Solved Sirefef.fc virus can't be deleted, need help removing

Matt99 · Jul 4, 2012

I have Windows 7, 32 bit, and ESET NOD32 antivirus. ESET keeps detecting sirefef.fc but only gives option to delete or no action, and when I try to delete it says its can't. I downloaded the Sirefef virus removal tool from the ESET website, but it said it couldn't detect the virus, yet I still get the message.

Its similar to this thread https://www.techspot.com/community/topics/sirefef-possibly-related-to-flash-installer-virus.182469/

I would appreciate any help, I'm available all day, let me know if you have paypal

Broni · Jul 4, 2012

Welcome aboard

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
If you're stuck, or you're not sure about certain step, always ask before doing anything else.
Please refrain from running tools or applying updates other than those I suggest.
Never run more than one scan at a time.
Keep updating me regarding your computer behavior, good, or bad.
The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==============================================

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Matt99 · Jul 4, 2012

Thanks, I didn't see Advanced Boot Options, so I just did safe mode with command prompt, I hope that will be fine. Here is the file:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 04-07-2012 02
Ran by matthew.scofield at 04-07-2012 16:43:20
Running from E:\
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

============ One Month Created Files and Folders ==============

2012-07-04 16:43 - 2012-07-04 16:43 - 00000000 ____D C:\FRST
2012-07-04 16:31 - 2012-07-04 16:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-07-04 15:02 - 2012-07-04 16:12 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-04 15:02 - 2012-07-04 15:12 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-04 15:02 - 2012-07-04 15:02 - 00000000 ____D C:\Users\All Users\Google
2012-07-04 15:02 - 2012-07-04 15:02 - 00000000 ____D C:\Program Files\Google
2012-07-03 23:00 - 2012-07-03 23:00 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-03 22:42 - 2012-07-04 12:44 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Izbeu
2012-07-03 22:42 - 2012-07-04 12:07 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Epyk
2012-07-03 22:42 - 2012-07-03 22:42 - 00143360 __ASH (DT Soft Ltd) C:\Users\matthew.scofield\AppData\Roaming\btustc.dll
2012-07-03 22:42 - 2012-07-03 22:42 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Ugigas
2012-07-03 22:42 - 2012-07-03 22:42 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\ESET
2012-06-30 14:19 - 2012-06-30 14:19 - 00000000 ____D C:\Users\matthew.scofield\Documents\WebLearning
2012-06-30 13:17 - 2012-06-30 13:17 - 00000000 ____D C:\Windows\Downloaded Installations
2012-06-30 13:17 - 2012-06-30 13:17 - 00000000 ____D C:\Program Files\Common Files\Macromedia Shared
2012-06-30 13:14 - 2012-06-30 13:14 - 00000000 ____D C:\Windows\System32\QuickTime
2012-06-30 13:10 - 2012-06-30 13:18 - 00000000 ____D C:\Program Files\Macromedia
2012-06-30 13:10 - 2012-06-30 13:14 - 00000000 ____D C:\Users\All Users\Macromedia
2012-06-30 13:10 - 2012-06-30 13:13 - 00000000 ____D C:\Program Files\Common Files\Macromedia
2012-06-28 21:36 - 2012-06-28 21:36 - 242315789 ____A C:\Windows\MEMORY.DMP
2012-06-28 21:36 - 2012-06-28 21:36 - 00146064 ____A C:\Windows\Minidump\062812-20342-01.dmp
2012-06-28 21:36 - 2012-06-28 21:36 - 00000000 ____D C:\Windows\Minidump
2012-06-28 14:52 - 2012-06-30 13:17 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\Macromedia
2012-06-25 12:49 - 2012-07-04 14:36 - 00000000 ____A C:\sniffer.log
2012-06-25 12:49 - 2012-06-25 12:51 - 00000000 ____D C:\Users\matthew.scofield\Documents\Freemake
2012-06-25 12:49 - 2012-06-25 12:50 - 00000000 ____D C:\Users\All Users\Freemake
2012-06-25 12:49 - 2012-06-25 12:49 - 00000000 ____D C:\Program Files\WinPcap
2012-06-25 12:49 - 2012-06-25 12:49 - 00000000 ____D C:\Program Files\Freemake
2012-06-19 08:53 - 2012-07-04 16:30 - 00006814 ____A C:\Users\matthew.scofield\Documents\td.txt
2012-06-10 16:15 - 2012-06-10 16:15 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\Intuit
2012-06-06 20:10 - 2012-06-06 20:10 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$Budget (version 1).xlsx
2012-06-05 19:24 - 2012-06-07 18:30 - 00001533 ____A C:\Users\matthew.scofield\Documents\32.txt
2012-06-05 00:41 - 2012-07-04 11:42 - 00013818 ____A C:\Users\matthew.scofield\Documents\Budget (version 1).xlsx

============ 3 Months Modified Files ========================

2012-07-04 16:41 - 2012-02-16 13:33 - 00007148 ____A C:\Windows\PFRO.log
2012-07-04 16:31 - 2012-07-04 16:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-07-04 16:31 - 2009-07-13 23:39 - 00022235 ____A C:\Windows\setupact.log
2012-07-04 16:30 - 2012-06-19 08:53 - 00006814 ____A C:\Users\matthew.scofield\Documents\td.txt
2012-07-04 16:24 - 2012-03-05 22:31 - 00000952 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841UA.job
2012-07-04 16:15 - 2012-02-16 14:30 - 00000544 ____A C:\Windows\System32\config\netlogon.ftl
2012-07-04 16:12 - 2012-07-04 15:02 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-04 15:12 - 2012-07-04 15:02 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-04 15:11 - 2009-07-13 23:34 - 00018304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-04 15:11 - 2009-07-13 23:34 - 00018304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-04 14:43 - 2012-02-06 17:02 - 00777976 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-04 14:40 - 2012-02-06 17:01 - 01604020 ____A C:\Windows\WindowsUpdate.log
2012-07-04 14:36 - 2012-06-25 12:49 - 00000000 ____A C:\sniffer.log
2012-07-04 14:36 - 2009-07-13 23:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-04 11:59 - 2009-07-13 23:33 - 00427264 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-04 11:42 - 2012-06-05 00:41 - 00013818 ____A C:\Users\matthew.scofield\Documents\Budget (version 1).xlsx
2012-07-04 11:42 - 2012-05-22 10:38 - 00010735 ____A C:\Users\matthew.scofield\Documents\DailyList.xlsx
2012-07-03 22:42 - 2012-07-03 22:42 - 00143360 __ASH (DT Soft Ltd) C:\Users\matthew.scofield\AppData\Roaming\btustc.dll
2012-07-03 17:24 - 2012-03-05 22:31 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841Core.job
2012-07-03 17:10 - 2012-02-17 14:04 - 00113192 ____A C:\Users\matthew.scofield\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-28 23:55 - 2012-04-14 14:27 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-28 23:55 - 2012-02-06 17:12 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-28 21:36 - 2012-06-28 21:36 - 242315789 ____A C:\Windows\MEMORY.DMP
2012-06-28 21:36 - 2012-06-28 21:36 - 00146064 ____A C:\Windows\Minidump\062812-20342-01.dmp
2012-06-13 18:29 - 2012-02-17 13:49 - 00004366 _RASH C:\Users\matthew.scofield\ntuser.pol
2012-06-07 18:30 - 2012-06-05 19:24 - 00001533 ____A C:\Users\matthew.scofield\Documents\32.txt
2012-06-06 20:10 - 2012-06-06 20:10 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$Budget (version 1).xlsx
2012-06-03 04:09 - 2012-05-31 00:42 - 00004024 ____A C:\Users\matthew.scofield\Documents\3n.txt
2012-05-29 10:57 - 2012-02-16 14:36 - 00074160 _RASH C:\Users\All Users\ntuser.pol
2012-05-22 10:38 - 2012-05-22 10:38 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$DailyList.xlsx
2012-05-13 22:15 - 2012-05-13 22:14 - 10750868 ____A C:\Users\matthew.scofield\Downloads\Matt Pics.zip
2012-05-13 07:56 - 2012-05-13 07:45 - 00000095 ____A C:\Windows\QBChanUtil_Trigger.ini
2012-05-08 04:09 - 2012-05-08 04:09 - 00000497 ____A C:\Users\matthew.scofield\Documents\nownow.txt
2012-04-19 20:26 - 2012-04-09 20:13 - 00012517 ____A C:\Users\matthew.scofield\Documents\Budget.xlsx
2012-04-19 17:10 - 2012-04-19 17:00 - 17808134 ____A C:\Users\matthew.scofield\Downloads\gorillaz-spring in your step.m4a
2012-04-18 18:58 - 2012-04-18 18:56 - 158686269 ____A C:\Users\matthew.scofield\Downloads\Wu Tang & Jimi Hendrix - Black Gold.zip
2012-04-12 00:22 - 2012-03-02 17:30 - 00002013 ____A C:\Users\matthew.scofield\Documents\03022011_mtg.txt
2012-04-11 20:30 - 2012-04-11 20:30 - 00057306 ____A C:\Users\matthew.scofield\Documents\360 Program Catalog_2012_without GI Bill v4512 (2).xlsx
2012-04-09 15:44 - 2012-04-09 15:44 - 00020022 ____A C:\Users\matthew.scofield\Downloads\pomodoro11.gadget

ZeroAccess:
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\@
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\L
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\00000001.@
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\80000000.@
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\800000cb.@

ZeroAccess:
C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}
C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\@
C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\L
C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\U

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3032.96 MB
Available physical RAM: 2490.96 MB
Total Pagefile: 6064.2 MB
Available Pagefile: 5548.95 MB
Total Virtual: 2047.88 MB
Available Virtual: 1932.07 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:190.4 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (UDISK) (Removable) (Total:1.89 GB) (Free:1.89 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 9 MB
Disk 1 Online 1944 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 31 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 232 GB Healthy System (partition with boot components)

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1943 MB 192 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E UDISK FAT32 Removable 1943 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-28 22:06

======================= End Of Log ==========================

Broni · Jul 4, 2012

I didn't see Advanced Boot Options, so I just did safe mode with command prompt

We can't cure this infection from within Windows.
You have to boot to System Recovery Options.

