TechSpot

Sirefef trojan

By hekawila
Jul 20, 2012
  1. Hi,

    PC started having problems a couple of days ago. Now every time I log in a critical error message occurs causing the computer to restart in 60 secs. Therefore most of the preliminary steps I have been unable to do.

    I anticipation of your request to use Farbar I have pasted the log below.

    Many many thanks for your help:
    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 16-07-2012 01
    Ran by SYSTEM at 20-07-2012 22:48:54
    Running from J:\
    Windows 7 Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet002

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [8120864 2009-12-03] (Realtek Semiconductor)
    HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKLM\...\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [103720 2009-06-03] (CyberLink)
    HKLM\...\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-05-04] (Advanced Micro Devices, Inc.)
    HKLM\...\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]
    HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2587008 2012-04-04] (AVG Technologies CZ, s.r.o.)
    HKLM\...\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [488984 2007-02-07] (Logitech Inc.)
    HKLM\...\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide [774168 2007-02-07] ()
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Henry Desktop\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [880496 2012-05-12] (BitTorrent, Inc.)
    HKU\Henry Desktop\...\Run: [Google Update] "C:\Users\Henry Desktop\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-04-04] (Google Inc.)
    HKU\Henry Desktop\...\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid [4993024 2008-12-30] (FS2YOU)
    HKU\Test\...\Run: [Google Update] "C:\Users\Test\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-04-14] (Google Inc.)
    HKU\Test\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2009-07-13] (Microsoft Corporation)
    HKU\Test\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [880496 2012-05-12] (BitTorrent, Inc.)
    HKU\Test\...\Run: [3RVX] C:\Program Files\3RVX\3RVX.exe [159232 2008-10-13] (matt.malensek.net)
    HKU\Test\...\Run: [Radio Downloader] "C:\Program Files\Radio Downloader\Radio Downloader.exe" /hidemainwindow [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
    Startup: C:\Users\Henry Desktop\Start Menu\Programs\Startup\PS3 Media Server.lnk
    ShortcutTarget: PS3 Media Server.lnk -> C:\Program Files\PS3 Media Server\PMS.exe (PS3 Media Server)

    ================================ Services (Whitelisted) ==================

    4 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService [284672 2011-01-04] (Advanced Micro Devices, Inc.)
    4 AMD Reservation Manager; "C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe" [140224 2010-06-16] (Advanced Micro Devices)
    4 AVGIDSAgent; "C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe" [5160568 2012-07-04] (AVG Technologies CZ, s.r.o.)
    4 avgwd; "C:\Program Files\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
    4 BecHelperService; C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe [1737464 2010-01-28] ()
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    4 LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [105248 2007-02-06] (Logitech Inc.)
    4 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [80896 2010-09-16] ()
    4 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [3048136 2012-06-19] (Skype Technologies S.A.)
    4 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [158856 2012-02-28] (Skype Technologies)
    4 LVPrcSrv; c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe [x]
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
    4 PSI_SVC_2; "c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [x]
    2 RoxLiveShare10; "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [x]
    2 SessionLauncher; C:\Users\Test\AppData\Local\Temp\DX9\SessionLauncher.exe [x]

