012-07-12 23:50:36 -------- d-----w- C:\Users\Joni\AppData\Roaming\Skunk Studios
    2012-07-12 07:17:10 . 2012-06-12 03:08:36 3148800 ----a-w- C:\Windows\system32\win32k.sys
    2012-07-12 07:01:59 . 2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\system32\wininet.dll
    2012-07-11 20:25:15 . 2012-07-11 20:25:18 9822920 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2012-07-08 15:12:36 . 2012-07-08 15:12:36 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
    2012-07-08 15:12:36 . 2012-07-08 15:12:36 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
    2012-07-04 13:16:30 . 2012-02-11 05:59:00 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3B683106-9709-4C16-8E2A-6074D6C71B6A}\gapaengine.dll
    2012-07-02 01:19:28 . 2012-07-02 01:19:28 -------- d-----w- C:\Users\Joni\AppData\Roaming\Oberon Media
    2012-07-02 01:19:02 . 2012-07-02 01:19:02 -------- d-----w- C:\Program Files (x86)\Oberon Media SIDR
    2012-07-02 01:18:58 . 2012-07-02 01:18:59 -------- d-----w- C:\Program Files (x86)\Common Files\Oberon Media
    2012-07-02 01:04:06 . 2012-07-02 01:04:09 -------- d-----w- C:\Users\Joni\AppData\Local\ArcadeCandy
    2012-07-01 13:54:58 . 2012-07-01 13:54:58 -------- d-----w- C:\ProgramData\McAfee
    2012-06-30 22:32:18 . 2012-06-30 22:33:14 -------- d-----w- C:\Program Files (x86)\Flux Family Secrets - The Book of Oracles
    2012-06-25 20:04:24 . 2012-06-25 20:04:24 1394248 ----a-w- C:\Windows\SysWow64\msxml4.dll
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2012-07-12 07:03:09 . 2011-08-03 23:41:35 59701280 ----a-w- C:\Windows\system32\MRT.exe
    2012-07-11 20:25:53 . 2012-06-10 00:00:04 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-07-11 20:25:53 . 2011-08-04 00:36:38 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-02 22:19:46 . 2012-06-21 13:46:51 38424 ----a-w- C:\Windows\system32\wups.dll
    2012-06-02 22:19:43 . 2012-06-21 13:47:11 2428952 ----a-w- C:\Windows\system32\wuaueng.dll
    2012-06-02 22:19:42 . 2012-06-21 13:47:12 44056 ----a-w- C:\Windows\system32\wups2.dll
    2012-06-02 22:19:42 . 2012-06-21 13:47:11 57880 ----a-w- C:\Windows\system32\wuauclt.exe
    2012-06-02 22:19:23 . 2012-06-21 13:46:50 701976 ----a-w- C:\Windows\system32\wuapi.dll
    2012-06-02 22:15:31 . 2012-06-21 13:47:11 2622464 ----a-w- C:\Windows\system32\wucltux.dll
    2012-06-02 22:15:08 . 2012-06-21 13:46:51 99840 ----a-w- C:\Windows\system32\wudriver.dll
    2012-06-02 19:19:42 . 2012-06-21 13:46:24 186752 ----a-w- C:\Windows\system32\wuwebv.dll
    2012-06-02 19:15:12 . 2012-06-21 13:46:23 36864 ----a-w- C:\Windows\system32\wuapp.exe
    2012-05-04 11:06:22 . 2012-06-19 20:33:40 5559664 ----a-w- C:\Windows\system32\ntoskrnl.exe
    2012-05-04 10:03:53 . 2012-06-19 20:33:38 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03:50 . 2012-06-19 20:33:38 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-05-01 05:40:20 . 2012-06-19 20:34:08 209920 ----a-w- C:\Windows\system32\profsvc.dll
    2012-04-28 03:55:21 . 2012-06-19 20:33:18 210944 ----a-w- C:\Windows\system32\drivers\rdpwd.sys
    2012-04-26 05:41:56 . 2012-06-19 20:34:25 77312 ----a-w- C:\Windows\system32\rdpwsx.dll
    2012-04-26 05:41:55 . 2012-06-19 20:34:26 149504 ----a-w- C:\Windows\system32\rdpcorekmts.dll
    2012-04-26 05:34:27 . 2012-06-19 20:34:25 9216 ----a-w- C:\Windows\system32\rdrmemptylst.exe


    ((((((((((((((((((((((((((((( SnapShot@2012-07-24_23.23.44 )))))))))))))))))))))))))))))))))))))))))

    + 2009-11-25 21:05:00 . 2012-07-25 03:05:57 28036 C:\Windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10:35 . 2012-07-25 03:48:32 37636 C:\Windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-08-03 23:09:36 . 2012-07-25 03:48:32 10768 C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3273348302-90664181-4027946035-1001_UserData.bin
    + 2011-08-04 00:07:16 . 2012-07-25 02:51:13 3392 C:\Windows\system32\wdi\ERCQueuedResolutions.dat
    - 2012-07-24 23:22:52 . 2012-07-24 23:22:52 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-25 04:25:05 . 2012-07-25 04:25:05 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-25 04:25:05 . 2012-07-25 04:25:05 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-07-24 23:22:52 . 2012-07-24 23:22:52 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-08-04 11:01:23 . 2012-07-25 04:14:03 235072 C:\Windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
    + 2009-07-14 02:36:59 . 2012-07-24 23:37:05 626290 C:\Windows\system32\perfh009.dat
    - 2009-07-14 02:36:59 . 2012-07-24 22:59:27 626290 C:\Windows\system32\perfh009.dat
    - 2009-07-14 02:36:59 . 2012-07-24 22:59:27 107566 C:\Windows\system32\perfc009.dat
    + 2009-07-14 02:36:59 . 2012-07-24 23:37:05 107566 C:\Windows\system32\perfc009.dat
    + 2009-07-14 05:01:48 . 2012-07-25 04:24:25 288976 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01:48 . 2012-07-24 23:22:10 288976 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-08-04 00:07:16 . 2012-07-25 04:24:30 4556984 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3273348302-90664181-4027946035-1001-8192.dat

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 18:47:28 62768]
    "HP Remote Solution"="C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 02:11:15 656896]
    "HP Software Update"="c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 22:50:04 54576]
    "APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 12:22:28 59240]
    "QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2011-10-24 19:28:52 421888]
    "Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
    "PMBVolumeWatcher"="C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 05:55:42 648032]
    "SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 18:02:04 254696]
    "Malwarebytes' Anti-Malware"="C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 17:46:44 462920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 18:27:14 138576]
    R2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:46:42 136176]
    R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 22:10:28 86072]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 20:25:54 250056]
    R3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 17:59:12 206072]
    R3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:46:42 136176]
    R3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-08 15:12:37 113120]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 00:44:12 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\Program Files\Microsoft Security Client\NisSrv.exe [2012-03-26 22:49:56 291696]
    R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-20 11:07:05 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys [2011-05-10 12:06:08 51712]
    R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2011-08-03 23:29:26 1255736]
    S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 13:10:42 63928]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 22:07:50 94264]
    S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 17:46:44 655944]
    S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2010-11-27 05:55:42 398176]
    S3 MBAMProtector;MBAMProtector;C:\Windows\system32\drivers\mbam.sys [2012-07-03 17:46:44 24904]


    Contents of the 'Scheduled Tasks' folder

    2012-07-25 C:\Windows\Tasks\Adobe Flash Player Updater.job
    - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 00:00:05 . 2012-07-11 20:25:54]

    2012-07-25 C:\Windows\Tasks\CandyUpdater.job
    - C:\Users\Joni\AppData\Local\ArcadeCandy\candyUpdater.exe [2012-06-25 19:45:04 . 2012-06-25 19:45:04]

    2012-07-25 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:47:06 . 2011-08-04 01:46:42]

    2012-07-25 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:47:06 . 2011-08-04 01:46:42]

    2012-07-19 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001Core.job
    - C:\Users\Joni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-17 13:14:10 . 2011-10-17 13:14:07]

    2012-07-25 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001UA.job
    - C:\Users\Joni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-17 13:14:10 . 2011-10-17 13:14:07]

    2012-07-12 C:\Windows\Tasks\HPCeeScheduleForJoni.job
    - C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 03:15:40 . 2010-09-14 03:15:40]

    2012-06-30 C:\Windows\Tasks\PCDRScheduledMaintenance.job
    - C:\Program Files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11:04 . 2009-09-18 07:11:04]


    --------- X64 Entries -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC-Doctor for Windows localizer"="C:\Program Files\PC-Doctor for Windows\localizer.exe" [2009-09-17 05:57:42 95728]
    "MSC"="c:\Program Files\Microsoft Security Client\msseces.exe" [2012-03-26 22:54:34 1271168]

    ------- Supplementary Scan -------

    uStart Page =
    uLocal Page = C:\Windows\system32\blank.htm
    mLocal Page = C:\Windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT206402&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
     
  24. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Same thing.
    Re-run Combofix.
     
  25. notforyou

    notforyou TS Rookie Topic Starter Posts: 24

    Just re-ran combofix and this is the entirety of the log:

    ComboFix 12-07-26.03 - Joni 07/25/2012 12:52:09.3.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1918.1202 [GMT -4:00]
    Running from: C:\Users\Joni\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


    ((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))


    2012-07-25 17:03:30 . 2012-07-25 17:03:30 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8B00366E-5117-476A-ADA8-79DE80A0E174}\offreg.dll
    2012-07-25 17:02:20 . 2012-07-25 17:02:20 -------- d-----w- C:\Users\Default\AppData\Local\temp
    2012-07-25 03:45:03 . 2012-06-29 07:04:30 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8B00366E-5117-476A-ADA8-79DE80A0E174}\mpengine.dll
    2012-07-25 02:47:17 . 2012-07-25 02:47:17 -------- d-----w- C:\_OTL
    2012-07-25 01:29:20 . 2012-07-03 17:46:44 24904 ----a-w- C:\Windows\system32\drivers\mbam.sys
    2012-07-19 19:51:19 . 2012-02-11 05:59:00 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-07-19 17:11:26 . 2012-07-19 17:11:26 -------- d-----w- C:\Users\Joni\AppData\Roaming\Malwarebytes
    2012-07-19 17:11:16 . 2012-07-19 17:11:16 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-07-19 17:11:15 . 2012-07-25 01:29:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-19 14:53:39 . 2012-07-25 01:03:03 -------- d-----w- C:\ProgramData\7812A1690008CB200009235DF875F002
    2012-07-17 23:30:51 . 2012-06-29 10:04:29 9133488 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-12 23:50:36 . 2012-07-12 23:50:36 -------- d-----w- C:\Users\Joni\AppData\Roaming\Skunk Studios
    2012-07-12 07:17:10 . 2012-06-12 03:08:36 3148800 ----a-w- C:\Windows\system32\win32k.sys
    2012-07-12 07:01:59 . 2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\system32\wininet.dll
    2012-07-11 20:25:15 . 2012-07-11 20:25:18 9822920 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2012-07-08 15:12:36 . 2012-07-08 15:12:36 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
    2012-07-08 15:12:36 . 2012-07-08 15:12:36 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
    2012-07-04 13:16:30 . 2012-02-11 05:59:00 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3B683106-9709-4C16-8E2A-6074D6C71B6A}\gapaengine.dll
    2012-07-02 01:19:28 . 2012-07-02 01:19:28 -------- d-----w- C:\Users\Joni\AppData\Roaming\Oberon Media
    2012-07-02 01:19:02 . 2012-07-02 01:19:02 -------- d-----w- C:\Program Files (x86)\Oberon Media SIDR
    2012-07-02 01:18:58 . 2012-07-02 01:18:59 -------- d-----w- C:\Program Files (x86)\Common Files\Oberon Media
    2012-07-02 01:04:06 . 2012-07-02 01:04:09 -------- d-----w- C:\Users\Joni\AppData\Local\ArcadeCandy
    2012-07-01 13:54:58 . 2012-07-01 13:54:58 -------- d-----w- C:\ProgramData\McAfee
    2012-06-30 22:32:18 . 2012-06-30 22:33:14 -------- d-----w- C:\Program Files (x86)\Flux Family Secrets - The Book of Oracles
    2012-06-25 20:04:24 . 2012-06-25 20:04:24 1394248 ----a-w- C:\Windows\SysWow64\msxml4.dll
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2012-07-12 07:03:09 . 2011-08-03 23:41:35 59701280 ----a-w- C:\Windows\system32\MRT.exe
    2012-07-11 20:25:53 . 2012-06-10 00:00:04 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-07-11 20:25:53 . 2011-08-04 00:36:38 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-02 22:19:46 . 2012-06-21 13:46:51 38424 ----a-w- C:\Windows\system32\wups.dll
    2012-06-02 22:19:43 . 2012-06-21 13:47:11 2428952 ----a-w- C:\Windows\system32\wuaueng.dll
    2012-06-02 22:19:42 . 2012-06-21 13:47:12 44056 ----a-w- C:\Windows\system32\wups2.dll
    2012-06-02 22:19:42 . 2012-06-21 13:47:11 57880 ----a-w- C:\Windows\system32\wuauclt.exe
    2012-06-02 22:19:23 . 2012-06-21 13:46:50 701976 ----a-w- C:\Windows\system32\wuapi.dll
    2012-06-02 22:15:31 . 2012-06-21 13:47:11 2622464 ----a-w- C:\Windows\system32\wucltux.dll
    2012-06-02 22:15:08 . 2012-06-21 13:46:51 99840 ----a-w- C:\Windows\system32\wudriver.dll
    2012-06-02 19:19:42 . 2012-06-21 13:46:24 186752 ----a-w- C:\Windows\system32\wuwebv.dll
    2012-06-02 19:15:12 . 2012-06-21 13:46:23 36864 ----a-w- C:\Windows\system32\wuapp.exe
    2012-05-04 11:06:22 . 2012-06-19 20:33:40 5559664 ----a-w- C:\Windows\system32\ntoskrnl.exe
    2012-05-04 10:03:53 . 2012-06-19 20:33:38 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:03:50 . 2012-06-19 20:33:38 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-05-01 05:40:20 . 2012-06-19 20:34:08 209920 ----a-w- C:\Windows\system32\profsvc.dll
    2012-04-28 03:55:21 . 2012-06-19 20:33:18 210944 ----a-w- C:\Windows\system32\drivers\rdpwd.sys


    ((((((((((((((((((((((((((((( SnapShot@2012-07-24_23.23.44 )))))))))))))))))))))))))))))))))))))))))

    + 2009-11-25 21:05:00 . 2012-07-25 16:41:32 28280 C:\Windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10:35 . 2012-07-25 16:41:33 37724 C:\Windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-08-03 23:09:36 . 2012-07-25 16:41:33 10964 C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3273348302-90664181-4027946035-1001_UserData.bin
    + 2011-08-04 00:07:16 . 2012-07-25 04:47:46 3392 C:\Windows\system32\wdi\ERCQueuedResolutions.dat
    - 2012-07-24 23:22:52 . 2012-07-24 23:22:52 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-25 17:03:25 . 2012-07-25 17:03:25 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-25 17:03:25 . 2012-07-25 17:03:25 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-07-24 23:22:52 . 2012-07-24 23:22:52 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-08-04 11:01:23 . 2012-07-25 04:14:03 235072 C:\Windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
    - 2009-07-14 02:36:59 . 2012-07-24 22:59:27 626290 C:\Windows\system32\perfh009.dat
    + 2009-07-14 02:36:59 . 2012-07-24 23:37:05 626290 C:\Windows\system32\perfh009.dat
    - 2009-07-14 02:36:59 . 2012-07-24 22:59:27 107566 C:\Windows\system32\perfc009.dat
    + 2009-07-14 02:36:59 . 2012-07-24 23:37:05 107566 C:\Windows\system32\perfc009.dat
    + 2009-07-14 05:01:48 . 2012-07-25 17:02:47 288976 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01:48 . 2012-07-24 23:22:10 288976 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-08-04 00:07:16 . 2012-07-25 04:47:45 4556984 C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3273348302-90664181-4027946035-1001-8192.dat

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 18:47:28 62768]
    "HP Remote Solution"="C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 02:11:15 656896]
    "HP Software Update"="c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 22:50:04 54576]
    "APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 12:22:28 59240]
    "QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2011-10-24 19:28:52 421888]
    "Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
    "PMBVolumeWatcher"="C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 05:55:42 648032]
    "SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 18:02:04 254696]
    "Malwarebytes' Anti-Malware"="C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 17:46:44 462920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 18:27:14 138576]
    R2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:46:42 136176]
    R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 22:10:28 86072]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 20:25:54 250056]
    R3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 17:59:12 206072]
    R3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:46:42 136176]
    R3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-08 15:12:37 113120]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 00:44:12 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\Program Files\Microsoft Security Client\NisSrv.exe [2012-03-26 22:49:56 291696]
    R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-20 11:07:05 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys [2011-05-10 12:06:08 51712]
    R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2011-08-03 23:29:26 1255736]
    S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 13:10:42 63928]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 22:07:50 94264]
    S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 17:46:44 655944]
    S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2010-11-27 05:55:42 398176]
    S3 MBAMProtector;MBAMProtector;C:\Windows\system32\drivers\mbam.sys [2012-07-03 17:46:44 24904]


    Contents of the 'Scheduled Tasks' folder

    2012-07-25 C:\Windows\Tasks\Adobe Flash Player Updater.job
    - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 00:00:05 . 2012-07-11 20:25:54]

    2012-07-25 C:\Windows\Tasks\CandyUpdater.job
    - C:\Users\Joni\AppData\Local\ArcadeCandy\candyUpdater.exe [2012-06-25 19:45:04 . 2012-06-25 19:45:04]

    2012-07-25 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:47:06 . 2011-08-04 01:46:42]

    2012-07-25 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:47:06 . 2011-08-04 01:46:42]

    2012-07-19 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001Core.job
    - C:\Users\Joni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-17 13:14:10 . 2011-10-17 13:14:07]

    2012-07-25 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001UA.job
    - C:\Users\Joni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-17 13:14:10 . 2011-10-17 13:14:07]

    2012-07-12 C:\Windows\Tasks\HPCeeScheduleForJoni.job
    - C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 03:15:40 . 2010-09-14 03:15:40]

    2012-06-30 C:\Windows\Tasks\PCDRScheduledMaintenance.job
    - C:\Program Files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11:04 . 2009-09-18 07:11:04]


    --------- X64 Entries -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC-Doctor for Windows localizer"="C:\Program Files\PC-Doctor for Windows\localizer.exe" [2009-09-17 05:57:42 95728]
    "MSC"="c:\Program Files\Microsoft Security Client\msseces.exe" [2012-03-26 22:54:34 1271168]

    ------- Supplementary Scan -------

    uStart Page =
    uLocal Page = C:\Windows\system32\blank.htm
    mLocal Page = C:\Windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - C:\Users\Joni\AppData\Roaming\Mozilla\Firefox\Profiles\q09ji2zk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT206402&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
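
Editor's note, added to this thread and not part of any post above or of ComboFix itself: the three logs are read by eye in the thread, but the sections being checked (the Run keys, the services and drivers, the scheduled-task targets, the files-created list and the AV/SP header) are regular enough to parse, and the first pass a practitioner makes is mechanical: which autostart targets run from locations a standard user can write to (under \Users\<name>\AppData\, \ProgramData\, \Users\Public\ or a Temp directory), which new directories directly under ProgramData have 32-hex-character names, and whether the security products in the header are reported as disabled. The Python below, an added example, does that first pass over lines excerpted from the log posted above; the line formats it assumes are the ones seen in that log, and the heuristics are this editor's, not ComboFix's. A hit is a reason to look, not a verdict: a per-user Google Update in AppData\Local is a normal install, and a disabled AV in the header often only means real-time protection was switched off for the scan, as is usually done before running ComboFix.

```python
import re

# Lines excerpted from the ComboFix log posted in this thread; only the
# selection and ordering are this editor's. Every path appears in the log above.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
2012-07-19 14:53:39 . 2012-07-25 01:03:03 -------- d-----w- C:\ProgramData\7812A1690008CB200009235DF875F002
2012-07-19 17:11:26 . 2012-07-19 17:11:26 -------- d-----w- C:\Users\Joni\AppData\Roaming\Malwarebytes
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 18:47:28 62768]
"Malwarebytes' Anti-Malware"="C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 17:46:44 462920]
R2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-04 01:46:42 136176]
S3 MBAMProtector;MBAMProtector;C:\Windows\system32\drivers\mbam.sys [2012-07-03 17:46:44 24904]
2012-07-25 C:\Windows\Tasks\CandyUpdater.job
- C:\Users\Joni\AppData\Local\ArcadeCandy\candyUpdater.exe [2012-06-25 19:45:04 . 2012-06-25 19:45:04]
2012-07-19 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3273348302-90664181-4027946035-1001Core.job
- C:\Users\Joni\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-17 13:14:10 . 2011-10-17 13:14:07]
"""

# Line shapes as they appear in the posted log (editor's assumption, not a ComboFix spec).
AV_RE = re.compile(r"^(?:AV|SP|FW):\s+(?P<product>.+?)\s+\*(?P<state>[^*]+)\*")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
                     r"\s+(?:\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>[A-Za-z]:\\.+)$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
SVC_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[A-Za-z]:\\.+?)\s+\[")
TASK_RE = re.compile(r"^-\s+(?P<path>[A-Za-z]:\\.+?)\s+\[")

# Triage heuristics (editor's): places a standard user can write to, and the
# 32-hex-character directory names directly under ProgramData seen in the log.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|users\\public|programdata|temp)\\", re.I)
HEX32_DIR = re.compile(r"\\programdata\\[0-9a-f]{32}(?:\\|$)", re.I)


def parse_autostarts(log_text):
    """Yield (kind, name, path) for Run values, services/drivers and scheduled-task targets."""
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, rx in (("run", RUN_RE), ("service", SVC_RE), ("task", TASK_RE)):
            m = rx.match(line)
            if m:
                yield kind, m.groupdict().get("name", ""), m["path"]
                break


def triage(log_text):
    """Return findings worth a second look, each a dict with kind, name, path and reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AV_RE.match(line)
        if m and "disabled" in m["state"].lower():
            findings.append({"kind": "protection", "name": m["product"], "path": "",
                             "reason": "reported " + m["state"]})
            continue
        m = FILE_RE.match(line)
        if m and HEX32_DIR.search(m["path"]):
            findings.append({"kind": "file", "name": "", "path": m["path"],
                             "reason": "32-hex-character directory name directly under ProgramData"})
    for kind, name, path in parse_autostarts(log_text):
        if USER_WRITABLE.search(path):
            findings.append({"kind": kind, "name": name, "path": path,
                             "reason": "autostart target is in a user-writable location"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']:10}] {f['name'] or f['path']}: {f['reason']}")
```

Run against the sample it flags the two disabled protection products, the hex-named ProgramData directory and the two scheduled tasks whose targets live under the user's AppData, and passes over hpsysdrv, mbamgui.exe, the gupdate service and mbam.sys, which run from Program Files or system32. To use it on a real ComboFix log, read the whole file into the string instead of SAMPLE_LOG; the parser ignores lines it does not recognise.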
     