Matt99 · Jul 4, 2012

Okay I will try once more, let me give it a crack now

Matt99 · Jul 4, 2012

Okay I was able to get in there and ran it just like your instructions, here is the log. What's next? Thanks!

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 04-07-2012 02
Ran by SYSTEM at 04-07-2012 21:33:01
Running from E:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [2215064 2010-08-12] (ESET)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [137752 2011-02-11] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2011-02-11] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [172568 2011-02-11] (Intel Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [217088 2009-02-27] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Clearwire Connection Manager] "C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe" -a [54608 2009-12-01] (ClearwireCM)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [2215768 2011-12-06] (Intuit Inc. All rights reserved.)
HKU\matthew.scofield\...\Run: [Spotify] "C:\Users\matthew.scofield\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [7609560 2012-06-28] (Spotify Ltd)
HKU\matthew.scofield\...\Run: [Google Update] "C:\Users\matthew.scofield\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-03-05] (Google Inc.)
HKU\matthew.scofield\...\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent [1242448 2012-03-11] (Valve Corporation)
HKU\matthew.scofield\...\Run: [Spotify Web Helper] "C:\Users\matthew.scofield\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1192664 2012-06-28] ()
HKU\matthew.scofield\...\Run: [btustc] rundll32.exe "C:\Users\matthew.scofield\AppData\Roaming\btustc.dll",Rollback [143360 2012-07-03] (DT Soft Ltd)
HKU\matthew.scofield\...\Run: [Noguuftiiw] C:\Users\matthew.scofield\AppData\Roaming\Epyk\tucyl.exe [x]
HKU\matthew.scofield\...\Policies\system: [NoDispScrSavPage] 1
HKU\ronnie\...\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [218032 2006-09-11] (Macrovision Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.0.1.1
Tcpip\..\Interfaces\{2AA4A2F0-F535-4115-9367-E95401EC6A18}: [NameServer]10.0.0.247 10.0.1.100
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Glance.lnk
ShortcutTarget: Glance.lnk -> C:\Program Files\Glance26\Glance.exe (Glance Networks, Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Snagit 10.lnk
ShortcutTarget: Snagit 10.lnk -> C:\Program Files\TechSmith\Snagit 10\Snagit32.exe (TechSmith Corporation)

================================ Services (Whitelisted) ==================

3 CACLEARWIRE; "C:\Program Files\Clearwire\Connection Manager\ConAppsSvc.exe" /n "CACLEARWIRE" [124240 2009-11-09] (SmithMicro Inc.)
3 CLEARWIRERcAppSvc; "C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe" /n "CLEARWIRERcAppSvc" [120144 2009-11-09] (SmithMicro Inc.)
3 EhttpSrv; "C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe" [33584 2010-08-12] (ESET)
2 ekrn; "C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe" [810144 2010-08-12] (ESET)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 FreemakeVideoCapture; "C:\Program Files\Freemake\CaptureLib\CaptureLibService.exe" [8704 2012-06-18] (Microsoft)
2 QBCFMonitorService; "C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [45056 2011-12-06] (Intuit)
3 QBFCService; "C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [61440 2011-12-06] (Intuit Inc.)
2 QBVSS; "C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe" [1248256 2011-12-06] (Intuit Inc.)
2 SMSI Device Launch Service; "C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe" /n "SMSI Device Launch Service" [107856 2009-11-09] ()

========================== Drivers (Whitelisted) =============

2 DLABMFSM; C:\Windows\System32\Drivers\DLABMFSM.SYS [37360 2007-07-23] (Roxio)
2 DLABOIOM; C:\Windows\System32\Drivers\DLABOIOM.SYS [32848 2007-07-23] (Roxio)
2 DLADResM; C:\Windows\System32\Drivers\DLADResM.SYS [9104 2007-07-23] (Roxio)
2 DLAIFS_M; C:\Windows\System32\Drivers\DLAIFS_M.SYS [108752 2007-07-23] (Roxio)
2 DLAOPIOM; C:\Windows\System32\Drivers\DLAOPIOM.SYS [27216 2007-07-23] (Roxio)
2 DLAPoolM; C:\Windows\System32\Drivers\DLAPoolM.SYS [16304 2007-07-23] (Roxio)
2 DLAUDFAM; C:\Windows\System32\Drivers\DLAUDFAM.SYS [93552 2007-07-23] (Roxio)
2 DLAUDF_M; C:\Windows\System32\Drivers\DLAUDF_M.SYS [98448 2007-07-23] (Roxio)
2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [136632 2010-07-29] (ESET)
1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [115008 2010-07-29] (ESET)
2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [96920 2010-07-29] (ESET)
3 glancedrv; C:\Windows\System32\DRIVERS\glancedrv.sys [34080 2009-05-13] (Glance Networks, Inc)
2 npf; C:\Windows\System32\drivers\npf.sys [35088 2011-02-11] (CACE Technologies, Inc.)
3 PCTINDIS5; \??\C:\Windows\system32\PCTINDIS5.SYS [32408 2009-11-09] (Smith Micro Inc.)

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-04 13:43 - 2012-07-04 13:43 - 00000000 ____D C:\FRST
2012-07-04 13:31 - 2012-07-04 13:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-07-04 12:02 - 2012-07-04 18:12 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-04 12:02 - 2012-07-04 14:08 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-04 12:02 - 2012-07-04 12:02 - 00000000 ____D C:\Users\All Users\Google
2012-07-04 12:02 - 2012-07-04 12:02 - 00000000 ____D C:\Program Files\Google
2012-07-03 20:00 - 2012-07-03 20:00 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-03 19:42 - 2012-07-04 09:44 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Izbeu
2012-07-03 19:42 - 2012-07-04 09:07 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Epyk
2012-07-03 19:42 - 2012-07-03 19:42 - 00143360 __ASH (DT Soft Ltd) C:\Users\matthew.scofield\AppData\Roaming\btustc.dll
2012-07-03 19:42 - 2012-07-03 19:42 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Ugigas
2012-07-03 19:42 - 2012-07-03 19:42 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\ESET
2012-06-30 11:19 - 2012-06-30 11:19 - 00000000 ____D C:\Users\matthew.scofield\Documents\WebLearning
2012-06-30 10:17 - 2012-06-30 10:17 - 00000000 ____D C:\Windows\Downloaded Installations
2012-06-30 10:17 - 2012-06-30 10:17 - 00000000 ____D C:\Program Files\Common Files\Macromedia Shared
2012-06-30 10:14 - 2012-06-30 10:14 - 00000000 ____D C:\Windows\System32\QuickTime
2012-06-30 10:10 - 2012-06-30 10:18 - 00000000 ____D C:\Program Files\Macromedia
2012-06-30 10:10 - 2012-06-30 10:14 - 00000000 ____D C:\Users\All Users\Macromedia
2012-06-30 10:10 - 2012-06-30 10:13 - 00000000 ____D C:\Program Files\Common Files\Macromedia
2012-06-28 18:36 - 2012-06-28 18:36 - 242315789 ____A C:\Windows\MEMORY.DMP
2012-06-28 18:36 - 2012-06-28 18:36 - 00146064 ____A C:\Windows\Minidump\062812-20342-01.dmp
2012-06-28 18:36 - 2012-06-28 18:36 - 00000000 ____D C:\Windows\Minidump
2012-06-28 11:52 - 2012-06-30 10:17 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\Macromedia
2012-06-25 09:49 - 2012-07-04 13:54 - 00000000 ____A C:\sniffer.log
2012-06-25 09:49 - 2012-06-25 09:51 - 00000000 ____D C:\Users\matthew.scofield\Documents\Freemake
2012-06-25 09:49 - 2012-06-25 09:50 - 00000000 ____D C:\Users\All Users\Freemake
2012-06-25 09:49 - 2012-06-25 09:49 - 00000000 ____D C:\Program Files\WinPcap
2012-06-25 09:49 - 2012-06-25 09:49 - 00000000 ____D C:\Program Files\Freemake
2012-06-19 05:53 - 2012-07-04 16:57 - 00006844 ____A C:\Users\matthew.scofield\Documents\td.txt
2012-06-10 13:15 - 2012-06-10 13:15 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\Intuit
2012-06-06 17:10 - 2012-06-06 17:10 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$Budget (version 1).xlsx
2012-06-05 16:24 - 2012-06-07 15:30 - 00001533 ____A C:\Users\matthew.scofield\Documents\32.txt
2012-06-04 21:41 - 2012-07-04 08:42 - 00013818 ____A C:\Users\matthew.scofield\Documents\Budget (version 1).xlsx

