TechSpot

Sirefef / services corruption

By danmaku
Jul 7, 2012
  1. Symptoms:

    Microsoft Security Essentials will not run. If I attempt a reinstallation, it will run but then prompt me to restart my machine, at which point it will enter a continuous loop of rebooting the system, stating that Windows had suffered a crash and needs to reboot in sixty seconds. I have used a system restore point to successfully divert the reboot process, but MSE will not run.

    Windows Security Service is turned off: WSS will not turn on, stating that it can't be turned on. I looked into the Services menu to try to find Security Central, but it was not listed in the services menu.

    Diagnosis:
    I used a third-party anti-malware tool (Malwarebytes) to identify the trojan. I do not know what type of Sirefef has corrupted my computer (to my best understanding, it consists of a family of different trojans/viruses/rootkits). When running the clean-up process, I was prompted to reboot my computer. However, the tool was ineffective in removing the malware.

    Any help would be greatly appreciated (although I'm wondering if it would be quicker and as effective to reinstall Windows without reformatting my hard drive, to prevent wasting time reinstalling everything).
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hi there. Welcome to TechSpot. Thanks for starting your own thread.

    We will take care of MSE in a little while.

    We're going to get a little idea/peek of your system...

    Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in

      msconfig
      safebootminimal
      activex
      drivers32
      netsvcs
      CreateRestorePoint
      %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5
      %AppData%\Local\
      %systemroot%\system32\sysprep
      *.xpi /md5
      %systemroot%\Downloaded Program Files\
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\system32\drivers\*.sys /90
      %systemroot%\System32\config\*.sav
      %SYSTEMDRIVE%\*.exe /md5
      "%WinDir%\$NtUninstallKB*$." /30
      %systemdrive%\Program Files\Common Files\ComObjects\*.* /s
      %systemroot%\*. /mp /s
      %systemroot%\*. /rp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
      %USERPROFILE%\AppData\Local\ /s
      %systemroot%\Installer\ /s
      %systemroot%\system32\Cache\ /s
      %systemroot%\system32\config\systemprofile\Application Data /s
      %PROGRAMFILES%\*.
      %appdata%\*.*
      /md5start
      volsnap.sys
      services.exe
      userinit.exe
      afd.sys
      tcpip.sys
      netbt.sys
      ipsec.sys
      dnsrslvr.dll
      ipnathlp.dll
      netman.dll
      WMIsvc.dll
      srsvc.dll
      sr.sys
      wscsvc.dll
      wuauserv.dll
      qmgr.dll
      es.dll
      cryptsvc.dll
      svchost.exe
      rpcss.dll
      tdx.sys
      wininit.exe
      winlogon.exe
      atapi.sys
      explorer.exe
      /md5stop
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.
    Note: in the event that OTL fails to run, please use alternate download links to try again:

    http://oldtimer.geekstogo.com/OTL.com
    http://oldtimer.geekstogo.com/OTL.scr
     
  3. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    Here are the contents of OTL.txt

    OTL logfile created on: 7/7/2012 12:20:02 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Noah\Downloads
    64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 51.69% Memory free
    3.99 Gb Paging File | 2.53 Gb Available in Paging File | 63.39% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 465.76 Gb Total Space | 24.06 Gb Free Space | 5.17% Space Free | Partition Type: NTFS
    Drive D: | 149.05 Gb Total Space | 32.93 Gb Free Space | 22.10% Space Free | Partition Type: NTFS

    Computer Name: ARK | User Name: Noah | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/07 12:18:01 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Noah\Downloads\OTL.exe
    PRC - [2012/06/27 20:18:53 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    PRC - [2012/02/13 01:06:56 | 003,481,408 | ---- | M] (DT Soft Ltd) -- C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
    PRC - [2012/01/03 06:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2009/11/09 12:00:32 | 000,107,856 | ---- | M] () -- C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe
    PRC - [2008/06/03 15:54:56 | 000,446,635 | ---- | M] (Creative Technology Ltd.) -- C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/06/27 20:18:53 | 002,042,848 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
    MOD - [2012/05/13 11:47:21 | 008,797,856 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
    MOD - [2011/03/17 01:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
    MOD - [2010/10/20 16:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2011/12/05 20:11:56 | 000,235,520 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
    SRV:64bit: - [2010/09/22 19:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
    SRV:64bit: - [2009/07/13 18:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
    SRV:64bit: - [2009/07/13 18:38:59 | 000,019,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\CISVC.EXE -- (CISVC)
    SRV - [2012/07/01 00:59:27 | 000,049,152 | ---- | M] (Mustek Systems) [Auto | Stopped] -- C:\Users\Noah\AppData\Local\Temp\DAT1F4C.tmp.exe -- (zmdjwsviccq)
    SRV - [2012/06/27 20:18:53 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/01/03 06:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/11/09 12:02:48 | 000,120,144 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Clearwire\Connection Manager\RcAppSvc.exe -- (CLEARWIRERcAppSvc)
    SRV - [2009/11/09 12:00:32 | 000,107,856 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe -- (SMSI Device Launch Service)
    SRV - [2009/11/09 12:00:20 | 000,124,240 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe -- (CACLEARWIRE)
    SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/04/04 22:40:01 | 000,711,712 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
    DRV:64bit: - [2012/04/04 22:40:01 | 000,081,952 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\tifsfilt.sys -- (tifsfilter)
    DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV:64bit: - [2012/03/03 23:03:04 | 000,564,792 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
    DRV:64bit: - [2012/02/29 23:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2011/12/05 20:45:40 | 010,720,256 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
    DRV:64bit: - [2011/12/05 20:45:40 | 010,720,256 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
    DRV:64bit: - [2011/12/05 19:12:14 | 000,327,168 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
    DRV:64bit: - [2011/12/05 12:47:30 | 000,095,248 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
    DRV:64bit: - [2011/03/10 23:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/10 23:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/20 06:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 04:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 02:37:42 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
    DRV:64bit: - [2010/07/13 10:57:08 | 000,069,736 | ---- | M] (ITE Tech. Inc. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\itecir.sys -- (itecir)
    DRV:64bit: - [2009/11/09 11:47:26 | 000,043,032 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\PCTINDIS5X64.sys -- (PCTINDIS5X64)
    DRV:64bit: - [2009/11/03 07:24:36 | 000,062,976 | ---- | M] (Beceem communications pvt ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BcmBusCtr_64.sys -- (bcmbusctr)
    DRV:64bit: - [2009/11/03 06:01:04 | 000,318,336 | ---- | M] (Beceem communications pvt ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\drxvi314_64.sys -- (bcm)
    DRV:64bit: - [2009/07/29 14:50:18 | 000,253,488 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/29 13:44:38 | 000,487,424 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stwrt64.sys -- (STHDA)
    DRV:64bit: - [2009/06/25 18:04:20 | 000,067,584 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimmpx64.sys -- (rimmptsk)
    DRV:64bit: - [2009/06/25 17:38:52 | 000,057,856 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rixdpx64.sys -- (rismxdp)
    DRV:64bit: - [2009/06/25 17:13:44 | 000,055,296 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimspx64.sys -- (rimsptsk)
    DRV:64bit: - [2009/06/10 13:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64) Intel(R)
    DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/06/07 01:36:46 | 000,317,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\k57nd60a.sys -- (k57nd60a) Broadcom NetLink (TM)
    DRV:64bit: - [2008/10/06 09:55:38 | 000,169,248 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\OA001Ufd.sys -- (OA001Ufd)
    DRV:64bit: - [2008/10/02 01:04:00 | 000,317,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\OA001Vid.sys -- (OA001Vid)
    DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 59 93 79 D2 C4 07 CD 01 [binary data]
    IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.useDBForOrder: true
    FF - user.js - File not found

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_2_202_235.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\Windows\system32\npDeployJava1.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@skyhookwireless.com/LokiPlugin,version=3.1.0.05: C:\Program Files (x86)\Skyhook Wireless\Loki ActiveX Component\versions\3.1.0.05\loki.dll (Skyhook Wireless)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Noah\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Noah\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Noah\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Noah\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\fbphotozoom@installdaddy.com: C:\Program Files (x86)\fbphotozoom\fbphotozoom13.xpi [2012/03/07 15:09:29 | 000,102,233 | ---- | M] ()
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/07/07 12:12:34 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/06/09 19:50:30 | 000,000,000 | ---D | M]

    [2012/07/05 22:28:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Noah\AppData\Roaming\Mozilla\Extensions
    [2012/07/07 03:26:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Noah\AppData\Roaming\Mozilla\Firefox\Profiles\41xcho6s.default\extensions
    [2012/07/07 00:50:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Noah\AppData\Roaming\Mozilla\Firefox\Profiles\kqj1upq1.default\extensions
    [2012/07/05 22:27:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2012/06/27 20:18:54 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2012/06/14 15:19:40 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/06/14 15:19:40 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2009/06/10 14:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
    O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
    O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4:64bit: - HKLM..\Run: [QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
    O4 - HKLM..\Run: [Clearwire Connection Manager] C:\Program Files (x86)\Clearwire\Connection Manager\ClearwireCM.exe (ClearwireCM)
    O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe (Creative Technology Ltd.)
    O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
    O4 - HKCU..\Run: [yahoo!] C:\Users\Noah\AppData\Local\Temp\94092002225Wsy.dll (Lavasoft )
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O1364bit: - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} https://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{89FE7FE4-C48C-4C8E-A166-B311E991BE99}: DhcpNameServer = 64.13.115.12 75.94.255.12
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A789C7CC-1F9B-4C7D-B25D-CF9413FE915F}: DhcpNameServer = 192.168.0.1 205.171.3.25
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O18 - Protocol\Handler\ms-help - No CLSID value found
    O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)


    SafeBootMin:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
    SafeBootMin:64bit: Base - Driver Group
    SafeBootMin:64bit: Boot Bus Extender - Driver Group
    SafeBootMin:64bit: Boot file system - Driver Group
    SafeBootMin:64bit: File system - Driver Group
    SafeBootMin:64bit: Filter - Driver Group
    SafeBootMin:64bit: HelpSvc - Service
    SafeBootMin:64bit: MsMpSvc - Service
    SafeBootMin:64bit: PCI Configuration - Driver Group
    SafeBootMin:64bit: PNP Filter - Driver Group
    SafeBootMin:64bit: Primary disk - Driver Group
    SafeBootMin:64bit: sacsvr - Service
    SafeBootMin:64bit: SCSI Class - Driver Group
    SafeBootMin:64bit: System Bus Extender - Driver Group
    SafeBootMin:64bit: vmms - Service
    SafeBootMin:64bit: WinDefend - Service
    SafeBootMin:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
    SafeBootMin:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
    SafeBootMin:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
    SafeBootMin:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
    SafeBootMin:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
    SafeBootMin:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
    SafeBootMin:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
    SafeBootMin:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
    SafeBootMin:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
    SafeBootMin:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
    SafeBootMin:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
    SafeBootMin:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
    SafeBootMin:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
    SafeBootMin:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
    SafeBootMin:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
    SafeBootMin:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
    SafeBootMin:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
    SafeBootMin: Base - Driver Group
    SafeBootMin: Boot Bus Extender - Driver Group
    SafeBootMin: Boot file system - Driver Group
    SafeBootMin: File system - Driver Group
    SafeBootMin: Filter - Driver Group
    SafeBootMin: HelpSvc - Service
    SafeBootMin: MsMpSvc - Service
    SafeBootMin: PCI Configuration - Driver Group
    SafeBootMin: PNP Filter - Driver Group
    SafeBootMin: Primary disk - Driver Group
    SafeBootMin: sacsvr - Service
    SafeBootMin: SCSI Class - Driver Group
    SafeBootMin: System Bus Extender - Driver Group
    SafeBootMin: vmms - Service
    SafeBootMin: WinDefend - Service
    SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
    SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
    SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
    SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
    SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
    SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
    SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
    SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
    SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
    SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
    SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
    SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
    SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
    SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
    SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
    SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
    SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

    ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
    ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /I:/UserInstall %SystemRoot%\system32\themeui.dll
    ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
    ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
    ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
    ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
    ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
    ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
    ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
    ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
    ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
    ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
    ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /I:U shell32.dll
    ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
    ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
    ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
    ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
    ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
    ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
    ActiveX:64bit: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
    ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
    ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
    ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
    ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
    ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
    ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /I:/UserInstall %SystemRoot%\system32\themeui.dll
    ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
    ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
    ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
    ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
    ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
    ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
    ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
    ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
    ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
    ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
    ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
    ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /I:U shell32.dll
    ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
    ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
    ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
    ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
    ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
    ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
    ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
    ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
    ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
    ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

    Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.FFDS - C:\Program Files (x86)\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()

    NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
     
  4. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    OTL.txt (continued)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/07 02:22:02 | 000,000,000 | ---D | C] -- C:\Users\Noah\AppData\Roaming\Malwarebytes
    [2012/07/07 02:21:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/07 02:21:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/07/07 02:21:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/07/07 02:14:14 | 000,000,000 | ---D | C] -- C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
    [2012/07/07 02:14:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
    [2012/07/07 01:55:24 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.739C8873D9ECF71E
    [2012/07/07 01:55:24 | 000,050,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\xzmpqrzp.sys
    [2012/07/07 01:49:50 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.4A6442602067A050
    [2012/07/07 01:42:47 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.BF239738057945B9
    [2012/07/07 01:24:29 | 000,000,000 | ---D | C] -- C:\Users\Noah\Desktop\New folder
    [2012/07/07 01:24:11 | 000,000,000 | -HSD | C] -- C:\Config.Msi
    [2012/07/06 04:10:55 | 000,000,000 | ---D | C] -- C:\Users\Noah\Desktop\spookeedoo
    [2012/07/06 03:05:40 | 000,000,000 | ---D | C] -- C:\Users\Noah\AppData\Local\Zachtronics Industries
    [2012/07/06 03:04:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zachtronics Industries
    [2012/07/06 03:04:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Zachtronics Industries
    [2012/07/03 23:46:45 | 000,000,000 | ---D | C] -- C:\Windows\Ideas From the Deep
    [2012/07/03 23:46:45 | 000,000,000 | ---D | C] -- C:\Users\Noah\AppData\Local\Ideas From the Deep
    [2012/07/03 23:46:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Ideas From the Deep
    [2012/07/03 23:46:43 | 000,000,000 | ---D | C] -- C:\Users\Noah\AppData\Roaming\Ideas From the Deep
    [2012/07/03 23:46:26 | 000,000,000 | ---D | C] -- C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ideas From the Deep
    [2012/07/03 23:46:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ideas From the Deep
    [2012/07/01 01:03:51 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
    [2012/06/27 02:26:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SystemRequirementsLab
    [2012/06/27 02:26:43 | 000,000,000 | ---D | C] -- C:\Users\Noah\AppData\Roaming\SystemRequirementsLab
    [2012/06/23 20:20:12 | 000,000,000 | ---D | C] -- C:\Users\Noah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cave Story+
    [2012/06/23 20:18:43 | 000,000,000 | ---D | C] -- C:\Users\Noah\Desktop\Cave Story+
    [2012/06/23 18:16:37 | 000,000,000 | ---D | C] -- C:\Users\Noah\Desktop\白熊さんと灰色熊さんがエッチするだけ
    [2012/06/21 19:38:10 | 000,000,000 | ---D | C] -- C:\Users\Noah\Desktop\Logan comics
    [2012/06/21 17:58:46 | 000,044,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups2.dll
    [2012/06/21 17:58:45 | 002,622,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wucltux.dll
    [2012/06/21 17:58:45 | 000,057,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuauclt.exe
    [2012/06/21 17:58:27 | 000,099,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wudriver.dll
    [2012/06/21 17:58:27 | 000,038,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups.dll
    [2012/06/21 17:58:26 | 000,701,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapi.dll
    [2012/06/21 17:58:05 | 000,186,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuwebv.dll
    [2012/06/21 17:58:05 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapp.exe
    [2012/06/21 15:52:19 | 000,000,000 | ---D | C] -- C:\Users\Noah\Desktop\God Mode.{ED7BA470-8E54-465E-825C-99712043E01C}
    [2012/06/16 23:36:09 | 000,000,000 | ---D | C] -- C:\Users\Noah\AppData\Roaming\dvdcss
    [2012/06/14 15:25:51 | 000,000,000 | ---D | C] -- C:\Users\Noah\Desktop\New folder (2)
    [2012/06/13 23:27:55 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
    [2012/06/13 23:27:55 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
    [2012/06/13 23:27:54 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
    [2012/06/13 23:27:53 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
    [2012/06/13 23:27:48 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
    [2012/06/13 23:27:48 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
    [2012/06/13 23:27:47 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
    [2012/06/13 23:27:46 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
    [2012/06/13 23:27:40 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
    [2012/06/13 23:27:40 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
    [2012/06/13 23:27:39 | 002,311,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
    [2012/06/13 23:27:37 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
    [2012/06/13 23:27:36 | 000,818,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
    [2012/06/13 23:26:27 | 000,514,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\qdvd.dll
    [2012/06/13 23:26:26 | 000,366,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\qdvd.dll
    [2012/06/13 20:43:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
    [2012/06/13 17:11:18 | 000,149,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpcorekmts.dll
    [2012/06/13 17:11:17 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpwsx.dll
    [2012/06/13 17:11:17 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdrmemptylst.exe
    [2012/06/13 17:10:35 | 005,559,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
    [2012/06/13 17:10:30 | 003,913,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
    [2012/06/13 17:10:29 | 003,968,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
    [2012/06/13 17:10:17 | 001,462,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
    [2012/06/13 17:10:14 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll
    [2012/06/13 17:09:53 | 003,216,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msi.dll
    [2012/06/12 00:13:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rome - Total War
    [2012/06/11 23:44:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Total War
    [2012/06/11 23:43:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\The Creative Assembly
    [2012/06/11 15:27:53 | 000,000,000 | ---D | C] -- C:\Users\Noah\Desktop\admfeb-partjun2012
    [2012/06/09 19:50:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime Alternative
    [2012/06/09 19:50:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
    [2012/06/09 19:50:27 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\Windows\SysWow64\QuickTimeVR.qtx
    [2012/06/09 19:50:27 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\Windows\SysWow64\QuickTime.qts
    [2012/06/09 19:50:26 | 000,180,224 | ---- | C] (Apple Inc.) -- C:\Windows\SysWow64\QTCF.dll
    [2012/06/09 19:50:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime Alternative
    [2012/06/08 14:53:15 | 000,000,000 | ---D | C] -- C:\Users\Noah\Desktop\Windows Users
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/07/07 12:20:54 | 000,013,792 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/07/07 12:20:54 | 000,013,792 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/07/07 12:13:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/07/07 12:13:29 | 1606,594,560 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/07 01:55:24 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.739C8873D9ECF71E
    [2012/07/07 01:55:24 | 000,050,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\xzmpqrzp.sys
    [2012/07/07 01:49:50 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.4A6442602067A050
    [2012/07/07 01:42:47 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.BF239738057945B9
    [2012/07/06 23:33:47 | 000,064,193 | ---- | M] () -- C:\Users\Noah\Desktop\tumblr_l14o6fSm4V1qb3mmfo1_500.jpg
    [2012/07/06 22:55:05 | 000,005,273 | ---- | M] () -- C:\Users\Noah\Desktop\gens.ini
    [2012/07/06 22:51:45 | 000,000,040 | ---- | M] () -- C:\Users\Noah\Desktop\language.dat
    [2012/07/06 21:56:03 | 000,041,208 | ---- | M] () -- C:\Users\Noah\Desktop\friday-fiver-spacechem.jpg
    [2012/07/06 18:23:32 | 000,456,749 | ---- | M] () -- C:\Users\Noah\Desktop\1329606682.fundles_sharky2.jpg
    [2012/07/06 17:30:50 | 000,036,209 | ---- | M] () -- C:\Users\Noah\Desktop\team-america-matt-damon11.jpg
    [2012/07/06 14:29:31 | 000,063,340 | ---- | M] () -- C:\Users\Noah\Desktop\large.jpg
    [2012/07/06 14:22:55 | 000,059,171 | ---- | M] () -- C:\Users\Noah\Desktop\slash0x_artaldssktch_web.jpg
    [2012/07/06 04:08:22 | 004,320,054 | ---- | M] () -- C:\Users\Noah\Desktop\mxw9npze.bmp
    [2012/07/03 03:48:01 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3241787045-3222298948-2849222198-1000UA.job
    [2012/07/02 15:48:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3241787045-3222298948-2849222198-1000Core.job
    [2012/07/01 00:59:56 | 000,000,375 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.ics
    [2012/07/01 00:59:39 | 000,140,832 | ---- | M] () -- C:\Windows\SysWow64\drivers\str.sys
    [2012/06/30 20:39:59 | 001,209,650 | ---- | M] () -- C:\Users\Noah\Desktop\Curly Christmas.zip
    [2012/06/30 17:51:14 | 000,786,792 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012/06/30 17:51:14 | 000,656,786 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012/06/30 17:51:14 | 000,123,378 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012/06/30 17:14:07 | 035,265,753 | ---- | M] () -- C:\Users\Noah\Desktop\policech1.rar
    [2012/06/29 13:06:50 | 010,982,724 | ---- | M] () -- C:\Users\Noah\Desktop\KNKs SUMMER CARNIVAL 2K12.rar
    [2012/06/27 21:54:15 | 210,895,148 | ---- | M] () -- C:\Users\Noah\Desktop\'REARDELIVERIES.rar
    [2012/06/26 18:42:31 | 150,860,927 | ---- | M] () -- C:\Users\Noah\Desktop\Metroid Prime Galleries.rar
    [2012/06/15 01:16:31 | 000,278,486 | ---- | M] () -- C:\Users\Noah\Desktop\Tutorial_Virial_Expansion.pdf
    [2012/06/15 01:02:08 | 001,027,559 | ---- | M] () -- C:\Users\Noah\Desktop\Junji Ito - Hell Dollies [One shot].rar
    [2012/06/14 02:36:13 | 000,415,824 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2012/06/09 14:09:28 | 105,574,197 | ---- | M] () -- C:\Users\Noah\Desktop\REARDELIVERIES_NEW-PACK_(1).zip
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/07/07 01:28:38 | 000,001,925 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/07/06 23:33:47 | 000,064,193 | ---- | C] () -- C:\Users\Noah\Desktop\tumblr_l14o6fSm4V1qb3mmfo1_500.jpg
    [2012/07/06 22:55:05 | 000,005,273 | ---- | C] () -- C:\Users\Noah\Desktop\gens.ini
    [2012/07/06 22:51:45 | 000,000,040 | ---- | C] () -- C:\Users\Noah\Desktop\language.dat
    [2012/07/06 21:56:03 | 000,041,208 | ---- | C] () -- C:\Users\Noah\Desktop\friday-fiver-spacechem.jpg
    [2012/07/06 18:23:32 | 000,456,749 | ---- | C] () -- C:\Users\Noah\Desktop\1329606682.fundles_sharky2.jpg
    [2012/07/06 17:30:50 | 000,036,209 | ---- | C] () -- C:\Users\Noah\Desktop\team-america-matt-damon11.jpg
    [2012/07/06 14:29:31 | 000,063,340 | ---- | C] () -- C:\Users\Noah\Desktop\large.jpg
    [2012/07/06 14:22:55 | 000,059,171 | ---- | C] () -- C:\Users\Noah\Desktop\slash0x_artaldssktch_web.jpg
    [2012/07/05 22:27:14 | 000,001,156 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    [2012/07/01 01:00:01 | 000,022,016 | ---- | C] () -- C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\U\800000cb.@
    [2012/07/01 01:00:01 | 000,016,896 | ---- | C] () -- C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\U\80000000.@
    [2012/07/01 01:00:01 | 000,001,696 | ---- | C] () -- C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\U\00000001.@
    [2012/07/01 00:59:30 | 000,140,832 | ---- | C] () -- C:\Windows\SysWow64\drivers\str.sys
    [2012/06/30 20:05:32 | 004,320,054 | ---- | C] () -- C:\Users\Noah\Desktop\mxw9npze.bmp
    [2012/06/30 17:11:54 | 035,265,753 | ---- | C] () -- C:\Users\Noah\Desktop\policech1.rar
    [2012/06/29 13:06:17 | 010,982,724 | ---- | C] () -- C:\Users\Noah\Desktop\KNKs SUMMER CARNIVAL 2K12.rar
    [2012/06/27 20:35:33 | 210,895,148 | ---- | C] () -- C:\Users\Noah\Desktop\'REARDELIVERIES.rar
    [2012/06/26 18:38:09 | 150,860,927 | ---- | C] () -- C:\Users\Noah\Desktop\Metroid Prime Galleries.rar
    [2012/06/26 11:02:38 | 001,209,650 | ---- | C] () -- C:\Users\Noah\Desktop\Curly Christmas.zip
    [2012/06/23 20:18:24 | 019,341,607 | ---- | C] () -- C:\Users\Noah\Desktop\Cave Story+.exe
    [2012/06/15 01:16:31 | 000,278,486 | ---- | C] () -- C:\Users\Noah\Desktop\Tutorial_Virial_Expansion.pdf
    [2012/06/15 01:01:15 | 001,027,559 | ---- | C] () -- C:\Users\Noah\Desktop\Junji Ito - Hell Dollies [One shot].rar
    [2012/06/09 14:00:53 | 105,574,197 | ---- | C] () -- C:\Users\Noah\Desktop\REARDELIVERIES_NEW-PACK_(1).zip
    [2012/05/03 18:22:16 | 000,023,771 | ---- | C] () -- C:\Users\Noah\.recently-used.xbel
    [2012/04/27 17:29:41 | 004,590,718 | ---- | C] () -- C:\Users\Noah\FCE Ultra GX 3.2.9.zip
    [2012/04/25 17:31:47 | 004,876,778 | ---- | C] () -- C:\Users\Noah\mame-wii-v1.0.zip
    [2012/04/05 15:52:19 | 000,000,787 | ---- | C] () -- C:\Windows\Thps3.INI
    [2012/03/22 18:00:52 | 000,084,085 | ---- | C] () -- C:\Windows\War3Unin.dat
    [2012/03/22 15:25:47 | 000,000,075 | RHS- | C] () -- C:\Windows\CT4CET.bin
    [2012/03/13 01:00:34 | 880,532,885 | ---- | C] () -- C:\Users\Noah\QuickPix.rar
    [2012/03/03 02:13:38 | 000,007,605 | ---- | C] () -- C:\Users\Noah\AppData\Local\Resmon.ResmonCfg
    [2012/02/27 16:13:36 | 000,005,632 | ---- | C] () -- C:\Users\Noah\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/11 23:07:31 | 000,800,878 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2012/02/11 21:22:12 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\@
    [2012/02/11 21:22:12 | 000,002,048 | -HS- | C] () -- C:\Users\Noah\AppData\Local\{989ae601-0dc7-461e-0851-c26e7dd1b925}\@
    [2012/02/11 16:37:46 | 000,089,753 | ---- | C] () -- C:\Users\Noah\report-11-153987-0.pdf
    [2012/02/11 16:37:39 | 327,950,130 | ---- | C] () -- C:\Users\Noah\New Folder.zip
    [2012/02/11 16:37:39 | 002,801,723 | ---- | C] () -- C:\Users\Noah\Image (2).jpg
    [2012/02/11 16:37:39 | 000,221,667 | ---- | C] () -- C:\Users\Noah\mom.jpg
    [2012/02/11 16:22:56 | 026,596,272 | ---- | C] () -- C:\Users\Noah\A Game Of Thrones.rar
    [2012/02/11 16:22:55 | 041,119,131 | ---- | C] () -- C:\Users\Noah\100_2908.mov
    [2012/02/11 13:18:18 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
    [2011/12/05 23:04:00 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OpenVideo.dll
    [2011/12/05 23:03:52 | 000,054,784 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
    [2011/12/05 19:35:10 | 000,204,960 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
    [2011/12/05 19:35:10 | 000,157,152 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
    [2011/09/12 16:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

    ========== Custom Scans ==========

    < %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5 >

    < %AppData%\Local\ >

    < %systemroot%\system32\sysprep >

    < *.xpi /md5 >

    < %systemroot%\Downloaded Program Files\ >

    < HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile >

    < hklm\software\clients\startmenuinternet|command /rs >
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/06/27 20:18:51 | 000,867,072 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/06/27 20:18:51 | 000,867,072 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/06/27 20:18:51 | 000,867,072 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files (x86)\Mozilla Firefox\firefox.exe [2012/06/27 20:18:53 | 000,913,888 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -preferences [2012/06/27 20:18:53 | 000,913,888 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode [2012/06/27 20:18:53 | 000,913,888 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2012/02/11 22:13:43 | 000,074,240 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2012/02/11 22:13:43 | 000,074,240 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2012/02/11 22:13:43 | 000,074,240 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff [2012/05/17 16:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files (x86)\Internet Explorer\iexplore.exe [2012/05/17 16:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)

    < hklm\software\clients\startmenuinternet|command /64 /rs >
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\UNINSTALL\HELPER.EXE" /HIDESHORTCUTS [2012/06/27 20:18:51 | 000,867,072 | ---- | M] (Mozilla Corporation)
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\UNINSTALL\HELPER.EXE" /SHOWSHORTCUTS [2012/06/27 20:18:51 | 000,867,072 | ---- | M] (Mozilla Corporation)
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\UNINSTALL\HELPER.EXE" /SETASDEFAULTAPPGLOBAL [2012/06/27 20:18:51 | 000,867,072 | ---- | M] (Mozilla Corporation)
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE [2012/06/27 20:18:53 | 000,913,888 | ---- | M] (Mozilla Corporation)
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE" -PREFERENCES [2012/06/27 20:18:53 | 000,913,888 | ---- | M] (Mozilla Corporation)
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE" -SAFE-MODE [2012/06/27 20:18:53 | 000,913,888 | ---- | M] (Mozilla Corporation)
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -SHOW [2012/02/11 22:13:40 | 000,089,088 | ---- | M] (Microsoft Corporation)
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -REINSTALL [2012/02/11 22:13:40 | 000,089,088 | ---- | M] (Microsoft Corporation)
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -HIDE [2012/02/11 22:13:40 | 000,089,088 | ---- | M] (Microsoft Corporation)
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" -EXTOFF [2012/05/17 16:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)
    64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE [2012/05/17 16:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /90 >
    [2012/07/01 00:59:39 | 000,140,832 | ---- | M] () -- C:\Windows\system32\drivers\str.sys

    < %systemroot%\System32\config\*.sav >

    < %SYSTEMDRIVE%\*.exe /md5 >
    [2007/11/07 08:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) MD5=520A6D1CBCC9CF642C625FE814C93C58 -- C:\install.exe

    < "%WinDir%\$NtUninstallKB*$." /30 >

    < %systemdrive%\Program Files\Common Files\ComObjects\*.* /s >

    < %systemroot%\*. /mp /s >

    < %systemroot%\*. /rp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

    < %USERPROFILE%\AppData\Local\ /s >

    < %systemroot%\Installer\ /s >

    < %systemroot%\system32\Cache\ /s >

    < %systemroot%\system32\config\systemprofile\Application Data /s >

    < %PROGRAMFILES%\*. >
    [2012/03/07 15:09:43 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\1ClickDownload
    [2012/02/11 18:25:52 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ACD Systems
    [2012/04/05 15:52:31 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Activision
    [2012/02/11 23:42:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Adobe
    [2012/03/21 20:19:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AGEIA Technologies
    [2012/04/25 16:40:03 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Amazon
    [2012/02/11 17:54:09 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AMD APP
    [2012/02/11 17:52:45 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ATI Technologies
    [2012/04/19 17:10:44 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Bethesda Softworks
    [2012/03/22 13:23:45 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\BIMP Lite
    [2012/04/28 14:52:06 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Calibre2
    [2012/05/09 19:58:34 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Clearwire
    [2012/02/11 18:02:20 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\COED11
    [2012/02/25 13:30:13 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Combined Community Codec Pack
    [2012/06/07 07:58:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Common Files
    [2012/04/30 18:00:55 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Crayon Physics Deluxe
    [2012/03/22 15:25:19 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Creative
    [2012/03/22 15:24:02 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Creative Live! Cam
    [2012/03/03 23:02:30 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\DAEMON Tools Lite
    [2012/03/22 15:21:08 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Dell
    [2012/03/22 15:25:02 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Dell Webcam
    [2012/03/07 15:09:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\fbphotozoom
    [2012/02/13 16:59:57 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\FileZilla FTP Client
    [2012/05/08 00:11:06 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\foobar2000
    [2012/04/09 15:24:27 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\GeMM
    [2012/02/16 21:44:47 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\GIMP-2.0
    [2012/02/11 18:21:50 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Handbrake
    [2012/07/03 23:49:22 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Ideas From the Deep
    [2012/03/02 13:44:21 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ImgBurn
    [2012/06/12 01:12:22 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\InstallShield Installation Information
    [2012/06/14 02:34:27 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Internet Explorer
    [2012/03/30 15:13:50 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\IrfanView
    [2012/02/29 11:40:05 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Java
    [2012/02/11 18:23:24 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\JetAudio
    [2012/07/07 12:59:08 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/02/13 12:05:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Analysis Services
    [2012/02/13 12:04:49 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Office
    [2012/07/07 12:12:34 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Security Client
    [2012/05/09 20:05:47 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Silverlight
    [2012/02/13 20:04:52 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
    [2012/02/13 12:06:46 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Visual Studio 8
    [2012/05/16 22:23:07 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft XNA
    [2012/02/14 02:00:19 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft.NET
    [2012/07/07 12:12:34 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox
    [2012/07/07 12:12:33 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Maintenance Service
    [2012/02/13 12:10:32 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MSBuild
    [2012/02/18 19:59:25 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Paradox Interactive
    [2012/06/09 19:51:57 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\QuickTime Alternative
    [2009/07/13 22:32:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Reference Assemblies
    [2012/04/05 00:31:54 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Seagate
    [2012/03/21 20:19:15 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\SEGA
    [2012/05/09 19:59:50 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Skyhook Wireless
    [2012/06/07 08:01:09 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Sonic the Hedgehog 4 - Episode II
    [2012/06/27 02:26:59 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\SystemRequirementsLab
    [2012/03/14 22:33:45 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Telltale
    [2012/03/25 02:11:44 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Telltale Games
    [2012/06/11 23:43:28 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\The Creative Assembly
    [2012/07/07 02:14:13 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Trend Micro
    [2012/03/22 17:12:54 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Ubisoft
    [2009/07/13 21:57:06 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\Uninstall Information
    [2012/05/25 17:37:54 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\uTorrent
    [2012/02/11 18:11:13 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\VideoLAN
    [2012/02/11 18:24:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\VisiPics
    [2012/04/07 16:06:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Warcraft III
    [2009/07/13 22:37:47 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Defender
    [2012/02/13 20:07:19 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Live
    [2012/02/12 00:35:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Mail
    [2012/02/12 00:35:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Media Player
    [2009/07/13 22:32:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows NT
    [2012/02/12 00:35:28 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Photo Viewer
    [2012/02/12 00:35:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Portable Devices
    [2012/02/12 00:35:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Sidebar
    [2012/07/07 12:58:10 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Zachtronics Industries
  5. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    OTL.txt (remainder)

    < %appdata%\*.* >

    < MD5 for: AFD.SYS >
    [2011/12/27 20:59:24 | 000,498,688 | ---- | M] (Microsoft Corporation) MD5=1C7857B62DE5994A75B054A9FD4C3825 -- C:\Windows\SysNative\drivers\afd.sys
    [2011/12/27 20:59:24 | 000,498,688 | ---- | M] (Microsoft Corporation) MD5=1C7857B62DE5994A75B054A9FD4C3825 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys
    [2011/12/27 21:01:36 | 000,498,176 | ---- | M] (Microsoft Corporation) MD5=36A14FD1A23F57046361733B792CA8DB -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys
    [2011/04/24 19:44:02 | 000,499,712 | ---- | M] (Microsoft Corporation) MD5=6EF20DDF3172E97D69F596FB90602F29 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_3430bc3977dfec2d\afd.sys
    [2009/07/13 16:21:42 | 000,500,224 | ---- | M] (Microsoft Corporation) MD5=B9384E03479D2506BC924C16A3DB87BC -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_33dd3439781e25f7\afd.sys
    [2011/12/27 21:01:12 | 000,499,200 | ---- | M] (Microsoft Corporation) MD5=CCA39961E76B491DDF44B1E90FC8971D -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.21115_none_34b263fe91032456\afd.sys
    [2010/11/20 02:23:34 | 000,499,712 | ---- | M] (Microsoft Corporation) MD5=D31DC7A16DEA4A9BAF179F3D6FBDB38C -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys
    [2011/04/24 19:34:03 | 000,499,200 | ---- | M] (Microsoft Corporation) MD5=D5B031C308A409A0A576BFF4CF083D30 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_3618198975057170\afd.sys
    [2011/12/27 20:59:11 | 000,499,200 | ---- | M] (Microsoft Corporation) MD5=DB9D6C6B2CD95A9CA414D045B627422E -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16937_none_34154fcd77f3bbda\afd.sys
    [2011/04/24 20:09:35 | 000,499,200 | ---- | M] (Microsoft Corporation) MD5=F4AD06143EAC303F55D0E86C40802976 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_3695e61e8e2c13d4\afd.sys
    [2011/04/24 19:44:27 | 000,499,712 | ---- | M] (Microsoft Corporation) MD5=FBFF8B7C9D116229E9208A0D1CAEB49B -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_3483491e9126fe55\afd.sys

    < MD5 for: ATAPI.SYS >
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\drivers\atapi.sys
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys

    < MD5 for: CRYPTSVC.DLL >
    [2012/04/23 21:36:42 | 000,140,288 | ---- | M] (Microsoft Corporation) MD5=06E771AA596B8761107AB57E99F128D7 -- C:\Windows\SysWOW64\cryptsvc.dll
    [2012/04/23 21:36:42 | 000,140,288 | ---- | M] (Microsoft Corporation) MD5=06E771AA596B8761107AB57E99F128D7 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17827_none_77ff39f3f916c65f\cryptsvc.dll
    [2010/11/20 06:25:59 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=15597883FBE9B056F276ADA3AD87D9AF -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17514_none_d4259ed3b16ed82a\cryptsvc.dll
    [2012/04/23 21:28:22 | 000,142,336 | ---- | M] (Microsoft Corporation) MD5=21993009E0CCB9B4FA195F14D3408626 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21979_none_7854c7b7125b248c\cryptsvc.dll
    [2012/04/23 22:37:37 | 000,184,320 | ---- | M] (Microsoft Corporation) MD5=4F5414602E2544A4554D95517948B705 -- C:\Windows\SysNative\cryptsvc.dll
    [2012/04/23 22:37:37 | 000,184,320 | ---- | M] (Microsoft Corporation) MD5=4F5414602E2544A4554D95517948B705 -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17827_none_d41dd577b1743795\cryptsvc.dll
    [2012/04/23 21:47:04 | 000,139,264 | ---- | M] (Microsoft Corporation) MD5=520A108A2657F4BCA7FCED9CA7D885DE -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.17008_none_762f534bfbdf7203\cryptsvc.dll
    [2009/07/13 18:40:24 | 000,175,104 | ---- | M] (Microsoft Corporation) MD5=8C57411B66282C01533CB776F98AD384 -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16385_none_d1f48b0bb4805490\cryptsvc.dll
    [2009/07/13 18:15:07 | 000,135,680 | ---- | M] (Microsoft Corporation) MD5=9C231178CE4FB385F4B54B0A9080B8A4 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16385_none_75d5ef87fc22e35a\cryptsvc.dll
    [2010/11/20 05:18:24 | 000,136,192 | ---- | M] (Microsoft Corporation) MD5=A585BEBF7D054BD9618EDA0922D5484A -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17514_none_7807034ff91166f4\cryptsvc.dll
    [2012/04/23 22:22:32 | 000,186,880 | ---- | M] (Microsoft Corporation) MD5=B7337E9C9E5936355BB700AA33E0936E -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21979_none_d473633acab895c2\cryptsvc.dll
    [2012/04/23 22:36:46 | 000,183,808 | ---- | M] (Microsoft Corporation) MD5=CE8BF1423AEE47DA5275FBC8AD3BD642 -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.21199_none_d2773c98cda297d3\cryptsvc.dll
    [2012/04/23 22:59:45 | 000,182,272 | ---- | M] (Microsoft Corporation) MD5=F02786B66375292E58C8777082D4396D -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.17008_none_d24deecfb43ce339\cryptsvc.dll
    [2012/04/23 21:33:53 | 000,141,312 | ---- | M] (Microsoft Corporation) MD5=F522279B4717E2BFF269C771FAC2B78E -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.21199_none_7658a1151545269d\cryptsvc.dll

    < MD5 for: DNSRSLVR.DLL >
    [2011/03/02 23:24:16 | 000,183,296 | ---- | M] (Microsoft Corporation) MD5=16835866AAA693C7D7FCEBA8FFF706E4 -- C:\Windows\SysNative\dnsrslvr.dll
    [2011/03/02 23:24:16 | 000,183,296 | ---- | M] (Microsoft Corporation) MD5=16835866AAA693C7D7FCEBA8FFF706E4 -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17570_none_3fc3a19c992d2ff6\dnsrslvr.dll
    [2009/07/13 18:40:32 | 000,182,272 | ---- | M] (Microsoft Corporation) MD5=676108C4E3AA6F6B34633748BD0BEBD9 -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7600.16385_none_3dd76e849c0a6a12\dnsrslvr.dll
    [2011/03/02 23:17:10 | 000,182,272 | ---- | M] (Microsoft Corporation) MD5=85CF424C74A1D5EC33533E1DBFF9920A -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7600.16772_none_3ddf452a9c04f6b8\dnsrslvr.dll
    [2011/03/02 23:12:55 | 000,183,296 | ---- | M] (Microsoft Corporation) MD5=B2205BAEAE4C178ABEB1B149751FC2B9 -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.21673_none_40503f45b2481bc5\dnsrslvr.dll
    [2010/11/20 06:26:07 | 000,183,296 | ---- | M] (Microsoft Corporation) MD5=CD55F5355D8F55D44C9F4ED875705BD6 -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4008824c98f8edac\dnsrslvr.dll
    [2011/03/02 23:23:37 | 000,182,272 | ---- | M] (Microsoft Corporation) MD5=D8065FA366D28746EE3D75F08ED6B2FE -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7600.20914_none_3eabc3f7b4f01eb1\dnsrslvr.dll

    < MD5 for: ES.DLL >
    [2009/07/13 18:40:50 | 000,402,944 | ---- | M] (Microsoft Corporation) MD5=4166F82BE4D24938977DD1746BE9B8A0 -- C:\Windows\SysNative\es.dll
    [2009/07/13 18:40:50 | 000,402,944 | ---- | M] (Microsoft Corporation) MD5=4166F82BE4D24938977DD1746BE9B8A0 -- C:\Windows\winsxs\amd64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.1.7600.16385_none_68e290c46b6ea6d0\es.dll
    [2009/07/13 18:15:19 | 000,271,360 | ---- | M] (Microsoft Corporation) MD5=F6916EFC29D9953D5D0DF06882AE8E16 -- C:\Windows\SysWOW64\es.dll
    [2009/07/13 18:15:19 | 000,271,360 | ---- | M] (Microsoft Corporation) MD5=F6916EFC29D9953D5D0DF06882AE8E16 -- C:\Windows\winsxs\wow64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.1.7600.16385_none_73373b169fcf68cb\es.dll

    < MD5 for: EXPLORER.EXE >
    [2011/02/25 23:23:14 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=0862495E0C825893DB75EF44FAEA8E93 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_adc24107935a7e25\explorer.exe
    [2011/02/25 22:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
    [2009/07/13 18:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe
    [2011/02/25 22:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_b8ce9756e0b786a4\explorer.exe
    [2009/10/30 22:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_b819b343c7ba6202\explorer.exe
    [2011/02/25 22:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_b816eb59c7bb4020\explorer.exe
    [2011/02/24 23:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\explorer.exe
    [2011/02/24 23:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
    [2011/02/25 23:14:34 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=3B69712041F3D63605529BD66DC00C48 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
    [2010/11/20 05:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
    [2009/08/02 23:19:07 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=700073016DAC1C3D2E7E2CE4223334B6 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
    [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\SysWOW64\explorer.exe
    [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
    [2009/10/30 23:34:59 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=9AAAEC8DAC27AA17B053E6352AD233AE -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
    [2009/08/02 22:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_b8d95faae0af7617\explorer.exe
    [2010/11/20 06:24:45 | 002,872,320 | ---- | M] (Microsoft Corporation) MD5=AC4C51EB24AA95B77F705AB159189E24 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
    [2009/10/30 23:38:38 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=B8EC4BD49CE8F6FC457721BFC210B67F -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
    [2009/08/02 22:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_b853c407c78e3ba9\explorer.exe
    [2009/07/13 18:39:10 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=C235A51CB740E45FFA0EBFB9BAFCDA64 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
    [2009/10/30 23:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_b89b8100e0dd69c2\explorer.exe
    [2011/02/25 23:26:45 | 002,870,784 | ---- | M] (Microsoft Corporation) MD5=E38899074D4951D31B4040E994DD7C8D -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_ae79ed04ac56c4a9\explorer.exe
    [2009/08/02 23:17:37 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=F170B4A061C9E026437B193B4D571799 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe

    < MD5 for: IPNATHLP.DLL >
    [2009/07/13 18:41:10 | 000,359,424 | ---- | M] (Microsoft Corporation) MD5=B95F6501A2F8B2E78C697FEC401970CE -- C:\Windows\SysNative\ipnathlp.dll
    [2009/07/13 18:41:10 | 000,359,424 | ---- | M] (Microsoft Corporation) MD5=B95F6501A2F8B2E78C697FEC401970CE -- C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\ipnathlp.dll

    < MD5 for: NETBT.SYS >
    [2010/11/20 02:23:20 | 000,261,632 | ---- | M] (Microsoft Corporation) MD5=09594D1089C523423B32A4229263F068 -- C:\Windows\SysNative\drivers\netbt.sys
    [2010/11/20 02:23:20 | 000,261,632 | ---- | M] (Microsoft Corporation) MD5=09594D1089C523423B32A4229263F068 -- C:\Windows\winsxs\amd64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_be8acdd10de3b1a6\netbt.sys
    [2009/07/13 16:21:29 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=9162B273A44AB9DCE5B44362731D062A -- C:\Windows\winsxs\amd64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_bc59ba0910f52e0c\netbt.sys

    < MD5 for: NETMAN.DLL >
    [2009/07/13 18:41:52 | 000,360,448 | ---- | M] (Microsoft Corporation) MD5=847D3AE376C0817161A14A82C8922A9E -- C:\Windows\SysNative\netman.dll
    [2009/07/13 18:41:52 | 000,360,448 | ---- | M] (Microsoft Corporation) MD5=847D3AE376C0817161A14A82C8922A9E -- C:\Windows\winsxs\amd64_microsoft-windows-netman_31bf3856ad364e35_6.1.7600.16385_none_6bb20d3d6b80d9da\netman.dll

    < MD5 for: QMGR.DLL >
    [2010/11/20 06:27:23 | 000,849,920 | ---- | M] (Microsoft Corporation) MD5=1EA7969E3271CBC59E1730697DC74682 -- C:\Windows\SysNative\qmgr.dll
    [2010/11/20 06:27:23 | 000,849,920 | ---- | M] (Microsoft Corporation) MD5=1EA7969E3271CBC59E1730697DC74682 -- C:\Windows\winsxs\amd64_microsoft-windows-bits-client_31bf3856ad364e35_6.1.7601.17514_none_81b6ca5c101195cd\qmgr.dll
    [2009/07/13 18:41:53 | 000,848,384 | ---- | M] (Microsoft Corporation) MD5=7F0C323FE3DA28AA4AA1BDA3F575707F -- C:\Windows\winsxs\amd64_microsoft-windows-bits-client_31bf3856ad364e35_6.1.7600.16385_none_7f85b69413231233\qmgr.dll

    < MD5 for: RPCSS.DLL >
    [2010/11/20 06:27:24 | 000,512,000 | ---- | M] (Microsoft Corporation) MD5=5C627D1B1138676C0A7AB2C2C190D123 -- C:\Windows\SysNative\rpcss.dll
    [2010/11/20 06:27:24 | 000,512,000 | ---- | M] (Microsoft Corporation) MD5=5C627D1B1138676C0A7AB2C2C190D123 -- C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
    [2009/07/13 18:41:53 | 000,509,440 | ---- | M] (Microsoft Corporation) MD5=7266972E86890E2B30C0C322E906B027 -- C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll

    < MD5 for: SERVICES.EXE >
    [2009/07/13 18:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=014A9CB92514E27C0107614DF764BC06 -- C:\Windows\SysNative\services.exe
    [2009/07/13 18:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

    < MD5 for: SVCHOST.EXE >
    [2009/07/13 18:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\SysWOW64\svchost.exe
    [2009/07/13 18:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
    [2009/07/13 18:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\SysNative\svchost.exe
    [2009/07/13 18:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe

    < MD5 for: TCPIP.SYS >
    [2011/04/24 22:28:24 | 001,893,248 | ---- | M] (Microsoft Corporation) MD5=1F748D5439B65E0BEBD92F65048F030D -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20951_none_0fb918de99201ffb\tcpip.sys
    [2011/09/29 10:41:37 | 001,912,176 | ---- | M] (Microsoft Corporation) MD5=3810F06A4D74A7D62641EE73D6B3C660 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21828_none_11c6e9949627e69c\tcpip.sys
    [2010/11/20 06:33:57 | 001,924,480 | ---- | M] (Microsoft Corporation) MD5=509383E505C973ED7534A06B3D19688D -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17514_none_114417c17d05cb37\tcpip.sys
    [2012/03/30 03:19:17 | 001,877,872 | ---- | M] (Microsoft Corporation) MD5=5EFD096DEF47F8B88EF591DA92143440 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.21178_none_0faa5514992a39a7\tcpip.sys
    [2011/04/24 22:32:22 | 001,896,832 | ---- | M] (Microsoft Corporation) MD5=61DC720BB065D607D5823F13D2A64321 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16802_none_0f668bf97fd90dd3\tcpip.sys
    [2012/03/30 04:09:53 | 001,895,280 | ---- | M] (Microsoft Corporation) MD5=624C5B3AA4C99B3184BB922D9ECE3FF0 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16986_none_0f140fa780164fde\tcpip.sys
    [2010/04/09 04:06:28 | 001,898,376 | ---- | M] (Microsoft Corporation) MD5=7FC877A25796D8ADF539E64703FCA7E1 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16569_none_0f2ca8c580036f65\tcpip.sys
    [2012/03/30 03:26:36 | 001,901,424 | ---- | M] (Microsoft Corporation) MD5=885B202006EE17AE99B9FBCEC9AF88C9 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21954_none_11a27a8e9643d23a\tcpip.sys
    [2009/07/13 18:45:55 | 001,898,576 | ---- | M] (Microsoft Corporation) MD5=912107716BAB424C7870E8E6AF5E07E1 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16385_none_0f1303f98017479d\tcpip.sys
    [2011/04/24 22:33:51 | 001,923,968 | ---- | M] (Microsoft Corporation) MD5=92CE29D95AC9DD2D0EE9061D551BA250 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17603_none_114de9497cfe9316\tcpip.sys
    [2010/04/09 00:56:29 | 001,892,232 | ---- | M] (Microsoft Corporation) MD5=A9C0F786AC1F736891D05CE0A1D29DEB -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20687_none_0f9ea52499331463\tcpip.sys
    [2011/09/29 09:17:51 | 001,886,064 | ---- | M] (Microsoft Corporation) MD5=AC3E29880DB5659532A1AA3439304A43 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.21060_none_0fad20ca992955d7\tcpip.sys
    [2012/03/30 04:35:47 | 001,918,320 | ---- | M] (Microsoft Corporation) MD5=ACB82BDA8F46C84F465C1AFA517DC4B9 -- C:\Windows\SysNative\drivers\tcpip.sys
    [2012/03/30 04:35:47 | 001,918,320 | ---- | M] (Microsoft Corporation) MD5=ACB82BDA8F46C84F465C1AFA517DC4B9 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17802_none_114ceccb7cff740d\tcpip.sys
    [2011/04/24 23:16:34 | 001,927,552 | ---- | M] (Microsoft Corporation) MD5=B77977AEB2FF159D01DB08A309989C5F -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21712_none_11cbb5de9625357a\tcpip.sys
    [2011/09/29 09:24:44 | 001,897,328 | ---- | M] (Microsoft Corporation) MD5=F18F56EFC0BFB9C87BA01C37B27F4DA5 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16889_none_0f170e9f80139ebc\tcpip.sys
    [2011/09/29 09:29:28 | 001,923,952 | ---- | M] (Microsoft Corporation) MD5=FC62769E7BFF2896035AEED399108162 -- C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17697_none_10f09b257d43f3eb\tcpip.sys

    < MD5 for: TDX.SYS >
    [2009/07/13 16:21:15 | 000,099,840 | ---- | M] (Microsoft Corporation) MD5=079125C4B17B01FCAEEBCE0BCB290C0F -- C:\Windows\winsxs\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_4632b9f2f5c6af5e\tdx.sys
    [2010/11/20 02:21:56 | 000,119,296 | ---- | M] (Microsoft Corporation) MD5=DDAD5A7AB24D8B65F8D724F5C20FD806 -- C:\Windows\SysNative\drivers\tdx.sys
    [2010/11/20 02:21:56 | 000,119,296 | ---- | M] (Microsoft Corporation) MD5=DDAD5A7AB24D8B65F8D724F5C20FD806 -- C:\Windows\winsxs\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_4863cdbaf2b532f8\tdx.sys

    < MD5 for: USERINIT.EXE >
    [2010/11/20 05:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\SysWOW64\userinit.exe
    [2010/11/20 05:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
    [2009/07/13 18:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
    [2009/07/13 18:39:48 | 000,030,208 | ---- | M] (Microsoft Corporation) MD5=6F8F1376A13114CC10C0E69274F5A4DE -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_381dabbceb60feb2\userinit.exe
    [2010/11/20 06:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\SysNative\userinit.exe
    [2010/11/20 06:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_3a4ebf84e84f824c\userinit.exe

    < MD5 for: VOLSNAP.SYS >
    [2010/11/20 06:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\SysNative\drivers\volsnap.sys
    [2010/11/20 06:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\SysNative\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\volsnap.sys
    [2010/11/20 06:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_73dcbcf012b4850e\volsnap.sys
    [2009/07/13 18:45:55 | 000,294,992 | ---- | M] (Microsoft Corporation) MD5=58F82EED8CA24B461441F9C3E4F0BF5C -- C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_71aba92815c60174\volsnap.sys

    < MD5 for: WININIT.EXE >
    [2009/07/13 18:39:52 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=94355C28C1970635A31B3FE52EB7CEBA -- C:\Windows\SysNative\wininit.exe
    [2009/07/13 18:39:52 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=94355C28C1970635A31B3FE52EB7CEBA -- C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe
    [2009/07/13 18:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\SysWOW64\wininit.exe
    [2009/07/13 18:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

    < MD5 for: WINLOGON.EXE >
    [2010/11/20 06:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\SysNative\winlogon.exe
    [2010/11/20 06:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
    [2009/07/13 18:39:52 | 000,389,120 | ---- | M] (Microsoft Corporation) MD5=132328DF455B0028F13BF0ABEE51A63A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe
    [2009/10/28 00:01:57 | 000,389,632 | ---- | M] (Microsoft Corporation) MD5=A93D41A4D4B0D91C072D11DD8AF266DE -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_cc522fd507b468f8\winlogon.exe
    [2009/10/27 23:24:40 | 000,389,632 | ---- | M] (Microsoft Corporation) MD5=DA3E2A6FA9660CC75B471530CE88453A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad\winlogon.exe

    < MD5 for: WMISVC.DLL >
    [2009/07/13 18:41:56 | 000,242,688 | ---- | M] (Microsoft Corporation) MD5=19B07E7E8915D701225DA41CB3877306 -- C:\Windows\SysNative\wbem\WMIsvc.dll
    [2009/07/13 18:41:56 | 000,242,688 | ---- | M] (Microsoft Corporation) MD5=19B07E7E8915D701225DA41CB3877306 -- C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7600.16385_none_fca7ad7710a22535\WMIsvc.dll
    [2009/07/13 18:41:56 | 000,242,688 | ---- | M] (Microsoft Corporation) MD5=19B07E7E8915D701225DA41CB3877306 -- C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_fed8c13f0d90a8cf\WMIsvc.dll

    < MD5 for: WSCSVC.DLL >
    [2010/12/20 23:09:08 | 000,097,280 | ---- | M] (Microsoft Corporation) MD5=34D280957E8681E4BD9492B3F1FC27B9 -- C:\Windows\winsxs\amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_6.1.7600.20862_none_76d192b6e4d9ed67\wscsvc.dll
    [2010/12/20 23:16:27 | 000,097,280 | ---- | M] (Microsoft Corporation) MD5=8F9F3969933C02DA96EB0F84576DB43E -- C:\Windows\winsxs\amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_6.1.7600.16723_none_767435e5cb9af730\wscsvc.dll
    [2009/07/13 18:41:58 | 000,097,280 | ---- | M] (Microsoft Corporation) MD5=E8B1FE6669397D1772D8196DF0E57A9E -- C:\Windows\SysNative\wscsvc.dll
    [2009/07/13 18:41:58 | 000,097,280 | ---- | M] (Microsoft Corporation) MD5=E8B1FE6669397D1772D8196DF0E57A9E -- C:\Windows\winsxs\amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_6.1.7600.16385_none_76354f59cbc9dce8\wscsvc.dll
    [2009/07/13 18:41:58 | 000,097,280 | ---- | M] (Microsoft Corporation) MD5=E8B1FE6669397D1772D8196DF0E57A9E -- C:\Windows\winsxs\amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_6.1.7601.17514_none_78666321c8b86082\wscsvc.dll

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 85 bytes -> C:\ProgramData:$SS_DESCRIPTOR_LVVWVBGV0VFBTLX4D06YH7LVUTPXGJMBKE1R0WT1VH7E24F7PHCTVF4VMVFVVX4VM
    @Alternate Data Stream - 160 bytes -> C:\Users\Noah\Image (2).jpg:3or4kl4x13tuuug3Byamue2s4b

    < End of report >
  6. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    Extras.txt

    OTL Extras logfile created on: 7/7/2012 12:20:02 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Noah\Downloads
    64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 51.69% Memory free
    3.99 Gb Paging File | 2.53 Gb Available in Paging File | 63.39% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 465.76 Gb Total Space | 24.06 Gb Free Space | 5.17% Space Free | Partition Type: NTFS
    Drive D: | 149.05 Gb Total Space | 32.93 Gb Free Space | 22.10% Space Free | Partition Type: NTFS

    Computer Name: ARK | User Name: Noah | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========
    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [Browse with XnView] -- "C:\Users\Noah\Desktop\XnView-win-small\XnView\xnview.exe" "%1"
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [Browse with XnView] -- "C:\Users\Noah\Desktop\XnView-win-small\XnView\xnview.exe" "%1"
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== Firewall Settings ==========

    ========== Authorized Applications List ==========


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{077AA014-B568-4FF8-B360-9ACE1A1F4571}" = CLEAR Connection Manager
    "{0D98B285-0777-B3B7-7A3D-9C85422203B9}" = ccc-utility64
    "{1111706F-666A-4037-7777-210648764D10}" = JavaFX 2.1.0 (64-bit)
    "{180C8888-50F1-426B-A9DC-AB83A1989C65}" = Windows Live Language Selector
    "{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
    "{2222706F-666A-4037-7777-210648764D10}" = JavaFX 2.1.0 SDK (64-bit)
    "{26A24AE4-039D-4CA4-87B4-2F86417004FF}" = Java(TM) 7 Update 4 (64-bit)
    "{418A8D89-B9AA-B872-5927-3D1A052CEAA8}" = AMD Media Foundation Decoders
    "{45CB0703-D49C-31B2-0DBD-FDD98D7DEF7A}" = AMD Drag and Drop Transcoding
    "{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
    "{64A3A4F4-B792-11D6-A78A-00B0D0170040}" = Java SE Development Kit 7 Update 4 (64-bit)
    "{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
    "{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
    "{87CF757E-C1F1-4D22-865C-00C6950B5258}" = Quickset64
    "{8924F1FE-8AC5-C2AE-59EF-C5D65B226933}" = AMD Catalyst Install Manager
    "{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
    "{90140000-0011-0000-1000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
    "{90140000-0011-0000-1000-0000000FF1CE}_Office14.PROPLUS_{7BC9B5EB-125A-4E9B-97E1-8D85B5E960B8}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0015-0409-1000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
    "{90140000-0015-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0016-0409-1000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
    "{90140000-0016-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0018-0409-1000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
    "{90140000-0018-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0019-0409-1000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
    "{90140000-0019-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001A-0409-1000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
    "{90140000-001A-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001B-0409-1000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
    "{90140000-001B-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-0409-1000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
    "{90140000-001F-0409-1000-0000000FF1CE}_Office14.PROPLUS_{0242505C-4E90-407F-9299-B5B275F50D86}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-040C-1000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
    "{90140000-001F-040C-1000-0000000FF1CE}_Office14.PROPLUS_{B51389C8-2890-4633-81D8-47D2A7402274}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-0C0A-1000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
    "{90140000-001F-0C0A-1000-0000000FF1CE}_Office14.PROPLUS_{1779650B-2E44-4A19-8DF6-3866D645764A}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002C-0409-1000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
    "{90140000-002C-0409-1000-0000000FF1CE}_Office14.PROPLUS_{270CA0B9-9881-44DB-BC3B-37C7E66A044A}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0043-0000-1000-0000000FF1CE}" = Microsoft Office Office 32-bit Components 2010
    "{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUS_{E8B6D35B-0B6F-4DCE-9493-859BF3809A7F}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0043-0409-1000-0000000FF1CE}" = Microsoft Office Shared 32-bit MUI (English) 2010
    "{90140000-0043-0409-1000-0000000FF1CE}_Office14.PROPLUS_{FCD1C311-8B02-4DBD-BA46-1079C629577E}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0044-0409-1000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
    "{90140000-0044-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-006E-0409-1000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
    "{90140000-006E-0409-1000-0000000FF1CE}_Office14.PROPLUS_{516CA4A9-98E6-4F77-A863-CBD8487368E4}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-00A1-0409-1000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
    "{90140000-00A1-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-00BA-0409-1000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
    "{90140000-00BA-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0115-0409-1000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
    "{90140000-0115-0409-1000-0000000FF1CE}_Office14.PROPLUS_{516CA4A9-98E6-4F77-A863-CBD8487368E4}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0117-0409-1000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
    "{90140000-0117-0409-1000-0000000FF1CE}_Office14.PROPLUS_{EC583796-6BBB-47DD-B9CE-B5DA12D71135}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{96F70DF8-160F-4F9C-9B9E-2A9B439B4EB9}" = Broadcom Gigabit NetLink Controller
    "{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
    "{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    "{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
    "{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
    "Creative OA001" = Integrated Webcam Driver (1.04.01.1009)
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "Microsoft Security Client" = Microsoft Security Essentials
    "Office14.PROPLUS" = Microsoft Office Professional Plus 2010
    "WinRAR archiver" = WinRAR 4.10 beta 2 (64-bit)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{06870F63-4D1C-171F-9552-368D3890D92F}" = CCC Help French
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{14CE04AF-0EBC-B865-382F-1FB466CAC301}" = CCC Help English
    "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1DBC5882-96E2-3A01-A32C-9B6F6EF6CF25}" = CCC Help Korean
    "{1F36B20F-7408-EC75-2825-E9FE81B0339D}" = CCC Help Norwegian
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}_is1" = Fallout New Vegas
    "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
    "{27614800-84A9-484E-9CCB-43ED2F1205F5}" = Chessmaster Grandmaster Edition
    "{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
    "{2B818257-E6C7-4841-8C29-C5C9A982BCE5}" = RICOH Media Driver ver.2.07.01.00
    "{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}" = Microsoft XNA Framework Redistributable 4.0
    "{30DAAF05-3679-C10C-953C-BB422FCDF557}" = CCC Help Swedish
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{428536FB-25A0-8531-75EF-D7A7C340B0A4}" = Catalyst Pro Control Center
    "{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4BA6B7C9-65AE-BE8B-687A-6F1A2D7F9705}" = CCC Help Czech
    "{4C8E1E1B-175F-AF47-8B21-E12C7C8B5D40}" = CCC Help Thai
    "{4EAF46A2-DB90-6B67-F640-5CC876A2B5C4}" = CCC Help Greek
    "{51D386C4-0227-46A9-AC45-61F0A50E7AFF}" = Rome - Total War
    "{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
    "{5D5B8455-50E0-F94A-4C82-0F9303BB4C0E}" = CCC Help Danish
    "{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{6C1804BC-094F-431A-BEA5-37A837958029}" = Rome - Total War - Alexander
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{7765BB73-D985-42C9-C7EE-AB434D59429F}" = CCC Help Chinese Traditional
    "{7ADFB885-8E98-6AAE-8687-D6EFB5127F6B}" = Catalyst Control Center Graphics Previews Common
    "{7F7C616E-6971-77D9-7D59-82DC35DF81AC}" = CCC Help Russian
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{8DE7A656-A244-47C6-BB05-D412820FDA3C}" = calibre
    "{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}" = Microsoft Games for Windows - LIVE Redistributable
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{943A8D28-80D6-41DC-AE94-81FEB42041BF}" = System Requirements Lab CYRI
    "{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
    "{975C3A93-2491-3D44-A071-F6CBF153E46D}" = Google Talk Plugin
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9FA5B08F-9162-BCCB-AFAC-28DF1751BEC3}" = Catalyst Control Center Localization All
    "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
    "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
    "{AF859F36-5F97-F6EC-A617-62771A8B4FDC}" = CCC Help Finnish
    "{BB095F3E-0A7D-7DD4-B2A8-47CB12E416B0}" = CCC Help Japanese
    "{BC71B06F-BFAE-6A73-091C-F18ACF00A04C}" = CCC Help Italian
    "{BDCBA80C-A3BD-9DA5-E43F-EBBBE779C032}" = CCC Help Hungarian
    "{C3D9307F-4759-4704-BA7E-6B0C8F482A8C}_is1" = Sam & Max 302 The Tomb of Sammun-Mak 1.0
    "{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{CEEA6219-8792-3E40-D361-4FB5F0FBBB0F}" = CCC Help Portuguese
    "{CF053286-7F4C-CAFB-616B-58EC562BB28E}" = CCC Help Chinese Standard
    "{D0106CC2-E34B-4FA3-B6B6-91F0ACEA2CC3}" = Hearts of Iron III
    "{D07BB56A-7DB4-4564-A1F9-EBCE75FBE3C6}" = Catalyst Control Center InstallProxy
    "{D3689EED-3943-9E90-1D65-D2246EB58AD1}" = CCC Help Turkish
    "{D37FE0E3-B1A9-4E41-AB5D-DA62E04D2C42}" = Alpha Protocol
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{DBA5EE42-A143-A658-9F86-C611BFDBEFCA}" = CCC Help Dutch
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
    "{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}" = COWON Media Center - jetAudio Basic VX
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E19490CD-5380-4F37-B0A7-624D635605DC}" = Catalyst Control Center - Branding
    "{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
    "{EAF0F475-CFE2-9F4D-F26A-875FF09AD40E}" = CCC Help Spanish
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F1F1CCD6-34FE-81C6-CE0C-F22695E6409F}" = CCC Help German
    "{F20AE04A-3FDC-4A14-A90B-85DEE2812030}" = Sam & Max Season 1
    "{F71A71E1-285C-95CE-A8F7-231E3827138E}" = CCC Help Polish
    "{FD69C8CB-6964-432C-98AB-A5A09ED50EEA}" = Barbarian Invasion
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "1ClickDownload" = 1ClickDownload
    "7-Zip" = 7-Zip 9.20
    "Activision_THPS2UninstallKey" = Tony Hawk's Pro Skater 2
    "Advanced Audio FX Engine" = Advanced Audio FX Engine
    "Advanced Video FX Engine" = Advanced Video FX Engine
    "Beyond the Alley of the Dolls" = Sam and Max - The Devil's Playhouse - Beyond the Alley of the Dolls
    "BIMPLite" = BIMP Lite 1.62
    "CDisplayEx_is1" = CDisplayEx 1.8
    "Combined Community Codec Pack_is1" = Combined Community Codec Pack 2011-11-11
    "Concise Oxford English Dictionary (Eleventh Edition)" = Concise Oxford English Dictionary (Eleventh Edition)
    "Crayon Physics Deluxe_is1" = Crayon Physics Deluxe - release 53
    "Crusader Kings II_is1" = Crusader Kings II
    "DAEMON Tools Lite" = DAEMON Tools Lite
    "Dell Webcam Central" = Dell Webcam Central
    "Episode 201 - Ice Station Santa" = Sam and Max - Season Two - Sam and Max Episode 201 - Ice Station Santa
    "Episode 202 - Moai Better Blues" = Sam and Max - Season Two - Sam and Max Episode 202 - Moai Better Blues
    "Episode 203 - Night of the Raving Dead" = Sam and Max - Season Two - Sam and Max Episode 203 - Night of the Raving Dead
    "Episode 204 - Chariots of the Dogs" = Sam and Max - Season Two - Sam and Max Episode 204 - Chariots of the Dogs
    "Episode 205 - What's New, Beelzebub?" = Sam and Max - Season Two - Sam and Max Episode 205 - What's New, Beelzebub?
    "foobar2000" = foobar2000 v0.9.4.2
    "Generic Mod Manager_is1" = Fallout Mod Manager 0.13.21
    "HandBrake" = HandBrake 0.9.5
    "Hearts of Iron III Sprite Packs" = Hearts of Iron III Sprite Packs
    "ImgBurn" = ImgBurn
    "InstallShield_{27614800-84A9-484E-9CCB-43ED2F1205F5}" = Chessmaster Grandmaster Edition
    "IrfanView" = IrfanView (remove only)
    "Loki ActiveX Control" = Loki ActiveX Control
    "Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "QuicktimeAlt_is1" = QuickTime Alternative 3.2.2
    "Sonic Ep 1" = Sonic Ep 1
    "The City That Dares Not Sleep" = Sam and Max - The Devil's Playhouse - The City That Dares Not Sleep
    "The Penal Zone" = Sam and Max - The Devil's Playhouse - The Penal Zone
    "They Stole Max's Brain!" = Sam and Max - The Devil's Playhouse - They Stole Max's Brain!
    "Tony Hawk's Pro Skater 3®" = Tony Hawk's Pro Skater 3®
    "uTorrent" = µTorrent
    "VisiPics_is1" = VisiPics V1.30
    "VLC media player" = VLC media player 2.0.1
    "Warcraft III" = Warcraft III
    "WinGimp-2.0_is1" = GIMP 2.6.11
    "WinLiveSuite" = Windows Live Essentials

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "87df300ab8d6247f" = TownseedAlpha
    "FileZilla Client" = FileZilla Client 3.5.3
    "Warcraft III" = Warcraft III: All Products

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 7/2/2012 9:42:03 AM | Computer Name = ARK | Source = Application Error | ID = 1000
    Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc3c1 Faulting module name: mshtml.dll, version: 9.0.8112.16446, time
    stamp: 0x4fb5b675 Exception code: 0xc0000005 Fault offset: 0x00000000002ea2ca Faulting
    process id: 0x134 Faulting application start time: 0x01cd5857a5f3a7fa Faulting application
    path: C:\Windows\system32\svchost.exe Faulting module path: C:\Windows\system32\mshtml.dll
    Report
    Id: b41e21b9-c44b-11e1-861a-002219e38c54

    Error - 7/3/2012 7:41:05 AM | Computer Name = ARK | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files\ATI\CIM\Bin64\SetACL64.exe".
    Dependent
    Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 7/4/2012 9:27:30 PM | Computer Name = ARK | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files\ATI\CIM\Bin64\SetACL64.exe".
    Dependent
    Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 7/5/2012 9:03:20 AM | Computer Name = ARK | Source = Application Error | ID = 1000
    Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc3c1 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
    stamp: 0x4ec4aa8e Exception code: 0xc0000005 Fault offset: 0x0000000000053332 Faulting
    process id: 0xea0 Faulting application start time: 0x01cd5aae4a43d201 Faulting application
    path: C:\Windows\system32\svchost.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report
    Id: cad2fc41-c6a1-11e1-861a-002219e38c54

    Error - 7/6/2012 8:18:35 AM | Computer Name = ARK | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files\ATI\CIM\Bin64\SetACL64.exe".
    Dependent
    Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 7/7/2012 3:30:45 AM | Computer Name = ARK | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files\ATI\CIM\Bin64\SetACL64.exe".
    Dependent
    Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 7/7/2012 4:23:41 AM | Computer Name = ARK | Source = Microsoft Security Client Setup | ID = 100
    Description = HRESULT:0x8004FF03 Description:Cannot complete the Microsoft Security
    Essentials Setup Wizard. An error has prevented the Security Essentials setup wizard
    from completing successfully. Please restart your computer and try again. Error
    code:0x8004FF03.

    Error - 7/7/2012 4:52:04 AM | Computer Name = ARK | Source = Microsoft-Windows-CAPI2 | ID = 512
    Description = The Cryptographic Services service failed to initialize the VSS backup
    "System Writer" object. Details: Could not query the status of the EventSystem service.

    System
    Error: The RPC server is unavailable. .

    Error - 7/7/2012 6:27:13 AM | Computer Name = ARK | Source = Microsoft-Windows-CAPI2 | ID = 257
    Description = The Cryptographic Services service failed to initialize the Catalog
    Database. The ESENT error was: -550.

    Error - 7/7/2012 3:14:01 PM | Computer Name = ARK | Source = System Restore | ID = 8210
    Description =

    [ System Events ]
    Error - 7/7/2012 3:28:21 PM | Computer Name = ARK | Source = ACPI | ID = 327693
    Description = : The embedded controller (EC) did not respond within the specified
    timeout period. This may indicate that there is an error in the EC hardware or
    firmware or that the BIOS is accessing the EC incorrectly. You should check with
    your computer manufacturer for an upgraded BIOS. In some situations, this error
    may cause the computer to function incorrectly.

    Error - 7/7/2012 3:28:26 PM | Computer Name = ARK | Source = ACPI | ID = 327693
    Description = : The embedded controller (EC) did not respond within the specified
    timeout period. This may indicate that there is an error in the EC hardware or
    firmware or that the BIOS is accessing the EC incorrectly. You should check with
    your computer manufacturer for an upgraded BIOS. In some situations, this error
    may cause the computer to function incorrectly.

    Error - 7/7/2012 3:28:55 PM | Computer Name = ARK | Source = ACPI | ID = 327693
    Description = : The embedded controller (EC) did not respond within the specified
    timeout period. This may indicate that there is an error in the EC hardware or
    firmware or that the BIOS is accessing the EC incorrectly. You should check with
    your computer manufacturer for an upgraded BIOS. In some situations, this error
    may cause the computer to function incorrectly.

    Error - 7/7/2012 3:30:33 PM | Computer Name = ARK | Source = ACPI | ID = 327693
    Description = : The embedded controller (EC) did not respond within the specified
    timeout period. This may indicate that there is an error in the EC hardware or
    firmware or that the BIOS is accessing the EC incorrectly. You should check with
    your computer manufacturer for an upgraded BIOS. In some situations, this error
    may cause the computer to function incorrectly.

    Error - 7/7/2012 3:35:04 PM | Computer Name = ARK | Source = ACPI | ID = 327693
    Description = : The embedded controller (EC) did not respond within the specified
    timeout period. This may indicate that there is an error in the EC hardware or
    firmware or that the BIOS is accessing the EC incorrectly. You should check with
    your computer manufacturer for an upgraded BIOS. In some situations, this error
    may cause the computer to function incorrectly.

    Error - 7/7/2012 3:36:03 PM | Computer Name = ARK | Source = ACPI | ID = 327693
    Description = : The embedded controller (EC) did not respond within the specified
    timeout period. This may indicate that there is an error in the EC hardware or
    firmware or that the BIOS is accessing the EC incorrectly. You should check with
    your computer manufacturer for an upgraded BIOS. In some situations, this error
    may cause the computer to function incorrectly.

    Error - 7/7/2012 3:36:08 PM | Computer Name = ARK | Source = ACPI | ID = 327693
    Description = : The embedded controller (EC) did not respond within the specified
    timeout period. This may indicate that there is an error in the EC hardware or
    firmware or that the BIOS is accessing the EC incorrectly. You should check with
    your computer manufacturer for an upgraded BIOS. In some situations, this error
    may cause the computer to function incorrectly.

    Error - 7/7/2012 3:36:37 PM | Computer Name = ARK | Source = ACPI | ID = 327693
    Description = : The embedded controller (EC) did not respond within the specified
    timeout period. This may indicate that there is an error in the EC hardware or
    firmware or that the BIOS is accessing the EC incorrectly. You should check with
    your computer manufacturer for an upgraded BIOS. In some situations, this error
    may cause the computer to function incorrectly.

    Error - 7/7/2012 3:36:42 PM | Computer Name = ARK | Source = ACPI | ID = 327693
    Description = : The embedded controller (EC) did not respond within the specified
    timeout period. This may indicate that there is an error in the EC hardware or
    firmware or that the BIOS is accessing the EC incorrectly. You should check with
    your computer manufacturer for an upgraded BIOS. In some situations, this error
    may cause the computer to function incorrectly.

    Error - 7/7/2012 3:41:50 PM | Computer Name = ARK | Source = ACPI | ID = 327693
    Description = : The embedded controller (EC) did not respond within the specified
    timeout period. This may indicate that there is an error in the EC hardware or
    firmware or that the BIOS is accessing the EC incorrectly. You should check with
    your computer manufacturer for an upgraded BIOS. In some situations, this error
    may cause the computer to function incorrectly.


    < End of report >
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Please make sure to download the 64-bit version.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64 and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
    • Press the Scan button.
    • Type exit and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.
     
  8. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    Would it be acceptable to run the program from a secondary hard drive (that doesn't have windows installed on any partition) within my computer? Or from a SD card?
     
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Either one should work, yes. I have heard others try it, and success happens! :)
     
  10. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    Scan result of Farbar Recovery Scan Tool Version: 07-07-2012 04
    Ran by SYSTEM at 07-07-2012 13:58:56
    Running from D:\
    Windows 7 Professional (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)
    HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [342528 2009-06-19] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-12-05] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2 [446635 2008-06-03] (Creative Technology Ltd.)
    HKLM-x32\...\Run: [Clearwire Connection Manager] "C:\Program Files (x86)\Clearwire\Connection Manager\ClearwireCM.exe" -a [54608 2009-12-01] (ClearwireCM)
    HKU\Noah\...\Run: [Google Update] "C:\Users\Noah\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-02-13] (Google Inc.)
    HKU\Noah\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3481408 2012-02-13] (DT Soft Ltd)
    HKU\Noah\...\Run: [yahoo!] C:\Windows\system32\rundll32.exe C:\Users\Noah\AppData\Local\Temp\94092002225Wsy.dll,Sets [23167488 2012-03-22] (Lavasoft )
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25

    ==================== Services (Whitelisted) ======

    3 CACLEARWIRE; "C:\Program Files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe" /n "CACLEARWIRE" [124240 2009-11-09] (SmithMicro Inc.)
    3 CLEARWIRERcAppSvc; "C:\Program Files (x86)\Clearwire\Connection Manager\RcAppSvc.exe" /n "CLEARWIRERcAppSvc" [120144 2009-11-09] (SmithMicro Inc.)
    4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    2 SMSI Device Launch Service; "C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe" /n "SMSI Device Launch Service" [107856 2009-11-09] ()
    3 vds; C:\Windows\System32\vds.exe [533504 2010-11-20] (Microsoft Corporation)
    2 zmdjwsviccq; "C:\Users\Noah\AppData\Local\Temp\DAT1F4C.tmp.exe" --SERVICE [49152 2012-06-30] (Mustek Systems)

    ========================== Drivers (Whitelisted) =============

    3 bcm; C:\Windows\System32\DRIVERS\drxvi314_64.sys [318336 2009-11-03] (Beceem communications pvt ltd.)
    3 bcmbusctr; C:\Windows\System32\DRIVERS\BcmBusCtr_64.sys [62976 2009-11-03] (Beceem communications pvt ltd.)
    3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [43032 2009-11-09] (Smith Micro Inc.)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [564792 2012-03-03] (Duplex Secure Ltd.)
    2 tifsfilter; C:\Windows\System32\DRIVERS\tifsfilt.sys [81952 2012-04-04] (Acronis)
    0 timounter; C:\Windows\System32\DRIVERS\timntr.sys [711712 2012-04-04] (Acronis)

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-07 13:47 - 2012-07-07 13:47 - 00052983 ____A C:\FRST.txt
    2012-07-07 12:28 - 2012-07-07 12:53 - 00000000 ____D C:\FRST
    2012-07-07 12:19 - 2012-07-07 12:19 - 01432863 ____A C:\Users\Noah\Desktop\FRST64.exe
    2012-07-07 11:43 - 2012-07-07 11:43 - 00059342 ____A C:\Users\Noah\Downloads\Extras.Txt
    2012-07-07 11:41 - 2012-07-07 11:41 - 00180694 ____A C:\Users\Noah\Downloads\OTL.Txt
    2012-07-07 11:17 - 2012-07-07 11:18 - 00595968 ____A (OldTimer Tools) C:\Users\Noah\Downloads\OTL.exe
    2012-07-07 02:46 - 2012-07-07 02:50 - 00072787 ____A C:\Users\Noah\Downloads\yorkyt.exe.log
    2012-07-07 01:22 - 2012-07-07 01:22 - 00000000 ____D C:\Users\Noah\AppData\Roaming\Malwarebytes
    2012-07-07 01:21 - 2012-07-07 11:59 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-07 01:21 - 2012-07-07 01:21 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-07-07 01:14 - 2012-07-07 01:14 - 00000000 ____D C:\Program Files (x86)\Trend Micro
    2012-07-07 01:13 - 2012-07-07 01:13 - 01402880 ____A C:\Users\Noah\Downloads\HiJackThis.msi
    2012-07-07 00:55 - 2012-07-07 00:55 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.739C8873D9ECF71E
    2012-07-07 00:55 - 2012-07-07 00:55 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\xzmpqrzp.sys
    2012-07-07 00:49 - 2012-07-07 00:49 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A6442602067A050
    2012-07-07 00:42 - 2012-07-07 00:42 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BF239738057945B9
    2012-07-07 00:24 - 2012-07-07 00:27 - 00000000 ____D C:\Users\Noah\Desktop\New folder
    2012-07-07 00:20 - 2012-07-07 00:21 - 12621696 ____A (Microsoft Corporation) C:\Users\Noah\Downloads\mseinstall.exe
    2012-07-06 21:55 - 2012-07-06 21:55 - 00005273 ____A C:\Users\Noah\Desktop\gens.ini
    2012-07-06 21:51 - 2012-07-06 21:51 - 00000040 ____A C:\Users\Noah\Desktop\language.dat
    2012-07-06 03:10 - 2012-07-06 03:12 - 00000000 ____D C:\Users\Noah\Desktop\spookeedoo
    2012-07-06 02:05 - 2012-07-06 02:05 - 00000000 ____D C:\Users\Noah\AppData\Local\Zachtronics Industries
    2012-07-06 02:04 - 2012-07-07 11:58 - 00000000 ____D C:\Program Files (x86)\Zachtronics Industries
    2012-07-05 21:56 - 2012-07-05 21:56 - 12060905 ____A C:\Users\Noah\Downloads\1077105.12322077.zip
    2012-07-05 16:02 - 2012-07-05 16:02 - 16577248 ____A (Mozilla) C:\Users\Noah\Downloads\Firefox Setup 13.0.1.exe
    2012-07-05 11:39 - 2012-07-05 11:40 - 11095214 ____A C:\Users\Noah\Downloads\Gekiuma.rar
    2012-07-05 11:24 - 2012-07-05 11:37 - 24647405 ____A C:\Users\Noah\Downloads\Mazeruna Kiken2.zip
    2012-07-05 11:06 - 2012-07-05 11:07 - 01856727 ____A C:\Users\Noah\Downloads\Gyakuten Yuukai.zip
    2012-07-04 14:42 - 2012-07-04 14:43 - 17594146 ____A C:\Users\Noah\Downloads\K.cbr
    2012-07-04 13:05 - 2012-07-04 13:09 - 157165879 ____A C:\Users\Noah\Downloads\wer21y.zip
    2012-07-04 00:22 - 2012-07-04 00:41 - 200000000 ____A C:\Users\Noah\Downloads\Sora.part1.rar
    2012-07-04 00:22 - 2012-07-04 00:39 - 140164579 ____A C:\Users\Noah\Downloads\Sora.part2.rar
    2012-07-04 00:20 - 2012-07-04 00:41 - 209715200 ____A C:\Users\Noah\Downloads\Sazae 2.part1.rar
    2012-07-04 00:20 - 2012-07-04 00:34 - 84291830 ____A C:\Users\Noah\Downloads\Solce.rar
    2012-07-04 00:20 - 2012-07-04 00:24 - 19277437 ____A C:\Users\Noah\Downloads\Sazae 2.part2.rar
    2012-07-04 00:19 - 2012-07-04 00:24 - 27933442 ____A C:\Users\Noah\Downloads\C80R27.rar
    2012-07-04 00:11 - 2012-07-04 00:28 - 100431872 ____A C:\Users\Noah\Downloads\AR+ARS.part01.rar
    2012-07-04 00:11 - 2012-07-04 00:23 - 84090444 ____A C:\Users\Noah\Downloads\AR+ARS.part02.rar
    2012-07-04 00:10 - 2012-07-04 00:38 - 209715200 ____A C:\Users\Noah\Downloads\BT.part2.rar
    2012-07-04 00:10 - 2012-07-04 00:38 - 209715200 ____A C:\Users\Noah\Downloads\BT.part1.rar
    2012-07-04 00:10 - 2012-07-04 00:36 - 156741578 ____A C:\Users\Noah\Downloads\BB.rar
    2012-07-04 00:09 - 2012-07-04 00:39 - 209715200 ____A C:\Users\Noah\Downloads\BT.part3.rar
    2012-07-04 00:09 - 2012-07-04 00:36 - 209715200 ____A C:\Users\Noah\Downloads\BT.part4.rar
    2012-07-04 00:08 - 2012-07-04 00:34 - 209715200 ____A C:\Users\Noah\Downloads\BT.part5.rar
    2012-07-04 00:08 - 2012-07-04 00:31 - 166385894 ____A C:\Users\Noah\Downloads\BT.part6.rar
    2012-07-03 22:46 - 2012-07-03 22:49 - 00000000 ____D C:\Program Files (x86)\Ideas From the Deep
    2012-07-03 22:46 - 2012-07-03 22:46 - 00000000 ____D C:\Windows\Ideas From the Deep
    2012-07-03 22:46 - 2012-07-03 22:46 - 00000000 ____D C:\Users\Noah\AppData\Roaming\Ideas From the Deep
    2012-07-03 22:46 - 2012-07-03 22:46 - 00000000 ____D C:\Users\Noah\AppData\Local\Ideas From the Deep
    2012-07-03 22:46 - 2012-07-03 22:46 - 00000000 ____D C:\Users\All Users\Ideas From the Deep
    2012-07-03 22:23 - 2012-07-03 22:24 - 12699429 ____A C:\Users\Noah\Downloads\NE.rar
    2012-07-02 21:02 - 2012-07-02 21:02 - 02226708 ____A C:\Users\Noah\Downloads\Unknow.rar
    2012-07-02 18:38 - 2012-07-02 18:41 - 10045980 ____A C:\Users\Noah\Downloads\NMY_CG.zip
    2012-07-01 22:20 - 2012-07-01 22:29 - 21515413 ____A C:\Users\Noah\Downloads\mpt_manual.zip
    2012-07-01 14:31 - 2012-07-01 14:31 - 16852491 ____A C:\Users\Noah\Downloads\1009033.18389272.zip
    2012-07-01 00:03 - 2012-07-07 11:12 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-06-30 23:59 - 2012-06-30 23:59 - 00140832 ____A C:\Windows\SysWOW64\Drivers\str.sys
    2012-06-30 23:18 - 2012-06-30 23:18 - 06823842 ____A C:\Users\Noah\Downloads\Tuba.zip
    2012-06-30 19:05 - 2012-07-06 03:08 - 04320054 ____A C:\Users\Noah\Desktop\mxw9npze.bmp
    2012-06-30 16:13 - 2012-06-30 16:14 - 15948549 ____A C:\Users\Noah\Downloads\Ginza.rar
    2012-06-30 16:11 - 2012-06-30 16:14 - 35265753 ____A C:\Users\Noah\Desktop\policech1.rar
    2012-06-30 14:16 - 2012-06-30 14:16 - 05083513 ____A C:\Users\Noah\Downloads\1073458.5126162.zip
    2012-06-29 12:06 - 2012-06-29 12:06 - 10982724 ____A C:\Users\Noah\Desktop\KNKs SUMMER CARNIVAL 2K12.rar
    2012-06-28 17:31 - 2012-06-29 06:12 - 00000000 ____D C:\Users\Noah\Downloads\L Part 2
    2012-06-27 20:34 - 2012-06-27 20:35 - 38186082 ____A C:\Users\Noah\Downloads\1018052.39178237.zip
    2012-06-27 01:26 - 2012-06-27 01:26 - 00000000 ____D C:\Users\Noah\AppData\Roaming\SystemRequirementsLab
    2012-06-27 01:26 - 2012-06-27 01:26 - 00000000 ____D C:\Program Files (x86)\SystemRequirementsLab
    2012-06-26 17:38 - 2012-06-26 17:42 - 150860927 ____A C:\Users\Noah\Desktop\Metroid Prime Galleries.rar
    2012-06-26 10:05 - 2012-06-27 10:20 - 00000000 ____D C:\Users\Noah\Downloads\2005
    2012-06-26 10:02 - 2012-06-30 19:39 - 01209650 ____A C:\Users\Noah\Desktop\Curly Christmas.zip
    2012-06-25 13:14 - 2012-06-25 13:14 - 00067268 ____A C:\Users\Noah\Downloads\greensleeves.zip
    2012-06-25 10:43 - 2012-06-25 10:43 - 00014861 ____A C:\Users\Noah\Downloads\873785.htm
    2012-06-24 17:32 - 2012-06-24 22:45 - 00000000 ____D C:\Users\Noah\Downloads\Beavis and Butthead Complete Season 8 HD Mp4
    2012-06-24 17:28 - 2012-06-24 17:29 - 42720513 ____A C:\Users\Noah\Downloads\The Art of Moebius.zip
    2012-06-24 06:42 - 2012-06-24 06:45 - 31366006 ____A C:\Users\Noah\Downloads\Metallic Memories.zip
    2012-06-23 23:34 - 2012-06-24 00:49 - 00000000 ____D C:\Users\Noah\Downloads\Junji Ito
    2012-06-23 19:18 - 2012-07-07 11:12 - 00000000 ____D C:\Users\Noah\Desktop\Cave Story+
    2012-06-23 19:18 - 2011-11-23 20:26 - 19341607 ____A C:\Users\Noah\Desktop\Cave Story+.exe
    2012-06-23 19:13 - 2012-06-23 19:14 - 07674594 ____A C:\Users\Noah\Downloads\0882848186.rar
    2012-06-23 19:04 - 2012-06-23 19:04 - 00014634 ____A C:\Users\Noah\Downloads\842500.htm
    2012-06-23 17:16 - 2012-06-22 08:58 - 00000000 ____D C:\Users\Noah\Desktop\??????????????????
    2012-06-23 17:15 - 2012-06-23 17:15 - 08625261 ____A C:\Users\Noah\Downloads\??????????????????.rar
    2012-06-23 12:06 - 2012-06-23 12:06 - 13848424 ____A C:\Users\Noah\Downloads\????!.zip
    2012-06-21 16:58 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-21 16:58 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-21 16:58 - 2012-06-02 14:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-21 16:58 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-21 16:58 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-21 16:58 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-21 16:58 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-21 16:58 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-21 16:58 - 2012-06-02 14:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-21 14:52 - 2012-06-21 14:52 - 00000000 ____D C:\Users\Noah\Desktop\God Mode.{ED7BA470-8E54-465E-825C-99712043E01C}
    2012-06-17 20:14 - 2012-06-17 20:14 - 03518651 ____A C:\Users\Noah\Downloads\ca.rar
    2012-06-17 17:43 - 2012-06-17 17:43 - 00052535 ____A C:\Users\Noah\Downloads\5.htm
    2012-06-16 22:36 - 2012-06-23 01:47 - 00000000 ____D C:\Users\Noah\AppData\Roaming\dvdcss
    2012-06-15 00:01 - 2012-06-15 00:02 - 01027559 ____A C:\Users\Noah\Desktop\Junji Ito - Hell Dollies [One shot].rar
    2012-06-14 14:25 - 2012-06-21 23:53 - 00000000 ____D C:\Users\Noah\Desktop\New folder (2)
    2012-06-13 22:27 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-13 22:27 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-13 22:27 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-13 22:27 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-13 22:27 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-13 22:27 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-13 22:27 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-13 22:27 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-13 22:27 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-13 22:27 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-13 22:27 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-13 22:27 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-13 22:27 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-13 22:27 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-13 22:27 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-13 22:27 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-13 22:27 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-13 22:27 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-13 22:27 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-13 22:27 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-13 22:27 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-13 22:27 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-13 22:27 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-13 22:27 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-13 22:27 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-13 22:27 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-13 22:27 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-13 22:27 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-13 22:26 - 2012-05-04 03:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
    2012-06-13 22:26 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
    2012-06-13 17:29 - 2012-06-13 17:29 - 01110476 ____A C:\Users\Noah\Downloads\7z920.exe
    2012-06-13 16:35 - 2012-06-13 16:37 - 37388889 ____A C:\Users\Noah\Downloads\992954.66253599.zip
    2012-06-13 16:11 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-06-13 16:11 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-06-13 16:11 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-06-13 16:10 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-13 16:10 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-06-13 16:10 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-06-13 16:10 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-06-13 16:10 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-06-13 16:10 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-06-13 16:10 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-06-13 16:10 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-06-13 16:10 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-06-13 16:10 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-06-13 16:10 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-06-13 16:10 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-06-13 16:09 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
    2012-06-13 16:09 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
    2012-06-09 18:50 - 2012-06-09 18:51 - 00000000 ____D C:\Program Files (x86)\QuickTime Alternative
    2012-06-09 18:50 - 2012-06-09 18:50 - 00000000 ____D C:\Users\All Users\Apple Computer
    2012-06-09 18:50 - 2010-03-17 12:53 - 00180224 ____A (Apple Inc.) C:\Windows\SysWOW64\QTCF.dll
    2012-06-09 18:50 - 2010-03-17 12:53 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
    2012-06-09 18:50 - 2010-03-17 12:53 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
    2012-06-07 22:55 - 2012-06-07 22:57 - 08955566 ____A C:\Users\Noah\Downloads\index.cfm

    ============ 3 Months Modified Files ========================

    2012-07-07 13:47 - 2012-07-07 13:47 - 00052983 ____A C:\FRST.txt
    2012-07-07 12:55 - 2009-07-13 20:45 - 00013792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-07 12:55 - 2009-07-13 20:45 - 00013792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-07 12:50 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-07 12:50 - 2009-07-13 20:51 - 00038517 ____A C:\Windows\setupact.log
    2012-07-07 12:19 - 2012-07-07 12:19 - 01432863 ____A C:\Users\Noah\Desktop\FRST64.exe
    2012-07-07 11:48 - 2012-02-13 16:36 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3241787045-3222298948-2849222198-1000UA.job
    2012-07-07 11:43 - 2012-07-07 11:43 - 00059342 ____A C:\Users\Noah\Downloads\Extras.Txt
    2012-07-07 11:41 - 2012-07-07 11:41 - 00180694 ____A C:\Users\Noah\Downloads\OTL.Txt
    2012-07-07 11:18 - 2012-07-07 11:17 - 00595968 ____A (OldTimer Tools) C:\Users\Noah\Downloads\OTL.exe
    2012-07-07 11:06 - 2012-02-11 12:19 - 01912701 ____A C:\Windows\WindowsUpdate.log
    2012-07-07 02:50 - 2012-07-07 02:46 - 00072787 ____A C:\Users\Noah\Downloads\yorkyt.exe.log
    2012-07-07 01:13 - 2012-07-07 01:13 - 01402880 ____A C:\Users\Noah\Downloads\HiJackThis.msi
    2012-07-07 00:55 - 2012-07-07 00:55 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.739C8873D9ECF71E
    2012-07-07 00:55 - 2012-07-07 00:55 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\xzmpqrzp.sys
    2012-07-07 00:49 - 2012-07-07 00:49 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A6442602067A050
    2012-07-07 00:42 - 2012-07-07 00:42 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BF239738057945B9
    2012-07-07 00:21 - 2012-07-07 00:20 - 12621696 ____A (Microsoft Corporation) C:\Users\Noah\Downloads\mseinstall.exe
    2012-07-06 21:55 - 2012-07-06 21:55 - 00005273 ____A C:\Users\Noah\Desktop\gens.ini
    2012-07-06 21:51 - 2012-07-06 21:51 - 00000040 ____A C:\Users\Noah\Desktop\language.dat
    2012-07-06 03:08 - 2012-06-30 19:05 - 04320054 ____A C:\Users\Noah\Desktop\mxw9npze.bmp
    2012-07-05 21:56 - 2012-07-05 21:56 - 12060905 ____A C:\Users\Noah\Downloads\1077105.12322077.zip
    2012-07-05 16:02 - 2012-07-05 16:02 - 16577248 ____A (Mozilla) C:\Users\Noah\Downloads\Firefox Setup 13.0.1.exe
    2012-07-05 11:40 - 2012-07-05 11:39 - 11095214 ____A C:\Users\Noah\Downloads\Gekiuma.rar
    2012-07-05 11:37 - 2012-07-05 11:24 - 24647405 ____A C:\Users\Noah\Downloads\Mazeruna Kiken2.zip
    2012-07-05 11:07 - 2012-07-05 11:06 - 01856727 ____A C:\Users\Noah\Downloads\Gyakuten Yuukai.zip
    2012-07-04 14:43 - 2012-07-04 14:42 - 17594146 ____A C:\Users\Noah\Downloads\K.cbr
    2012-07-04 13:09 - 2012-07-04 13:05 - 157165879 ____A C:\Users\Noah\Downloads\wer21y.zip
    2012-07-04 00:41 - 2012-07-04 00:22 - 200000000 ____A C:\Users\Noah\Downloads\Sora.part1.rar
    2012-07-04 00:41 - 2012-07-04 00:20 - 209715200 ____A C:\Users\Noah\Downloads\Sazae 2.part1.rar
    2012-07-04 00:39 - 2012-07-04 00:22 - 140164579 ____A C:\Users\Noah\Downloads\Sora.part2.rar
    2012-07-04 00:39 - 2012-07-04 00:09 - 209715200 ____A C:\Users\Noah\Downloads\BT.part3.rar
    2012-07-04 00:38 - 2012-07-04 00:10 - 209715200 ____A C:\Users\Noah\Downloads\BT.part2.rar
    2012-07-04 00:38 - 2012-07-04 00:10 - 209715200 ____A C:\Users\Noah\Downloads\BT.part1.rar
    2012-07-04 00:36 - 2012-07-04 00:10 - 156741578 ____A C:\Users\Noah\Downloads\BB.rar
    2012-07-04 00:36 - 2012-07-04 00:09 - 209715200 ____A C:\Users\Noah\Downloads\BT.part4.rar
    2012-07-04 00:34 - 2012-07-04 00:20 - 84291830 ____A C:\Users\Noah\Downloads\Solce.rar
    2012-07-04 00:34 - 2012-07-04 00:08 - 209715200 ____A C:\Users\Noah\Downloads\BT.part5.rar
    2012-07-04 00:31 - 2012-07-04 00:08 - 166385894 ____A C:\Users\Noah\Downloads\BT.part6.rar
    2012-07-04 00:28 - 2012-07-04 00:11 - 100431872 ____A C:\Users\Noah\Downloads\AR+ARS.part01.rar
    2012-07-04 00:24 - 2012-07-04 00:20 - 19277437 ____A C:\Users\Noah\Downloads\Sazae 2.part2.rar
    2012-07-04 00:24 - 2012-07-04 00:19 - 27933442 ____A C:\Users\Noah\Downloads\C80R27.rar
    2012-07-04 00:23 - 2012-07-04 00:11 - 84090444 ____A C:\Users\Noah\Downloads\AR+ARS.part02.rar
    2012-07-03 22:24 - 2012-07-03 22:23 - 12699429 ____A C:\Users\Noah\Downloads\NE.rar
    2012-07-02 21:02 - 2012-07-02 21:02 - 02226708 ____A C:\Users\Noah\Downloads\Unknow.rar
    2012-07-02 18:41 - 2012-07-02 18:38 - 10045980 ____A C:\Users\Noah\Downloads\NMY_CG.zip
    2012-07-02 14:48 - 2012-02-13 16:36 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3241787045-3222298948-2849222198-1000Core.job
    2012-07-01 22:29 - 2012-07-01 22:20 - 21515413 ____A C:\Users\Noah\Downloads\mpt_manual.zip
    2012-07-01 18:37 - 2012-07-01 18:37 - 02945062 ____A C:\Users\Noah\Downloads\[ENG] Transfer Student.rar
    2012-07-01 14:31 - 2012-07-01 14:31 - 16852491 ____A C:\Users\Noah\Downloads\1009033.18389272.zip
    2012-06-30 23:59 - 2012-06-30 23:59 - 00140832 ____A C:\Windows\SysWOW64\Drivers\str.sys
    2012-06-30 23:59 - 2012-05-23 17:14 - 00000375 ____A C:\Windows\System32\Drivers\etc\hosts.ics
    2012-06-30 23:18 - 2012-06-30 23:18 - 06823842 ____A C:\Users\Noah\Downloads\Tuba.zip
    2012-06-30 19:39 - 2012-06-26 10:02 - 01209650 ____A C:\Users\Noah\Desktop\Curly Christmas.zip
    2012-06-30 16:51 - 2009-07-13 21:13 - 00786792 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-06-30 16:14 - 2012-06-30 16:13 - 15948549 ____A C:\Users\Noah\Downloads\Ginza.rar
    2012-06-30 16:14 - 2012-06-30 16:11 - 35265753 ____A C:\Users\Noah\Desktop\policech1.rar
    2012-06-30 14:16 - 2012-06-30 14:16 - 05083513 ____A C:\Users\Noah\Downloads\1073458.5126162.zip
    2012-06-27 20:35 - 2012-06-27 20:34 - 38186082 ____A C:\Users\Noah\Downloads\1018052.39178237.zip
    2012-06-26 17:42 - 2012-06-26 17:38 - 150860927 ____A C:\Users\Noah\Desktop\Metroid Prime Galleries.rar
    2012-06-25 13:14 - 2012-06-25 13:14 - 00067268 ____A C:\Users\Noah\Downloads\greensleeves.zip
    2012-06-25 10:43 - 2012-06-25 10:43 - 00014861 ____A C:\Users\Noah\Downloads\873785.htm
    2012-06-24 17:29 - 2012-06-24 17:28 - 42720513 ____A C:\Users\Noah\Downloads\The Art of Moebius.zip
    2012-06-24 06:45 - 2012-06-24 06:42 - 31366006 ____A C:\Users\Noah\Downloads\Metallic Memories.zip
    2012-06-23 19:14 - 2012-06-23 19:13 - 07674594 ____A C:\Users\Noah\Downloads\0882848186.rar
    2012-06-23 19:04 - 2012-06-23 19:04 - 00014634 ____A C:\Users\Noah\Downloads\842500.htm
    2012-06-23 17:15 - 2012-06-23 17:15 - 08625261 ____A C:\Users\Noah\Downloads\??????????????????.rar
    2012-06-23 12:06 - 2012-06-23 12:06 - 13848424 ____A C:\Users\Noah\Downloads\????!.zip
    2012-06-17 20:14 - 2012-06-17 20:14 - 03518651 ____A C:\Users\Noah\Downloads\ca.rar
    2012-06-17 17:43 - 2012-06-17 17:43 - 00052535 ____A C:\Users\Noah\Downloads\5.htm
    2012-06-14 14:30 - 2009-07-13 21:08 - 00026888 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-06-14 01:36 - 2009-07-13 20:45 - 00415824 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-13 22:39 - 2012-02-11 20:59 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-06-13 17:29 - 2012-06-13 17:29 - 01110476 ____A C:\Users\Noah\Downloads\7z920.exe
    2012-06-13 16:37 - 2012-06-13 16:35 - 37388889 ____A C:\Users\Noah\Downloads\992954.66253599.zip
    2012-06-11 23:01 - 2012-02-12 01:48 - 00364442 ____A C:\Windows\DirectX.log
    2012-06-07 22:57 - 2012-06-07 22:55 - 08955566 ____A C:\Users\Noah\Downloads\index.cfm
    2012-06-07 00:05 - 2012-06-06 19:59 - 00001095 ____A C:\Users\Guest\Desktop\Hellsinker Manual.lnk
    2012-06-07 00:05 - 2012-06-06 19:59 - 00000958 ____A C:\Users\Guest\Desktop\Hellsinker Pad Configuration.lnk
    2012-06-07 00:05 - 2012-06-06 19:59 - 00000924 ____A C:\Users\Guest\Desktop\Hellsinker English.lnk
    2012-06-02 14:19 - 2012-06-21 16:58 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 16:58 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 16:58 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 14:19 - 2012-06-21 16:58 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 16:58 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 16:58 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-21 16:58 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 16:58 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:15 - 2012-06-21 16:58 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-23 18:01 - 2012-05-23 18:01 - 00189384 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
    2012-05-23 18:01 - 2012-05-23 18:01 - 00188872 ____A (Oracle Corporation) C:\Windows\System32\java.exe
    2012-05-23 17:57 - 2012-05-23 17:55 - 10627812 ____A C:\Users\Noah\Downloads\SuperOneClickv2.3.3-ShortFuse.zip
    2012-05-23 17:54 - 2012-05-23 17:48 - 96813000 ____A (Oracle Corporation) C:\Users\Noah\Downloads\jdk-7u4-windows-x64.exe
    2012-05-23 17:45 - 2012-05-23 17:43 - 37456234 ____A (Google Inc.) C:\Users\Noah\Downloads\installer_r18-windows.exe
    2012-05-23 17:32 - 2012-05-23 17:32 - 00178540 ____A C:\Users\Noah\Downloads\ZT-180 Adhoc Switcher.apk
    2012-05-18 19:35 - 2012-05-18 19:35 - 00153612 ____A C:\Users\Noah\Downloads\jsawyer_fnv_mod.zip
    2012-05-18 19:15 - 2012-05-18 19:15 - 00322752 ____A C:\Users\Noah\Downloads\SFSD.dol
    2012-05-18 19:15 - 2012-05-18 19:15 - 00177772 ____A C:\Users\Noah\Downloads\SimpleFSDumper0.42.zip
    2012-05-18 18:46 - 2012-03-03 01:13 - 00007605 ____A C:\Users\Noah\AppData\Local\Resmon.ResmonCfg
    2012-05-17 18:47 - 2012-06-13 22:27 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-13 22:27 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-13 22:27 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-13 22:27 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-13 22:27 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-13 22:27 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-13 22:27 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-13 22:27 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-13 22:27 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-13 22:27 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-13 22:27 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-13 22:27 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-13 22:27 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-13 22:27 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-06-13 22:27 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-13 22:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-13 22:27 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-13 22:27 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-13 22:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-13 22:27 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-13 22:27 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-13 22:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-13 22:27 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-13 22:27 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-13 22:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-13 22:27 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-13 22:27 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-13 22:27 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-14 17:32 - 2012-06-13 16:10 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-13 10:47 - 2012-04-02 14:59 - 00419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-05-13 10:47 - 2012-02-11 22:37 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-05-13 10:13 - 2012-05-13 10:13 - 00109208 ____A C:\Users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-05-13 10:12 - 2012-05-13 10:12 - 00000020 __ASH C:\Users\Guest\ntuser.ini
    2012-05-09 19:00 - 2012-05-09 18:59 - 00102576 ____A C:\drivers.log
    2012-05-04 16:48 - 2012-05-04 16:48 - 02596401 ____A C:\Users\Noah\Downloads\notes_se.zip
    2012-05-04 03:06 - 2012-06-13 16:10 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-05-04 03:00 - 2012-06-13 22:26 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
    2012-05-04 02:03 - 2012-06-13 16:10 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-05-04 02:03 - 2012-06-13 16:10 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-05-04 01:59 - 2012-06-13 22:26 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
    2012-05-03 17:22 - 2012-05-03 17:22 - 00023771 ____A C:\Users\Noah\.recently-used.xbel
    2012-05-01 10:45 - 2012-02-11 16:59 - 00015522 ____A C:\Windows\PFRO.log
    2012-05-01 01:22 - 2012-02-11 22:10 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-05-01 01:22 - 2012-02-11 22:07 - 00800878 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-04-30 21:40 - 2012-06-13 16:10 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-04-27 19:55 - 2012-06-13 16:10 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-27 16:29 - 2012-04-27 16:29 - 04590718 ____A C:\Users\Noah\FCE Ultra GX 3.2.9.zip
    2012-04-25 21:41 - 2012-06-13 16:11 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-04-25 21:41 - 2012-06-13 16:11 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-04-25 21:34 - 2012-06-13 16:11 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-04-25 15:40 - 2012-04-25 15:38 - 00101680 ____A (Amazon.com, Inc.) C:\Windows\System32\stkMonitor.dll
    2012-04-23 21:37 - 2012-06-13 16:10 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 21:37 - 2012-06-13 16:10 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 21:37 - 2012-06-13 16:10 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 20:36 - 2012-06-13 16:10 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-04-23 20:36 - 2012-06-13 16:10 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-04-23 20:36 - 2012-06-13 16:10 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-04-13 15:10 - 2012-04-13 15:10 - 00000374 ____A C:\Users\Noah\Downloads\Read Me.txt
    2012-04-13 00:47 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
    2012-04-09 19:41 - 2012-04-09 19:40 - 00275864 ____A C:\Windows\Minidump\040912-34367-01.dmp
    2012-04-09 19:40 - 2012-04-02 17:22 - 326010306 ____A C:\Windows\MEMORY.DMP

    ZeroAccess:
    C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}
    C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\@
    C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\L
    C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\n
    C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\U
    C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\U\00000001.@
    C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\U\80000000.@
    C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925}\U\800000cb.@

    ZeroAccess:
    C:\Users\Noah\AppData\Local\{989ae601-0dc7-461e-0851-c26e7dd1b925}
    C:\Users\Noah\AppData\Local\{989ae601-0dc7-461e-0851-c26e7dd1b925}\@
    C:\Users\Noah\AppData\Local\{989ae601-0dc7-461e-0851-c26e7dd1b925}\L
    C:\Users\Noah\AppData\Local\{989ae601-0dc7-461e-0851-c26e7dd1b925}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 24%
    Total physical RAM: 2042.89 MB
    Available physical RAM: 1546.07 MB
    Total Pagefile: 2042.89 MB
    Available Pagefile: 1537.97 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: (New Volume) (Fixed) (Total:465.76 GB) (Free:23.68 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: () (Fixed) (Total:149.05 GB) (Free:32.93 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ###  Status         Size     Free     Dyn  Gpt
    --------  -------------  -------  -------  ---  ---
    Disk 0    Online         465 GB   1024 KB
    Disk 1    Online         149 GB   0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           465 GB   31 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1  C    New Volume   NTFS   Partition   465 GB   Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           149 GB   1024 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2  D                 NTFS   Partition   149 GB   Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-06-29 00:32

    ======================= End Of Log ==========================
     
  11. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    Are multiple malware removal specialists allowed to comment or offer advice on a particular problem (although I think I could understand if they can't)? I'd like to get this resolved as soon as I can. Thanks
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    We'll get it resolved quickly. Whether or not another specialist helps (usually not the case), it will take just as long as anyone else. Usually 2-3 days, if that.

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  13. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    Here are the contents of the fixlog. I haven't used combofix yet.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 07-07-2012 04
    Ran by SYSTEM at 2012-07-07 23:33:03 Run:1
    Running from D:\

    ==============================================

    C:\Windows\System32\services.exe.739C8873D9ECF71E moved successfully.
    C:\Windows\System32\Drivers\xzmpqrzp.sys moved successfully.
    C:\Windows\System32\services.exe.4A6442602067A050 moved successfully.
    C:\Windows\System32\services.exe.BF239738057945B9 moved successfully.
    C:\Windows\SysWOW64\Drivers\str.sys moved successfully.
    C:\Windows\Installer\{989ae601-0dc7-461e-0851-c26e7dd1b925} moved successfully.
    C:\Users\Noah\AppData\Local\{989ae601-0dc7-461e-0851-c26e7dd1b925} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====

    I'm still experiencing the same symptoms, however (cannot turn on windows security services). Should I follow the combofix instructions?
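One way to turn the indicators from the FRST log above and the restore this Fixlog records into repeatable checks, as an added example that is not code from the thread, from FRST or from ComboFix: it parses the "Bamital & volsnap Check" lines, looks for GUID-named folders that carry the "@", "L" and "U" entries, and compares services.exe with a component-store copy by MD5 (the form FRST reports), all against a constructed directory tree. Every function name, the sample tree and the stand-in file contents are hypothetical; only the GUID, paths and hash line are taken from the logs above.

```python
"""Triage helpers for the Sirefef/ZeroAccess indicators in the FRST log and Fixlog above.
Constructed example for this thread, not code from FRST, ComboFix or TechSpot; names are
hypothetical and the sample inputs are built in a temporary directory."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# The "Bamital & volsnap Check" section prints one of two line shapes:
#   C:\Windows\System32\winlogon.exe => MD5 is legit
#   C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
FLAGGED = re.compile(r"^(?P<path>\S+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<verdict>\S+)\s+<====")
LEGIT = re.compile(r"^(?P<path>\S+)\s+=>\s+MD5 is legit$")

# Three lines copied from the section as posted above (constructed excerpt).
SAMPLE_SECTION = r"""
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

def parse_integrity_check(section: str) -> dict:
    """Map each checked path to 'legit' or to the family name FRST attached to it."""
    verdicts = {}
    for line in section.splitlines():
        line = line.strip()
        if m := FLAGGED.match(line):
            verdicts[m["path"]] = m["verdict"]
        elif m := LEGIT.match(line):
            verdicts[m["path"]] = "legit"
    return verdicts

def flagged_binaries(section: str) -> list:
    """Paths whose MD5 FRST did not recognise as legitimate."""
    return sorted(p for p, v in parse_integrity_check(section).items() if v != "legit")

# On-disk layout from the log: a GUID-named folder holding '@', 'L' and 'U', under both
# C:\Windows\Installer and the user's AppData\Local. Genuine MSI cache folders under
# C:\Windows\Installer are GUID-named too, so the marker entries are what discriminates.
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ZA_MARKERS = {"@", "L", "U"}

def find_zeroaccess_dirs(*roots: Path) -> list:
    """GUID-named folders under the given roots that carry all the ZeroAccess markers."""
    hits = []
    for root in (r for r in roots if r.is_dir()):
        for child in root.iterdir():
            if child.is_dir() and GUID_NAME.match(child.name):
                if ZA_MARKERS <= {p.name for p in child.iterdir()}:
                    hits.append(child)
    return sorted(hits)

def md5_of(path: Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest().upper()   # FRST prints MD5 in upper case

def matches_reference(live: Path, reference: Path) -> bool:
    """True when the live binary equals the component-store copy, the Fixlog's restore source."""
    return md5_of(live) == md5_of(reference)

def build_sample_tree(base: Path) -> dict:
    """Constructed tree mirroring the paths in the log above; returns the interesting paths."""
    guid = "{989ae601-0dc7-461e-0851-c26e7dd1b925}"          # the GUID FRST reported above
    installer = base / "Windows" / "Installer"
    appdata = base / "Users" / "Noah" / "AppData" / "Local"
    for parent, extras in ((installer, ["@", "L", "n"]), (appdata, ["@", "L"])):
        (parent / guid / "U").mkdir(parents=True)
        for name in extras:
            (parent / guid / name).write_bytes(b"")
    (installer / guid / "U" / "00000001.@").write_bytes(b"\x00" * 16)
    legit = installer / "{A1B2C3D4-0000-0000-0000-000000000001}"   # ordinary MSI cache folder
    legit.mkdir()
    (legit / "icon.ico").write_bytes(b"\x00")
    live = base / "Windows" / "System32" / "services.exe"
    live.parent.mkdir()
    live.write_bytes(b"MZ stand-in for the patched services.exe")
    ref = base / "Windows" / "winsxs" / "servicecontroller" / "services.exe"
    ref.parent.mkdir(parents=True)
    ref.write_bytes(b"MZ stand-in for the clean services.exe")
    return {"installer": installer, "appdata": appdata, "live": live, "ref": ref}

def run_triage() -> dict:
    """Run the three checks on the sample tree, then re-hash after a WinSxS-style restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        p = build_sample_tree(base)
        hits = find_zeroaccess_dirs(p["installer"], p["appdata"])
        before = matches_reference(p["live"], p["ref"])
        shutil.copyfile(p["ref"], p["live"])                 # what the Fixlog's last line did
        return {
            "flagged": flagged_binaries(SAMPLE_SECTION),
            "zeroaccess_dirs": [h.relative_to(base).as_posix() for h in hits],
            "services_ok_before_restore": before,
            "services_ok_after_restore": matches_reference(p["live"], p["ref"]),
        }

if __name__ == "__main__":
    for key, value in run_triage().items():
        print(f"{key}: {value}")
```

The ordinary MSI cache folder in the sample tree is deliberately GUID-named so that the marker check, not the folder name, is what separates it from the two infected folders.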
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Yes, please run ComboFix. It should help cure a few issues. ;)
     
  15. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    Here is the combofix log. Nothing appears to have been fixed after running the utility, though.

    ComboFix12-07-07.04 - Noah 8/2012 Sun 3:26.2.2 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.932.81.1033.18.2043.1128 [GMT -7:00]
    Running from: c:\users\Noah\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-08 to 2012-07-08 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-08 10:37 . 2012-07-08 10:37 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2012-07-08 10:37 . 2012-07-08 10:37 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-07 20:28 . 2012-07-07 20:53 -------- d-----w- C:\FRST
    2012-07-07 09:22 . 2012-07-07 09:22 -------- d-----w- c:\users\Noah\AppData\Roaming\Malwarebytes
    2012-07-07 09:21 . 2012-07-07 09:21 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-07 09:21 . 2012-07-07 19:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-07 09:14 . 2012-07-07 09:14 -------- d-----w- c:\program files (x86)\Trend Micro
    2012-07-06 10:05 . 2012-07-06 10:05 -------- d-----w- c:\users\Noah\AppData\Local\Zachtronics Industries
    2012-07-06 10:04 . 2012-07-07 19:58 -------- d-----w- c:\program files (x86)\Zachtronics Industries
    2012-07-04 06:46 . 2012-07-04 06:46 -------- d-----w- c:\windows\Ideas From the Deep
    2012-07-04 06:46 . 2012-07-04 06:46 -------- d-----w- c:\users\Noah\AppData\Local\Ideas From the Deep
    2012-07-04 06:46 . 2012-07-04 06:46 -------- d-----w- c:\programdata\Ideas From the Deep
    2012-07-04 06:46 . 2012-07-04 06:46 -------- d-----w- c:\users\Noah\AppData\Roaming\Ideas From the Deep
    2012-07-04 06:46 . 2012-07-04 06:49 -------- d-----w- c:\program files (x86)\Ideas From the Deep
    2012-07-01 08:03 . 2012-07-07 19:12 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-06-30 01:28 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F86D456D-3ABC-43A0-A449-F65ED505B636}\mpengine.dll
    2012-06-28 03:00 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-06-28 03:00 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine(25).dll
    2012-06-27 09:26 . 2012-06-27 09:26 -------- d-----w- c:\program files (x86)\SystemRequirementsLab
    2012-06-27 09:26 . 2012-06-27 09:26 -------- d-----w- c:\users\Noah\AppData\Roaming\SystemRequirementsLab
    2012-06-22 00:58 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-22 00:58 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-22 00:58 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-22 00:58 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-22 00:58 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-22 00:58 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-22 00:58 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-22 00:58 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-22 00:58 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-17 06:36 . 2012-06-23 09:47 -------- d-----w- c:\users\Noah\AppData\Roaming\dvdcss
    2012-06-14 06:26 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
    2012-06-14 06:26 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
    2012-06-14 00:11 . 2012-02-09 21:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-06-14 00:11 . 2012-02-09 21:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5C5A0937-C32B-4C21-A8AD-7E909BE2F183}\gapaengine.dll
    2012-06-14 00:11 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-06-14 00:11 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-06-14 00:11 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-06-14 00:10 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
    2012-06-14 00:10 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-06-14 00:10 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-06-14 00:10 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-06-14 00:10 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
    2012-06-14 00:10 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-14 00:10 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-14 00:10 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-06-14 00:10 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-14 00:10 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-14 00:10 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-06-14 00:10 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-06-14 00:09 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
    2012-06-14 00:09 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
    2012-06-12 07:07 . 2002-12-05 21:12 692224 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
    2012-06-12 07:07 . 2002-12-05 21:10 155648 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
    2012-06-12 07:07 . 2002-12-02 22:22 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
    2012-06-12 07:07 . 2002-12-02 20:33 57344 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
    2012-06-12 07:07 . 2002-12-02 20:33 237568 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
    2012-06-12 07:07 . 2012-06-12 07:07 282756 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
    2012-06-12 07:07 . 2012-06-12 07:07 163972 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
    2012-06-12 06:43 . 2012-06-12 06:43 -------- d-----w- c:\program files (x86)\The Creative Assembly
    2012-06-12 06:42 . 2006-02-07 22:44 65024 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
    2012-06-12 06:42 . 2006-02-07 22:40 204800 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
    2012-06-12 06:42 . 2006-02-07 22:40 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
    2012-06-12 06:42 . 2006-02-07 22:40 274432 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
    2012-06-12 06:42 . 2005-11-14 06:19 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
    2012-06-12 06:42 . 2006-02-07 22:45 757760 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
    2012-06-12 06:42 . 2012-06-12 06:42 331908 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
    2012-06-12 06:42 . 2012-06-12 06:42 200836 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
    2012-06-10 02:50 . 2012-06-10 02:50 -------- d-----w- c:\programdata\Apple Computer
    2012-06-10 02:50 . 2010-04-16 17:00 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
    2012-06-10 02:50 . 2010-04-16 17:00 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
    2012-06-10 02:50 . 2010-04-16 17:00 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
    2012-06-10 02:50 . 2010-04-16 17:00 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
    2012-06-10 02:50 . 2010-04-16 17:00 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
    2012-06-10 02:50 . 2010-03-17 20:53 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-06-10 02:50 . 2010-03-17 20:53 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2012-06-10 02:50 . 2010-03-17 20:53 180224 ----a-w- c:\windows\SysWow64\QTCF.dll
    2012-06-10 02:50 . 2012-06-10 02:51 -------- d-----w- c:\program files (x86)\QuickTime Alternative
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-13 18:47 . 2012-04-02 22:59 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-05-13 18:47 . 2012-02-12 06:37 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-04-25 23:40 . 2012-04-25 23:38 101680 ----a-w- c:\windows\system32\stkMonitor.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-08_08.16.33 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-14 05:10 . 2012-07-08 10:40 38324 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2012-02-12 00:44 . 2012-07-08 10:40 11788 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3241787045-3222298948-2849222198-1000_UserData.bin
    + 2012-02-12 10:50 . 2012-07-08 10:37 7494 c:\windows\system32\wdi\ERCQueuedResolutions.dat
    - 2012-07-08 08:15 . 2012-07-08 08:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-08 10:38 . 2012-07-08 10:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-07-08 08:15 . 2012-07-08 08:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-07-08 10:38 . 2012-07-08 10:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 05:01 . 2012-07-08 08:14 385968 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-07-08 10:37 385968 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2012-02-12 05:33 . 2012-07-08 08:14 61351418 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3241787045-3222298948-2849222198-1000-12288.dat
    + 2012-02-12 05:33 . 2012-07-08 10:37 61351418 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3241787045-3222298948-2849222198-1000-12288.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-02-13 3481408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-06 343168]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
    "Clearwire Connection Manager"="c:\program files (x86)\Clearwire\Connection Manager\ClearwireCM.exe" [2009-12-01 54608]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 zmdjwsviccq;zmdjwsviccq;c:\users\Noah\AppData\Local\Temp\DAT1F4C.tmp.exe [x]
    R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314_64.sys [2009-11-03 318336]
    R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr_64.sys [2009-11-03 62976]
    R3 CACLEARWIRE;Clearwire Con App Svc;c:\program files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe [2009-11-09 124240]
    R3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files (x86)\Clearwire\Connection Manager\RcAppSvc.exe [2009-11-09 120144]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 51740536]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-28 113120]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [2009-11-09 43032]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-02-12 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-12-06 235520]
    S2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe [2009-11-09 107856]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-12-06 10720256]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-12-06 327168]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-12-05 95248]
    S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-07-13 69736]
    S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-07 317480]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
    S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-10-06 169248]
    S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-10-02 317760]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3241787045-3222298948-2849222198-1000Core.job
    - c:\users\Noah\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-14 00:36]
    .
    2012-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3241787045-3222298948-2849222198-1000UA.job
    - c:\users\Noah\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-14 00:36]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 342528]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    FF - ProfilePath - c:\users\Noah\AppData\Roaming\Mozilla\Firefox\Profiles\41xcho6s.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Episode 205 - What's New, Beelzebub? - c:\program files (x86)\Telltale Games\Sam and Max - Season Two\Uninstall Episode 205 - What's New
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3241787045-3222298948-2849222198-1000\Software\SecuROM\License information*]
    "datasecu"=hex:18,83,62,ca,04,95,17,6e,e7,1b,ca,71,d9,59,93,d2,a1,14,ba,a5,24,
    b4,6b,5d,45,2c,f2,43,a3,4a,81,46,04,29,58,0a,8c,94,ce,20,e4,5a,fb,aa,f9,0c,\
    "rkeysecu"=hex:5e,de,30,37,de,aa,2e,56,76,3d,a5,a3,bb,28,f3,d4
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-07-08 03:52:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-08 10:52
    ComboFix2.txt 2012-07-08 08:29
    .
    Pre-Run: 46,221,217,792 bytes free
    Post-Run: 45,929,713,664 bytes free
    .
    - - End Of File - - 9846B56E6C926FC0C626C493AFE21EF1
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Re-running ComboFix

    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.

    Fixing Security Center

    ERUNT - Emergency Recovery Utility NT
    • Please download ERUNT...by Lars Hederer. Save it to your desktop.
    • Double-click erunt-setup.exe to start the install process. Follow the install prompts.
    • Use the default install settings...say "NO" to the section that asks you to add ERUNT to the Start-Up folder. Enable this option later if desired.
    • Start ERUNT by opting to start the program at the end of setup -or- double click the desktop icon.
    • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
    • Make sure that at least the first two check boxes are selected.
    • Click on OK ... Then click on "YES" to create the folder.
    Run:
    • Please navigate to Start >> All Programs >> ERUNT. Click on OK within the pop-up menu.
    • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
      • System registry.
      • Current user registry.
    • Next click on "OK"... at the prompt... reply "Yes".
      After a short time the "Registry backup is complete!" pop-up message will appear.
    • Now click on "OK". A registry backup has now been created.

    If you did not complete this step, DO NOT continue with the other steps below and post back to tell me.

    Please copy and paste the following into Notepad:

    Then, click File > Save as
    Save it as fixSec.reg
    Choose Save as type: All Files.
    Click Save.

    Once saved, double-click on the file and merge it into the Registry.

    Reboot your computer.

    Once done, please post the ComboFix log, and update me on the situation with the Windows Security Center Service.
     
  17. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    Here's the new scan log

    ComboFix 12-07-08.01 - Noah 8/2012 Sun 13:44:47.3.2 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.932.81.1033.18.2043.974 [GMT -7:00]
    Running from: c:\users\Noah\Desktop\ComboFix.exe
    Command switches used :: c:\users\Noah\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\drivers\etc\hosts.ics
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-08 to 2012-07-08 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-08 20:55 . 2012-07-08 20:55 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2012-07-08 20:55 . 2012-07-08 20:55 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-08 17:18 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-07 20:28 . 2012-07-07 20:53 -------- d-----w- C:\FRST
    2012-07-07 09:22 . 2012-07-07 09:22 -------- d-----w- c:\users\Noah\AppData\Roaming\Malwarebytes
    2012-07-07 09:21 . 2012-07-07 09:21 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-07 09:21 . 2012-07-08 17:18 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-07 09:14 . 2012-07-07 09:14 -------- d-----w- c:\program files (x86)\Trend Micro
    2012-07-06 10:05 . 2012-07-06 10:05 -------- d-----w- c:\users\Noah\AppData\Local\Zachtronics Industries
    2012-07-06 10:04 . 2012-07-07 19:58 -------- d-----w- c:\program files (x86)\Zachtronics Industries
    2012-07-04 06:46 . 2012-07-04 06:46 -------- d-----w- c:\windows\Ideas From the Deep
    2012-07-04 06:46 . 2012-07-04 06:46 -------- d-----w- c:\users\Noah\AppData\Local\Ideas From the Deep
    2012-07-04 06:46 . 2012-07-04 06:46 -------- d-----w- c:\programdata\Ideas From the Deep
    2012-07-04 06:46 . 2012-07-04 06:46 -------- d-----w- c:\users\Noah\AppData\Roaming\Ideas From the Deep
    2012-07-04 06:46 . 2012-07-04 06:49 -------- d-----w- c:\program files (x86)\Ideas From the Deep
    2012-07-01 08:03 . 2012-07-07 19:12 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-06-30 01:28 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F86D456D-3ABC-43A0-A449-F65ED505B636}\mpengine.dll
    2012-06-28 03:00 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-06-28 03:00 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine(25).dll
    2012-06-27 09:26 . 2012-06-27 09:26 -------- d-----w- c:\program files (x86)\SystemRequirementsLab
    2012-06-27 09:26 . 2012-06-27 09:26 -------- d-----w- c:\users\Noah\AppData\Roaming\SystemRequirementsLab
    2012-06-22 00:58 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-22 00:58 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-22 00:58 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-22 00:58 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-22 00:58 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-22 00:58 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-22 00:58 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-22 00:58 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-22 00:58 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-17 06:36 . 2012-06-23 09:47 -------- d-----w- c:\users\Noah\AppData\Roaming\dvdcss
    2012-06-14 06:26 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
    2012-06-14 06:26 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
    2012-06-14 00:11 . 2012-02-09 21:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-06-14 00:11 . 2012-02-09 21:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5C5A0937-C32B-4C21-A8AD-7E909BE2F183}\gapaengine.dll
    2012-06-14 00:11 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-06-14 00:11 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-06-14 00:11 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-06-14 00:10 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
    2012-06-14 00:10 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-06-14 00:10 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-06-14 00:10 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-06-14 00:10 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
    2012-06-14 00:10 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-14 00:10 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-14 00:10 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-06-14 00:10 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-14 00:10 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-14 00:10 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-06-14 00:10 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-06-14 00:09 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
    2012-06-14 00:09 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
    2012-06-12 07:07 . 2002-12-05 21:12 692224 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
    2012-06-12 07:07 . 2002-12-05 21:10 155648 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
    2012-06-12 07:07 . 2002-12-02 22:22 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
    2012-06-12 07:07 . 2002-12-02 20:33 57344 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
    2012-06-12 07:07 . 2002-12-02 20:33 237568 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
    2012-06-12 07:07 . 2012-06-12 07:07 282756 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
    2012-06-12 07:07 . 2012-06-12 07:07 163972 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
    2012-06-12 06:43 . 2012-06-12 06:43 -------- d-----w- c:\program files (x86)\The Creative Assembly
    2012-06-12 06:42 . 2006-02-07 22:44 65024 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
    2012-06-12 06:42 . 2006-02-07 22:40 204800 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
    2012-06-12 06:42 . 2006-02-07 22:40 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
    2012-06-12 06:42 . 2006-02-07 22:40 274432 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
    2012-06-12 06:42 . 2005-11-14 06:19 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
    2012-06-12 06:42 . 2006-02-07 22:45 757760 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
    2012-06-12 06:42 . 2012-06-12 06:42 331908 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
    2012-06-12 06:42 . 2012-06-12 06:42 200836 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
    2012-06-10 02:50 . 2012-06-10 02:50 -------- d-----w- c:\programdata\Apple Computer
    2012-06-10 02:50 . 2010-04-16 17:00 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
    2012-06-10 02:50 . 2010-04-16 17:00 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
    2012-06-10 02:50 . 2010-04-16 17:00 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
    2012-06-10 02:50 . 2010-04-16 17:00 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
    2012-06-10 02:50 . 2010-04-16 17:00 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
    2012-06-10 02:50 . 2010-03-17 20:53 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-06-10 02:50 . 2010-03-17 20:53 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2012-06-10 02:50 . 2010-03-17 20:53 180224 ----a-w- c:\windows\SysWow64\QTCF.dll
    2012-06-10 02:50 . 2012-06-10 02:51 -------- d-----w- c:\program files (x86)\QuickTime Alternative
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-13 18:47 . 2012-04-02 22:59 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-05-13 18:47 . 2012-02-12 06:37 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-04-25 23:40 . 2012-04-25 23:38 101680 ----a-w- c:\windows\system32\stkMonitor.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-08_08.16.33 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-14 05:10 . 2012-07-08 21:00 38340 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2012-02-12 00:44 . 2012-07-08 21:00 11844 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3241787045-3222298948-2849222198-1000_UserData.bin
    + 2012-02-12 10:50 . 2012-07-08 20:56 7494 c:\windows\system32\wdi\ERCQueuedResolutions.dat
    + 2012-07-08 20:57 . 2012-07-08 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-07-08 08:15 . 2012-07-08 08:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-07-08 08:15 . 2012-07-08 08:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-07-08 20:57 . 2012-07-08 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 05:01 . 2012-07-08 08:14 385968 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-07-08 20:56 385968 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-02-12 05:33 . 2012-07-08 20:56 61892112 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3241787045-3222298948-2849222198-1000-12288.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-02-13 3481408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-06 343168]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
    "Clearwire Connection Manager"="c:\program files (x86)\Clearwire\Connection Manager\ClearwireCM.exe" [2009-12-01 54608]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 zmdjwsviccq;zmdjwsviccq;c:\users\Noah\AppData\Local\Temp\DAT1F4C.tmp.exe [x]
    R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314_64.sys [2009-11-03 318336]
    R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr_64.sys [2009-11-03 62976]
    R3 CACLEARWIRE;Clearwire Con App Svc;c:\program files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe [2009-11-09 124240]
    R3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files (x86)\Clearwire\Connection Manager\RcAppSvc.exe [2009-11-09 120144]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 51740536]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-28 113120]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [2009-11-09 43032]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-02-12 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-12-06 235520]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
    S2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe [2009-11-09 107856]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-12-06 10720256]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-12-06 327168]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-12-05 95248]
    S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-07-13 69736]
    S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-07 317480]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 24904]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
    S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-10-06 169248]
    S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-10-02 317760]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMPROTECTOR
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3241787045-3222298948-2849222198-1000Core.job
    - c:\users\Noah\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-14 00:36]
    .
    2012-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3241787045-3222298948-2849222198-1000UA.job
    - c:\users\Noah\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-14 00:36]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 342528]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    FF - ProfilePath - c:\users\Noah\AppData\Roaming\Mozilla\Firefox\Profiles\41xcho6s.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Episode 205 - What's New, Beelzebub? - c:\program files (x86)\Telltale Games\Sam and Max - Season Two\Uninstall Episode 205 - What's New
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3241787045-3222298948-2849222198-1000\Software\SecuROM\License information*]
    "datasecu"=hex:18,83,62,ca,04,95,17,6e,e7,1b,ca,71,d9,59,93,d2,a1,14,ba,a5,24,
    b4,6b,5d,45,2c,f2,43,a3,4a,81,46,04,29,58,0a,8c,94,ce,20,e4,5a,fb,aa,f9,0c,\
    "rkeysecu"=hex:5e,de,30,37,de,aa,2e,56,76,3d,a5,a3,bb,28,f3,d4
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-07-08 14:13:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-08 21:13
    ComboFix2.txt 2012-07-08 08:29
    .
    Pre-Run: 67,820,683,264 bytes free
    Post-Run: 67,543,003,136 bytes free
    .
    - - End Of File - - 647B16739BFDA82CF926AA26DE4046BD
     
  18. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    I backed up the registry using ERUNT, but I cannot amend it using the fixSec.reg file I made from the copy/paste box posted. I am the administrator of this computer and am logged in as such, so I don't think the error is related to permission settings (which I checked).
     
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Please open OTL -- Click the None button and paste this in the Custom Scans box:

    Then click Run Scan. It shall launch a log. Please post it in your next reply.
     
  20. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    OTL logfile created on: 7/9/2012 2:06:08 AM - Run 2
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Noah\Desktop
    64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 0.92 Gb Available Physical Memory | 45.94% Memory free
    3.99 Gb Paging File | 1.18 Gb Available in Paging File | 29.58% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 465.76 Gb Total Space | 67.11 Gb Free Space | 14.41% Space Free | Partition Type: NTFS
    Drive D: | 149.05 Gb Total Space | 37.73 Gb Free Space | 25.32% Space Free | Partition Type: NTFS
    Drive E: | 3.09 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive M: | 698.63 Gb Total Space | 618.55 Gb Free Space | 88.54% Space Free | Partition Type: NTFS

    Computer Name: ARK | User Name: Noah | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    ========== Custom Scans ==========

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center >
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    < HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc >
    "Type" = 32
    "Start" = 2
    "ErrorControl" = 1
    "ImagePath" = %SystemRoot%\System32\svchost.exe -k netsvcs -- [2009/07/13 18:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation)
    "DependOnService" = RpcSswinmgmt [binary data]
    "ObjectName" = LocalSystem
    "RequiredPrivileges" = SeChangeNotifyPrivilegeSeImpersonatePrivilege [binary data]
    "DelayedAutoStart" = 1
    "FailureActions" = 80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 C0 D4 01 00 01 00 00 00 E0 93 04 00 00 00 00 00 00 00 00 00 [binary data]
    "Description" = Monitors system security settings and configurations.
    "DisplayName" = Security Center
    "ServiceSidType" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]

    < HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv >
    "DisplayName" = @%systemroot%\system32\drivers\luafv.sys,-100
    "Group" = FSFilter Virtualization
    "ImagePath" = \SystemRoot\system32\drivers\luafv.sys
    "Description" = @%systemroot%\system32\drivers\luafv.sys,-101
    "ErrorControl" = 1
    "Start" = 2
    "Type" = 2
    "DependOnService" = FltMgr [binary data]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv\Instances]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv\Parameters]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv\Enum]

    < End of report >
     
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Ah, I see the issue. :)

    Fixing Security Center Service - Windows 7

    IMPORTANT!! Copy ALL data from the box below, make sure not to miss any part of it.

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alarmed; this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
     
  22. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    All processes killed
    ========== REGISTRY ==========
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"DisplayName"|"@%SystemRoot%\\System32\\wscsvc.dll,-200" /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"ErrorControl"|dword:00000001 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"ImagePath"|hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,72,00,69,00,63,00,74,00,65,00,64,00,00,00 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"Start"|dword:00000002 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"Type"|dword:00000020 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"Description"|"@%SystemRoot%\\System32\\wscsvc.dll,-201" /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"DependOnService"|hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"ObjectName"|"NT AUTHORITY\\LocalService" /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"ServiceSidType"|dword:00000001 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"RequiredPrivileges"|hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"DelayedAutoStart"|dword:00000001 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\\"FailureActions"|hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters\\"ServiceDllUnloadOnStop"|dword:00000001 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters\\"ServiceDll"|hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00 /E : value set successfully!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security\\"Security"|hex:01,00,14,80,c8,00,00,00,d4,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,98,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,28,00,15,00,00,00,01,06,00,00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00 /E : value set successfully!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33237 bytes
    ->FireFox cache emptied: 32880109 bytes
    ->Flash cache emptied: 764 bytes

    User: Noah
    ->Temp folder emptied: 101548 bytes
    ->Temporary Internet Files folder emptied: 112080620 bytes
    ->Java cache emptied: 702274 bytes
    ->FireFox cache emptied: 261313304 bytes
    ->Flash cache emptied: 8241 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 608 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 102971623 bytes
    RecycleBin emptied: 44505872 bytes

    Total Files Cleaned = 529.00 mb


    OTL by OldTimer - Version 3.2.53.1 log created on 07092012_214719

    Files\Folders moved on Reboot...
    C:\Users\Noah\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...
    File C:\Users\Noah\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

    Registry entries deleted on Reboot...
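Added example (an editor's addition, not code from the thread, from OTL or from ComboFix): the OTL custom scan in post 20 shows wscsvc configured with ImagePath `svchost.exe -k netsvcs`, ObjectName `LocalSystem` and an empty `Parameters` key, and the OTL fix log in post 22 shows the values written back. The PowerShell script below first exports the wscsvc key as a backup (the scripted counterpart of the ERUNT step earlier in the thread), then reads the same registry values on a Windows 7 machine and reports every one that differs from the fix-log values. It assumes an elevated Windows PowerShell prompt (2.0 or later); the `$expected` table is copied from the fix log, and the backup file name and the function names are this example's own choices.

```powershell
# Added example, not from the thread: audit the Security Center service (wscsvc)
# registry configuration on Windows 7 against the values the OTL fix wrote back,
# after exporting the key as a backup. Read-only apart from the .reg export.
# Run from an elevated Windows PowerShell prompt (2.0 or later).

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'

# Expected values, copied from the OTL fix log in post 22 (Windows 7 x64 defaults).
# Keys are "<registry path>|<value name>".
$expected = @{
    "$svcKey|ImagePath"          = '%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted'
    "$svcKey|ObjectName"         = 'NT AUTHORITY\LocalService'
    "$svcKey|Start"              = 2      # SERVICE_AUTO_START
    "$svcKey|Type"               = 0x20   # SERVICE_WIN32_SHARE_PROCESS
    "$svcKey|ErrorControl"       = 1
    "$svcKey|DelayedAutoStart"   = 1
    "$svcKey|ServiceSidType"     = 1
    "$svcKey|DependOnService"    = @('RpcSs', 'WinMgmt')
    "$svcKey|RequiredPrivileges" = @('SeChangeNotifyPrivilege', 'SeImpersonatePrivilege')
    "$svcKey\Parameters|ServiceDll"             = '%SystemRoot%\System32\wscsvc.dll'
    "$svcKey\Parameters|ServiceDllUnloadOnStop" = 1
}

function Backup-WscsvcKey {
    # Scripted counterpart of the ERUNT step, scoped to this one key: reg.exe export
    # writes a .reg file that can be merged back if a fix goes wrong.
    # The file name is this example's own choice.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $env:USERPROFILE "Desktop\wscsvc-backup-$stamp.reg"
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\wscsvc' $file /y | Out-Null
    return $file
}

function Get-RawRegValue {
    param([string]$Path, [string]$Name)
    # GetValue with DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ values literal,
    # so %SystemRoot% is compared as written rather than as C:\Windows.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

function Test-WscsvcConfig {
    $problems = @()
    foreach ($entry in $expected.GetEnumerator()) {
        $path, $name = $entry.Key -split '\|', 2
        $actual = Get-RawRegValue -Path $path -Name $name
        if ($null -eq $actual) {
            $problems += "MISSING  $path\$name  (expected: $($entry.Value -join ','))"
            continue
        }
        # Compare-Object works for both scalars and REG_MULTI_SZ string arrays.
        if (Compare-Object @($entry.Value) @($actual)) {
            $problems += "MISMATCH $path\$name  (expected: $($entry.Value -join ',') | actual: $($actual -join ','))"
        }
    }
    return ,$problems
}

$backup = Backup-WscsvcKey
Write-Output "Backup of wscsvc key written to $backup"

$problems = Test-WscsvcConfig
if ($problems.Count -eq 0) {
    Write-Output 'wscsvc registry configuration matches the Windows 7 defaults.'
} else {
    Write-Output "wscsvc registry configuration: $($problems.Count) problem(s)"
    $problems | ForEach-Object { Write-Output "  $_" }
}

# What the Service Control Manager actually sees (works on Windows 7 / PowerShell 2.0).
Get-WmiObject Win32_Service -Filter "Name='wscsvc'" |
    Select-Object Name, State, StartMode, StartName, PathName
```

Against the state in post 20 the script would report MISMATCH for `ImagePath` (`-k netsvcs` instead of `-k LocalServiceNetworkRestricted`) and `ObjectName` (`LocalSystem` instead of `NT AUTHORITY\LocalService`), and MISSING for `Parameters\ServiceDll`, since the scan shows that key with no values; a svchost-hosted service with no `ServiceDll` has nothing to load. After the post 22 fix all entries match. Keep the exported .reg file until the machine has rebooted cleanly with Security Center listed.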
     
  23. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    I ran a quick scan using Malwarebytes Anti-Malware and didn't find any apparent malware (0 hits). The Services menu now lists the Security Center, and MSE seems to be running fine.
     
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Awesome!

    If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Please download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
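
    The "Clean up System Restore" steps above can also be done from an elevated Windows PowerShell prompt. The script below is an added example for this thread, not part of the helper's instructions or of OldTimer's tools: it creates a fresh restore point and then deletes every older shadow copy on the system drive, which is what the Disk Cleanup "System Restore and Shadow Copies" button does. It assumes Windows 7 (no 24-hour limit on Checkpoint-Computer), that the system drive is C:, and that System Protection is enabled for it.

    ```powershell
    # Added example (not from the thread or from OldTimer's OTL/OTC/TFC): create a new
    # restore point, then purge every older shadow copy on the system drive so a later
    # "restore back" cannot land on a snapshot taken while the infection was active.
    # Run from an elevated Windows PowerShell prompt. Assumes Windows 7 and drive C:.

    $SystemDrive = 'C:'

    # 1. Create the new restore point. This is the cmdlet behind the
    #    System Protection -> Create button in the GUI steps above.
    Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'

    # 2. Map the drive letter to its \\?\Volume{GUID}\ path, because
    #    Win32_ShadowCopy.VolumeName is expressed in that form.
    $volume = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq $SystemDrive }
    if ($volume -eq $null) { throw "No volume found for $SystemDrive" }

    # 3. List the shadow copies backing the restore points on that volume, oldest first.
    $shadows = @(Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) })

    if ($shadows.Count -lt 2) {
        Write-Host "Only $($shadows.Count) shadow copy present on $SystemDrive; nothing older to purge."
        return
    }

    # 4. Keep the newest (the 'Clean' point just created) and delete all the others.
    #    Deleting the WMI instance removes the shadow copy, exactly as Disk Cleanup does.
    $keep = $shadows[-1]
    foreach ($s in $shadows) {
        if ($s.ID -eq $keep.ID) { continue }
        $created = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
        Write-Host "Deleting shadow copy $($s.ID) created $created"
        $s.Delete()
    }

    # 5. Show what survived; only the 'Clean' point should remain.
    Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, RestorePointType -AutoSize
    ```

    Check the final table before closing the prompt: if more than one restore point is listed, the older ones were not deleted and the GUI method above should be used instead.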
     
  25. danmaku

    danmaku TS Rookie Topic Starter Posts: 17

    For some reason, MSE won't update its definitions (error code and I can't turn on Windows Defender (attempting to do so sends me into system32). I also cannot download Windows updates. (Are critical registry files missing?)

    Here is the log.

    Results of screen317's Security Check version 0.99.42
    Windows 7 Service Pack 1 x64 (UAC is disabled!)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    (On Access scanning disabled!)
    Error obtaining update status for antivirus!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.61.0.1400
    Java(TM) 6 Update 31
    Java version out of Date!
    Adobe Flash Player 11.2.202.235 Flash Player out of Date!
    Adobe Reader X (10.1.2)
    Mozilla Firefox (13.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
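
    The same facts that Security Check reports (whether on-access scanning is on, whether UAC is enabled) can be read directly from the machine, together with the state of the services behind the symptoms described in this thread. The script below is an added example, not part of the thread or of screen317's tool; it is read-only, runs from an elevated Windows PowerShell prompt on Vista/7, and the list of services it checks is my own choice based on the symptoms posted above, not something the tool or the thread enumerates.

    ```powershell
    # Added example (not from the thread or from screen317's Security Check): a read-only
    # check of the antivirus state, UAC and the services behind the reported symptoms.
    # Run from an elevated Windows PowerShell prompt on Windows Vista/7.

    # 1. What Security Center knows about registered antivirus products.
    #    productState is an undocumented bitmask; the commonly used reading is
    #    bit 0x1000 = real-time (on-access) scanning on, bit 0x10 = definitions stale.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct | ForEach-Object {
        $state = [int]$_.productState
        New-Object PSObject -Property @{
            Product     = $_.displayName
            OnAccessOn  = (($state -band 0x1000) -ne 0)
            DefsCurrent = (($state -band 0x10) -eq 0)
            StateHex    = ('0x{0:X6}' -f $state)
        }
    } | Format-Table Product, OnAccessOn, DefsCurrent, StateHex -AutoSize

    # 2. UAC. "UAC is disabled!" in the log corresponds to EnableLUA = 0 here.
    $uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    if ($uac -eq 1) { Write-Host 'UAC: enabled' } else { Write-Host 'UAC: DISABLED' }

    # 3. Services behind the symptoms in this thread: Security Center missing from
    #    services.msc, Windows Defender unstartable, Windows Update failing, MSE
    #    on-access scanning off. A service absent from WMI altogether (not merely
    #    stopped) is the worse sign. This list is an assumption, not from the tool.
    $expected = @{
        'wscsvc'    = 'Security Center'
        'WinDefend' = 'Windows Defender'
        'wuauserv'  = 'Windows Update'
        'MpsSvc'    = 'Windows Firewall'
        'BFE'       = 'Base Filtering Engine (Windows Firewall depends on it)'
        'MsMpSvc'   = 'Microsoft Antimalware Service (MSE)'
    }
    foreach ($name in $expected.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            Write-Host ('MISSING  {0,-10} {1}' -f $name, $expected[$name])
        } else {
            Write-Host ('{0,-8} {1,-10} {2} (start mode: {3})' -f $svc.State, $name, $expected[$name], $svc.StartMode)
        }
    }
    ```

    A line starting with MISSING means the service is not registered at all, which matches what the original poster saw in the Services console; a registered service with start mode Disabled is the milder case that can be re-enabled from services.msc.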
     