    ========================== Drivers (Whitelisted) =============

    0 amdide; C:\Windows\System32\DRIVERS\amdide.sys [11832 2009-07-07] (Advanced Micro Devices Inc.)
    3 AtiHdmiService; C:\Windows\System32\drivers\AtiHdmi.sys [100352 2009-11-18] (ATI Technologies, Inc.)
    3 CamDrL; C:\Windows\System32\DRIVERS\Camdrl.sys [1075360 2007-02-03] (Logitech Inc.)
    3 CrystalSysInfo; \??\C:\Program Files\MediaCoder\SysInfo.sys [15152 2007-09-25] ()
    0 DasBoot; C:\Windows\system32\drivers\DasBoot.SYS [20744 2012-01-17] ()
    0 DasBootF; C:\Windows\system32\drivers\DasBootF.SYS [59272 2012-01-17] ()
    3 DroidCam; C:\Windows\System32\drivers\droidcam.sys [22656 2012-03-24] (Dev47Apps)
    3 HTCAND32; C:\Windows\System32\Drivers\ANDROIDUSB.sys [25088 2009-10-26] (HTC, Corporation)
    3 htcnprot; C:\Windows\System32\DRIVERS\htcnprot.sys [23040 2010-06-23] (Windows (R) Win 7 DDK provider)
    3 LVcKap; C:\Windows\System32\DRIVERS\LVcKap.sys [1691808 2007-02-06] ()
    3 LVMVDrv; C:\Windows\System32\DRIVERS\LVMVDrv.sys [1964064 2007-02-06] (Logitech Inc.)
    3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25632 2007-02-06] ()
    3 LVUSBSta; C:\Windows\System32\DRIVERS\LVUSBSta.sys [41504 2007-02-03] (Logitech Inc.)
    3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-07-19] (Malwarebytes Corporation)
    2 mdvrmng; \??\C:\Windows\system32\drivers\mdvrmng.sys [10240 2010-01-28] ()
    3 MotioninJoyXFilter; C:\Windows\System32\DRIVERS\MijXfilt.sys [48640 2010-03-18] (MotioninJoy)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 PRSBDrvr; C:\Windows\System32\DRIVERS\PRSBDrvr.sys [28424 2012-01-17] ()
    3 RTL8192su; C:\Windows\System32\DRIVERS\RTL8192su.sys [597536 2010-02-05] (Realtek Semiconductor Corporation )
    3 usb_rndisx; C:\Windows\System32\DRIVERS\usb8023x.sys [15872 2009-07-13] (Microsoft Corporation)
    3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [61984 2009-11-24] (Microsoft Corporation)