============ 3 Months Modified Files ========================

2012-07-04 18:24 - 2012-03-05 19:31 - 00000952 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841UA.job
2012-07-04 18:12 - 2012-07-04 12:02 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-04 16:57 - 2012-06-19 05:53 - 00006844 ____A C:\Users\matthew.scofield\Documents\td.txt
2012-07-04 14:24 - 2012-03-05 19:31 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841Core.job
2012-07-04 14:08 - 2012-07-04 12:02 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-04 14:01 - 2009-07-13 20:34 - 00018304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-04 14:01 - 2009-07-13 20:34 - 00018304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-04 13:58 - 2012-02-06 14:02 - 00777976 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-04 13:55 - 2012-02-06 14:01 - 01605078 ____A C:\Windows\WindowsUpdate.log
2012-07-04 13:54 - 2012-06-25 09:49 - 00000000 ____A C:\sniffer.log
2012-07-04 13:54 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-04 13:54 - 2009-07-13 20:39 - 00022291 ____A C:\Windows\setupact.log
2012-07-04 13:41 - 2012-02-16 10:33 - 00007148 ____A C:\Windows\PFRO.log
2012-07-04 13:31 - 2012-07-04 13:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-07-04 13:15 - 2012-02-16 11:30 - 00000544 ____A C:\Windows\System32\config\netlogon.ftl
2012-07-04 08:59 - 2009-07-13 20:33 - 00427264 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-04 08:42 - 2012-06-04 21:41 - 00013818 ____A C:\Users\matthew.scofield\Documents\Budget (version 1).xlsx
2012-07-04 08:42 - 2012-05-22 07:38 - 00010735 ____A C:\Users\matthew.scofield\Documents\DailyList.xlsx
2012-07-03 19:42 - 2012-07-03 19:42 - 00143360 __ASH (DT Soft Ltd) C:\Users\matthew.scofield\AppData\Roaming\btustc.dll
2012-07-03 14:10 - 2012-02-17 11:04 - 00113192 ____A C:\Users\matthew.scofield\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-28 20:55 - 2012-04-14 11:27 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-28 20:55 - 2012-02-06 14:12 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-28 18:36 - 2012-06-28 18:36 - 242315789 ____A C:\Windows\MEMORY.DMP
2012-06-28 18:36 - 2012-06-28 18:36 - 00146064 ____A C:\Windows\Minidump\062812-20342-01.dmp
2012-06-13 15:29 - 2012-02-17 10:49 - 00004366 _RASH C:\Users\matthew.scofield\ntuser.pol
2012-06-07 15:30 - 2012-06-05 16:24 - 00001533 ____A C:\Users\matthew.scofield\Documents\32.txt
2012-06-06 17:10 - 2012-06-06 17:10 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$Budget (version 1).xlsx
2012-06-03 01:09 - 2012-05-30 21:42 - 00004024 ____A C:\Users\matthew.scofield\Documents\3n.txt
2012-05-29 07:57 - 2012-02-16 11:36 - 00074160 _RASH C:\Users\All Users\ntuser.pol
2012-05-22 07:38 - 2012-05-22 07:38 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$DailyList.xlsx
2012-05-13 19:15 - 2012-05-13 19:14 - 10750868 ____A C:\Users\matthew.scofield\Downloads\Matt Pics.zip
2012-05-13 04:56 - 2012-05-13 04:45 - 00000095 ____A C:\Windows\QBChanUtil_Trigger.ini
2012-05-08 01:09 - 2012-05-08 01:09 - 00000497 ____A C:\Users\matthew.scofield\Documents\nownow.txt
2012-04-19 17:26 - 2012-04-09 17:13 - 00012517 ____A C:\Users\matthew.scofield\Documents\Budget.xlsx
2012-04-19 14:10 - 2012-04-19 14:00 - 17808134 ____A C:\Users\matthew.scofield\Downloads\gorillaz-spring in your step.m4a
2012-04-18 15:58 - 2012-04-18 15:56 - 158686269 ____A C:\Users\matthew.scofield\Downloads\Wu Tang & Jimi Hendrix - Black Gold.zip
2012-04-11 21:22 - 2012-03-02 14:30 - 00002013 ____A C:\Users\matthew.scofield\Documents\03022011_mtg.txt
2012-04-11 17:30 - 2012-04-11 17:30 - 00057306 ____A C:\Users\matthew.scofield\Documents\360 Program Catalog_2012_without GI Bill v4512 (2).xlsx
2012-04-09 12:44 - 2012-04-09 12:44 - 00020022 ____A C:\Users\matthew.scofield\Downloads\pomodoro11.gadget

ZeroAccess:
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\@
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\L
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\00000001.@
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\80000000.@
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\800000cb.@

ZeroAccess:
C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}
C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\@
C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\L
C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\U

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 21%
Total physical RAM: 3032.96 MB
Available physical RAM: 2382.98 MB
Total Pagefile: 3031.23 MB
Available Pagefile: 2387.45 MB
Total Virtual: 2047.88 MB
Available Virtual: 1965.62 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:190.34 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (UDISK) (Removable) (Total:1.89 GB) (Free:1.89 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 9 MB
Disk 1 Online 1944 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 31 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 232 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1943 MB 192 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E UDISK FAT32 Removable 1943 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-28 19:06

======================= End Of Log ==========================

Broni · Jul 4, 2012

In Vista or Windows 7: Boot to System Recovery Options and run FRST.
In Windows XP: Please boot to UBCD and run FRST.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

Matt99 · Jul 5, 2012

Here you go. What's next? thanks

Farbar Recovery Scan Tool Version: 04-07-2012 02
Ran by SYSTEM at 2012-07-04 23:07:18
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

Broni · Jul 5, 2012

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next...

Restart normally.

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe

Double-click on the Rkill icon to run the tool.
If using Vista or Windows 7 right-click on it and choose Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
Do not reboot until instructed.
If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Matt99 · Jul 5, 2012

Here they are:

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-07-2012 02
Ran by SYSTEM at 2012-07-04 23:25:26 Run:1
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
C:\Windows\System32\consrv.dll not found.
HKEY_USERS\matthew.scofield\Software\Microsoft\Windows\CurrentVersion\Run\\Noguuftiiw Value deleted successfully.
C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882} moved successfully.
C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Combofix:

ComboFix 12-07-05.01 - matthew.scofield 07/04/2012 23:41:07.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3033.1993 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\matthew.scofield\AppData\Local\assembly\tmp
c:\users\matthew.scofield\AppData\Roaming\btustc.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-05 to 2012-07-05 )))))))))))))))))))))))))))))))
.
.
2012-07-05 05:02 . 2012-07-05 05:0256200----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5708552-FE93-4056-93CC-6071E9822E76}\offreg.dll
2012-07-04 21:43 . 2012-07-04 21:43--------d-----w-C:\FRST
2012-07-04 20:02 . 2012-07-04 20:02--------d-----w-c:\program files\Google
2012-07-04 04:00 . 2012-07-04 04:00--------d-sh--w-c:\windows\system32\%APPDATA%
2012-07-04 03:42 . 2012-07-04 17:44--------d-----w-c:\users\matthew.scofield\AppData\Roaming\Izbeu
2012-07-04 03:42 . 2012-07-04 17:07--------d-----w-c:\users\matthew.scofield\AppData\Roaming\Epyk
2012-07-04 03:42 . 2012-07-04 03:42--------d-----w-c:\users\matthew.scofield\AppData\Roaming\Ugigas
2012-07-04 03:42 . 2012-07-04 03:42--------d-----w-c:\users\matthew.scofield\AppData\Local\ESET
2012-06-30 18:17 . 2012-06-30 18:17--------d-----w-c:\program files\Common Files\Macromedia Shared
2012-06-30 18:17 . 2012-06-30 18:17--------d-----w-c:\windows\Downloaded Installations
2012-06-30 18:16 . 2012-06-30 18:16401408----a-w-c:\program files\Common Files\InstallShield\Driver\9\Intel 32\ISRT.dll
2012-06-30 18:16 . 2012-06-30 18:1632768----a-w-c:\program files\Common Files\InstallShield\Driver\9\Intel 32\objpscnv.dll
2012-06-30 18:16 . 2012-06-30 18:16266240----a-w-c:\program files\Common Files\InstallShield\Driver\9\Intel 32\IScrCnv.dll
2012-06-30 18:16 . 2012-06-30 18:16192512----a-w-c:\program files\Common Files\InstallShield\Driver\9\Intel 32\IUserCnv.dll
2012-06-30 18:16 . 2012-06-30 18:16188416----a-w-c:\program files\Common Files\InstallShield\Driver\9\Intel 32\iGdiCnv.dll
2012-06-30 18:16 . 2012-06-30 18:16761856----a-w-c:\program files\Common Files\InstallShield\Driver\9\Intel 32\IDriver.exe
2012-06-30 18:16 . 2012-06-30 18:16299008----a-w-c:\program files\Common Files\InstallShield\Driver\9\Intel 32\_ISRES1033.dll
2012-06-30 18:14 . 2005-08-27 19:081398408----a-w-c:\program files\Mozilla Firefox\plugins\NPSWF32.dll
2012-06-30 18:14 . 2012-06-30 18:1445056----a-r-c:\users\matthew.scofield\AppData\Roaming\Microsoft\Installer\{91057632-CA70-413C-B628-2D3CDBBB906B}\ARPPRODUCTICON.exe
2012-06-30 18:14 . 2012-06-30 18:14--------d-----w-c:\windows\system32\QuickTime
2012-06-30 18:10 . 2012-06-30 18:18--------d-----w-c:\program files\Macromedia
2012-06-30 18:10 . 2012-06-30 18:13--------d-----w-c:\program files\Common Files\Macromedia
2012-06-30 18:09 . 2012-06-30 18:13409600------w-c:\program files\Common Files\InstallShield\Driver\10\Intel 32\ISRT.dll
2012-06-30 18:09 . 2012-06-30 18:1332768------w-c:\program files\Common Files\InstallShield\Driver\10\Intel 32\objpscnv.dll
2012-06-30 18:09 . 2012-06-30 18:13266240------w-c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IScrCnv.dll
2012-06-30 18:09 . 2012-06-30 18:13180224------w-c:\program files\Common Files\InstallShield\Driver\10\Intel 32\iGdiCnv.dll
2012-06-30 18:09 . 2012-06-30 18:13172032------w-c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IUserCnv.dll
2012-06-30 18:09 . 2012-06-30 18:13761856------w-c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe
2012-06-30 18:09 . 2012-06-30 18:13540772------w-c:\program files\Common Files\InstallShield\Driver\10\Intel 32\_ISRES1033.dll
2012-06-28 19:52 . 2012-06-30 18:17--------d-----w-c:\users\matthew.scofield\AppData\Local\Macromedia
2012-06-28 19:51 . 2012-06-28 19:51421200----a-w-c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-28 19:51 . 2012-06-28 19:51770384----a-w-c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-25 17:49 . 2012-06-25 17:49--------d-----w-c:\program files\WinPcap
2012-06-25 17:49 . 2012-06-25 17:50--------d-----w-c:\programdata\Freemake
2012-06-25 17:49 . 2012-06-25 17:49--------d-----w-c:\program files\Freemake
2012-06-21 08:05 . 2012-05-31 03:416762896----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5708552-FE93-4056-93CC-6071E9822E76}\mpengine.dll
2012-06-18 17:13 . 2009-07-14 01:1590624----a-w-c:\windows\system32\Spool\prtprocs\w32x86\HPZPPWN7.DLL
2012-06-10 21:15 . 2012-06-10 21:15--------d-----w-c:\users\matthew.scofield\AppData\Local\Intuit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-29 04:55 . 2012-04-14 19:27426184----a-w-c:\windows\system32\FlashPlayerApp.exe
2012-06-29 04:55 . 2012-02-06 22:1270344----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-29 23:56 . 2012-02-23 02:1185472----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify"="c:\users\matthew.scofield\AppData\Roaming\Spotify\Spotify.exe" [2012-06-29 7609560]
"Steam"="c:\program files\Steam\steam.exe" [2012-03-12 1242448]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Spotify Web Helper"="c:\users\matthew.scofield\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-06-29 1192664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-27 217088]
"Clearwire Connection Manager"="c:\program files\Clearwire\Connection Manager\ClearwireCM.exe" [2009-12-01 54608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-12-06 2215768]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Glance.lnk - c:\program files\Glance26\Glance.exe [2012-2-7 1827616]
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-12-6 5904216]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-12-6 1175912]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2012\QBW32.EXE [2011-12-6 1178984]
Snagit 10.lnk - c:\program files\TechSmith\Snagit 10\Snagit32.exe [2011-11-8 7070608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2344476697-3930214085-3868020663-5745\Scripts\Logon\0\0]
"Script"=login_script.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2344476697-3930214085-3868020663-7841\Scripts\Logon\0\0]
"Script"=login_script.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 CACLEARWIRE;Clearwire Con App Svc;c:\program files\Clearwire\Connection Manager\ConAppsSvc.exe [x]
R3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\Clearwire\Connection Manager\RcAppSvc.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
S2 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files\Freemake\CaptureLib\CaptureLibService.exe [x]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [x]
S2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\Clearwire\Connection Manager\DeviceLaunchSvc.exe [x]
S3 glancedrv;glancedrv;c:\windows\system32\DRIVERS\glancedrv.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-04 20:02]
.
2012-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-04 20:02]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841Core.job
- c:\users\matthew.scofield\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-06 03:31]
.
2012-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841UA.job
- c:\users\matthew.scofield\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-06 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aus-sharept-1.austin.360training.com/default.aspx
uInternet Settings,ProxyServer = 10.0.0.1:8080
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: 360training.com\aus-sharept-1.austin
Trusted Zone: 360training.com\crm
Trusted Zone: 360training.com\sharepoint
Trusted Zone: 360training.com\sharepoint.austin
Trusted Zone: 360training.com\webmail
Trusted Zone: aus-sharept-1
Trusted Zone: crm
Trusted Zone: 360training.com\aus-sharept-1.austin
Trusted Zone: 360training.com\crm
Trusted Zone: 360training.com\sharepoint
Trusted Zone: 360training.com\sharepoint.austin
Trusted Zone: 360training.com\webmail
Trusted Zone: aus-sharept-1
Trusted Zone: crm
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{2AA4A2F0-F535-4115-9367-E95401EC6A18}: NameServer = 10.0.0.247 10.0.1.100
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\matthew.scofield\AppData\Roaming\Mozilla\Firefox\Profiles\lxi8kb6y.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.tumblr.com/|https://app.nirvana...rnote.com/Login.action?targetUrl=/Home.action
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - prefs.js: network.proxy.ftp - 10.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - 10.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-btustc - c:\users\matthew.scofield\AppData\Roaming\btustc.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1960)
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\TechSmith\Snagit 10\TSCHelp.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\program files\TechSmith\Snagit 10\SnagPriv.exe
c:\program files\TechSmith\Snagit 10\snagiteditor.exe
c:\program files\Common Files\Steam\SteamService.exe
c:\program files\windows defender\MpCmdRun.exe
.
**************************************************************************
.
Completion time: 2012-07-05 00:14:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-05 05:14
.
Pre-Run: 204,277,276,672 bytes free
Post-Run: 205,339,365,376 bytes free
.
- - End Of File - - 415C5303F4E5C266FFE363B301C238AB

