TechSpot

Sirefef.fc virus can't be deleted, need help removing

Solved
By Matt99
Jul 4, 2012
  1. I have Windows 7, 32 bit, and ESET NOD32 antivirus. ESET keeps detecting Sirefef.fc but only gives the option to delete or take no action, and when I try to delete it says it can't. I downloaded the Sirefef virus removal tool from the ESET website, but it said it couldn't detect the virus, yet I still get the message.

    Its similar to this thread http://www.techspot.com/community/topics/sirefef-possibly-related-to-flash-installer-virus.182469/

    I would appreciate any help. I'm available all day; let me know if you have PayPal.
     
  2. Broni


    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================

    For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For 64-bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter.
      Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  3. Matt99


    Thanks, I didn't see Advanced Boot Options, so I just did Safe Mode with Command Prompt; I hope that will be fine. Here is the file:

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 04-07-2012 02
    Ran by matthew.scofield at 04-07-2012 16:43:20
    Running from E:\
    Service Pack 1 (X86) OS Language: English(US)
    Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

    ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


    ============ One Month Created Files and Folders ==============

    2012-07-04 16:43 - 2012-07-04 16:43 - 00000000 ____D C:\FRST
    2012-07-04 16:31 - 2012-07-04 16:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
    2012-07-04 15:02 - 2012-07-04 16:12 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-04 15:02 - 2012-07-04 15:12 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-04 15:02 - 2012-07-04 15:02 - 00000000 ____D C:\Users\All Users\Google
    2012-07-04 15:02 - 2012-07-04 15:02 - 00000000 ____D C:\Program Files\Google
    2012-07-03 23:00 - 2012-07-03 23:00 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-03 22:42 - 2012-07-04 12:44 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Izbeu
    2012-07-03 22:42 - 2012-07-04 12:07 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Epyk
    2012-07-03 22:42 - 2012-07-03 22:42 - 00143360 __ASH (DT Soft Ltd) C:\Users\matthew.scofield\AppData\Roaming\btustc.dll
    2012-07-03 22:42 - 2012-07-03 22:42 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Ugigas
    2012-07-03 22:42 - 2012-07-03 22:42 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\ESET
    2012-06-30 14:19 - 2012-06-30 14:19 - 00000000 ____D C:\Users\matthew.scofield\Documents\WebLearning
    2012-06-30 13:17 - 2012-06-30 13:17 - 00000000 ____D C:\Windows\Downloaded Installations
    2012-06-30 13:17 - 2012-06-30 13:17 - 00000000 ____D C:\Program Files\Common Files\Macromedia Shared
    2012-06-30 13:14 - 2012-06-30 13:14 - 00000000 ____D C:\Windows\System32\QuickTime
    2012-06-30 13:10 - 2012-06-30 13:18 - 00000000 ____D C:\Program Files\Macromedia
    2012-06-30 13:10 - 2012-06-30 13:14 - 00000000 ____D C:\Users\All Users\Macromedia
    2012-06-30 13:10 - 2012-06-30 13:13 - 00000000 ____D C:\Program Files\Common Files\Macromedia
    2012-06-28 21:36 - 2012-06-28 21:36 - 242315789 ____A C:\Windows\MEMORY.DMP
    2012-06-28 21:36 - 2012-06-28 21:36 - 00146064 ____A C:\Windows\Minidump\062812-20342-01.dmp
    2012-06-28 21:36 - 2012-06-28 21:36 - 00000000 ____D C:\Windows\Minidump
    2012-06-28 14:52 - 2012-06-30 13:17 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\Macromedia
    2012-06-25 12:49 - 2012-07-04 14:36 - 00000000 ____A C:\sniffer.log
    2012-06-25 12:49 - 2012-06-25 12:51 - 00000000 ____D C:\Users\matthew.scofield\Documents\Freemake
    2012-06-25 12:49 - 2012-06-25 12:50 - 00000000 ____D C:\Users\All Users\Freemake
    2012-06-25 12:49 - 2012-06-25 12:49 - 00000000 ____D C:\Program Files\WinPcap
    2012-06-25 12:49 - 2012-06-25 12:49 - 00000000 ____D C:\Program Files\Freemake
    2012-06-19 08:53 - 2012-07-04 16:30 - 00006814 ____A C:\Users\matthew.scofield\Documents\td.txt
    2012-06-10 16:15 - 2012-06-10 16:15 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\Intuit
    2012-06-06 20:10 - 2012-06-06 20:10 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$Budget (version 1).xlsx
    2012-06-05 19:24 - 2012-06-07 18:30 - 00001533 ____A C:\Users\matthew.scofield\Documents\32.txt
    2012-06-05 00:41 - 2012-07-04 11:42 - 00013818 ____A C:\Users\matthew.scofield\Documents\Budget (version 1).xlsx

    ============ 3 Months Modified Files ========================

    2012-07-04 16:41 - 2012-02-16 13:33 - 00007148 ____A C:\Windows\PFRO.log
    2012-07-04 16:31 - 2012-07-04 16:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
    2012-07-04 16:31 - 2009-07-13 23:39 - 00022235 ____A C:\Windows\setupact.log
    2012-07-04 16:30 - 2012-06-19 08:53 - 00006814 ____A C:\Users\matthew.scofield\Documents\td.txt
    2012-07-04 16:24 - 2012-03-05 22:31 - 00000952 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841UA.job
    2012-07-04 16:15 - 2012-02-16 14:30 - 00000544 ____A C:\Windows\System32\config\netlogon.ftl
    2012-07-04 16:12 - 2012-07-04 15:02 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-04 15:12 - 2012-07-04 15:02 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-04 15:11 - 2009-07-13 23:34 - 00018304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-04 15:11 - 2009-07-13 23:34 - 00018304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-04 14:43 - 2012-02-06 17:02 - 00777976 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-04 14:40 - 2012-02-06 17:01 - 01604020 ____A C:\Windows\WindowsUpdate.log
    2012-07-04 14:36 - 2012-06-25 12:49 - 00000000 ____A C:\sniffer.log
    2012-07-04 14:36 - 2009-07-13 23:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-04 11:59 - 2009-07-13 23:33 - 00427264 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-04 11:42 - 2012-06-05 00:41 - 00013818 ____A C:\Users\matthew.scofield\Documents\Budget (version 1).xlsx
    2012-07-04 11:42 - 2012-05-22 10:38 - 00010735 ____A C:\Users\matthew.scofield\Documents\DailyList.xlsx
    2012-07-03 22:42 - 2012-07-03 22:42 - 00143360 __ASH (DT Soft Ltd) C:\Users\matthew.scofield\AppData\Roaming\btustc.dll
    2012-07-03 17:24 - 2012-03-05 22:31 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841Core.job
    2012-07-03 17:10 - 2012-02-17 14:04 - 00113192 ____A C:\Users\matthew.scofield\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-06-28 23:55 - 2012-04-14 14:27 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-06-28 23:55 - 2012-02-06 17:12 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-06-28 21:36 - 2012-06-28 21:36 - 242315789 ____A C:\Windows\MEMORY.DMP
    2012-06-28 21:36 - 2012-06-28 21:36 - 00146064 ____A C:\Windows\Minidump\062812-20342-01.dmp
    2012-06-13 18:29 - 2012-02-17 13:49 - 00004366 _RASH C:\Users\matthew.scofield\ntuser.pol
    2012-06-07 18:30 - 2012-06-05 19:24 - 00001533 ____A C:\Users\matthew.scofield\Documents\32.txt
    2012-06-06 20:10 - 2012-06-06 20:10 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$Budget (version 1).xlsx
    2012-06-03 04:09 - 2012-05-31 00:42 - 00004024 ____A C:\Users\matthew.scofield\Documents\3n.txt
    2012-05-29 10:57 - 2012-02-16 14:36 - 00074160 _RASH C:\Users\All Users\ntuser.pol
    2012-05-22 10:38 - 2012-05-22 10:38 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$DailyList.xlsx
    2012-05-13 22:15 - 2012-05-13 22:14 - 10750868 ____A C:\Users\matthew.scofield\Downloads\Matt Pics.zip
    2012-05-13 07:56 - 2012-05-13 07:45 - 00000095 ____A C:\Windows\QBChanUtil_Trigger.ini
    2012-05-08 04:09 - 2012-05-08 04:09 - 00000497 ____A C:\Users\matthew.scofield\Documents\nownow.txt
    2012-04-19 20:26 - 2012-04-09 20:13 - 00012517 ____A C:\Users\matthew.scofield\Documents\Budget.xlsx
    2012-04-19 17:10 - 2012-04-19 17:00 - 17808134 ____A C:\Users\matthew.scofield\Downloads\gorillaz-spring in your step.m4a
    2012-04-18 18:58 - 2012-04-18 18:56 - 158686269 ____A C:\Users\matthew.scofield\Downloads\Wu Tang & Jimi Hendrix - Black Gold.zip
    2012-04-12 00:22 - 2012-03-02 17:30 - 00002013 ____A C:\Users\matthew.scofield\Documents\03022011_mtg.txt
    2012-04-11 20:30 - 2012-04-11 20:30 - 00057306 ____A C:\Users\matthew.scofield\Documents\360 Program Catalog_2012_without GI Bill v4512 (2).xlsx
    2012-04-09 15:44 - 2012-04-09 15:44 - 00020022 ____A C:\Users\matthew.scofield\Downloads\pomodoro11.gadget


    ZeroAccess:
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\@
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\L
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\00000001.@
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\80000000.@
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\800000cb.@

    ZeroAccess:
    C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}
    C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\@
    C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\L
    C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\U

    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ========================= Memory info ======================

    Percentage of memory in use: 17%
    Total physical RAM: 3032.96 MB
    Available physical RAM: 2490.96 MB
    Total Pagefile: 6064.2 MB
    Available Pagefile: 5548.95 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1932.07 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:232.88 GB) (Free:190.4 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: (UDISK) (Removable) (Total:1.89 GB) (Free:1.89 GB) FAT32

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 232 GB 9 MB
    Disk 1 Online 1944 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 232 GB 31 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 232 GB Healthy System (partition with boot components)

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1943 MB 192 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E UDISK FAT32 Removable 1943 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-06-28 22:06

    ======================= End Of Log ==========================
     
  4. Broni


    We can't cure this infection from within Windows.
    You have to boot to System Recovery Options.
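    The reason the Safe Mode log above is not good enough can be checked mechanically before anyone acts on an FRST log. The Python below is an added example written for this page; it is not FRST's own code and was not posted in the thread. It parses the log header and the "Bamital & volsnap Check" section, using sample text constructed from the headers and check sections of the two logs in this thread. Note that the services.exe mismatch appears in both runs, because it is the file's real hash; what changes when FRST runs as SYSTEM from the Recovery Environment is that the offline hives load and the infected binary is no longer the one running the system.

```python
"""Two checks to run on an FRST log before acting on it: did it come from the
Recovery Environment, and which of the core-binary integrity checks failed.

Added example for this page; not FRST's code and not from the thread. The
sample text below is constructed from the headers and the 'Bamital & volsnap
Check' sections of the two logs posted in this thread.
"""
from __future__ import annotations

import re

SAFE_MODE_LOG = """\
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 04-07-2012 02
Ran by matthew.scofield at 04-07-2012 16:43:20
Running from E:\\
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

ZeroAccess:
C:\\Windows\\Installer\\{584fa204-976f-4031-e729-45ca834ea882}
C:\\Windows\\Installer\\{584fa204-976f-4031-e729-45ca834ea882}\\U\\80000000.@

========================= Bamital & volsnap Check ============

C:\\Windows\\explorer.exe => MD5 is legit
C:\\Windows\\System32\\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\\Windows\\System32\\Drivers\\volsnap.sys => MD5 is legit
"""

RECOVERY_LOG = """\
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 04-07-2012 02
Ran by SYSTEM at 04-07-2012 21:33:01
Running from E:\\
The current controlset is ControlSet001

========================= Bamital & volsnap Check ============

C:\\Windows\\System32\\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\\Windows\\System32\\Drivers\\volsnap.sys => MD5 is legit
"""

RAN_BY = re.compile(r"^Ran by (\S+) at ", re.M)
NOT_RE_WARNING = "NOT RUN FROM RECOVERY ENVIRONMENT"
HIVE_ERROR = "Could not load system hive"
# A check line is either "<path> => MD5 is legit" or "<path> <md5> <tag> <==== ATTENTION".
INTEGRITY_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+) "
    r"(?:=> MD5 is legit|(?P<md5>[0-9A-Fa-f]{32}) (?P<tag>.*?) <==== ATTENTION)",
    re.M,
)


def ran_from_recovery(log: str) -> bool:
    """True only for a log produced from the Recovery Environment: FRST then
    runs as SYSTEM, loads the offline hives, and prints no 'not run from
    recovery environment' warning."""
    m = RAN_BY.search(log)
    if m is None or NOT_RE_WARNING in log or HIVE_ERROR in log:
        return False
    return m.group(1).upper() == "SYSTEM"


def failed_integrity_checks(log: str) -> list[tuple[str, str, str]]:
    """(path, md5, tag) for every core binary whose MD5 FRST did not recognise."""
    return [
        (m.group("path"), m.group("md5").upper(), m.group("tag").strip())
        for m in INTEGRITY_LINE.finditer(log)
        if m.group("md5")
    ]


def zeroaccess_paths(log: str) -> list[str]:
    """Paths FRST listed under a 'ZeroAccess:' header; the block ends at a blank line."""
    paths, in_block = [], False
    for line in log.splitlines():
        if line.strip() == "ZeroAccess:":
            in_block = True
        elif in_block and line.strip():
            paths.append(line.strip())
        else:
            in_block = False
    return paths


def triage(log: str) -> dict:
    return {
        "from_recovery_environment": ran_from_recovery(log),
        "failed_integrity_checks": failed_integrity_checks(log),
        "zeroaccess_paths": zeroaccess_paths(log),
    }


if __name__ == "__main__":
    for label, log in (("safe mode", SAFE_MODE_LOG), ("recovery", RECOVERY_LOG)):
        print(label, triage(log))
```

    Run it over a real FRST.txt by reading the file into a string and calling triage(); a log for which from_recovery_environment is False should be sent back for a re-run rather than used as the basis for a fix.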
     
  5. Matt99


    Okay, I will try once more; let me give it a crack now.
     
  6. Matt99


    Okay, I was able to get in there and ran it just like your instructions; here is the log. What's next? Thanks!

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 04-07-2012 02
    Ran by SYSTEM at 04-07-2012 21:33:01
    Running from E:\
    Windows 7 Professional (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [2215064 2010-08-12] (ESET)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [137752 2011-02-11] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2011-02-11] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [172568 2011-02-11] (Intel Corporation)
    HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [217088 2009-02-27] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [Clearwire Connection Manager] "C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe" -a [54608 2009-12-01] (ClearwireCM)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
    HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [2215768 2011-12-06] (Intuit Inc. All rights reserved.)
    HKU\matthew.scofield\...\Run: [Spotify] "C:\Users\matthew.scofield\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [7609560 2012-06-28] (Spotify Ltd)
    HKU\matthew.scofield\...\Run: [Google Update] "C:\Users\matthew.scofield\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-03-05] (Google Inc.)
    HKU\matthew.scofield\...\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent [1242448 2012-03-11] (Valve Corporation)
    HKU\matthew.scofield\...\Run: [Spotify Web Helper] "C:\Users\matthew.scofield\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1192664 2012-06-28] ()
    HKU\matthew.scofield\...\Run: [btustc] rundll32.exe "C:\Users\matthew.scofield\AppData\Roaming\btustc.dll",Rollback [143360 2012-07-03] (DT Soft Ltd)
    HKU\matthew.scofield\...\Run: [Noguuftiiw] C:\Users\matthew.scofield\AppData\Roaming\Epyk\tucyl.exe [x]
    HKU\matthew.scofield\...\Policies\system: [NoDispScrSavPage] 1
    HKU\ronnie\...\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [218032 2006-09-11] (Macrovision Corporation)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 10.0.1.1
    Tcpip\..\Interfaces\{2AA4A2F0-F535-4115-9367-E95401EC6A18}: [NameServer]10.0.0.247 10.0.1.100
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Glance.lnk
    ShortcutTarget: Glance.lnk -> C:\Program Files\Glance26\Glance.exe (Glance Networks, Inc.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk
    ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
    ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Inc.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Snagit 10.lnk
    ShortcutTarget: Snagit 10.lnk -> C:\Program Files\TechSmith\Snagit 10\Snagit32.exe (TechSmith Corporation)

    ================================ Services (Whitelisted) ==================

    3 CACLEARWIRE; "C:\Program Files\Clearwire\Connection Manager\ConAppsSvc.exe" /n "CACLEARWIRE" [124240 2009-11-09] (SmithMicro Inc.)
    3 CLEARWIRERcAppSvc; "C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe" /n "CLEARWIRERcAppSvc" [120144 2009-11-09] (SmithMicro Inc.)
    3 EhttpSrv; "C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe" [33584 2010-08-12] (ESET)
    2 ekrn; "C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe" [810144 2010-08-12] (ESET)
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 FreemakeVideoCapture; "C:\Program Files\Freemake\CaptureLib\CaptureLibService.exe" [8704 2012-06-18] (Microsoft)
    2 QBCFMonitorService; "C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [45056 2011-12-06] (Intuit)
    3 QBFCService; "C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [61440 2011-12-06] (Intuit Inc.)
    2 QBVSS; "C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe" [1248256 2011-12-06] (Intuit Inc.)
    2 SMSI Device Launch Service; "C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe" /n "SMSI Device Launch Service" [107856 2009-11-09] ()

    ========================== Drivers (Whitelisted) =============

    2 DLABMFSM; C:\Windows\System32\Drivers\DLABMFSM.SYS [37360 2007-07-23] (Roxio)
    2 DLABOIOM; C:\Windows\System32\Drivers\DLABOIOM.SYS [32848 2007-07-23] (Roxio)
    2 DLADResM; C:\Windows\System32\Drivers\DLADResM.SYS [9104 2007-07-23] (Roxio)
    2 DLAIFS_M; C:\Windows\System32\Drivers\DLAIFS_M.SYS [108752 2007-07-23] (Roxio)
    2 DLAOPIOM; C:\Windows\System32\Drivers\DLAOPIOM.SYS [27216 2007-07-23] (Roxio)
    2 DLAPoolM; C:\Windows\System32\Drivers\DLAPoolM.SYS [16304 2007-07-23] (Roxio)
    2 DLAUDFAM; C:\Windows\System32\Drivers\DLAUDFAM.SYS [93552 2007-07-23] (Roxio)
    2 DLAUDF_M; C:\Windows\System32\Drivers\DLAUDF_M.SYS [98448 2007-07-23] (Roxio)
    2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [136632 2010-07-29] (ESET)
    1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [115008 2010-07-29] (ESET)
    2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [96920 2010-07-29] (ESET)
    3 glancedrv; C:\Windows\System32\DRIVERS\glancedrv.sys [34080 2009-05-13] (Glance Networks, Inc)
    2 npf; C:\Windows\System32\drivers\npf.sys [35088 2011-02-11] (CACE Technologies, Inc.)
    3 PCTINDIS5; \??\C:\Windows\system32\PCTINDIS5.SYS [32408 2009-11-09] (Smith Micro Inc.)

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-04 13:43 - 2012-07-04 13:43 - 00000000 ____D C:\FRST
    2012-07-04 13:31 - 2012-07-04 13:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
    2012-07-04 12:02 - 2012-07-04 18:12 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-04 12:02 - 2012-07-04 14:08 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-04 12:02 - 2012-07-04 12:02 - 00000000 ____D C:\Users\All Users\Google
    2012-07-04 12:02 - 2012-07-04 12:02 - 00000000 ____D C:\Program Files\Google
    2012-07-03 20:00 - 2012-07-03 20:00 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-03 19:42 - 2012-07-04 09:44 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Izbeu
    2012-07-03 19:42 - 2012-07-04 09:07 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Epyk
    2012-07-03 19:42 - 2012-07-03 19:42 - 00143360 __ASH (DT Soft Ltd) C:\Users\matthew.scofield\AppData\Roaming\btustc.dll
    2012-07-03 19:42 - 2012-07-03 19:42 - 00000000 ____D C:\Users\matthew.scofield\AppData\Roaming\Ugigas
    2012-07-03 19:42 - 2012-07-03 19:42 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\ESET
    2012-06-30 11:19 - 2012-06-30 11:19 - 00000000 ____D C:\Users\matthew.scofield\Documents\WebLearning
    2012-06-30 10:17 - 2012-06-30 10:17 - 00000000 ____D C:\Windows\Downloaded Installations
    2012-06-30 10:17 - 2012-06-30 10:17 - 00000000 ____D C:\Program Files\Common Files\Macromedia Shared
    2012-06-30 10:14 - 2012-06-30 10:14 - 00000000 ____D C:\Windows\System32\QuickTime
    2012-06-30 10:10 - 2012-06-30 10:18 - 00000000 ____D C:\Program Files\Macromedia
    2012-06-30 10:10 - 2012-06-30 10:14 - 00000000 ____D C:\Users\All Users\Macromedia
    2012-06-30 10:10 - 2012-06-30 10:13 - 00000000 ____D C:\Program Files\Common Files\Macromedia
    2012-06-28 18:36 - 2012-06-28 18:36 - 242315789 ____A C:\Windows\MEMORY.DMP
    2012-06-28 18:36 - 2012-06-28 18:36 - 00146064 ____A C:\Windows\Minidump\062812-20342-01.dmp
    2012-06-28 18:36 - 2012-06-28 18:36 - 00000000 ____D C:\Windows\Minidump
    2012-06-28 11:52 - 2012-06-30 10:17 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\Macromedia
    2012-06-25 09:49 - 2012-07-04 13:54 - 00000000 ____A C:\sniffer.log
    2012-06-25 09:49 - 2012-06-25 09:51 - 00000000 ____D C:\Users\matthew.scofield\Documents\Freemake
    2012-06-25 09:49 - 2012-06-25 09:50 - 00000000 ____D C:\Users\All Users\Freemake
    2012-06-25 09:49 - 2012-06-25 09:49 - 00000000 ____D C:\Program Files\WinPcap
    2012-06-25 09:49 - 2012-06-25 09:49 - 00000000 ____D C:\Program Files\Freemake
    2012-06-19 05:53 - 2012-07-04 16:57 - 00006844 ____A C:\Users\matthew.scofield\Documents\td.txt
    2012-06-10 13:15 - 2012-06-10 13:15 - 00000000 ____D C:\Users\matthew.scofield\AppData\Local\Intuit
    2012-06-06 17:10 - 2012-06-06 17:10 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$Budget (version 1).xlsx
    2012-06-05 16:24 - 2012-06-07 15:30 - 00001533 ____A C:\Users\matthew.scofield\Documents\32.txt
    2012-06-04 21:41 - 2012-07-04 08:42 - 00013818 ____A C:\Users\matthew.scofield\Documents\Budget (version 1).xlsx

    ============ 3 Months Modified Files ========================

    2012-07-04 18:24 - 2012-03-05 19:31 - 00000952 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841UA.job
    2012-07-04 18:12 - 2012-07-04 12:02 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-04 16:57 - 2012-06-19 05:53 - 00006844 ____A C:\Users\matthew.scofield\Documents\td.txt
    2012-07-04 14:24 - 2012-03-05 19:31 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841Core.job
    2012-07-04 14:08 - 2012-07-04 12:02 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-04 14:01 - 2009-07-13 20:34 - 00018304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-04 14:01 - 2009-07-13 20:34 - 00018304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-04 13:58 - 2012-02-06 14:02 - 00777976 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-04 13:55 - 2012-02-06 14:01 - 01605078 ____A C:\Windows\WindowsUpdate.log
    2012-07-04 13:54 - 2012-06-25 09:49 - 00000000 ____A C:\sniffer.log
    2012-07-04 13:54 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-04 13:54 - 2009-07-13 20:39 - 00022291 ____A C:\Windows\setupact.log
    2012-07-04 13:41 - 2012-02-16 10:33 - 00007148 ____A C:\Windows\PFRO.log
    2012-07-04 13:31 - 2012-07-04 13:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
    2012-07-04 13:15 - 2012-02-16 11:30 - 00000544 ____A C:\Windows\System32\config\netlogon.ftl
    2012-07-04 08:59 - 2009-07-13 20:33 - 00427264 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-04 08:42 - 2012-06-04 21:41 - 00013818 ____A C:\Users\matthew.scofield\Documents\Budget (version 1).xlsx
    2012-07-04 08:42 - 2012-05-22 07:38 - 00010735 ____A C:\Users\matthew.scofield\Documents\DailyList.xlsx
    2012-07-03 19:42 - 2012-07-03 19:42 - 00143360 __ASH (DT Soft Ltd) C:\Users\matthew.scofield\AppData\Roaming\btustc.dll
    2012-07-03 14:10 - 2012-02-17 11:04 - 00113192 ____A C:\Users\matthew.scofield\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-06-28 20:55 - 2012-04-14 11:27 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-06-28 20:55 - 2012-02-06 14:12 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-06-28 18:36 - 2012-06-28 18:36 - 242315789 ____A C:\Windows\MEMORY.DMP
    2012-06-28 18:36 - 2012-06-28 18:36 - 00146064 ____A C:\Windows\Minidump\062812-20342-01.dmp
    2012-06-13 15:29 - 2012-02-17 10:49 - 00004366 _RASH C:\Users\matthew.scofield\ntuser.pol
    2012-06-07 15:30 - 2012-06-05 16:24 - 00001533 ____A C:\Users\matthew.scofield\Documents\32.txt
    2012-06-06 17:10 - 2012-06-06 17:10 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$Budget (version 1).xlsx
    2012-06-03 01:09 - 2012-05-30 21:42 - 00004024 ____A C:\Users\matthew.scofield\Documents\3n.txt
    2012-05-29 07:57 - 2012-02-16 11:36 - 00074160 _RASH C:\Users\All Users\ntuser.pol
    2012-05-22 07:38 - 2012-05-22 07:38 - 00000165 ___AH C:\Users\matthew.scofield\Documents\~$DailyList.xlsx
    2012-05-13 19:15 - 2012-05-13 19:14 - 10750868 ____A C:\Users\matthew.scofield\Downloads\Matt Pics.zip
    2012-05-13 04:56 - 2012-05-13 04:45 - 00000095 ____A C:\Windows\QBChanUtil_Trigger.ini
    2012-05-08 01:09 - 2012-05-08 01:09 - 00000497 ____A C:\Users\matthew.scofield\Documents\nownow.txt
    2012-04-19 17:26 - 2012-04-09 17:13 - 00012517 ____A C:\Users\matthew.scofield\Documents\Budget.xlsx
    2012-04-19 14:10 - 2012-04-19 14:00 - 17808134 ____A C:\Users\matthew.scofield\Downloads\gorillaz-spring in your step.m4a
    2012-04-18 15:58 - 2012-04-18 15:56 - 158686269 ____A C:\Users\matthew.scofield\Downloads\Wu Tang & Jimi Hendrix - Black Gold.zip
    2012-04-11 21:22 - 2012-03-02 14:30 - 00002013 ____A C:\Users\matthew.scofield\Documents\03022011_mtg.txt
    2012-04-11 17:30 - 2012-04-11 17:30 - 00057306 ____A C:\Users\matthew.scofield\Documents\360 Program Catalog_2012_without GI Bill v4512 (2).xlsx
    2012-04-09 12:44 - 2012-04-09 12:44 - 00020022 ____A C:\Users\matthew.scofield\Downloads\pomodoro11.gadget


    ZeroAccess:
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\@
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\L
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\00000001.@
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\80000000.@
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882}\U\800000cb.@

    ZeroAccess:
    C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}
    C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\@
    C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\L
    C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 21%
    Total physical RAM: 3032.96 MB
    Available physical RAM: 2382.98 MB
    Total Pagefile: 3031.23 MB
    Available Pagefile: 2387.45 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1965.62 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:232.88 GB) (Free:190.34 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: (UDISK) (Removable) (Total:1.89 GB) (Free:1.89 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 232 GB 9 MB
    Disk 1 Online 1944 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 232 GB 31 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 232 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1943 MB 192 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E UDISK FAT32 Removable 1943 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-06-28 19:06

    ======================= End Of Log ==========================
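The "ZeroAccess:" entries FRST flagged in the log above follow a fixed pattern: a GUID-named directory under Windows\Installer and under the profile's AppData\Local, each containing a bare "@" file, an "L" entry and a "U" folder whose payloads are 8-hex-digit ".@" files. The following script is an added example written for this thread; it is not part of FRST or of the original posts. It enumerates that layout. Script name Find-ZeroAccessDirs.ps1, the -Root and -User parameters, and the "two markers" threshold are assumptions of the example. Windows 7's own recovery environment has no PowerShell, so run it elevated on the live system, or point -Root at the volume after mounting the disk from another Windows machine (or from a WinPE image that has the PowerShell package added).

```powershell
# Added example, not from the thread or from FRST: enumerate the folder layout
# that FRST labelled "ZeroAccess" (GUID-named directory holding '@', 'L', 'U').
# Assumed script name: Find-ZeroAccessDirs.ps1
#   -Root : Windows volume to inspect (default: the running system's drive;
#           pass e.g. -Root D:\ for a disk mounted from another machine)
#   -User : profile name whose AppData\Local is checked
param(
    [string]$Root = $env:SystemDrive,
    [string]$User = $env:USERNAME
)

$guidDir = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'
$bases = @(
    (Join-Path $Root 'Windows\Installer'),
    (Join-Path $Root "Users\$User\AppData\Local")
)

foreach ($base in $bases) {
    if (-not (Test-Path -LiteralPath $base)) { continue }
    # -Force: the directories and the '@' file are hidden. SilentlyContinue:
    # the malware may put restrictive ACLs on these folders, which turns a
    # plain listing into access-denied errors on a live system.
    Get-ChildItem -LiteralPath $base -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $guidDir } |
        ForEach-Object {
            $dir = $_.FullName
            # Genuine Windows Installer cache folders are GUID-named too, but
            # they hold .msi/.msp/icon files, never a bare '@' file or 'U' folder.
            # Requiring two of the three markers keeps those out of the output.
            $markers = @('@', 'L', 'U' | Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) })
            if ($markers.Count -ge 2) {
                "SUSPECT: $dir  (markers: $($markers -join ', '))"
                Get-ChildItem -LiteralPath (Join-Path $dir 'U') -Force -ErrorAction SilentlyContinue |
                    ForEach-Object { "    U\$($_.Name)  $($_.Length) bytes  $($_.LastWriteTime)" }
            }
        }
}
```

On the machine in this thread the script would list the two {584fa204-976f-4031-e729-45ca834ea882} directories shown in the FRST log; after a fix that moves them away it should print nothing. An empty result from a live system is weaker evidence than an empty result from an offline volume, because a running rootkit can hide or deny access to its own files, which is the reason the thread runs FRST from the recovery environment rather than from the infected Windows.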
     
  7. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    In Vista or Windows 7: Boot to System Recovery Options and run FRST.
    In Windows XP: Please boot to UBCD and run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes to your reply.
     
  8. Matt99

    Matt99 TS Rookie Topic Starter

    Here you go. What's next? Thanks.

    Farbar Recovery Scan Tool Version: 04-07-2012 02
    Ran by SYSTEM at 2012-07-04 23:07:18
    Running from E:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===
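The search result above is the whole point of the exercise: the System32 copy of services.exe and the WinSxS component-store copy have the same size (259072 bytes) and the same timestamps, yet different MD5 values, because ZeroAccess patched the file in place and preserved its metadata. Only a hash comparison exposes that. The script below is an added example written for this thread, not FRST's code and not part of the original posts; it repeats FRST's check by hand for any protected binary. The script name Compare-SystemBinary.ps1, the helper names and the -Root/-Name parameters are assumptions of the example. As with the previous example, run it elevated on the live system or against a volume mounted from another Windows machine, since Windows 7's recovery environment does not ship PowerShell.

```powershell
# Added example, not the thread's own code: hash the live System32 binary and
# every copy of it in the WinSxS component store, and flag a live copy that
# matches none of them. Assumed script name: Compare-SystemBinary.ps1
#   -Root : Windows volume (default: the running system's drive)
#   -Name : binary to check (default: services.exe, as in this thread)
param(
    [string]$Root = $env:SystemDrive,
    [string]$Name = 'services.exe'
)

function Get-Md5Hex([string]$Path) {
    # .NET MD5 instead of Get-FileHash so this also runs on the PowerShell 2.0
    # that ships with Windows 7. MD5 is adequate here: the comparison is against
    # a local reference copy, not against an attacker-supplied hash.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $fs.Close() }
}

function Format-CopyLine([System.IO.FileInfo]$File, [string]$Hash, [string]$Tag) {
    # Same fields FRST prints: path, size, modified time, MD5
    '{0}  size={1}  modified={2:yyyy-MM-dd HH:mm}  md5={3}  {4}' -f $File.FullName, $File.Length, $File.LastWriteTime, $Hash, $Tag
}

$live     = Get-Item -LiteralPath (Join-Path $Root "Windows\System32\$Name")
$liveHash = Get-Md5Hex $live.FullName
Format-CopyLine $live $liveHash '(live)'

# Every servicing version of the binary lives under winsxs\<component>\ ;
# the recurse over winsxs takes a while on a well-patched machine.
$store   = Join-Path $Root 'Windows\winsxs'
$matched = $false
foreach ($copy in (Get-ChildItem -LiteralPath $store -Recurse -Filter $Name -ErrorAction SilentlyContinue)) {
    $h = Get-Md5Hex $copy.FullName
    if ($h -eq $liveHash) { $matched = $true; $tag = '== live' } else { $tag = '!= live' }
    Format-CopyLine $copy $h $tag
}

if (-not $matched) {
    Write-Warning "$Name in System32 matches no component-store copy. Size and timestamps are not evidence here: a file patched in place keeps both."
}
```

Read the output with two caveats. The store can hold several legitimate versions of a binary (RTM and Service Pack builds), so a live file that matches any store copy is a genuine Microsoft build, even if not the newest; a live file that matches none of them, as in this thread, is what FRST reported. The converse is also limited: a match says the file is a known Windows build, not that it is the correct version for the installed service pack, and the supported repair remains sfc /scannow once the system can boot cleanly. The FRST fix later in this thread does the manual equivalent of that repair by copying the WinSxS copy over System32\services.exe.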
     
  9. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     

  10. Matt99

    Matt99 TS Rookie Topic Starter

    Here they are:

    Fixlog:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-07-2012 02
    Ran by SYSTEM at 2012-07-04 23:25:26 Run:1
    Running from E:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
    C:\Windows\System32\consrv.dll not found.
    HKEY_USERS\matthew.scofield\Software\Microsoft\Windows\CurrentVersion\Run\\Noguuftiiw Value deleted successfully.
    C:\Windows\Installer\{584fa204-976f-4031-e729-45ca834ea882} moved successfully.
    C:\Users\matthew.scofield\AppData\Local\{584fa204-976f-4031-e729-45ca834ea882} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====

    Combofix:

    ComboFix 12-07-05.01 - matthew.scofield 07/04/2012 23:41:07.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3033.1993 [GMT -5:00]
    Running from: E:\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\matthew.scofield\AppData\Local\assembly\tmp
    c:\users\matthew.scofield\AppData\Roaming\btustc.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-05 to 2012-07-05 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-05 05:02 . 2012-07-05 05:02  56200  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5708552-FE93-4056-93CC-6071E9822E76}\offreg.dll
    2012-07-04 21:43 . 2012-07-04 21:43  --------  d-----w-  C:\FRST
    2012-07-04 20:02 . 2012-07-04 20:02  --------  d-----w-  c:\program files\Google
    2012-07-04 04:00 . 2012-07-04 04:00  --------  d-sh--w-  c:\windows\system32\%APPDATA%
    2012-07-04 03:42 . 2012-07-04 17:44  --------  d-----w-  c:\users\matthew.scofield\AppData\Roaming\Izbeu
    2012-07-04 03:42 . 2012-07-04 17:07  --------  d-----w-  c:\users\matthew.scofield\AppData\Roaming\Epyk
    2012-07-04 03:42 . 2012-07-04 03:42  --------  d-----w-  c:\users\matthew.scofield\AppData\Roaming\Ugigas
    2012-07-04 03:42 . 2012-07-04 03:42  --------  d-----w-  c:\users\matthew.scofield\AppData\Local\ESET
    2012-06-30 18:17 . 2012-06-30 18:17  --------  d-----w-  c:\program files\Common Files\Macromedia Shared
    2012-06-30 18:17 . 2012-06-30 18:17  --------  d-----w-  c:\windows\Downloaded Installations
    2012-06-30 18:16 . 2012-06-30 18:16  401408  ----a-w-  c:\program files\Common Files\InstallShield\Driver\9\Intel 32\ISRT.dll
    2012-06-30 18:16 . 2012-06-30 18:16  32768  ----a-w-  c:\program files\Common Files\InstallShield\Driver\9\Intel 32\objpscnv.dll
    2012-06-30 18:16 . 2012-06-30 18:16  266240  ----a-w-  c:\program files\Common Files\InstallShield\Driver\9\Intel 32\IScrCnv.dll
    2012-06-30 18:16 . 2012-06-30 18:16  192512  ----a-w-  c:\program files\Common Files\InstallShield\Driver\9\Intel 32\IUserCnv.dll
    2012-06-30 18:16 . 2012-06-30 18:16  188416  ----a-w-  c:\program files\Common Files\InstallShield\Driver\9\Intel 32\iGdiCnv.dll
    2012-06-30 18:16 . 2012-06-30 18:16  761856  ----a-w-  c:\program files\Common Files\InstallShield\Driver\9\Intel 32\IDriver.exe
    2012-06-30 18:16 . 2012-06-30 18:16  299008  ----a-w-  c:\program files\Common Files\InstallShield\Driver\9\Intel 32\_ISRES1033.dll
    2012-06-30 18:14 . 2005-08-27 19:08  1398408  ----a-w-  c:\program files\Mozilla Firefox\plugins\NPSWF32.dll
    2012-06-30 18:14 . 2012-06-30 18:14  45056  ----a-r-  c:\users\matthew.scofield\AppData\Roaming\Microsoft\Installer\{91057632-CA70-413C-B628-2D3CDBBB906B}\ARPPRODUCTICON.exe
    2012-06-30 18:14 . 2012-06-30 18:14  --------  d-----w-  c:\windows\system32\QuickTime
    2012-06-30 18:10 . 2012-06-30 18:18  --------  d-----w-  c:\program files\Macromedia
    2012-06-30 18:10 . 2012-06-30 18:13  --------  d-----w-  c:\program files\Common Files\Macromedia
    2012-06-30 18:09 . 2012-06-30 18:13  409600  ------w-  c:\program files\Common Files\InstallShield\Driver\10\Intel 32\ISRT.dll
    2012-06-30 18:09 . 2012-06-30 18:13  32768  ------w-  c:\program files\Common Files\InstallShield\Driver\10\Intel 32\objpscnv.dll
    2012-06-30 18:09 . 2012-06-30 18:13  266240  ------w-  c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IScrCnv.dll
    2012-06-30 18:09 . 2012-06-30 18:13  180224  ------w-  c:\program files\Common Files\InstallShield\Driver\10\Intel 32\iGdiCnv.dll
    2012-06-30 18:09 . 2012-06-30 18:13  172032  ------w-  c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IUserCnv.dll
    2012-06-30 18:09 . 2012-06-30 18:13  761856  ------w-  c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe
    2012-06-30 18:09 . 2012-06-30 18:13  540772  ------w-  c:\program files\Common Files\InstallShield\Driver\10\Intel 32\_ISRES1033.dll
    2012-06-28 19:52 . 2012-06-30 18:17  --------  d-----w-  c:\users\matthew.scofield\AppData\Local\Macromedia
    2012-06-28 19:51 . 2012-06-28 19:51  421200  ----a-w-  c:\program files\Mozilla Firefox\msvcp100.dll
    2012-06-28 19:51 . 2012-06-28 19:51  770384  ----a-w-  c:\program files\Mozilla Firefox\msvcr100.dll
    2012-06-25 17:49 . 2012-06-25 17:49  --------  d-----w-  c:\program files\WinPcap
    2012-06-25 17:49 . 2012-06-25 17:50  --------  d-----w-  c:\programdata\Freemake
    2012-06-25 17:49 . 2012-06-25 17:49  --------  d-----w-  c:\program files\Freemake
    2012-06-21 08:05 . 2012-05-31 03:41  6762896  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5708552-FE93-4056-93CC-6071E9822E76}\mpengine.dll
    2012-06-18 17:13 . 2009-07-14 01:15  90624  ----a-w-  c:\windows\system32\Spool\prtprocs\w32x86\HPZPPWN7.DLL
    2012-06-10 21:15 . 2012-06-10 21:15  --------  d-----w-  c:\users\matthew.scofield\AppData\Local\Intuit
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-29 04:55 . 2012-04-14 19:27  426184  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    2012-06-29 04:55 . 2012-02-06 22:12  70344  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-29 23:56 . 2012-02-23 02:11  85472  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spotify"="c:\users\matthew.scofield\AppData\Roaming\Spotify\Spotify.exe" [2012-06-29 7609560]
    "Steam"="c:\program files\Steam\steam.exe" [2012-03-12 1242448]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Spotify Web Helper"="c:\users\matthew.scofield\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-06-29 1192664]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-27 217088]
    "Clearwire Connection Manager"="c:\program files\Clearwire\Connection Manager\ClearwireCM.exe" [2009-12-01 54608]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-12-06 2215768]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Glance.lnk - c:\program files\Glance26\Glance.exe [2012-2-7 1827616]
    Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-12-6 5904216]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-12-6 1175912]
    QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2012\QBW32.EXE [2011-12-6 1178984]
    Snagit 10.lnk - c:\program files\TechSmith\Snagit 10\Snagit32.exe [2011-11-8 7070608]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2344476697-3930214085-3868020663-5745\Scripts\Logon\0\0]
    "Script"=login_script.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2344476697-3930214085-3868020663-7841\Scripts\Logon\0\0]
    "Script"=login_script.bat
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 CACLEARWIRE;Clearwire Con App Svc;c:\program files\Clearwire\Connection Manager\ConAppsSvc.exe [x]
    R3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\Clearwire\Connection Manager\RcAppSvc.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
    S2 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files\Freemake\CaptureLib\CaptureLibService.exe [x]
    S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
    S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [x]
    S2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\Clearwire\Connection Manager\DeviceLaunchSvc.exe [x]
    S3 glancedrv;glancedrv;c:\windows\system32\DRIVERS\glancedrv.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-07-04 20:02]
    .
    2012-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-07-04 20:02]
    .
    2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841Core.job
    - c:\users\matthew.scofield\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-06 03:31]
    .
    2012-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841UA.job
    - c:\users\matthew.scofield\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-06 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://aus-sharept-1.austin.360training.com/default.aspx
    uInternet Settings,ProxyServer = 10.0.0.1:8080
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: 360training.com\aus-sharept-1.austin
    Trusted Zone: 360training.com\crm
    Trusted Zone: 360training.com\sharepoint
    Trusted Zone: 360training.com\sharepoint.austin
    Trusted Zone: 360training.com\webmail
    Trusted Zone: aus-sharept-1
    Trusted Zone: crm
    Trusted Zone: 360training.com\aus-sharept-1.austin
    Trusted Zone: 360training.com\crm
    Trusted Zone: 360training.com\sharepoint
    Trusted Zone: 360training.com\sharepoint.austin
    Trusted Zone: 360training.com\webmail
    Trusted Zone: aus-sharept-1
    Trusted Zone: crm
    TCP: DhcpNameServer = 10.0.1.1
    TCP: Interfaces\{2AA4A2F0-F535-4115-9367-E95401EC6A18}: NameServer = 10.0.0.247 10.0.1.100
    Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll
    FF - ProfilePath - c:\users\matthew.scofield\AppData\Roaming\Mozilla\Firefox\Profiles\lxi8kb6y.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxps://www.tumblr.com/|https://app.nirvana...rnote.com/Login.action?targetUrl=/Home.action
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
    FF - prefs.js: network.proxy.ftp - 10.0.0.1
    FF - prefs.js: network.proxy.ftp_port - 8080
    FF - prefs.js: network.proxy.http - 10.0.0.1
    FF - prefs.js: network.proxy.http_port - 8080
    FF - prefs.js: network.proxy.socks - 10.0.0.1
    FF - prefs.js: network.proxy.socks_port - 8080
    FF - prefs.js: network.proxy.ssl - 10.0.0.1
    FF - prefs.js: network.proxy.ssl_port - 8080
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-btustc - c:\users\matthew.scofield\AppData\Roaming\btustc.dll
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(1960)
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\HidFind.exe
    c:\program files\TechSmith\Snagit 10\TSCHelp.exe
    c:\program files\DellTPad\Apntex.exe
    c:\windows\system32\conhost.exe
    c:\program files\TechSmith\Snagit 10\SnagPriv.exe
    c:\program files\TechSmith\Snagit 10\snagiteditor.exe
    c:\program files\Common Files\Steam\SteamService.exe
    c:\program files\windows defender\MpCmdRun.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-05 00:14:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-05 05:14
    .
    Pre-Run: 204,277,276,672 bytes free
    Post-Run: 205,339,365,376 bytes free
    .
    - - End Of File - - 415C5303F4E5C266FFE363B301C238AB
     
  11. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Looks good :)

    Any current issues?

    =====================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    =====================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
     
  12. Matt99

    Matt99 TS Rookie Topic Starter

    Here they are. Yeah, I haven't got any more warnings about the malware; it seems to be okay. Do these log files look ok?

    malware log:


    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.07.05.06

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    matthew.scofield :: AUSTIN-181 [administrator]

    7/5/2012 1:03:01 PM
    mbam-log-2012-07-05 (13-03-01).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 270636
    Time elapsed: 7 minute(s), 56 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    OTL.txt:
    OTL logfile created on: 7/5/2012 2:14:11 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\matthew.scofield\Desktop
    Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.96 Gb Total Physical Memory | 1.87 Gb Available Physical Memory | 63.23% Memory free
    5.92 Gb Paging File | 4.72 Gb Available in Paging File | 79.66% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 232.88 Gb Total Space | 190.80 Gb Free Space | 81.93% Space Free | Partition Type: NTFS
    Drive E: | 1.89 Gb Total Space | 1.88 Gb Free Space | 99.15% Space Free | Partition Type: FAT32

    Computer Name: AUSTIN-181 | User Name: matthew.scofield | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/05 12:56:32 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\matthew.scofield\Desktop\OTL.exe
    PRC - [2012/06/28 23:55:19 | 000,529,232 | ---- | M] (Valve Corporation) -- C:\Program Files\Common Files\Steam\SteamService.exe
    PRC - [2012/06/28 23:54:52 | 007,609,560 | ---- | M] (Spotify Ltd) -- C:\Users\matthew.scofield\AppData\Roaming\Spotify\spotify.exe
    PRC - [2012/06/28 23:54:51 | 001,192,664 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
    PRC - [2012/06/18 13:15:32 | 000,008,704 | ---- | M] (Microsoft) -- C:\Program Files\Freemake\CaptureLib\CaptureLibService.exe
    PRC - [2012/03/11 23:30:16 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe
    PRC - [2011/12/06 08:48:02 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    PRC - [2011/12/06 06:40:30 | 001,248,256 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
    PRC - [2011/11/08 10:07:22 | 000,094,608 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 10\TscHelp.exe
    PRC - [2011/11/08 10:07:20 | 000,094,608 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 10\SnagPriv.exe
    PRC - [2011/11/08 10:07:18 | 007,397,776 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 10\SnagitEditor.exe
    PRC - [2011/11/08 10:07:16 | 007,070,608 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 10\Snagit32.exe
    PRC - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    PRC - [2011/06/23 23:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
    PRC - [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2011/02/18 15:04:44 | 001,827,616 | ---- | M] (Glance Networks, Inc.) -- C:\Program Files\Glance26\Glance.exe
    PRC - [2010/11/20 07:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010/08/12 15:16:26 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    PRC - [2010/08/12 15:16:12 | 002,215,064 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    PRC - [2009/11/09 13:00:32 | 000,107,856 | ---- | M] () -- C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
    PRC - [2009/07/13 20:14:46 | 000,115,200 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
    PRC - [2009/02/27 10:18:32 | 000,217,088 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
    PRC - [2009/01/31 16:15:38 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
    PRC - [2009/01/31 14:43:30 | 000,049,250 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
    PRC - [2008/11/24 05:56:46 | 000,054,568 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/06/28 23:55:18 | 020,313,384 | ---- | M] () -- C:\Program Files\Steam\bin\libcef.dll
    MOD - [2012/06/28 23:55:03 | 001,099,576 | ---- | M] () -- C:\Program Files\Steam\bin\avcodec-53.dll
    MOD - [2012/06/28 23:55:03 | 000,895,312 | ---- | M] () -- C:\Program Files\Steam\bin\chromehtml.dll
    MOD - [2012/06/28 23:55:03 | 000,190,776 | ---- | M] () -- C:\Program Files\Steam\bin\avformat-53.dll
    MOD - [2012/06/28 23:55:03 | 000,123,192 | ---- | M] () -- C:\Program Files\Steam\bin\avutil-51.dll
    MOD - [2012/06/28 23:54:52 | 020,214,784 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Roaming\Spotify\Data\libcef.dll
    MOD - [2012/06/28 23:54:51 | 001,192,664 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
    MOD - [2012/05/01 19:49:31 | 001,670,144 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\3ce70b84dbb9970e1893672c5d430c80\Microsoft.VisualBasic.ni.dll
    MOD - [2012/04/05 15:31:46 | 000,008,704 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Local\Microsoft\Windows Sidebar\Gadgets\All_CPU_Meter_V3.9.gadget\GetCoreTempInfoNET.dll
    MOD - [2012/04/05 15:31:46 | 000,007,680 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Local\Microsoft\Windows Sidebar\Gadgets\All_CPU_Meter_V3.9.gadget\SystemInfo.dll
    MOD - [2012/04/05 15:31:46 | 000,006,144 | ---- | M] () -- C:\Users\matthew.scofield\AppData\Local\Microsoft\Windows Sidebar\Gadgets\All_CPU_Meter_V3.9.gadget\CoreTempReader.dll
    MOD - [2012/02/16 14:04:36 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\9866d1f6178e1cde25642f1ac293ff8d\System.Xml.ni.dll
    MOD - [2012/02/16 14:04:32 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\e620323cacb5b6bfd93fd28d263440e4\System.Configuration.ni.dll
    MOD - [2012/02/16 14:04:31 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\faf4e8730ecbd07570111bb7c3b20565\System.ni.dll
    MOD - [2012/02/16 14:04:23 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
    MOD - [2011/07/28 18:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
    MOD - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    MOD - [2007/07/23 16:04:46 | 000,068,080 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\dlaapi_w.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2012/06/29 18:56:19 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/06/28 23:55:19 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2012/06/18 13:15:32 | 000,008,704 | ---- | M] (Microsoft) [Auto | Running] -- C:\Program Files\Freemake\CaptureLib\CaptureLibService.exe -- (FreemakeVideoCapture)
    SRV - [2012/02/06 17:35:20 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2011/12/06 08:48:02 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
    SRV - [2011/12/06 06:40:30 | 001,248,256 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe -- (QBVSS)
    SRV - [2011/12/06 06:40:08 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
    SRV - [2010/08/12 15:18:40 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
    SRV - [2010/08/12 15:16:26 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
    SRV - [2009/11/09 13:02:48 | 000,120,144 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe -- (CLEARWIRERcAppSvc)
    SRV - [2009/11/09 13:00:32 | 000,107,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe -- (SMSI Device Launch Service)
    SRV - [2009/11/09 13:00:20 | 000,124,240 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\Clearwire\Connection Manager\ConAppsSvc.exe -- (CACLEARWIRE)
    SRV - [2009/07/13 20:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
    SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\MATTHE~1.SCO\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - [2011/02/11 16:23:34 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (npf)
    DRV - [2010/11/20 07:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
    DRV - [2010/11/20 07:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
    DRV - [2010/11/20 07:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
    DRV - [2010/11/20 05:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010/11/20 04:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
    DRV - [2010/11/20 04:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
    DRV - [2010/07/29 14:31:26 | 000,136,632 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)
    DRV - [2010/07/29 14:31:26 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
    DRV - [2010/07/29 14:31:26 | 000,096,920 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfpr.sys -- (epfwwfpr)
    DRV - [2009/11/09 12:47:26 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\PCTINDIS5.sys -- (PCTINDIS5)
    DRV - [2009/07/13 18:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
    DRV - [2009/05/13 10:56:28 | 000,034,080 | ---- | M] (Glance Networks, Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\glancedrv.sys -- (glancedrv)
    DRV - [2009/03/24 17:25:24 | 000,197,680 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2007/07/23 16:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLADResM.SYS -- (DLADResM)
    DRV - [2007/07/23 16:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLABMFSM.SYS -- (DLABMFSM)
    DRV - [2007/07/23 16:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
    DRV - [2007/07/23 16:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
    DRV - [2007/07/23 16:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
    DRV - [2007/07/23 16:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLABOIOM.SYS -- (DLABOIOM)
    DRV - [2007/07/23 16:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAPoolM.SYS -- (DLAPoolM)
    DRV - [2007/07/23 16:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
    DRV - [2007/07/23 15:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\Windows\System32\drivers\DLARTL_M.SYS -- (DLARTL_M)
    DRV - [2007/07/23 15:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\DLACDBHM.SYS -- (DLACDBHM)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



    IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://aus-sharept-1.austin.360training.com/default.aspx
    IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..\SearchScopes,DefaultScope = {DAB9445D-2285-4F8E-8D01-4F2028EFD0B3}
    IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..\SearchScopes\{359EC1E4-6454-497A-9303-017CC312BC68}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
    IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..\SearchScopes\{DAB9445D-2285-4F8E-8D01-4F2028EFD0B3}: "URL" = http://www.google.com/search?q={sea...ie={inputEncoding?}&oe={outputEncoding?}&rlz=
    IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.0.0.1:8080

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Yahoo"
    FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.startup.homepage: "https://www.tumblr.com/|https://app...rnote.com/Login.action?targetUrl=/Home.action"
    FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p="
    FF - prefs.js..network.proxy.ftp: "10.0.0.1"
    FF - prefs.js..network.proxy.ftp_port: 8080
    FF - prefs.js..network.proxy.http: "10.0.0.1"
    FF - prefs.js..network.proxy.http_port: 8080
    FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
    FF - prefs.js..network.proxy.share_proxy_settings: true
    FF - prefs.js..network.proxy.socks: "10.0.0.1"
    FF - prefs.js..network.proxy.socks_port: 8080
    FF - prefs.js..network.proxy.ssl: "10.0.0.1"
    FF - prefs.js..network.proxy.ssl_port: 8080
    FF - prefs.js..network.proxy.type: 0


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_257.dll ()
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
    FF - HKLM\Software\MozillaPlugins\@glance.net/GlanceClient: C:\Program Files\Glance26\npglance.dll (Glance Networks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@skyhookwireless.com/LokiPlugin,version=3.1.0.05: C:\Program Files\Skyhook Wireless\Loki ActiveX Component\versions\3.1.0.05\loki.dll (Skyhook Wireless)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\matthew.scofield\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\matthew.scofield\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\matthew.scofield\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\matthew.scofield\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\matthew.scofield\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/03/27 10:54:11 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\fmdownloader@gmail.com: C:\Program Files\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\ [2012/06/25 12:49:20 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/30 13:14:15 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/30 13:14:15 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2012/02/06 17:09:04 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/30 13:14:15 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/30 13:14:15 | 000,000,000 | ---D | M]

    [2012/02/17 15:44:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\matthew.scofield\AppData\Roaming\mozilla\Extensions
    [2012/07/04 13:53:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\matthew.scofield\AppData\Roaming\mozilla\Firefox\Profiles\lxi8kb6y.default\extensions
    [2012/07/02 20:04:55 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\matthew.scofield\AppData\Roaming\mozilla\Firefox\Profiles\lxi8kb6y.default\extensions\firefox@ghostery.com
    [2012/05/21 19:59:17 | 000,000,000 | ---D | M] ("TableTools2") -- C:\Users\matthew.scofield\AppData\Roaming\mozilla\Firefox\Profiles\lxi8kb6y.default\extensions\tabletools2@mingyi.org
    [2012/07/05 12:36:53 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/07/05 12:36:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
    [2012/06/25 12:49:20 | 000,000,000 | ---D | M] (Freemake Video Downloader Plugin) -- C:\PROGRAM FILES\FREEMAKE\FREEMAKE VIDEO DOWNLOADER\BROWSERPLUGIN\FIREFOX
    [2012/06/29 18:56:26 | 000,084,634 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\{0545B830-F0AA-4D7E-8820-50A4629A56FE}.XPI
    [2012/04/13 18:25:44 | 000,050,631 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\{54BB9F3F-07E5-486C-9B39-C7398B99391C}.XPI
    [2012/04/13 18:25:44 | 000,023,443 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\{68836A21-FC7D-4EA1-A065-7EFABD99D414}.XPI
    [2012/07/04 13:53:24 | 000,340,684 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\{A7C6CF7F-112C-4500-A7EA-39801A327E5F}.XPI
    [2012/05/21 19:59:12 | 001,335,949 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\FIREBUG@SOFTWARE.JOEHEWITT.COM.XPI
    [2012/04/13 22:31:41 | 000,038,314 | ---- | M] () (No name found) -- C:\USERS\MATTHEW.SCOFIELD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\LXI8KB6Y.DEFAULT\EXTENSIONS\FIREPICKER@THEDARKONE.XPI
    [2012/06/29 18:56:20 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2005/08/27 14:08:06 | 001,398,408 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\NPSWF32.dll
    [2012/02/16 05:42:53 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/02/16 05:42:53 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\Application\19.0.1084.56\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\Application\19.0.1084.56\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\Application\19.0.1084.56\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Glance\u2122 (Enabled) = C:\Program Files\Glance26\npglance.dll
    CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
    CHR - plugin: Loki Plugin (Enabled) = C:\Program Files\Skyhook Wireless\Loki ActiveX Component\versions\3.1.0.05\loki.dll
    CHR - plugin: Unity Player (Enabled) = C:\Users\matthew.scofield\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
    CHR - plugin: Google Update (Enabled) = C:\Users\matthew.scofield\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin
    CHR - Extension: YouTube = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
    CHR - Extension: Freemake Video Downloader = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpegkgagfojjbcpkihigfmkojdmmimdf\1.0.0_0\
    CHR - Extension: Google Search = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
    CHR - Extension: DropinSavings = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk\1.0_0\
    CHR - Extension: Chromodoro = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\mipdbifffceniaiejmikimkmnobmefke\1.0.2_0\
    CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0\
    CHR - Extension: Gmail = C:\Users\matthew.scofield\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

    O1 HOSTS File: ([2012/07/05 00:05:33 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll (TechSmith Corporation)
    O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll (TechSmith Corporation)
    O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
    O4 - HKLM..\Run: [Clearwire Connection Manager] C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe (ClearwireCM)
    O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
    O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
    O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
    O4 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841..\Run: [Spotify] C:\Users\matthew.scofield\AppData\Roaming\Spotify\Spotify.exe (Spotify Ltd)
    O4 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841..\Run: [Spotify Web Helper] C:\Users\matthew.scofield\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe ()
    O4 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841..\Run: [Steam] C:\Program Files\Steam\steam.exe (Valve Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
    O7 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O15 - HKLM\..Trusted Domains: 360training.com ([aus-sharept-1.austin] http in Trusted sites)
    O15 - HKLM\..Trusted Domains: 360training.com ([crm] http in Trusted sites)
    O15 - HKLM\..Trusted Domains: 360training.com ([sharepoint] http in Trusted sites)
    O15 - HKLM\..Trusted Domains: 360training.com ([sharepoint.austin] http in Trusted sites)
    O15 - HKLM\..Trusted Domains: 360training.com ([webmail] https in Trusted sites)
    O15 - HKLM\..Trusted Domains: aus-sharept-1 ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: crm ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([aus-sharept-1.austin] http in Trusted sites)
    O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([crm] http in Trusted sites)
    O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([sharepoint] http in Trusted sites)
    O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([sharepoint.austin] http in Trusted sites)
    O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([webmail] https in Trusted sites)
    O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: aus-sharept-1 ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: crm ([]http in Trusted sites)
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
    O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = austin.360training.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{13E45424-1CD7-4313-AE31-B60EE441F0C7}: DhcpNameServer = 10.0.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2AA4A2F0-F535-4115-9367-E95401EC6A18}: NameServer = 10.0.0.247 10.0.1.100
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{635D2EDA-1D42-4280-9990-86C7ABACC5D6}: DhcpNameServer = 10.0.1.1
    O18 - Protocol\Handler\intu-help-qb5 {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/05 14:13:25 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\matthew.scofield\Desktop\OTL.exe
    [2012/07/05 13:00:00 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Malwarebytes
    [2012/07/05 12:59:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/05 12:59:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/07/05 12:59:33 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/07/05 12:59:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/07/05 12:36:44 | 000,000,000 | ---D | C] -- C:\Program Files\Java
    [2012/07/05 12:33:31 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
    [2012/07/05 00:13:16 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/07/04 23:48:36 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/07/04 23:39:00 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/07/04 23:39:00 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/07/04 23:39:00 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/07/04 23:37:23 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/07/04 23:37:03 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/07/04 16:43:11 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/07/04 15:02:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
    [2012/07/04 15:02:01 | 000,000,000 | ---D | C] -- C:\Program Files\Google
    [2012/07/03 23:00:03 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
    [2012/07/03 22:42:16 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Ugigas
    [2012/07/03 22:42:16 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Izbeu
    [2012/07/03 22:42:16 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Epyk
    [2012/07/03 22:42:01 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Local\ESET
    [2012/06/30 14:19:01 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\Documents\WebLearning
    [2012/06/30 13:18:05 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Macromedia
    [2012/06/30 13:17:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macromedia Shared
    [2012/06/30 13:17:04 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
    [2012/06/30 13:14:02 | 000,000,000 | ---D | C] -- C:\Windows\System32\QuickTime
    [2012/06/30 13:10:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Macromedia
    [2012/06/30 13:10:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Macromedia
    [2012/06/30 13:10:03 | 000,000,000 | ---D | C] -- C:\Program Files\Macromedia
    [2012/06/30 13:10:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macromedia
    [2012/06/28 21:36:27 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
    [2012/06/28 14:52:12 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Local\Macromedia
    [2012/06/25 12:49:46 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
    [2012/06/25 12:49:22 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\Documents\Freemake
    [2012/06/25 12:49:21 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Freemake
    [2012/06/25 12:49:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freemake
    [2012/06/25 12:49:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Freemake
    [2012/06/25 12:49:02 | 000,000,000 | ---D | C] -- C:\Program Files\Freemake
    [2012/06/10 16:15:16 | 000,000,000 | ---D | C] -- C:\Users\matthew.scofield\AppData\Local\Intuit

    ========== Files - Modified Within 30 Days ==========

    [2012/07/05 14:24:00 | 000,000,952 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841UA.job
    [2012/07/05 14:15:05 | 000,018,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/07/05 14:15:05 | 000,018,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/07/05 14:14:06 | 000,659,818 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/07/05 14:14:06 | 000,120,714 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/07/05 14:12:00 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/07/05 14:10:00 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/07/05 14:07:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/07/05 14:07:42 | 2385,211,392 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/05 12:56:32 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\matthew.scofield\Desktop\OTL.exe
    [2012/07/05 00:05:33 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/07/04 17:24:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2344476697-3930214085-3868020663-7841Core.job
    [2012/07/04 16:31:13 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
    [2012/07/04 11:59:08 | 000,427,264 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/06/28 21:36:21 | 242,315,789 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/06/19 10:39:58 | 000,177,090 | ---- | M] () -- C:\Users\matthew.scofield\Documents\Scofield_Resume_W7.pdf
    [2012/06/13 18:29:08 | 000,004,366 | RHS- | M] () -- C:\Users\matthew.scofield\ntuser.pol

    ========== Files Created - No Company Name ==========

    [2012/07/04 23:39:00 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/07/04 23:39:00 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/07/04 23:39:00 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/07/04 23:39:00 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/07/04 23:39:00 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/07/04 16:31:13 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
    [2012/07/04 15:02:11 | 000,000,906 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/07/04 15:02:10 | 000,000,902 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/06/28 21:36:21 | 242,315,789 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2012/06/19 10:39:57 | 000,177,090 | ---- | C] () -- C:\Users\matthew.scofield\Documents\Scofield_Resume_W7.pdf
    [2012/05/13 07:45:43 | 000,000,095 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
    [2012/03/12 03:31:42 | 000,007,605 | ---- | C] () -- C:\Users\matthew.scofield\AppData\Local\Resmon.ResmonCfg
    [2012/02/24 19:55:08 | 000,000,032 | R--- | C] () -- C:\ProgramData\hash.dat
    [2012/02/17 13:49:45 | 000,004,366 | RHS- | C] () -- C:\Users\matthew.scofield\ntuser.pol
    [2012/02/16 14:36:05 | 000,074,160 | RHS- | C] () -- C:\ProgramData\ntuser.pol
    [2012/02/07 17:23:59 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2012/02/07 15:01:06 | 000,000,234 | ---- | C] () -- C:\Windows\wininit.ini
    [2011/12/06 06:34:10 | 000,667,280 | ---- | C] () -- C:\Windows\System32\tx12.dll
    [2011/12/06 06:34:10 | 000,000,530 | ---- | C] () -- C:\Windows\System32\tx12_ic.ini
    [2011/12/06 06:34:10 | 000,000,186 | ---- | C] () -- C:\Windows\System32\Gsw32.exe.config
    [2011/06/10 07:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
    [2011/02/11 20:10:52 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
    [2011/02/11 20:10:50 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
    [2011/02/11 20:10:50 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
    [2011/02/11 19:40:40 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
    [2011/02/11 19:38:44 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
    [2011/02/11 16:23:34 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll

    ========== LOP Check ==========

    [2012/04/13 18:20:29 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\.purple
    [2012/04/05 15:38:34 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Audacity
    [2012/07/04 12:07:58 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Epyk
    [2012/07/04 12:44:31 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Izbeu
    [2012/04/11 16:52:54 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Notepad++
    [2012/07/05 14:15:28 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Spotify
    [2012/03/03 15:15:43 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\StreamTorrent
    [2012/02/24 19:52:09 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Three Rings Design
    [2012/07/03 22:42:16 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Ugigas
    [2012/02/22 21:25:22 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Unity
    [2009/07/13 23:53:46 | 000,008,840 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:15B79D44
    < End of report >
     
  13. Matt99

    Matt99 TS Rookie Topic Starter

    EXTRAS.TXT
    OTL Extras logfile created on: 7/5/2012 2:14:11 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\matthew.scofield\Desktop
    Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.96 Gb Total Physical Memory | 1.87 Gb Available Physical Memory | 63.23% Memory free
    5.92 Gb Paging File | 4.72 Gb Available in Paging File | 79.66% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 232.88 Gb Total Space | 190.80 Gb Free Space | 81.93% Space Free | Partition Type: NTFS
    Drive E: | 1.89 Gb Total Space | 1.88 Gb Free Space | 99.15% Space Free | Partition Type: FAT32

    Computer Name: AUSTIN-181 | User Name: matthew.scofield | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Classes\<extension>]
    .html [@ = Notepad++_file] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
    "AllowUserPrefMerge" = 0
    "Enabled" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\360training\LCMSClient\LCMS.UI.exe:*:enabled:LCMS" = C:\Program Files\360training\LCMSClient\LCMS.UI.exe:*:enabled:LCMS
    "c:\Program Files\Bold Software\operatorclient.exe:*:enabled:Bold Chat" = c:\Program Files\Bold Software\operatorclient.exe:*:enabled:Bold Chat -- (Bold Software, LLC)
    "C:\Program Files\DameWare Development\DameWare NT Utilities\DWRCC.exe:*:enabled:DameWare" = C:\Program Files\DameWare Development\DameWare NT Utilities\DWRCC.exe:*:enabled:DameWare
    "C:\Program Files\Glance25\Glance.exe:*:enabled:Glance" = C:\Program Files\Glance25\Glance.exe:*:enabled:Glance
    "C:\program files\microsoft office\office14\outlook.exe:*:enabled: Outlook 2010" = C:\program files\microsoft office\office14\outlook.exe:*:enabled: Outlook 2010
    "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\ssms.exe:*:enabled:SQL Management Studio" = C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\ssms.exe:*:enabled:SQL Management Studio
    "C:\Program Files\Nortel Networks\i2050SoftwarePhone\i2050.exe:*:enabled:Soft Phone" = C:\Program Files\Nortel Networks\i2050SoftwarePhone\i2050.exe:*:enabled:Soft Phone
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NBNmSrvc.exe:*:enabled:NBNMSRVC" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NBNmSrvc.exe:*:enabled:NBNMSRVC
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\ngen.exe:*:enabled:Symposium Ngen" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\ngen.exe:*:enabled:Symposium Ngen
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICAGSSM.exe:*:enabled:Symposium - Call Center Ops - Agent Skillset Assignment Matrix" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICAGSSM.exe:*:enabled:Symposium - Call Center Ops - Agent Skillset Assignment Matrix
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcapr.exe:*:enabled:Symposium Agent Call Presentation Class" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcapr.exe:*:enabled:Symposium Agent Call Presentation Class
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicgcer.exe:*:enabled:NICLT_CLNICGCER" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicgcer.exe:*:enabled:NICLT_CLNICGCER
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgmprs.exe:*:enabled:SSCC Import" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgmprs.exe:*:enabled:SSCC Import
    "C:\program files\nortel networks\symposium express call center\client\en\bin\nicgrdsp.exe:*:enabled:Symposium Real Time Display (GP)" = C:\program files\nortel networks\symposium express call center\client\en\bin\nicgrdsp.exe:*:enabled:Symposium Real Time Display (GP)
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicm1ac.exe:*:enabled:Symposium Configuration - Activity Codes" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicm1ac.exe:*:enabled:Symposium Configuration - Activity Codes
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRPTOM.exe:*:enabled:Symposium - Call Center Ops - Report Manager" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRPTOM.exe:*:enabled:Symposium - Call Center Ops - Report Manager
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTDSP.exe:*:enabled:Symposium - Call Center Ops - Real Time Display" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTDSP.exe:*:enabled:Symposium - Call Center Ops - Real Time Display
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTMGR.exe:*:enabled:Symposium - Call Center Ops - Real Time Display Manager" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTMGR.exe:*:enabled:Symposium - Call Center Ops - Real Time Display Manager
    "c:\Program Files\Nortel\GRTD\grtd.exe:*:enabled:GRTD" = c:\Program Files\Nortel\GRTD\grtd.exe:*:enabled:GRTD
    "C:\Program Files\Nortel\IP Softphone 2050\i2050.exe:*:enabled:Soft Phone" = C:\Program Files\Nortel\IP Softphone 2050\i2050.exe:*:enabled:Soft Phone
    "c:\Program Files\Pidgin\pidgin.exe:*:enabled:pidgin" = c:\Program Files\Pidgin\pidgin.exe:*:enabled:pidgin -- (The Pidgin developer community)
    "C:\Program Files\Spark\Spark.exe:*:enabled:Spark" = C:\Program Files\Spark\Spark.exe:*:enabled:Spark
    "C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe:*:enabled:SVN" = C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe:*:enabled:SVN
    "C:\Windows\System32\dwrcs.exe:*:Enabled:Damware client" = C:\Windows\System32\dwrcs.exe:*:Enabled:Damware client

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
    "Enabled" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
    "135:TCP:*:Enable port for Spiceworks" = 135:TCP:*:Enable port for Spiceworks
    "445:TCP:*:Enable port for Spiceworks" = 445:TCP:*:Enable port for Spiceworks
    "137:UDP:*:enabled:production-Name Services" = 137:UDP:*:enabled:production-Name Services
    "138:UDP:*:enabled:production-Datagram Services" = 138:UDP:*:enabled:production-Datagram Services
    "139::TCP:*:enabled:production-Session Services" = 139::TCP:*:enabled:production-Session Services
    "1433:TCP:*:enabled:MS SQL server" = 1433:TCP:*:enabled:MS SQL server
    "1723:TCP:enabled:VPN Server" = 1723:TCP:enabled:VPN Server
    "20:TCP:*:enabled:FTP" = 20:TCP:*:enabled:FTP
    "21:TCP:*:enabled:FTP" = 21:TCP:*:enabled:FTP
    "22:TCP:enabled:SSH" = 22:TCP:enabled:SSH
    "3000:TCP:*:enabled:Nortel Meridian Link Services (MLS)" = 3000:TCP:*:enabled:Nortel Meridian Link Services (MLS)
    "3306:TCP:enabled:Database Server" = 3306:TCP:enabled:Database Server
    "3307:TCP:enabled:Database Server" = 3307:TCP:enabled:Database Server
    "443:TCP:*:enabled:HTTPS" = 443:TCP:*:enabled:HTTPS
    "5000:TCP:*:enabled:Symposium Call Center Server Database" = 5000:TCP:*:enabled:Symposium Call Center Server Database
    "50000:TCP:enabled:Database Server" = 50000:TCP:enabled:Database Server
    "50000:UDP:enabled:Database Server" = 50000:UDP:enabled:Database Server
    "5001:TCP:*:enabled:Symposium Call Center Server Database" = 5001:TCP:*:enabled:Symposium Call Center Server Database
    "5002:TCP:*:enabled:Symposium Call Center Server Database" = 5002:TCP:*:enabled:Symposium Call Center Server Database
    "5003:TCP:*:enabled:Symposium Call Center Server Database" = 5003:TCP:*:enabled:Symposium Call Center Server Database
    "5222:TCP:*:enabled:Openfire Server" = 5222:TCP:*:enabled:Openfire Server
    "5223:TCP:*:enabled:Spark" = 5223:TCP:*:enabled:Spark
    "5938:TCP:*:enabled:teamviewer" = 5938:TCP:*:enabled:teamviewer
    "80:TCP:*:enabled:Web Server" = 80:TCP:*:enabled:Web Server
    "8080:TCP:*:enabled:Web Server" = 8080:TCP:*:enabled:Web Server
    "81:TCP:*:enabled:production-Web Service Troubleshoot" = 81:TCP:*:enabled:production-Web Service Troubleshoot
    "879:TCP:*:enabled:SVN Server" = 879:TCP:*:enabled:SVN Server
    "879:UDP:*:enabled:SVN Server" = 879:UDP:*:enabled:SVN Server

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings]
    "AllowOutboundDestinationUnreachable" = 0
    "AllowOutboundSourceQuench" = 0
    "AllowRedirect" = 0
    "AllowInboundEchoRequest" = 1
    "AllowInboundRouterRequest" = 0
    "AllowOutboundTimeExceeded" = 0
    "AllowOutboundParameterProblem" = 0
    "AllowInboundTimestampRequest" = 0
    "AllowInboundMaskRequest" = 0
    "AllowOutboundPacketTooBig" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
    "Enabled" = 1
    "RemoteAddresses" = 10.0.0.112

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
    "Enabled" = 1
    "RemoteAddresses" = *

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
    "Enabled" = 1
    "RemoteAddresses" = *

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
    "AllowUserPrefMerge" = 0
    "Enabled" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\360training\LCMSClient\LCMS.UI.exe:*:enabled:LCMS" = C:\Program Files\360training\LCMSClient\LCMS.UI.exe:*:enabled:LCMS
    "C:\Program Files\Bold Software\operatorclient.exe:*:enabled:Bold Chat" = C:\Program Files\Bold Software\operatorclient.exe:*:enabled:Bold Chat -- (Bold Software, LLC)
    "C:\Program Files\DameWare Development\DameWare NT Utilities\DWRCC.exe:*:enabled:DameWare" = C:\Program Files\DameWare Development\DameWare NT Utilities\DWRCC.exe:*:enabled:DameWare
    "C:\Program Files\Glance25\Glance.exe:*:enabled:Glance" = C:\Program Files\Glance25\Glance.exe:*:enabled:Glance
    "C:\program files\microsoft office\office14\outlook.exe:*:enabled: Outlook 2010" = C:\program files\microsoft office\office14\outlook.exe:*:enabled: Outlook 2010
    "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\ssms.exe:*:enabled:SQL Management Studio" = C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\ssms.exe:*:enabled:SQL Management Studio
    "C:\Program Files\Nortel Networks\i2050SoftwarePhone\i2050.exe:*:enabled:Softphone" = C:\Program Files\Nortel Networks\i2050SoftwarePhone\i2050.exe:*:enabled:Softphone
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NBNmSrvc.exe:*:enabled:NBNMSRVC" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NBNmSrvc.exe:*:enabled:NBNMSRVC
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\ngen.exe:*:enabled:Symposium Ngen" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\ngen.exe:*:enabled:Symposium Ngen
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICAGSSM.exe:*:enabled:Symposium – Call Center Ops – Agent Skillset Assignment Matrix" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICAGSSM.exe:*:enabled:Symposium – Call Center Ops – Agent Skillset Assignment Matrix
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcapr.exe:*:enabled:Symposium Agent Call Presentation Class" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcapr.exe:*:enabled:Symposium Agent Call Presentation Class
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcer.exe:*:enabled:NICLT_CLNICGCER" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgcer.exe:*:enabled:NICLT_CLNICGCER
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgmprs.exe:*:enabled:SSCC Import" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\nicgmprs.exe:*:enabled:SSCC Import
    "C:\program files\nortel networks\symposium express call center\client\en\bin\nicgrdsp.exe:*:enabled:Symposium Real Time Display (GP)" = C:\program files\nortel networks\symposium express call center\client\en\bin\nicgrdsp.exe:*:enabled:Symposium Real Time Display (GP)
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicm1ac.exe:*:enabled:Symposium Configuration - Activity Codes" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\Nicm1ac.exe:*:enabled:Symposium Configuration - Activity Codes
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRPTOM.exe:*:enabled:Symposium - Call Center Ops - Report Manager" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRPTOM.exe:*:enabled:Symposium - Call Center Ops - Report Manager
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTDSP.exe:*:enabled:Symposium - Call Center Ops - Real Time Display" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTDSP.exe:*:enabled:Symposium - Call Center Ops - Real Time Display
    "C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTMGR.exe:*:enabled:Symposium - Call Center Ops - Real Time Display Manager" = C:\Program Files\Nortel Networks\Symposium Express Call Center\Client\en\bin\NICRTMGR.exe:*:enabled:Symposium - Call Center Ops - Real Time Display Manager
    "C:\Program Files\Nortel\GRTD\grtd.exe:*:enabled:GRTD" = C:\Program Files\Nortel\GRTD\grtd.exe:*:enabled:GRTD
    "C:\Program Files\Nortel\IP Softphone 2050\i2050.exe:*:enabled:Softphone" = C:\Program Files\Nortel\IP Softphone 2050\i2050.exe:*:enabled:Softphone
    "C:\Program Files\Pidgin\pidgin.exe:*:enabled:pidgin" = C:\Program Files\Pidgin\pidgin.exe:*:enabled:pidgin -- (The Pidgin developer community)
    "C:\Program Files\Spark\Spark.exe:*:enabled:Spark" = C:\Program Files\Spark\Spark.exe:*:enabled:Spark
    "C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe:*:enabled:SVN" = C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe:*:enabled:SVN
    "C:\Windows\System32\dwrcs.exe:*:Enabled:Damware client" = C:\Windows\System32\dwrcs.exe:*:Enabled:Damware client

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
    "Enabled" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List]
    "135:TCP:*:Enable port for Spiceworks" = 135:TCP:*:Enable port for Spiceworks
    "445:TCP:*:Enable port for Spiceworks" = 445:TCP:*:Enable port for Spiceworks
    "137:UDP:*:enabled:production-Name Services" = 137:UDP:*:enabled:production-Name Services
    "138:UDP:*:enabled:production-Name Services" = 138:UDP:*:enabled:production-Name Services
    "139:UDP:*:enabled:production-Name Services" = 139:UDP:*:enabled:production-Name Services
    "1433:TCP:*:enabled:Microsoft SQL Server" = 1433:TCP:*:enabled:Microsoft SQL Server
    "1723:TCP:enabled:VPN Server" = 1723:TCP:enabled:VPN Server
    "20:TCP:*:enabled:FTP" = 20:TCP:*:enabled:FTP
    "21:TCP:*:enabled:FTP" = 21:TCP:*:enabled:FTP
    "22:TCP:*:enabled:SSH" = 22:TCP:*:enabled:SSH
    "3000:TCP:*:enabled:Nortel Meridian Link Services (MLS)" = 3000:TCP:*:enabled:Nortel Meridian Link Services (MLS)
    "3306:TCP:*:enabled:Database Server" = 3306:TCP:*:enabled:Database Server
    "3307:TCP:*:enabled:Database Server" = 3307:TCP:*:enabled:Database Server
    "443:TCP:*:enabled:HTTPS" = 443:TCP:*:enabled:HTTPS
    "5000:TCP:*:enabled:Symposium Call Center Server Database" = 5000:TCP:*:enabled:Symposium Call Center Server Database
    "50000:TCP:enabled:Database Server" = 50000:TCP:enabled:Database Server
    "50000:UDP:enabled:Database Server" = 50000:UDP:enabled:Database Server
    "5001:TCP:*:enabled:Symposium Call Center Server Database" = 5001:TCP:*:enabled:Symposium Call Center Server Database
    "5002:TCP:*:enabled:Symposium Call Center Server Database" = 5002:TCP:*:enabled:Symposium Call Center Server Database
    "5003:TCP:*:enabled:Symposium Call Center Server Database" = 5003:TCP:*:enabled:Symposium Call Center Server Database
    "5222:TCP:enabled:Openfire Server" = 5222:TCP:enabled:Openfire Server
    "5223:TCP:*:enabled:Spark" = 5223:TCP:*:enabled:Spark
    "5938:TCP:*:enabled:teamviewer" = 5938:TCP:*:enabled:teamviewer
    "80:TCP:*:enabled:Web Server" = 80:TCP:*:enabled:Web Server
    "8080:TCP:*:enabled:Web Server" = 8080:TCP:*:enabled:Web Server
    "81:TCP:*:enabled:production-Web Service Troubleshoot" = 81:TCP:*:enabled:production-Web Service Troubleshoot
    "879:TCP:*:enabled:SVN Server" = 879:TCP:*:enabled:SVN Server
    "879:UDP:*:enabled:SVN Server" = 879:UDP:*:enabled:SVN Server

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings]
    "AllowOutboundDestinationUnreachable" = 0
    "AllowOutboundSourceQuench" = 0
    "AllowRedirect" = 0
    "AllowInboundEchoRequest" = 1
    "AllowInboundRouterRequest" = 0
    "AllowOutboundTimeExceeded" = 0
    "AllowOutboundParameterProblem" = 0
    "AllowInboundTimestampRequest" = 0
    "AllowInboundMaskRequest" = 0
    "AllowOutboundPacketTooBig" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings]
    "Enabled" = 1
    "RemoteAddresses" = 10.0.0.112

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint]
    "Enabled" = 1
    "RemoteAddresses" = *

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
    "Enabled" = 1
    "RemoteAddresses" = *

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "TCP Query User{DBC9C6DD-4DED-4C8C-B9F3-329A89128501}C:\users\matthew.scofield\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\matthew.scofield\appdata\roaming\spotify\spotify.exe |
    "UDP Query User{7755449C-50BE-4936-9144-CE1ADF926708}C:\users\matthew.scofield\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\matthew.scofield\appdata\roaming\spotify\spotify.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
    "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
    "{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
    "{077AA014-B568-4FF8-B360-9ACE1A1F4571}" = CLEAR Connection Manager
    "{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8
    "{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
    "{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{2181214D-1954-4C60-91FD-EEA7EBB32022}" = QuickBooks Premier: Accountant Edition 2012
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{25E202D1-D8E7-46AF-B4B0-157D9993A93E}" = QuickBooks
    "{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 33
    "{2BD5C305-1B27-4D41-B690-7A61172D2FEB}" = Macromedia Flash 8
    "{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
    "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
    "{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4B9535BF-CC90-4158-AF32-CAF57A8820CA}" = Macromedia Contribute 3.11
    "{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}" = Macromedia Fireworks 8
    "{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
    "{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
    "{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}" = Macromedia Flash 8 Video Encoder
    "{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
    "{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
    "{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00B0-0409-0000-0000000FF1CE}" = Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{91057632-CA70-413C-B628-2D3CDBBB906B}" = Macromedia Flash Player 8 Plugin
    "{92D194E7-AEF9-4A9E-8620-8F3AE712E3F7}" = Snagit 10.0.2
    "{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
    "{975C3A93-2491-3D44-A071-F6CBF153E46D}" = Google Talk Plugin
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AA241315-157C-420F-B168-15055DCFA40D}" = Bold Software v7.10
    "{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1
    "{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
    "{D02EDDE7-B5C5-40A2-AF57-73A3278F4EEB}" = ESET NOD32 Antivirus
    "{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Audacity_is1" = Audacity 2.0
    "DivX Setup" = DivX Setup
    "Easy CD-DA Extractor 16" = Easy CD-DA Extractor 16
    "ExamDiff_is1" = ExamDiff 1.9 (Build 1.9.0.0)
    "Freemake Video Downloader_is1" = Freemake Video Downloader
    "Glance_is1" = Glance 2.6
    "LAME_is1" = LAME v3.99.3 (for Windows)
    "Loki ActiveX Control" = Loki ActiveX Control
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "Microsoft Visual Studio 2005 Tools for Office Runtime" = Microsoft Visual Studio 2005 Tools for Office Runtime
    "Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "Notepad++" = Notepad++
    "Pidgin" = Pidgin
    "PROPLUS" = Microsoft Office Professional Plus 2007
    "Steam App 8930" = Sid Meier's Civilization V
    "WinPcapInst" = WinPcap 4.1.2

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome
    "Puzzle Pirates" = Puzzle Pirates
    "Spotify" = Spotify
    "UnityWebPlayer" = Unity Web Player

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 7/4/2012 7:58:06 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file. .

    Error - 7/4/2012 8:07:45 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file. .

    Error - 7/4/2012 8:55:41 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file. .

    Error - 7/4/2012 9:04:43 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file. .

    Error - 7/4/2012 10:12:49 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file. .

    Error - 7/5/2012 2:09:01 AM | Computer Name = AUSTIN-181.austin.360training.com | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files\Clearwire\Connection
    Manager\OemDriverManager64.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 7/5/2012 1:32:58 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Application Error | ID = 1000
    Description = Faulting application name: Snagit32.exe, version: 10.0.2.21, time
    stamp: 0x4eb943d4 Faulting module name: Snagit32.exe, version: 10.0.2.21, time stamp:
    0x4eb943d4 Exception code: 0xc0000005 Fault offset: 0x000d5992 Faulting process id:
    0x824 Faulting application start time: 0x01cd5a6e994e0645 Faulting application path:
    C:\Program Files\TechSmith\Snagit 10\Snagit32.exe Faulting module path: C:\Program
    Files\TechSmith\Snagit 10\Snagit32.exe Report Id: 75b8c625-c6c7-11e1-be3e-0024e8de82bd

    Error - 7/5/2012 1:33:04 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Application Error | ID = 1000
    Description = Faulting application name: Snagit32.exe, version: 10.0.2.21, time
    stamp: 0x4eb943d4 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
    stamp: 0x4ec49b60 Exception code: 0xc0150010 Fault offset: 0x00083fbe Faulting process
    id: 0x824 Faulting application start time: 0x01cd5a6e994e0645 Faulting application
    path: C:\Program Files\TechSmith\Snagit 10\Snagit32.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report
    Id: 7932b7ad-c6c7-11e1-be3e-0024e8de82bd

    Error - 7/5/2012 2:10:16 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file. .

    Error - 7/5/2012 2:10:21 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-CAPI2 | ID = 4107
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file. .

    [ System Events ]
    Error - 7/5/2012 1:58:03 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 7/5/2012 1:58:03 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 7/5/2012 1:58:04 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 7/5/2012 3:07:53 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = NETLOGON | ID = 5719
    Description = This computer was not able to set up a secure session with a domain
    controller
    in domain AUSTIN due to the following: %%1311 This may lead to authentication problems.
    Make sure that this computer is connected to the network. If the problem persists,
    please
    contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller
    for the specified domain, it sets up the secure session to the primary domain controller
    emulator in the specified domain. Otherwise, this computer sets up the secure session
    to any domain controller in the specified domain.

    Error - 7/5/2012 3:08:17 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-GroupPolicy | ID = 1129
    Description = The processing of Group Policy failed because of lack of network connectivity
    to a domain controller. This may be a transient condition. A success message would
    be generated once the machine gets connected to the domain controller and Group
    Policy has succesfully processed. If you do not see a success message for several
    hours, then contact your administrator.

    Error - 7/5/2012 3:10:03 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Microsoft-Windows-GroupPolicy | ID = 1129
    Description = The processing of Group Policy failed because of lack of network connectivity
    to a domain controller. This may be a transient condition. A success message would
    be generated once the machine gets connected to the domain controller and Group
    Policy has succesfully processed. If you do not see a success message for several
    hours, then contact your administrator.

    Error - 7/5/2012 3:11:39 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 7/5/2012 3:11:40 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 7/5/2012 3:11:40 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.

    Error - 7/5/2012 3:11:41 PM | Computer Name = AUSTIN-181.austin.360training.com | Source = Disk | ID = 262155
    Description = The driver detected a controller error on \Device\Harddisk1\DR1.


    < End of report >
     
  14. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.0.0.1:8080
      O15 - HKLM\..Trusted Domains: 360training.com ([aus-sharept-1.austin] http in Trusted sites)
      O15 - HKLM\..Trusted Domains: 360training.com ([crm] http in Trusted sites)
      O15 - HKLM\..Trusted Domains: 360training.com ([sharepoint] http in Trusted sites)
      O15 - HKLM\..Trusted Domains: 360training.com ([sharepoint.austin] http in Trusted sites)
      O15 - HKLM\..Trusted Domains: 360training.com ([webmail] https in Trusted sites)
      O15 - HKLM\..Trusted Domains: aus-sharept-1 ([]http in Trusted sites)
      O15 - HKLM\..Trusted Domains: crm ([]http in Trusted sites)
      O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([aus-sharept-1.austin] http in Trusted sites)
      O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([crm] http in Trusted sites)
      O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([sharepoint] http in Trusted sites)
      O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([sharepoint.austin] http in Trusted sites)
      O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: 360training.com ([webmail] https in Trusted sites)
      O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: aus-sharept-1 ([]http in Trusted sites)
      O15 - HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\..Trusted Domains: crm ([]http in Trusted sites)
      [2012/07/04 12:07:58 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Epyk
      [2012/07/04 12:44:31 | 000,000,000 | ---D | M] -- C:\Users\matthew.scofield\AppData\Roaming\Izbeu
      @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:15B79D44
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave reading the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please, run F-Secure Online Scanner

    • Disable your Antivirus program.
    • Checkmark I have read and accepted the license terms.
    • Click on Run Check button.
    • Quick scan (recommended) option will come pre-checked. Don't change it.
    • Click on Start button.
    • When the scan is done, in Step 3: Clean the files, leave all settings as they are.
    • Click Next button.
    • Click Full report... button.
    • Copy report's content and paste it into your next reply.
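
    The OTL fix above targets four kinds of indicator: per-user IE proxy settings (ProxyServer 10.0.0.1:8080 in the user's hive), Trusted Sites zone-map entries (the O15 lines), two randomly named folders under the user's AppData\Roaming, and an alternate data stream on C:\ProgramData\TEMP. The PowerShell below is an added, read-only check and is not part of this thread or of OTL itself; it reads the same locations so the state can be compared before and after the fix runs. The SID and profile path are copied from the fix text, everything else (service of the proxy, which scheme values to report) is an assumption.

```powershell
# Added example, not part of the thread or of OTL: read-only audit of the
# locations the fix script above targets. Run from an elevated PowerShell
# prompt on the affected machine. The SID and the profile path are copied
# from the fix text; on another machine they must be changed.

$sid     = 'S-1-5-21-2344476697-3930214085-3868020663-7841'
$roaming = 'C:\Users\matthew.scofield\AppData\Roaming'

# HKEY_USERS is not mapped as a drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# 1. Proxy settings in the three hives the fix touches. The fix text shows
#    ProxyServer = 10.0.0.1:8080 in the user's hive; confirm whether that is
#    a proxy the network really uses before treating it as hostile.
foreach ($hive in '.DEFAULT', 'S-1-5-18', $sid) {
    $key = "HKU:\$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        "{0,-48} ProxyEnable={1} ProxyServer={2} ProxyOverride={3}" -f $hive, $p.ProxyEnable, $p.ProxyServer, $p.ProxyOverride
    }
}

# 2. Trusted Sites zone-map entries (zone value 2). Each O15 line in the fix
#    is one of these subkeys; the value name is the scheme (http, https or *).
foreach ($root in 'HKLM:', "HKU:\$sid") {
    $zm = "$root\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path $zm)) { continue }
    Get-ChildItem -Path $zm -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($scheme in 'http', 'https', '*') {
            if ($props.$scheme -eq 2) {
                "{0} Trusted: {1} ({2})" -f $root, ($_.Name -replace '^.*\\Domains\\', ''), $scheme
            }
        }
    }
}

# 3. The two randomly named folders under the user's Roaming profile.
foreach ($name in 'Epyk', 'Izbeu') {
    $path = Join-Path $roaming $name
    "{0}  exists={1}" -f $path, (Test-Path $path)
}

# 4. Alternate data streams on C:\ProgramData\TEMP (the @Alternate Data Stream
#    line). -Stream needs PowerShell 3.0 or later; on stock Windows 7
#    PowerShell 2.0 use  dir /r C:\ProgramData  from cmd.exe instead.
Get-Item -Path 'C:\ProgramData\TEMP' -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { "{0}:{1}  {2} bytes" -f $_.FileName, $_.Stream, $_.Length }
```

    Nothing in the script changes the system; it only reports. A stream that survives the fix can be removed on PowerShell 3.0+ with `Remove-Item -Path 'C:\ProgramData\TEMP' -Stream <name>`, and a proxy that turns out to be the corporate one should be left alone rather than cleared.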
     
  15. Matt99

    Matt99 TS Rookie Topic Starter

    Okay, here's what the OTL log looks like:


    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
    The Security Check program just opened then closed really quickly each time I ran it; no log was produced.
    FSS log:
    Farbar Service Scanner Version: 02-07-2012
    Ran by matthew.scofield (administrator) on 06-07-2012 at 14:03:39
    Running from "C:\Users\matthew.scofield\Desktop"
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.
    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    System Restore:
    ============
    System Restore Disabled Policy:
    ========================
    Action Center:
    ============
    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.
    Windows Autoupdate Disabled Policy:
    ============================
    Windows Defender:
    ==============
    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit
    **** End of log ****
    Fsecure:
    2 malware found

    TrackingCookie.2o7 (spyware)
    • System (Disinfected)
    TrackingCookie.Atdmt (spyware)
    • System (Disinfected)

    Statistics

    Scanned:
    • Files: 4207
    • System: 4207
    • Not scanned: 0
    Actions:
    • Disinfected: 2
    • Renamed: 0
    • Deleted: 0
    • Not cleaned: 0
    • Submitted: 0

    Options

    Scanning engines:
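
    The FSS log above reports BITS as not running with no Start value in its service key, and finishes with an MD5 check of the service binaries. The PowerShell below is an added example, not part of this thread or of Farbar's tools; it reads the same two things so they can be compared against a known-clean Windows 7 SP1 x86 machine. The service names and file list are assumptions drawn from the components FSS lists; nothing is modified.

```powershell
# Added example, not from the thread or from FSS: read-only reproduction of
# the two checks in the FSS log above. Run elevated. Values are reported,
# not changed; compare them with a known-clean Windows 7 SP1 x86 machine.

# Service names assumed from the components FSS lists (BITS, Windows Update,
# firewall, VSS/backup, Security Center, WMI, COM+ events, Defender, RPC).
$services = 'BITS', 'wuauserv', 'CryptSvc', 'EventSystem', 'BFE', 'MpsSvc',
            'SDRSVC', 'VSS', 'wscsvc', 'Winmgmt', 'WinDefend', 'RpcSs'

# Start: 2 = automatic, 3 = manual, 4 = disabled. A missing Start value, which
# is what FSS reported for BITS, leaves the service control manager unable to
# start the service even though ImagePath and ServiceDll look intact.
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { "{0,-12} service key MISSING" -f $svc; continue }
    $p     = Get-ItemProperty -Path $key
    $start = if ($p.PSObject.Properties['Start']) { $p.Start } else { 'MISSING' }
    $live  = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $state = if ($live) { $live.Status } else { 'n/a' }
    "{0,-12} Start={1,-8} State={2,-8} ImagePath={3}" -f $svc, $start, $state, $p.ImagePath
}

# A subset of the files FSS hashed. MD5 is used only because that is what
# FSS reports; .NET's MD5 class works on PowerShell 2.0, unlike Get-FileHash.
$files = @(
    "$env:windir\system32\qmgr.dll",        # BITS
    "$env:windir\system32\wuaueng.dll",     # Windows Update engine
    "$env:windir\system32\cryptsvc.dll",
    "$env:windir\system32\Drivers\tcpip.sys",
    "$env:windir\system32\Drivers\afd.sys",
    "$env:windir\system32\svchost.exe",
    "$env:windir\system32\rpcss.dll"
)
$md5 = [System.Security.Cryptography.MD5]::Create()
foreach ($f in $files) {
    if (-not (Test-Path $f)) { "{0}  MISSING" -f $f; continue }
    $hash = ($md5.ComputeHash([System.IO.File]::ReadAllBytes($f)) |
             ForEach-Object { $_.ToString('x2') }) -join ''
    $ver  = (Get-Item $f).VersionInfo.FileVersion
    "{0}`n    md5={1}  version={2}" -f $f, $hash, $ver
}
```

    Compare the hashes and versions with the same files on a clean machine at the same patch level (the log shows ntdll.dll 6.1.7601.17725, so Windows 7 SP1); `sfc /scannow` is the built-in check that already knows the correct hashes. Get-AuthenticodeSignature is not a substitute here: on Windows 7 it generally reports catalog-signed system binaries as NotSigned, which is not by itself a sign of tampering.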
     
  16. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    OTL fix log is incorrect.
    Please redo.
     
  17. Matt99

    Matt99 TS Rookie Topic Starter

    Here ya go. Everything good?

    All processes killed
    ========== OTL ==========
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    HKU\S-1-5-21-2344476697-3930214085-3868020663-7841\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\aus-sharept-1.austin\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\crm\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\sharepoint\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\sharepoint.austin\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\webmail\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aus-sharept-1\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crm\ not found.
    Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\aus-sharept-1.austin\ not found.
    Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\crm\ not found.
    Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\sharepoint\ not found.
    Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\sharepoint.austin\ not found.
    Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\360training.com\webmail\ not found.
    Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aus-sharept-1\ not found.
    Registry key HKEY_USERS\S-1-5-21-2344476697-3930214085-3868020663-7841\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crm\ not found.
    Folder C:\Users\matthew.scofield\AppData\Roaming\Epyk\ not found.
    Folder C:\Users\matthew.scofield\AppData\Roaming\Izbeu\ not found.
    Unable to delete ADS C:\ProgramData\TEMP:15B79D44 .
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: matthew.scofield
    ->Temp folder emptied: 491333464 bytes
    ->Temporary Internet Files folder emptied: 77731262 bytes
    ->Java cache emptied: 29631 bytes
    ->FireFox cache emptied: 20288299 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 2521 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: ronnie
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: suzie.sands
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3224 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 1637064 bytes

    Total Files Cleaned = 564.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: matthew.scofield
    ->Java cache emptied: 0 bytes

    User: Public

    User: ronnie
    ->Java cache emptied: 0 bytes

    User: suzie.sands

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: matthew.scofield
    ->Flash cache emptied: 0 bytes

    User: Public

    User: ronnie
    ->Flash cache emptied: 0 bytes

    User: suzie.sands

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.53.1 log created on 07062012_200533
    Files\Folders moved on Reboot...
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
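The OTL log above reports one item it could not remove, the alternate data stream C:\ProgramData\TEMP:15B79D44, and nothing in this thread says what that stream holds. As an added example, not code from the thread or from OTL, the following Windows PowerShell script lists the named streams on a path with their size and first bytes so the operator can judge them before deleting one, and prints the owner and ACL when removal fails. It assumes Windows PowerShell 3.0 or later (Windows 7 ships 2.0; the -Stream parameter arrived with WMF 3.0) and an elevated prompt; the path and stream name are the ones from the log.

```powershell
# Added example: not code from the thread or from OTL. Lists, inspects and optionally
# removes NTFS alternate data streams (ADS) such as the one OTL could not delete.
# Requires Windows PowerShell 3.0+ (for -Stream) and an elevated prompt.

function Get-AdsInfo {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Every NTFS file or directory has the unnamed ':$DATA' stream; anything else is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            # Peek at the first bytes so the operator can judge the content before deleting:
            # 'MZ' (4D 5A) means an executable, '[ZoneTransfer]' is the ordinary download marker.
            # -Encoding Byte is Windows PowerShell syntax; PowerShell 7 uses -AsByteStream.
            $head = Get-Content -LiteralPath $Path -Stream $_.Stream -Encoding Byte -TotalCount 16 -ErrorAction SilentlyContinue
            $hex  = if ($head) { ($head | ForEach-Object { $_.ToString('X2') }) -join ' ' } else { '' }
            [pscustomobject]@{
                Path    = $Path
                Stream  = $_.Stream
                Length  = $_.Length
                HeadHex = $hex
            }
        }
}

function Remove-Ads {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Stream
    )
    try {
        Remove-Item -LiteralPath $Path -Stream $Stream -ErrorAction Stop
        "Removed ${Path}:${Stream}"
    } catch {
        # Typical causes: a running process holds the stream open, or the ACL denies
        # the caller. Show the owner/ACL so the operator can see which it is.
        "Could not remove ${Path}:${Stream} -> $($_.Exception.Message)"
        Get-Acl -LiteralPath $Path | Select-Object Owner, AccessToString | Format-List | Out-Host
    }
}

# The path and stream name are the ones from the OTL log above.
Get-AdsInfo -Path 'C:\ProgramData\TEMP' | Format-Table -AutoSize

# Only after inspecting the output:
# Remove-Ads -Path 'C:\ProgramData\TEMP' -Stream '15B79D44'
```

If Remove-Item fails with access denied even from an elevated prompt, re-run from Safe Mode rather than forcing ownership changes, since a locked stream usually means some process still has it open. For a directory target, `cmd /c dir /R C:\ProgramData` on the parent folder lists the same streams independently of the PowerShell version.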
     
  18. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    I still need the Security Check log.
     
  19. Matt99

    Matt99 TS Rookie Topic Starter

    It ran this time, here you go. Look good?

    Results of screen317's Security Check version 0.99.24
    Windows 7 Service Pack 1 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    ESET NOD32 Antivirus
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 33
    Adobe Flash Player 11.3.300.262
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````
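The Security Check output above lists the installed Java, Flash and Firefox versions. As an added example, not part of the thread or of screen317's tool, this Windows PowerShell script builds the same kind of inventory from the Uninstall registry keys (64-bit, 32-bit and per-user hives) and flags entries below a minimum version. The minimum versions in the script are placeholders chosen for illustration, not a statement about which versions are vulnerable; it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: not code from the thread or from Security Check. Enumerates installed
# software from the Uninstall registry keys and flags entries older than a caller-supplied
# minimum version. The thresholds at the bottom are illustrative assumptions only.

function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on x64
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # skip hidden components
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Find-OutdatedSoftware {
    param(
        # Hashtable: regex matched against DisplayName -> minimum acceptable version string
        [Parameter(Mandatory = $true)][hashtable]$Minimum,
        [object[]]$Inventory = (Get-InstalledSoftware)
    )
    foreach ($app in $Inventory) {
        foreach ($pattern in $Minimum.Keys) {
            if ($app.DisplayName -match $pattern) {
                # DisplayVersion is free text; keep only a leading dotted-numeric prefix,
                # and treat an unparseable version as outdated so it gets a manual look.
                $ver = $null
                if ($app.DisplayVersion -match '^\d+(\.\d+){1,3}') {
                    $ver = [version]$Matches[0]
                }
                [pscustomobject]@{
                    Name      = $app.DisplayName
                    Installed = $app.DisplayVersion
                    Minimum   = $Minimum[$pattern]
                    Outdated  = ($ver -eq $null) -or ($ver -lt [version]$Minimum[$pattern])
                }
            }
        }
    }
}

# Illustrative thresholds only (assumption): replace with the vendors' current versions.
$minimum = @{
    '^Java\(TM\) \d+ Update' = '6.0.330'
    '^Adobe Flash Player'    = '11.3.300.262'
    '^Mozilla Firefox'       = '13.0'
}
Find-OutdatedSoftware -Minimum $minimum | Format-Table -AutoSize
```

The registry carries the version strings that tools like Secunia PSI compare against vendor data; the script only reproduces the inventory side, so the thresholds have to come from the vendors' release notes rather than from the script.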
     
  20. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Your computer is clean.

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during the cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
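Step 1 above does the restore-point reset with an OTL script. As an added example, not code from the thread and not how OTL implements [CLEARALLRESTOREPOINTS], here is the same outcome with the built-in Windows PowerShell cmdlets: list the existing points, discard them, create one clean point and verify that only it remains. It assumes an elevated prompt on a client edition of Windows (the restore cmdlets are not available on Server); the drive letter and description are assumptions.

```powershell
# Added example: not from the thread, and not how OTL's [CLEARALLRESTOREPOINTS] works
# internally. Reaches the same state as step 1 with built-in cmdlets.
# Run from an elevated Windows PowerShell prompt on a client edition of Windows.

function Show-RestorePoints {
    param([object[]]$Points)
    # CreationTime is a WMI datetime string; convert it for readable output.
    $Points |
        Select-Object SequenceNumber, Description,
            @{ n = 'Created'; e = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize | Out-Host
}

function Reset-RestorePoints {
    param(
        [string]$Drive = 'C:\',                                          # assumption: system drive
        [string]$Description = 'Clean restore point after malware removal'
    )

    # 1. Record what exists now. Old points can hold copies of the infected files,
    #    so restoring to one of them would reinfect the machine.
    $before = @(Get-ComputerRestorePoint)
    "Restore points before: $($before.Count)"
    Show-RestorePoints -Points $before

    # 2. Turning System Protection off for a drive discards that drive's restore
    #    points; turning it back on starts with an empty set.
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore -Drive $Drive

    # 3. Create the fresh, clean point. MODIFY_SETTINGS is the generic type used
    #    for manually created points.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    # 4. Verify: only the new point should be listed.
    $after = @(Get-ComputerRestorePoint)
    "Restore points after: $($after.Count)"
    Show-RestorePoints -Points $after
    return $after
}

Reset-RestorePoints
```

On Windows 7, the system in this thread, Checkpoint-Computer creates a point whenever it is called. On Windows 8 and later it skips creation with a warning if another point was made in the previous 24 hours, unless the DWORD SystemRestorePointCreationFrequency under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0, so check the "after" listing rather than assuming the point exists.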
     
  21. Matt99

    Matt99 TS Rookie Topic Starter

    Here is the final log, it seems all is good. Thank you very much for your help, I'll be happy to make a donation shortly, thanks a lot, Broni.

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: matthew.scofield
    ->Temp folder emptied: 116884 bytes
    ->Temporary Internet Files folder emptied: 238790497 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 6629 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: ronnie
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: suzie.sands
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5944 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 595968 bytes

    Total Files Cleaned = 228.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: matthew.scofield
    ->Flash cache emptied: 0 bytes

    User: Public

    User: ronnie
    ->Flash cache emptied: 0 bytes

    User: suzie.sands

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: matthew.scofield
    ->Java cache emptied: 0 bytes

    User: Public

    User: ronnie
    ->Java cache emptied: 0 bytes

    User: suzie.sands

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.53.1 log created on 07082012_140646
    Files\Folders moved on Reboot...
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
     
  22. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Way to go!!
    Good luck and stay safe :)
     