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-20 21:52 - 2012-07-20 22:11 - 00000000 ____D C:\FRST
    2012-07-20 13:25 - 2012-07-20 13:25 - 00100864 ____A (GMER) C:\ffxdrpog.sys
    2012-07-20 13:24 - 2012-07-20 13:24 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rtuppmes.sys
    2012-07-20 13:21 - 2011-07-16 13:21 - 00302592 ____A C:\Users\Henry Desktop\Desktop\gmer.exe
    2012-07-19 14:23 - 2012-01-17 12:55 - 00028424 ____A C:\Windows\System32\Drivers\PRSBDrvr.sys
    2012-07-19 14:08 - 2012-07-19 14:16 - 00193850 ____A C:\Windows\System32\PHOOKSmf2.TXT
    2012-07-19 14:06 - 2012-07-20 13:25 - 00185898 ____A C:\Windows\System32\PHOOKSmf.txt
    2012-07-19 14:04 - 2012-07-20 13:21 - 00000000 ____D C:\Windows\System32\DBBK
    2012-07-19 14:04 - 2012-07-19 14:23 - 00103218 ____A C:\Users\Henry Desktop\Desktop\yorkyt.exe.log
    2012-07-19 14:04 - 2012-07-19 14:01 - 01415784 ____A C:\Users\Henry Desktop\Desktop\yorkyt.exe
    2012-07-19 14:04 - 2012-03-22 08:17 - 00225664 ____A C:\Windows\System32\Drivers\DasBootS.SYS
    2012-07-19 14:04 - 2012-01-17 12:55 - 00059272 ____A C:\Windows\System32\Drivers\DasBootF.SYS
    2012-07-19 14:04 - 2012-01-17 12:55 - 00027528 ____A C:\Windows\System32\Drivers\DasBootK.SYS
    2012-07-19 14:04 - 2012-01-17 12:55 - 00020744 ____A C:\Windows\System32\Drivers\DasBoot.SYS
    2012-07-19 14:04 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootI.SYS
    2012-07-19 14:04 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootE.SYS
    2012-07-19 14:04 - 2010-05-03 17:37 - 00003072 ____A C:\Windows\System32\Drivers\DasBootD.SYS
    2012-07-19 13:12 - 2012-07-19 13:12 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-07-18 22:22 - 2012-07-18 22:22 - 04024320 ____A C:\Program Files\GUT1813.tmp
    2012-07-18 22:22 - 2012-07-18 22:22 - 00000000 ____D C:\Program Files\GUM1812.tmp
    2012-07-18 22:21 - 2012-07-18 22:21 - 00005543 ____A C:\Windows\System32\commonpriv.log
    2012-07-18 22:21 - 2012-07-18 22:21 - 00000000 ____A C:\Windows\System32\commonpriv.log.lock
    2012-07-18 22:12 - 2012-07-18 22:13 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-18 15:41 - 2012-07-18 15:46 - 363740113 ____A C:\Users\Test\Desktop\WI-03-HDz.mp4
    2012-07-18 15:36 - 2012-07-18 15:41 - 352755015 ____A C:\Users\Test\Desktop\WI-04-HDz.mp4
    2012-07-18 13:50 - 2012-07-18 15:01 - 213900562 ____A C:\Users\Test\Desktop\WI-03-HDz.rmvb
    2012-07-18 13:50 - 2012-07-18 14:41 - 211327234 ____A C:\Users\Test\Desktop\WI-04-HDz.rmvb
    2012-07-18 13:48 - 2012-07-18 13:54 - 38093336 ____A C:\Users\Test\Desktop\WI-02-HDz.rmvb
    2012-07-17 22:16 - 2012-07-17 23:09 - 00000000 ____D C:\Users\Test\Downloads\Witness Insecurity Epi 1 to 2
    2012-07-17 22:16 - 2012-07-17 23:01 - 281410256 ____A C:\Users\Test\Downloads\Blackout.1x03.HDTV.x264-FoV.mp4
    2012-07-17 12:41 - 2012-07-17 12:41 - 03875048 ____A (AVG Technologies) C:\Users\Test\Downloads\avg_free_stb_all_2012_2195_cnet.exe
    2012-07-16 14:05 - 2012-07-16 14:16 - 651161283 ____A C:\Users\Test\Desktop\TC-E05-TVBN.mp4
    2012-07-16 14:04 - 2012-07-16 14:03 - 458485249 ____A C:\Users\Test\Desktop\TC-E05-TVBN.rmvb
    2012-07-16 13:56 - 2012-07-16 14:03 - 00000000 ____D C:\Users\Test\Downloads\Tiger Cubs
    2012-07-15 14:09 - 2012-07-15 14:19 - 535306122 ____A C:\Users\Test\Desktop\TVBOXNOW-Tiger-Cubs-Ch04.mp4
    2012-07-15 08:12 - 2012-07-15 08:30 - 1464984547 ____A C:\Users\Test\Downloads\The.Four.2012.DVDRip.x264.AAC-CkreleaSe.mkv
    2012-07-15 08:11 - 2012-07-15 08:11 - 00000000 ____D C:\Users\Test\Downloads\The.Four.2012.DVDscr.x264.AC3-JYK
    2012-07-14 22:15 - 2012-07-14 22:16 - 00000000 ____D C:\Users\All Users\6C82ED420009B0E872A08290F875F020
    2012-07-12 13:55 - 2012-07-12 14:03 - 383421941 ____A C:\Users\Test\Downloads\Blackout.S01E01.HDTV.x264-TLA.mp4
    2012-07-12 13:55 - 2012-07-12 14:02 - 318454617 ____A C:\Users\Test\Downloads\Blackout.1x02.HDTV.x264-FoV.mp4