Broni · Jul 5, 2012

Looks good

Any current issues?

=====================================

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=====================================

Download OTL to your Desktop.

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Click the Scan All Users checkbox.
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

Matt99 · Jul 5, 2012

Here they are. Yeah I haven't got any more warnings about the malware, it seems to be okay. Do these log files look ok?

malware log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.05.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
matthew.scofield :: AUSTIN-181 [administrator]

7/5/2012 1:03:01 PM
mbam-log-2012-07-05 (13-03-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 270636
Time elapsed: 7 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
OTL.txt:
OTL logfile created on: 7/5/2012 2:14:11 PM - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\matthew.scofield\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 1.87 Gb Available Physical Memory | 63.23% Memory free
5.92 Gb Paging File | 4.72 Gb Available in Paging File | 79.66% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 190.80 Gb Free Space | 81.93% Space Free | Partition Type: NTFS
Drive E: | 1.89 Gb Total Space | 1.88 Gb Free Space | 99.15% Space Free | Partition Type: FAT32

Computer Name: AUSTIN-181 | User Name: matthew.scofield | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/05 12:56:32 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\matthew.scofield\Desktop\OTL.exe
PRC - [2012/06/28 23:55:19 | 000,529,232 | ---- | M] (Valve Corporation) -- C:\Program Files\Common Files\Steam\SteamService.exe
PRC - [2012/06/28 23:54:52 | 007,609,560 | ---- | M] (Spotify Ltd) -- C:\Users\matthew.scofield\AppData\Roaming\Spotify\spotify.exe
PRC - [2012/06/28 23:54:51 | 001,192,664 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
PRC - [2012/06/18 13:15:32 | 000,008,704 | ---- | M] (Microsoft) -- C:\Program Files\Freemake\CaptureLib\CaptureLibService.exe
PRC - [2012/03/11 23:30:16 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe
PRC - [2011/12/06 08:48:02 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2011/12/06 06:40:30 | 001,248,256 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
PRC - [2011/11/08 10:07:22 | 000,094,608 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 10\TscHelp.exe
PRC - [2011/11/08 10:07:20 | 000,094,608 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 10\SnagPriv.exe
PRC - [2011/11/08 10:07:18 | 007,397,776 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 10\SnagitEditor.exe
PRC - [2011/11/08 10:07:16 | 007,070,608 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 10\Snagit32.exe
PRC - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/06/23 23:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/18 15:04:44 | 001,827,616 | ---- | M] (Glance Networks, Inc.) -- C:\Program Files\Glance26\Glance.exe
PRC - [2010/11/20 07:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/08/12 15:16:26 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2010/08/12 15:16:12 | 002,215,064 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/11/09 13:00:32 | 000,107,856 | ---- | M] () -- C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
PRC - [2009/07/13 20:14:46 | 000,115,200 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2009/02/27 10:18:32 | 000,217,088 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2009/01/31 16:15:38 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2009/01/31 14:43:30 | 000,049,250 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/11/24 05:56:46 | 000,054,568 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe

========== Modules (No Company Name) ==========

MOD - [2012/06/28 23:55:18 | 020,313,384 | ---- | M] () -- C:\Program Files\Steam\bin\libcef.dll
MOD - [2012/06/28 23:55:03 | 001,099,576 | ---- | M] () -- C:\Program Files\Steam\bin\avcodec-53.dll
MOD - [2012/06/28 23:55:03 | 000,895,312 | ---- | M] () -- C:\Program Files\Steam\bin\chromehtml.dll
MOD - [2012/06/28 23:55:03 | 000,190,776 | ---- | M] () -- C:\Program Files\Steam\bin\avformat-53.dll
MOD - [2012/06/28 23:55:03 | 000,123,192 | ---- | M] () -- C:\Program Files\Steam\bin\avutil-51.dll
MOD - [2012/06/28 23:54:52 | 020,214,784 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Roaming\Spotify\Data\libcef.dll
MOD - [2012/06/28 23:54:51 | 001,192,664 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
MOD - [2012/05/01 19:49:31 | 001,670,144 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\3ce70b84dbb9970e1893672c5d430c80\Microsoft.VisualBasic.ni.dll
MOD - [2012/04/05 15:31:46 | 000,008,704 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Local\Microsoft\Windows Sidebar\Gadgets\All_CPU_Meter_V3.9.gadget\GetCoreTempInfoNET.dll
MOD - [2012/04/05 15:31:46 | 000,007,680 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Local\Microsoft\Windows Sidebar\Gadgets\All_CPU_Meter_V3.9.gadget\SystemInfo.dll
MOD - [2012/04/05 15:31:46 | 000,006,144 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Local\Microsoft\Windows Sidebar\Gadgets\All_CPU_Meter_V3.9.gadget\CoreTempReader.dll
MOD - [2012/02/16 14:04:36 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\9866d1f6178e1cde25642f1ac293ff8d\System.Xml.ni.dll
MOD - [2012/02/16 14:04:32 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\e620323cacb5b6bfd93fd28d263440e4\System.Configuration.ni.dll
MOD - [2012/02/16 14:04:31 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\faf4e8730ecbd07570111bb7c3b20565\System.ni.dll
MOD - [2012/02/16 14:04:23 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2011/07/28 18:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2007/07/23 16:04:46 | 000,068,080 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\dlaapi_w.dll

========== Win32 Services (SafeList) ==========

SRV - [2012/06/29 18:56:19 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/06/28 23:55:19 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/06/18 13:15:32 | 000,008,704 | ---- | M] (Microsoft) [Auto | Running] -- C:\Program Files\Freemake\CaptureLib\CaptureLibService.exe -- (FreemakeVideoCapture)
SRV - [2012/02/06 17:35:20 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011/12/06 08:48:02 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2011/12/06 06:40:30 | 001,248,256 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe -- (QBVSS)
SRV - [2011/12/06 06:40:08 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2010/08/12 15:18:40 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2010/08/12 15:16:26 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2009/11/09 13:02:48 | 000,120,144 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe -- (CLEARWIRERcAppSvc)
SRV - [2009/11/09 13:00:32 | 000,107,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe -- (SMSI Device Launch Service)
SRV - [2009/11/09 13:00:20 | 000,124,240 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\Clearwire\Connection Manager\ConAppsSvc.exe -- (CACLEARWIRE)
SRV - [2009/07/13 20:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\MATTHE~1.SCO\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2011/02/11 16:23:34 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (npf)
DRV - [2010/11/20 07:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 07:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 07:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 05:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 04:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 04:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/07/29 14:31:26 | 000,136,632 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)
DRV - [2010/07/29 14:31:26 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/07/29 14:31:26 | 000,096,920 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV - [2009/11/09 12:47:26 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2009/07/13 18:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/05/13 10:56:28 | 000,034,080 | ---- | M] (Glance Networks, Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\glancedrv.sys -- (glancedrv)
DRV - [2009/03/24 17:25:24 | 000,197,680 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/07/23 16:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 16:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 16:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 16:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 16:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 16:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 16:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 16:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 15:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\Windows\System32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 15:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\DLACDBHM.SYS -- (DLACDBHM)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://aus-sharept-1.austin.360training.com/default.aspx
IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..\SearchScopes,DefaultScope = {DAB9445D-2285-4F8E-8D01-4F2028EFD0B3}
IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..\SearchScopes\{359EC1E4-6454-497A-9303-017CC312BC68}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..\SearchScopes\{DAB9445D-2285-4F8E-8D01-4F2028EFD0B3}: "URL" = http://www.google.com/search?q={sea...ie={inputEncoding?}&oe={outputEncoding?}&rlz=
IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.0.0.1:8080

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "https://www.tumblr.com/|https://app...rnote.com/Login.action?targetUrl=/Home.action"
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p="
FF - prefs.js..network.proxy.ftp: "10.0.0.1"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.http: "10.0.0.1"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "10.0.0.1"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "10.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8080
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_257.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@glance.net/GlanceClient: C:\Program Files\Glance26\npglance.dll (Glance Networks, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@skyhookwireless.com/LokiPlugin,version=3.1.0.05: C:\Program Files\Skyhook Wireless\Loki ActiveX Component\versions\3.1.0.05\loki.dll (Skyhook Wireless)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\matthew.scofield\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\matthew.scofield\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\matthew.scofield\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\matthew.scofield\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\matthew.scofield\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/03/27 10:54:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\fmdownloader@gmail.com: C:\Program Files\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\ [2012/06/25 12:49:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/30 13:14:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/30 13:14:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2012/02/06 17:09:04 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/30 13:14:15 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/30 13:14:15 | 000,000,000 | ---D | M]

[2012/02/17 15:44:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\matthew.scofield\AppData\Roaming\mozilla\Extensions
[2012/07/04 13:53:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\matthew.scofield\AppData\Roaming\mozilla\Firefox\Profiles\lxi8kb6y.default\extensions
[2012/07/02 20:04:55 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\matthew.scofield\AppData\Roaming\mozilla\Firefox\Profiles\lxi8kb6y.default\extensions\firefox@ghostery.com
[2012/05/21 19:59:17 | 000,000,000 | ---D | M] ("TableTools2") -- C:\Users\matthew.scofield\AppData\Roaming\mozilla\Firefox\Profiles\lxi8kb6y.default\extensions\tabletools2@mingyi.org
[2012/07/05 12:36:53 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/07/05 12:36:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
[2012/06/25 12:49:20 | 000,000,000 | ---D | M] (Freemake Video Downloader Plugin) -- C:\PROGRAM FILES\FREEMAKE\FREEMAKE VIDEO DOWNLOADER\BROWSERPLUGIN\FIREFOX
[2012/06/29 18:56:26 | 000,084,634 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\{0545B830-F0AA-4D7E-8820-50A4629A56FE}.XPI
[2012/04/13 18:25:44 | 000,050,631 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\{54BB9F3F-07E5-486C-9B39-C7398B99391C}.XPI
[2012/04/13 18:25:44 | 000,023,443 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\{68836A21-FC7D-4EA1-A065-7EFABD99D414}.XPI
[2012/07/04 13:53:24 | 000,340,684 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\{A7C6CF7F-112C-4500-A7EA-39801A327E5F}.XPI
[2012/05/21 19:59:12 | 001,335,949 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\FIREBUG@SOFTWARE.JOEHEWITT.COM.XPI
[2012/04/13 22:31:41 | 000,038,314 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\FIREPICKER@THEDARKONE.XPI
[2012/06/29 18:56:20 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2005/08/27 14:08:06 | 001,398,408 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\NPSWF32.dll
[2012/02/16 05:42:53 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/16 05:42:53 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google

riginalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\Application\19.0.1084.56\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\Application\19.0.1084.56\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\Application\19.0.1084.56\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Glance\u2122 (Enabled) = C:\Program Files\Glance26\npglance.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Loki Plugin (Enabled) = C:\Program Files\Skyhook Wireless\Loki ActiveX Component\versions\3.1.0.05\loki.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\matthew.scofield\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: Google Update (Enabled) = C:\Users\matthew.scofield\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Freemake Video Downloader = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpegkgagfojjbcpkihigfmkojdmmimdf\1.0.0_0\
CHR - Extension: Google Search = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: DropinSavings = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk\1.0_0\
CHR - Extension: Chromodoro = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\mipdbifffceniaiejmikimkmnobmefke\1.0.2_0\
CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0\
CHR - Extension: Gmail = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/07/05 00:05:33 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll (TechSmith Corporation)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Clearwire Connection Manager] C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe (ClearwireCM)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841..\Run: [Spotify] C:\Users\matthew.scofield\AppData\Roaming\Spotify\Spotify.exe (Spotify Ltd)
O4 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841..\Run: [Spotify Web Helper] C:\Users\matthew.scofield\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe ()
O4 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841..\Run: [Steam] C:\Program Files\Steam\steam.exe (Valve Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKLM\..Trusted Domains: 360training.com ([aus-sharept-1.austin] http in Trusted sites)
O15 - HKLM\..Trusted Domains: 360training.com ([crm] http in Trusted sites)
O15 - HKLM\..Trusted Domains: 360training.com ([sharepoint] http in Trusted sites)
O15 - HKLM\..Trusted Domains: 360training.com ([sharepoint.austin] http in Trusted sites)
O15 - HKLM\..Trusted Domains: 360training.com ([webmail] https in Trusted sites)
O15 - HKLM\..Trusted Domains: aus-sharept-1 ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: crm ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([aus-sharept-1.austin] http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([crm] http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([sharepoint] http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([sharepoint.austin] http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([webmail] https in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: aus-sharept-1 ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: crm ([]http in Trusted sites)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = austin.360training.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{13E45424-1CD7-4313-AE31-B60EE441F0C7}: DhcpNameServer = 10.0.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2AA4A2F0-F535-4115-9367-E95401EC6A18}: NameServer = 10.0.0.247 10.0.1.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{635D2EDA-1D42-4280-9990-86C7ABACC5D6}: DhcpNameServer = 10.0.1.1
O18 - Protocol\Handler\intu-help-qb5 {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/05 14:13:25 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\matthew.scofield\Desktop\OTL.exe
[2012/07/05 13:00:00 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Malwarebytes
[2012/07/05 12:59:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/05 12:59:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/07/05 12:59:33 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/07/05 12:59:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/07/05 12:36:44 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/07/05 12:33:31 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2012/07/05 00:13:16 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/07/04 23:48:36 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/07/04 23:39:00 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/07/04 23:39:00 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/07/04 23:39:00 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/07/04 23:37:23 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/04 23:37:03 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/07/04 16:43:11 | 000,000,000 | ---D | C] -- C:\FRST
[2012/07/04 15:02:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2012/07/04 15:02:01 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/07/03 23:00:03 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/07/03 22:42:16 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Ugigas
[2012/07/03 22:42:16 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Izbeu
[2012/07/03 22:42:16 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Epyk
[2012/07/03 22:42:01 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Local\ESET
[2012/06/30 14:19:01 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\Documents\WebLearning
[2012/06/30 13:18:05 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Macromedia
[2012/06/30 13:17:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macromedia Shared
[2012/06/30 13:17:04 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2012/06/30 13:14:02 | 000,000,000 | ---D | C] -- C:\Windows\System32\QuickTime
[2012/06/30 13:10:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Macromedia
[2012/06/30 13:10:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Macromedia
[2012/06/30 13:10:03 | 000,000,000 | ---D | C] -- C:\Program Files\Macromedia
[2012/06/30 13:10:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macromedia
[2012/06/28 21:36:27 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012/06/28 14:52:12 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Local\Macromedia
[2012/06/25 12:49:46 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2012/06/25 12:49:22 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\Documents\Freemake
[2012/06/25 12:49:21 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Freemake
[2012/06/25 12:49:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freemake
[2012/06/25 12:49:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Freemake
[2012/06/25 12:49:02 | 000,000,000 | ---D | C] -- C:\Program Files\Freemake
[2012/06/10 16:15:16 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Local\Intuit

========== Files - Modified Within 30 Days ==========

[2012/07/05 14:24:00 | 000,000,952 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841UA.job
[2012/07/05 14:15:05 | 000,018,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/05 14:15:05 | 000,018,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/05 14:14:06 | 000,659,818 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/07/05 14:14:06 | 000,120,714 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/07/05 14:12:00 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/05 14:10:00 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/05 14:07:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/05 14:07:42 | 2385,211,392 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/05 12:56:32 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\matthew.scofield\Desktop\OTL.exe
[2012/07/05 00:05:33 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/07/04 17:24:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841Core.job
[2012/07/04 16:31:13 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2012/07/04 11:59:08 | 000,427,264 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/06/28 21:36:21 | 242,315,789 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/06/19 10:39:58 | 000,177,090 | ---- | M] () -- C:\Users\matthew.scofield\Documents\Scofield_Resume_W7.pdf
[2012/06/13 18:29:08 | 000,004,366 | RHS- | M] () -- C:\Users\matthew.scofield\ntuser.pol