    2012-07-10 15:14 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-10 15:14 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-10 15:14 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-10 15:14 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-10 15:14 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-10 15:14 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-10 15:14 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-10 15:14 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-10 15:14 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-10 15:14 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-10 15:14 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-10 15:13 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-10 15:13 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-10 15:13 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-10 15:09 - 2012-07-10 15:09 - 00263480 ____A C:\Windows\msxml4-KB2721691-enu.LOG
    2012-07-10 15:09 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-10 13:04 - 2012-07-10 13:07 - 00000000 ____D C:\Users\Test\Downloads\Lockout {2012} DVDRIP. Jaybob
    2012-07-10 12:15 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-10 12:15 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-10 12:15 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-10 12:15 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-10 12:15 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-10 12:15 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-10 12:14 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-10 12:14 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-10 12:14 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-10 12:14 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-07-10 12:14 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-07-10 12:14 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-07-10 12:14 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-02 22:12 - 2012-07-02 22:21 - 587214217 ____A C:\Users\Test\Desktop\TVBOXNOW_Tiger_Cubs_Ch02.mp4
    2012-06-29 23:35 - 2012-06-30 06:03 - 00000000 ____D C:\Users\Test\Downloads\Nightfall.2012.BDRip.x264.AC3-theonlyh
    2012-06-25 22:08 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-25 22:08 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-25 22:08 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-25 22:08 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-25 22:07 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-25 22:07 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-25 22:07 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-25 22:07 - 2012-06-02 06:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-25 22:07 - 2012-06-02 06:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-25 07:04 - 2012-06-25 07:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\System32\msxml4.dll
    2012-06-25 02:29 - 2012-06-25 02:31 - 00000000 ____D C:\Users\Test\Desktop\MumJanice
    2012-06-24 08:44 - 2012-06-24 08:57 - 76529032 ____A C:\Users\Test\Downloads\Bobs.Burgers.S02E09.HDTV.x264-LOL.mp4
    2012-06-24 07:05 - 2012-06-24 07:21 - 328288462 ____A C:\Users\Test\Downloads\Continuum.S01E04.HDTV.x264-2HD.mp4
    2012-06-24 07:05 - 2012-06-24 07:16 - 321097571 ____A C:\Users\Test\Downloads\Continuum.S01E03.HDTV.x264-2HD.mp4
    2012-06-24 06:58 - 2012-06-24 07:14 - 292296605 ____A C:\Users\Test\Downloads\Continuum.S01E02.HDTV.x264-2HD.mp4
    2012-06-24 05:33 - 2012-06-24 05:47 - 306667368 ____A C:\Users\Test\Downloads\Continuum.S01E01.HDTV.x264-2HD.mp4
    2012-06-23 23:33 - 2012-06-23 23:48 - 00000000 ____D C:\Users\Test\Downloads\LMFAO - Sorry For Party Rocking (DeLuxe Edition) 320KB (2011) TBS
    2012-06-23 23:30 - 2012-06-24 14:29 - 00000000 ____D C:\Users\Test\Downloads\Flo_Rida-R.O.O.T.S-(RapGodFathers.com)
    2012-06-23 15:44 - 2012-06-23 21:38 - 00000000 ____D C:\Users\Test\Downloads\Flo-Rida-Mail.On.Sunday-(2008)-[NoFS]
    2012-06-22 23:13 - 2012-06-23 01:45 - 725708800 ____A C:\Users\Test\Downloads\Love.Lifting.CAN.avi
    2012-06-21 22:40 - 2012-06-21 22:47 - 00000000 ____D C:\Users\Test\Downloads\A Simple Life.2011.BDRip.AC3.x264-LooKMaNe

    ============ 3 Months Modified Files ========================

    2012-07-20 13:25 - 2012-07-20 13:25 - 00100864 ____A (GMER) C:\ffxdrpog.sys
    2012-07-20 13:25 - 2012-07-19 14:06 - 00185898 ____A C:\Windows\System32\PHOOKSmf.txt
    2012-07-20 13:24 - 2012-07-20 13:24 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rtuppmes.sys
    2012-07-20 13:24 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-07-20 13:23 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-20 13:23 - 2009-07-13 20:39 - 00202449 ____A C:\Windows\setupact.log
    2012-07-19 14:23 - 2012-07-19 14:04 - 00103218 ____A C:\Users\Henry Desktop\Desktop\yorkyt.exe.log
    2012-07-19 14:16 - 2012-07-19 14:08 - 00193850 ____A C:\Windows\System32\PHOOKSmf2.TXT
    2012-07-19 14:07 - 2011-04-14 12:21 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1004UA.job
    2012-07-19 14:01 - 2012-07-19 14:04 - 01415784 ____A C:\Users\Henry Desktop\Desktop\yorkyt.exe
    2012-07-19 13:42 - 2010-10-03 09:48 - 00287232 __ASH C:\Users\Henry Desktop\Thumbs.db
    2012-07-19 13:31 - 2010-04-08 10:32 - 06241792 __ASH C:\Users\Henry Desktop\Desktop\Thumbs.db
    2012-07-19 13:12 - 2012-07-19 13:12 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-07-19 13:07 - 2011-04-14 12:21 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1004Core.job
    2012-07-18 22:26 - 2010-04-04 14:45 - 00000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1001UA.job
    2012-07-18 22:26 - 2010-04-04 14:45 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1001Core.job
    2012-07-18 22:22 - 2012-07-18 22:22 - 04024320 ____A C:\Program Files\GUT1813.tmp
    2012-07-18 22:21 - 2012-07-18 22:21 - 00005543 ____A C:\Windows\System32\commonpriv.log
    2012-07-18 22:21 - 2012-07-18 22:21 - 00000000 ____A C:\Windows\System32\commonpriv.log.lock
    2012-07-18 22:20 - 2010-02-16 08:03 - 00038296 ____A C:\Windows\PFRO.log
    2012-07-18 22:13 - 2012-02-01 23:36 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-18 22:13 - 2010-04-04 14:35 - 01217789 ____A C:\Windows\WindowsUpdate.log
    2012-07-18 22:12 - 2010-02-15 08:52 - 00752288 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-18 22:09 - 2009-07-13 20:34 - 00009920 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-18 22:09 - 2009-07-13 20:34 - 00009920 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-18 15:47 - 2012-04-27 12:39 - 00055214 ____A C:\MP4debug.log
    2012-07-18 15:46 - 2012-07-18 15:41 - 363740113 ____A C:\Users\Test\Desktop\WI-03-HDz.mp4
    2012-07-18 15:41 - 2012-07-18 15:36 - 352755015 ____A C:\Users\Test\Desktop\WI-04-HDz.mp4
    2012-07-18 15:01 - 2012-07-18 13:50 - 213900562 ____A C:\Users\Test\Desktop\WI-03-HDz.rmvb
    2012-07-18 14:41 - 2012-07-18 13:50 - 211327234 ____A C:\Users\Test\Desktop\WI-04-HDz.rmvb
    2012-07-18 13:54 - 2012-07-18 13:48 - 38093336 ____A C:\Users\Test\Desktop\WI-02-HDz.rmvb
    2012-07-17 23:01 - 2012-07-17 22:16 - 281410256 ____A C:\Users\Test\Downloads\Blackout.1x03.HDTV.x264-FoV.mp4
    2012-07-17 12:54 - 2011-12-23 01:08 - 00000939 ____A C:\Users\Public\Desktop\AVG 2012.lnk
    2012-07-17 12:41 - 2012-07-17 12:41 - 03875048 ____A (AVG Technologies) C:\Users\Test\Downloads\avg_free_stb_all_2012_2195_cnet.exe
    2012-07-16 14:16 - 2012-07-16 14:05 - 651161283 ____A C:\Users\Test\Desktop\TC-E05-TVBN.mp4
    2012-07-16 14:03 - 2012-07-16 14:04 - 458485249 ____A C:\Users\Test\Desktop\TC-E05-TVBN.rmvb
    2012-07-15 14:19 - 2012-07-15 14:09 - 535306122 ____A C:\Users\Test\Desktop\TVBOXNOW-Tiger-Cubs-Ch04.mp4
    2012-07-15 08:30 - 2012-07-15 08:12 - 1464984547 ____A C:\Users\Test\Downloads\The.Four.2012.DVDRip.x264.AAC-CkreleaSe.mkv
    2012-07-14 22:26 - 2010-04-04 14:46 - 00002448 ____A C:\Users\Henry Desktop\Desktop\Google Chrome.lnk
    2012-07-12 14:03 - 2012-07-12 13:55 - 383421941 ____A C:\Users\Test\Downloads\Blackout.S01E01.HDTV.x264-TLA.mp4
    2012-07-12 14:02 - 2012-07-12 13:55 - 318454617 ____A C:\Users\Test\Downloads\Blackout.1x02.HDTV.x264-FoV.mp4