========== Files Created - No Company Name ==========

[2012/07/04 23:39:00 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/07/04 23:39:00 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/07/04 23:39:00 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/07/04 23:39:00 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/07/04 23:39:00 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/07/04 16:31:13 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2012/07/04 15:02:11 | 000,000,906 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/04 15:02:10 | 000,000,902 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/28 21:36:21 | 242,315,789 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/06/19 10:39:57 | 000,177,090 | ---- | C] () -- C:\Users\matthew.scofield\Documents\Scofield_Resume_W7.pdf
[2012/05/13 07:45:43 | 000,000,095 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2012/03/12 03:31:42 | 000,007,605 | ---- | C] () -- C:\Users\matthew.scofield\AppData\Local\Resmon.ResmonCfg
[2012/02/24 19:55:08 | 000,000,032 | R--- | C] () -- C:\ProgramData\hash.dat
[2012/02/17 13:49:45 | 000,004,366 | RHS- | C] () -- C:\Users\matthew.scofield\ntuser.pol
[2012/02/16 14:36:05 | 000,074,160 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2012/02/07 17:23:59 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2012/02/07 15:01:06 | 000,000,234 | ---- | C] () -- C:\Windows\wininit.ini
[2011/12/06 06:34:10 | 000,667,280 | ---- | C] () -- C:\Windows\System32\tx12.dll
[2011/12/06 06:34:10 | 000,000,530 | ---- | C] () -- C:\Windows\System32\tx12_ic.ini
[2011/12/06 06:34:10 | 000,000,186 | ---- | C] () -- C:\Windows\System32\Gsw32.exe.config
[2011/06/10 07:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2011/02/11 20:10:52 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2011/02/11 20:10:50 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2011/02/11 20:10:50 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2011/02/11 19:40:40 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2011/02/11 19:38:44 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2011/02/11 16:23:34 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll

========== LOP Check ==========

[2012/04/13 18:20:29 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\.purple
[2012/04/05 15:38:34 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Audacity
[2012/07/04 12:07:58 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Epyk
[2012/07/04 12:44:31 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Izbeu
[2012/04/11 16:52:54 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Notepad++
[2012/07/05 14:15:28 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Spotify
[2012/03/03 15:15:43 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\StreamTorrent
[2012/02/24 19:52:09 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Three Rings Design
[2012/07/03 22:42:16 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Ugigas
[2012/02/22 21:25:22 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Unity
[2009/07/13 23:53:46 | 000,008,840 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:15B79D44
< End of report >

Matt99 · Jul 5, 2012

EXTRAS.TXT
OTL Extras logfile created on: 7/5/2012 2:14:11 PM - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\matthew.scofield\Desktop
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 1.87 Gb Available Physical Memory | 63.23% Memory free
5.92 Gb Paging File | 4.72 Gb Available in Paging File | 79.66% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 190.80 Gb Free Space | 81.93% Space Free | Partition Type: NTFS
Drive E: | 1.89 Gb Total Space | 1.88 Gb Free Space | 99.15% Space Free | Partition Type: FAT32

Computer Name: AUSTIN-181 | User Name: matthew.scofield | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Classes\<extension>]
.html [@ = Notepad++_file] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 0
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\360training\LCMSClient\LCMS.UI.exe:*:enabled:LCMS" = C:\Program Files\360training\LCMSClient\LCMS.UI.exe:*:enabled:LCMS
"c:\Program Files\Bold Software\operatorclient.exe:*:enabled:Bold Chat" = c:\Program Files\Bold Software\operatorclient.exe:*:enabled:Bold Chat -- (Bold Software, LLC)
"C:\Program Files\DameWare Development\DameWare NT Utilities\DWRCC.exe:*:enabled

ameWare" = C:\Program Files\DameWare Development\DameWare NT Utilities\DWRCC.exe:*:enabled

ameWare
"C:\Program Files\Glance25\Glance.exe:*:enabled:Glance" = C:\Program Files\Glance25\Glance.exe:*:enabled:Glance
"C:\program files\microsoft office\office14\outlook.exe:*:enabled: Outlook 2010" = C:\program files\microsoft office\office14\outlook.exe:*:enabled: Outlook 2010
"C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\ssms.exe:*:enabled:SQL Management Studio" = C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\ssms.exe:*:enabled:SQL Management Studio
"C:\Program Files\Nortel Networks\i2050SoftwarePhone\i2050.exe:*:enabled:Soft Phone" = C:\Program Files\Nortel Networks\i2050SoftwarePhone\i2050.exe:*:enabled:Soft Phone
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NBNmSrvc.exe:*:enabled:NBNMSRVC" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NBNmSrvc.exe:*:enabled:NBNMSRVC
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\ngen.exe:*:enabled:Symposium Ngen" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\ngen.exe:*:enabled:Symposium Ngen
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICAGSSM.exe:*:enabled:Symposium - Call Center Ops - Agent Skillset Assignment Matrix" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICAGSSM.exe:*:enabled:Symposium - Call Center Ops - Agent Skillset Assignment Matrix
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcapr.exe:*:enabled:Symposium Agent Call Presentation Class" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcapr.exe:*:enabled:Symposium Agent Call Presentation Class
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicgcer.exe:*:enabled:NICLT_CLNICGCER" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicgcer.exe:*:enabled:NICLT_CLNICGCER
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgmprs.exe:*:enabled:SSCC Import" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgmprs.exe:*:enabled:SSCC Import
"C:\program files\nortel networks\symposium express call center\client\en\bin\nicgrdsp.exe:*:enabled:Symposium Real Time Display (GP)" = C:\program files\nortel networks\symposium express call center\client\en\bin\nicgrdsp.exe:*:enabled:Symposium Real Time Display (GP)
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicm1ac.exe:*:enabled:Symposium Configuration - Activity Codes" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicm1ac.exe:*:enabled:Symposium Configuration - Activity Codes
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRPTOM.exe:*:enabled:Symposium - Call Center Ops - Report Manager" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRPTOM.exe:*:enabled:Symposium - Call Center Ops - Report Manager
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTDSP.exe:*:enabled:Symposium - Call Center Ops - Real Time Display" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTDSP.exe:*:enabled:Symposium - Call Center Ops - Real Time Display
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTMGR.exe:*:enabled:Symposium - Call Center Ops - Real Time Display Manager" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTMGR.exe:*:enabled:Symposium - Call Center Ops - Real Time Display Manager
"c:\Program Files\Nortel\GRTD\grtd.exe:*:enabled:GRTD" = c:\Program Files\Nortel\GRTD\grtd.exe:*:enabled:GRTD
"C:\Program Files\Nortel\IP Softphone 2050\i2050.exe:*:enabled:Soft Phone" = C:\Program Files\Nortel\IP Softphone 2050\i2050.exe:*:enabled:Soft Phone
"c:\Program Files\Pidgin\pidgin.exe:*:enabled

idgin" = c:\Program Files\Pidgin\pidgin.exe:*:enabled

idgin -- (The Pidgin developer community)
"C:\Program Files\Spark\Spark.exe:*:enabled:Spark" = C:\Program Files\Spark\Spark.exe:*:enabled:Spark
"C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe:*:enabled:SVN" = C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe:*:enabled:SVN
"C:\Windows\System32\dwrcs.exe:*:Enabled

amware client" = C:\Windows\System32\dwrcs.exe:*:Enabled

amware client

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"135:TCP:*:Enable port for Spiceworks" = 135:TCP:*:Enable port for Spiceworks
"445:TCP:*:Enable port for Spiceworks" = 445:TCP:*:Enable port for Spiceworks
"137:UDP:*:enabled

roduction-Name Services" = 137:UDP:*:enabled

roduction-Name Services
"138:UDP:*:enabled

roduction-Datagram Services" = 138:UDP:*:enabled

roduction-Datagram Services
"139::TCP:*:enabled

roduction-Session Services" = 139::TCP:*:enabled

roduction-Session Services
"1433:TCP:*:enabled:MS SQL server" = 1433:TCP:*:enabled:MS SQL server
"1723:TCP:enabled:VPN Server" = 1723:TCP:enabled:VPN Server
"20:TCP:*:enabled:FTP" = 20:TCP:*:enabled:FTP
"21:TCP:*:enabled:FTP" = 21:TCP:*:enabled:FTP
"22:TCP:enabled:SSH" = 22:TCP:enabled:SSH
"3000:TCP:*:enabled:Nortel Meridian Link Services (MLS)" = 3000:TCP:*:enabled:Nortel Meridian Link Services (MLS)
"3306:TCP:enabled

atabase Server" = 3306:TCP:enabled

atabase Server
"3307:TCP:enabled

atabase Server" = 3307:TCP:enabled

atabase Server
"443:TCP:*:enabled:HTTPS" = 443:TCP:*:enabled:HTTPS
"5000:TCP:*:enabled:Symposium Call Center Server Database" = 5000:TCP:*:enabled:Symposium Call Center Server Database
"50000:TCP:enabled

atabase Server" = 50000:TCP:enabled

atabase Server
"50000:UDP:enabled

atabase Server" = 50000:UDP:enabled

atabase Server
"5001:TCP:*:enabled:Symposium Call Center Server Database" = 5001:TCP:*:enabled:Symposium Call Center Server Database
"5002:TCP:*:enabled:Symposium Call Center Server Database" = 5002:TCP:*:enabled:Symposium Call Center Server Database
"5003:TCP:*:enabled:Symposium Call Center Server Database" = 5003:TCP:*:enabled:Symposium Call Center Server Database
"5222:TCP:*:enabled:Openfire Server" = 5222:TCP:*:enabled:Openfire Server
"5223:TCP:*:enabled:Spark" = 5223:TCP:*:enabled:Spark
"5938:TCP:*:enabled:teamviewer" = 5938:TCP:*:enabled:teamviewer
"80:TCP:*:enabled:Web Server" = 80:TCP:*:enabled:Web Server
"8080:TCP:*:enabled:Web Server" = 8080:TCP:*:enabled:Web Server
"81:TCP:*:enabled

roduction-Web Service Troubleshoot" = 81:TCP:*:enabled

roduction-Web Service Troubleshoot
"879:TCP:*:enabled:SVN Server" = 879:TCP:*:enabled:SVN Server
"879:UDP:*:enabled:SVN Server" = 879:UDP:*:enabled:SVN Server