    2012-07-11 22:05 - 2011-04-14 12:22 - 00002403 ____A C:\Users\Test\Desktop\Google Chrome.lnk
    2012-07-10 22:06 - 2009-07-13 20:33 - 00462472 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-10 15:13 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini
    2012-07-10 15:09 - 2012-07-10 15:09 - 00263480 ____A C:\Windows\msxml4-KB2721691-enu.LOG
    2012-07-10 15:09 - 2010-02-16 02:43 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-08 13:00 - 2010-04-15 10:48 - 00000400 ____A C:\Windows\Tasks\SmartDefrag.job
    2012-07-08 02:41 - 2011-10-09 08:41 - 00000004 ____A C:\authres.html
    2012-07-03 04:46 - 2011-04-04 13:58 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-02 22:21 - 2012-07-02 22:12 - 587214217 ____A C:\Users\Test\Desktop\TVBOXNOW_Tiger_Cubs_Ch02.mp4
    2012-06-30 07:03 - 2009-07-13 20:53 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-06-25 07:04 - 2012-06-25 07:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\System32\msxml4.dll
    2012-06-24 08:57 - 2012-06-24 08:44 - 76529032 ____A C:\Users\Test\Downloads\Bobs.Burgers.S02E09.HDTV.x264-LOL.mp4
    2012-06-24 08:27 - 2011-05-19 12:19 - 00398848 __ASH C:\Users\Test\Thumbs.db
    2012-06-24 07:21 - 2012-06-24 07:05 - 328288462 ____A C:\Users\Test\Downloads\Continuum.S01E04.HDTV.x264-2HD.mp4
    2012-06-24 07:16 - 2012-06-24 07:05 - 321097571 ____A C:\Users\Test\Downloads\Continuum.S01E03.HDTV.x264-2HD.mp4
    2012-06-24 07:14 - 2012-06-24 06:58 - 292296605 ____A C:\Users\Test\Downloads\Continuum.S01E02.HDTV.x264-2HD.mp4
    2012-06-24 05:47 - 2012-06-24 05:33 - 306667368 ____A C:\Users\Test\Downloads\Continuum.S01E01.HDTV.x264-2HD.mp4
    2012-06-23 01:45 - 2012-06-22 23:13 - 725708800 ____A C:\Users\Test\Downloads\Love.Lifting.CAN.avi
    2012-06-16 06:33 - 2012-06-16 06:33 - 00217658 ____A C:\Users\Test\Desktop\Phones4U.xps
    2012-06-16 06:33 - 2012-06-16 06:33 - 00217658 ____A C:\Users\Public\Documents\phones4u.xps
    2012-06-11 21:20 - 2012-06-11 14:22 - 1662391690 ____A C:\Users\Test\Downloads\Floating.City.720p.X264.AAC.FDZone.dead.mkv
    2012-06-11 18:40 - 2012-07-10 15:09 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-10 00:25 - 2012-06-10 00:24 - 17623196 ____A C:\Users\Test\Desktop\LengMoCN_Charmaine_Fong-Dun_U_Dare-CDS-CPOP-2011-iUKoO.zip
    2012-06-08 20:41 - 2012-07-10 12:14 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 21:05 - 2012-07-10 12:15 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 21:05 - 2012-07-10 12:14 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 21:03 - 2012-07-10 12:14 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-03 01:05 - 2012-06-03 00:48 - 1576748279 ____A C:\Users\Test\Downloads\Marrying.Mr.Perfect.2012.BRRip.x264.AC3-theonlyh.mkv
    2012-06-02 14:19 - 2012-06-25 22:08 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-25 22:08 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-25 22:08 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-25 22:07 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-25 22:07 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-25 22:08 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-25 22:07 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 06:19 - 2012-06-25 22:07 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 06:12 - 2012-06-25 22:07 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-10 15:13 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-10 15:13 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-10 15:14 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-10 15:14 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-10 15:14 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:25 - 2012-07-10 15:13 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:23 - 2012-07-10 15:14 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-10 15:14 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-10 15:14 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-10 15:14 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-10 