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 0
"AllowRedirect" = 0
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = 10.0.0.112

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 0
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\360training\LCMSClient\LCMS.UI.exe:*:enabled:LCMS" = C:\Program Files\360training\LCMSClient\LCMS.UI.exe:*:enabled:LCMS
"C:\Program Files\Bold Software\operatorclient.exe:*:enabled:Bold Chat" = C:\Program Files\Bold Software\operatorclient.exe:*:enabled:Bold Chat -- (Bold Software, LLC)
"C:\Program Files\DameWare Development\DameWare NT Utilities\DWRCC.exe:*:enabled

ameWare" = C:\Program Files\DameWare Development\DameWare NT Utilities\DWRCC.exe:*:enabled

ameWare
"C:\Program Files\Glance25\Glance.exe:*:enabled:Glance" = C:\Program Files\Glance25\Glance.exe:*:enabled:Glance
"C:\program files\microsoft office\office14\outlook.exe:*:enabled: Outlook 2010" = C:\program files\microsoft office\office14\outlook.exe:*:enabled: Outlook 2010
"C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\ssms.exe:*:enabled:SQL Management Studio" = C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\ssms.exe:*:enabled:SQL Management Studio
"C:\Program Files\Nortel Networks\i2050SoftwarePhone\i2050.exe:*:enabled:Softphone" = C:\Program Files\Nortel Networks\i2050SoftwarePhone\i2050.exe:*:enabled:Softphone
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NBNmSrvc.exe:*:enabled:NBNMSRVC" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NBNmSrvc.exe:*:enabled:NBNMSRVC
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\ngen.exe:*:enabled:Symposium Ngen" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\ngen.exe:*:enabled:Symposium Ngen
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICAGSSM.exe:*:enabled:Symposium – Call Center Ops – Agent Skillset Assignment Matrix" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICAGSSM.exe:*:enabled:Symposium – Call Center Ops – Agent Skillset Assignment Matrix
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcapr.exe:*:enabled:Symposium Agent Call Presentation Class" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcapr.exe:*:enabled:Symposium Agent Call Presentation Class
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcer.exe:*:enabled:NICLT_CLNICGCER" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcer.exe:*:enabled:NICLT_CLNICGCER
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgmprs.exe:*:enabled:SSCC Import" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgmprs.exe:*:enabled:SSCC Import
"C:\program files\nortel networks\symposium express call center\client\en\bin\nicgrdsp.exe:*:enabled:Symposium Real Time Display (GP)" = C:\program files\nortel networks\symposium express call center\client\en\bin\nicgrdsp.exe:*:enabled:Symposium Real Time Display (GP)
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicm1ac.exe:*:enabled:Symposium Configuration - Activity Codes" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicm1ac.exe:*:enabled:Symposium Configuration - Activity Codes
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRPTOM.exe:*:enabled:Symposium - Call Center Ops - Report Manager" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRPTOM.exe:*:enabled:Symposium - Call Center Ops - Report Manager
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTDSP.exe:*:enabled:Symposium - Call Center Ops - Real Time Display" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTDSP.exe:*:enabled:Symposium - Call Center Ops - Real Time Display
"C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTMGR.exe:*:enabled:Symposium - Call Center Ops - Real Time Display Manager" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTMGR.exe:*:enabled:Symposium - Call Center Ops - Real Time Display Manager
"C:\Program Files\Nortel\GRTD\grtd.exe:*:enabled:GRTD" = C:\Program Files\Nortel\GRTD\grtd.exe:*:enabled:GRTD
"C:\Program Files\Nortel\IP Softphone 2050\i2050.exe:*:enabled:Softphone" = C:\Program Files\Nortel\IP Softphone 2050\i2050.exe:*:enabled:Softphone
"C:\Program Files\Pidgin\pidgin.exe:*:enabled

idgin" = C:\Program Files\Pidgin\pidgin.exe:*:enabled

idgin -- (The Pidgin developer community)
"C:\Program Files\Spark\Spark.exe:*:enabled:Spark" = C:\Program Files\Spark\Spark.exe:*:enabled:Spark
"C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe:*:enabled:SVN" = C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe:*:enabled:SVN
"C:\Windows\System32\dwrcs.exe:*:Enabled

amware client" = C:\Windows\System32\dwrcs.exe:*:Enabled

amware client

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List]
"135:TCP:*:Enable port for Spiceworks" = 135:TCP:*:Enable port for Spiceworks
"445:TCP:*:Enable port for Spiceworks" = 445:TCP:*:Enable port for Spiceworks
"137:UDP:*:enabled

roduction-Name Services" = 137:UDP:*:enabled

roduction-Name Services
"138:UDP:*:enabled

roduction-Name Services" = 138:UDP:*:enabled

roduction-Name Services
"139:UDP:*:enabled

roduction-Name Services" = 139:UDP:*:enabled

roduction-Name Services
"1433:TCP:*:enabled:Microsoft SQL Server" = 1433:TCP:*:enabled:Microsoft SQL Server
"1723:TCP:enabled:VPN Server" = 1723:TCP:enabled:VPN Server
"20:TCP:*:enabled:FTP" = 20:TCP:*:enabled:FTP
"21:TCP:*:enabled:FTP" = 21:TCP:*:enabled:FTP
"22:TCP:*:enabled:SSH" = 22:TCP:*:enabled:SSH
"3000:TCP:*:enabled:Nortel Meridian Link Services (MLS)" = 3000:TCP:*:enabled:Nortel Meridian Link Services (MLS)
"3306:TCP:*:enabled

atabase Server" = 3306:TCP:*:enabled

atabase Server
"3307:TCP:*:enabled

atabase Server" = 3307:TCP:*:enabled

atabase Server
"443:TCP:*:enabled:HTTPS" = 443:TCP:*:enabled:HTTPS
"5000:TCP:*:enabled:Symposium Call Center Server Database" = 5000:TCP:*:enabled:Symposium Call Center Server Database
"50000:TCP:enabled

atabase Server" = 50000:TCP:enabled

atabase Server
"50000:UDP:enabled

atabase Server" = 50000:UDP:enabled

atabase Server
"5001:TCP:*:enabled:Symposium Call Center Server Database" = 5001:TCP:*:enabled:Symposium Call Center Server Database
"5002:TCP:*:enabled:Symposium Call Center Server Database" = 5002:TCP:*:enabled:Symposium Call Center Server Database
"5003:TCP:*:enabled:Symposium Call Center Server Database" = 5003:TCP:*:enabled:Symposium Call Center Server Database
"5222:TCP:enabled:Openfire Server" = 5222:TCP:enabled:Openfire Server
"5223:TCP:*:enabled:Spark" = 5223:TCP:*:enabled:Spark
"5938:TCP:*:enabled:teamviewer" = 5938:TCP:*:enabled:teamviewer
"80:TCP:*:enabled:Web Server" = 80:TCP:*:enabled:Web Server
"8080:TCP:*:enabled:Web Server" = 8080:TCP:*:enabled:Web Server
"81:TCP:*:enabled

roduction-Web Service Troubleshoot" = 81:TCP:*:enabled

roduction-Web Service Troubleshoot
"879:TCP:*:enabled:SVN Server" = 879:TCP:*:enabled:SVN Server
"879:UDP:*:enabled:SVN Server" = 879:UDP:*:enabled:SVN Server

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 0
"AllowRedirect" = 0
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = 10.0.0.112

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"TCP Query User{DBC9C6DD-4DED-4C8C-B9F3-329A89128501}C:\users\matthew.scofield\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\matthew.scofield\appdata\roaming\spotify\spotify.exe |
"UDP Query User{7755449C-50BE-4936-9144-CE1ADF926708}C:\users\matthew.scofield\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\matthew.scofield\appdata\roaming\spotify\spotify.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{077AA014-B568-4FF8-B360-9ACE1A1F4571}" = CLEAR Connection Manager
"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2181214D-1954-4C60-91FD-EEA7EBB32022}" = QuickBooks Premier: Accountant Edition 2012
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{25E202D1-D8E7-46AF-B4B0-157D9993A93E}" = QuickBooks
"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 33
"{2BD5C305-1B27-4D41-B690-7A61172D2FEB}" = Macromedia Flash 8
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B9535BF-CC90-4158-AF32-CAF57A8820CA}" = Macromedia Contribute 3.11
"{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}" = Macromedia Fireworks 8
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}" = Macromedia Flash 8 Video Encoder
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00B0-0409-0000-0000000FF1CE}" = Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91057632-CA70-413C-B628-2D3CDBBB906B}" = Macromedia Flash Player 8 Plugin
"{92D194E7-AEF9-4A9E-8620-8F3AE712E3F7}" = Snagit 10.0.2
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{975C3A93-2491-3D44-A071-F6CBF153E46D}" = Google Talk Plugin
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA241315-157C-420F-B168-15055DCFA40D}" = Bold Software v7.10
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{D02EDDE7-B5C5-40A2-AF57-73A3278F4EEB}" = ESET NOD32 Antivirus
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Audacity_is1" = Audacity 2.0
"DivX Setup" = DivX Setup
"Easy CD-DA Extractor 16" = Easy CD-DA Extractor 16
"ExamDiff_is1" = ExamDiff 1.9 (Build 1.9.0.0)
"Freemake Video Downloader_is1" = Freemake Video Downloader
"Glance_is1" = Glance 2.6
"LAME_is1" = LAME v3.99.3 (for Windows)
"Loki ActiveX Control" = Loki ActiveX Control
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Microsoft Visual Studio 2005 Tools for Office Runtime
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Notepad++" = Notepad++
"Pidgin" = Pidgin
"PROPLUS" = Microsoft Office Professional Plus 2007
"Steam App 8930" = Sid Meier's Civilization V
"WinPcapInst" = WinPcap 4.1.2

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Puzzle Pirates" = Puzzle Pirates
"Spotify" = Spotify
"UnityWebPlayer" = Unity Web Player

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/4/2012 7:58:06 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 7/4/2012 8:07:45 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 7/4/2012 8:55:41 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 7/4/2012 9:04:43 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 7/4/2012 10:12:49 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 7/5/2012 2:09:01 AM | Computer Name = AUSTIN-181.austin.360training.com | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Clearwire\Connection
Manager\OemDriverManager64.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 7/5/2012 1:32:58 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Application Error | ID = 1000
Description = Faulting application name: Snagit32.exe, version: 10.0.2.21, time
stamp: 0x4eb943d4 Faulting module name: Snagit32.exe, version: 10.0.2.21, time stamp:
0x4eb943d4 Exception code: 0xc0000005 Fault offset: 0x000d5992 Faulting process id:
0x824 Faulting application start time: 0x01cd5a6e994e0645 Faulting application path:
C:\Program Files\TechSmith\Snagit 10\Snagit32.exe Faulting module path: C:\Program
Files\TechSmith\Snagit 10\Snagit32.exe Report Id: 75b8c625-c6c7-11e1-be3e-0024e8de82bd

Error - 7/5/2012 1:33:04 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Application Error | ID = 1000
Description = Faulting application name: Snagit32.exe, version: 10.0.2.21, time
stamp: 0x4eb943d4 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
stamp: 0x4ec49b60 Exception code: 0xc0150010 Fault offset: 0x00083fbe Faulting process
id: 0x824 Faulting application start time: 0x01cd5a6e994e0645 Faulting application
path: C:\Program Files\TechSmith\Snagit 10\Snagit32.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: 7932b7ad-c6c7-11e1-be3e-0024e8de82bd

Error - 7/5/2012 2:10:16 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 7/5/2012 2:10:21 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

[ System Events ]
Error - 7/5/2012 1:58:03 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 7/5/2012 1:58:03 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 7/5/2012 1:58:04 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 7/5/2012 3:07:53 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
in domain AUSTIN due to the following: %%1311 This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem persists,
please
contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
for the specified domain, it sets up the secure session to the primary domain controller
emulator in the specified domain. Otherwise, this computer sets up the secure session
to any domain controller in the specified domain.

Error - 7/5/2012 3:08:17 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-GroupPolicy | ID = 1129
Description = The processing of Group Policy failed because of lack of network connectivity
to a domain controller. This may be a transient condition. A success message would
be generated once the machine gets connected to the domain controller and Group
Policy has succesfully processed. If you do not see a success message for several
hours, then contact your administrator.

Error - 7/5/2012 3:10:03 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-GroupPolicy | ID = 1129
Description = The processing of Group Policy failed because of lack of network connectivity
to a domain controller. This may be a transient condition. A success message would
be generated once the machine gets connected to the domain controller and Group
Policy has succesfully processed. If you do not see a success message for several
hours, then contact your administrator.

Error - 7/5/2012 3:11:39 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 7/5/2012 3:11:40 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 7/5/2012 3:11:40 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 7/5/2012 3:11:41 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

< End of report >

Broni · Jul 5, 2012

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:

:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.0.0.1:8080
O15 - HKLM\..Trusted Domains: 360training.com ([aus-sharept-1.austin] http in Trusted sites)
O15 - HKLM\..Trusted Domains: 360training.com ([crm] http in Trusted sites)
O15 - HKLM\..Trusted Domains: 360training.com ([sharepoint] http in Trusted sites)
O15 - HKLM\..Trusted Domains: 360training.com ([sharepoint.austin] http in Trusted sites)
O15 - HKLM\..Trusted Domains: 360training.com ([webmail] https in Trusted sites)
O15 - HKLM\..Trusted Domains: aus-sharept-1 ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: crm ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([aus-sharept-1.austin] http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([crm] http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([sharepoint] http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([sharepoint.austin] http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([webmail] https in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: aus-sharept-1 ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: crm ([]http in Trusted sites)
[2012/07/04 12:07:58 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Epyk
[2012/07/04 12:44:31 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Izbeu
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:15B79D44

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
You will get a log that shows the results of the fix. Please post it.

=================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.

Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

3. Download Temp File Cleaner (TFC)

Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

4. Please, run F-Secure Online Scanner

Disable your Antivirus program.
Checkmark I have read and accepted the license terms.
Click on Run Check button.
Quick scan (recommended) option will come pre-checked. Don't change it.
Click on Start button.
When scan is done, in Step 3: Clean the files, leave all settings as they're.
Click Next button.
Click Full report... button.
Copy report's content and paste it into your next reply.

Matt99 · Jul 6, 2012

Okay here's what OTL log looks like:

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
The security check program just opened then closed real quick, each time I ran it, no log was produced.
FSS log:
Farbar Service Scanner Version: 02-07-2012
Ran by matthew.scofield (administrator) on 06-07-2012 at 14:03:39
Running from "C:\Users\matthew.scofield\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
Fsecure:
[FONT=verdana][FONT=Arial]2 malware found[/FONT][/FONT]

[FONT=verdana]TrackingCookie.2o7[/FONT][FONT=verdana] (spyware)[/FONT]

System (Disinfected)

[FONT=verdana]TrackingCookie.Atdmt[/FONT][FONT=verdana] (spyware)[/FONT]

System (Disinfected)

[FONT=verdana][/FONT]
[FONT=verdana][FONT=Arial]Statistics[/FONT][/FONT]

[FONT=verdana]Scanned:[/FONT]

Files: 4207
System: 4207
Not scanned: 0

[FONT=verdana]Actions:[/FONT]

Disinfected: 2
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0

[FONT=verdana][/FONT]
[FONT=verdana][FONT=Arial]Options[/FONT][/FONT]

[FONT=verdana]Scanning engines:[/FONT]

Broni · Jul 6, 2012

OTL fix log is incorrect.
Please redo.

Matt99 · Jul 6, 2012

Here ya go. Everything good?

All processes killed
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\aus-sharept-1.austin\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\crm\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\sharepoint\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\sharepoint.austin\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\webmail\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aus-sharept-1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crm\ not found.
Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\aus-sharept-1.austin\ not found.
Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\crm\ not found.
Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\sharepoint\ not found.
Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\sharepoint.austin\ not found.
Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\webmail\ not found.
Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aus-sharept-1\ not found.
Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crm\ not found.
Folder C:\Users\matthew.scofield\AppData\Roaming\Epyk\ not found.
Folder C:\Users\matthew.scofield\AppData\Roaming\Izbeu\ not found.
Unable to delete ADS C:\ProgramData\TEMP:15B79D44 .
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: matthew.scofield
->Temp folder emptied: 491333464 bytes
->Temporary Internet Files folder emptied: 77731262 bytes
->Java cache emptied: 29631 bytes
->FireFox cache emptied: 20288299 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 2521 bytes

User: Public
->Temp folder emptied: 0 bytes

User: ronnie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: suzie.sands
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3224 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1637064 bytes

Total Files Cleaned = 564.00 mb

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: matthew.scofield
->Java cache emptied: 0 bytes

User: Public

User: ronnie
->Java cache emptied: 0 bytes

User: suzie.sands

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: matthew.scofield
->Flash cache emptied: 0 bytes

User: Public

User: ronnie
->Flash cache emptied: 0 bytes

User: suzie.sands

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.53.1 log created on 07062012_200533
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...

Broni · Jul 6, 2012

I still need Security Check log.

Matt99 · Jul 6, 2012

It ran this time, here you go. Look good?

Results of screen317's Security Check version 0.99.24
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET NOD32 Antivirus
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 33
Adobe Flash Player 11.3.300.262
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````

Broni · Jul 6, 2012

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

Double-click OTL.exe to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

Matt99 · Jul 8, 2012

Here is the final log, it seems all is good. Thank you very much for your help, I'll be happy to make a donation shortly, thanks alot Broni.

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: matthew.scofield
->Temp folder emptied: 116884 bytes
->Temporary Internet Files folder emptied: 238790497 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 6629 bytes

User: Public
->Temp folder emptied: 0 bytes

User: ronnie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: suzie.sands
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5944 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 595968 bytes

Total Files Cleaned = 228.00 mb

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: matthew.scofield
->Flash cache emptied: 0 bytes

User: Public

User: ronnie
->Flash cache emptied: 0 bytes

User: suzie.sands

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: matthew.scofield
->Java cache emptied: 0 bytes

User: Public

User: ronnie
->Java cache emptied: 0 bytes

User: suzie.sands

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.53.1 log created on 07082012_140646
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...

Broni · Jul 8, 2012

Way to go!!
Good luck and stay safe

Solved Sirefef.fc virus can't be deleted, need help removing

Posts: 12 +0

Posts: 56,041 +516

Posts: 12 +0

Posts: 56,041 +516

Posts: 12 +0

Posts: 12 +0

Posts: 56,041 +516

Posts: 12 +0

Posts: 56,041 +516

Attachments

Posts: 12 +0

Posts: 56,041 +516

Posts: 12 +0

Posts: 12 +0

Posts: 56,041 +516

Posts: 12 +0

Posts: 56,041 +516

Posts: 12 +0

Posts: 56,041 +516

Posts: 12 +0

Posts: 56,041 +516

Posts: 12 +0

Posts: 56,041 +516

Similar threads