15:14 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-10 15:14 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-10 15:14 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-10 15:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 20:45 - 2012-07-10 12:15 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 20:45 - 2012-07-10 12:15 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 20:40 - 2012-07-10 12:15 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 20:40 - 2012-07-10 12:15 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 20:39 - 2012-07-10 12:15 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-05-30 04:12 - 2012-05-30 04:12 - 00194387 ____A C:\Users\Test\Downloads\photo.htm
    2012-05-26 05:49 - 2012-05-26 03:52 - 274980726 ____A C:\Users\Test\Desktop\TVBOXNOW-Master-Of-Play-Ch03.rmvb
    2012-05-26 04:37 - 2012-05-26 03:52 - 274942217 ____A C:\Users\Test\Desktop\TVBOXNOW Master Of Play Ch04.rmvb
    2012-05-26 04:12 - 2012-05-26 04:06 - 501066736 ____A C:\Users\Henry Desktop\Desktop\TVBOXNOW Master Of Play Ch02.AVI
    2012-05-26 04:06 - 2012-05-26 04:00 - 424804536 ____A C:\Users\Henry Desktop\Desktop\TVBOXNOW-Master-Of-Play-Ch01.AVI
    2012-05-18 15:49 - 2012-05-17 22:53 - 376082111 ____A C:\Users\Test\Downloads\Missing.2012.S01E10.HDTV.x264-LOL.mp4
    2012-05-18 15:46 - 2012-05-17 22:55 - 266599476 ____A C:\Users\Test\Downloads\Touch.S01E10.HDTV.x264-LOL.mp4
    2012-05-18 10:11 - 2012-05-18 10:11 - 00001092 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2012-05-16 01:48 - 2012-05-16 01:48 - 00428180 ____A C:\Users\Test\Desktop\Attachments_2012_05_16.zip
    2012-05-14 13:15 - 2012-05-14 13:12 - 79766350 ____A C:\Users\Test\Downloads\Bobs.Burgers.S02E08.HDTV.x264-LOL.mp4
    2012-05-12 23:04 - 2010-04-05 03:13 - 00000917 ____A C:\Users\Public\Desktop\礣orrent.lnk
    2012-05-10 22:25 - 2012-05-10 22:17 - 236401318 ____A C:\Users\Test\Downloads\Touch.S01E09.HDTV.x264-LOL.mp4
    2012-05-08 22:29 - 2012-05-08 21:04 - 316594668 ____A C:\Users\Test\Downloads\Missing.2012.S01E09.HDTV.x264-LOL.mp4
    2012-05-08 21:21 - 2012-05-08 21:07 - 261137980 ____A C:\Users\Test\Downloads\Touch.S01E08.HDTV.x264-LOL.mp4
    2012-05-08 21:14 - 2012-05-08 21:07 - 286470184 ____A C:\Users\Test\Downloads\Missing.2012.S01E08.HDTV.x264-LOL.mp4
    2012-05-08 21:11 - 2012-05-08 21:08 - 93288502 ____A C:\Users\Test\Downloads\Bobs.Burgers.S02E06.HDTV.x264-LOL.mp4
    2012-04-29 00:48 - 2011-04-11 22:50 - 00123520 ____A C:\Users\Test\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-04-28 08:02 - 2010-04-04 14:38 - 00123520 ____A C:\Users\Henry Desktop\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-04-27 19:17 - 2012-06-12 21:19 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-27 15:31 - 2012-04-08 02:23 - 00002038 ____A C:\Users\Public\Desktop\Logitech QuickCam.lnk
    2012-04-27 12:39 - 2012-04-27 12:39 - 00001037 ____A C:\Users\Test\Desktop\WinAVI MP4 Converter.lnk
    2012-04-27 12:39 - 2012-04-27 12:39 - 00001037 ____A C:\Users\Henry Desktop\Desktop\WinAVI MP4 Converter.lnk
    2012-04-27 02:06 - 2012-04-27 02:06 - 00001418 ____A C:\Windows\xpsp1hfm.log
    2012-04-27 02:04 - 2010-02-16 07:13 - 00104603 ____A C:\Windows\DirectX.log
    2012-04-27 01:53 - 2012-04-27 01:53 - 00000807 ____A C:\Windows\MSI30-KB884016.log
    2012-04-25 20:45 - 2012-06-12 21:19 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-04-25 20:45 - 2012-06-12 21:19 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-04-25 20:41 - 2012-06-12 21:19 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-04-23 20:36 - 2012-07-10 12:14 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 20:36 - 2012-07-10 12:14 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 20:36 - 2012-07-10 12:14 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 13:34 - 2012-04-23 13:00 - 510922263 ____A C:\Users\Test\Downloads\The.Amazing.Race.S20E09.HDTV.x264-2HD.mp4
    2012-04-22 01:37 - 2010-12-09 00:12 - 00002503 ____A C:\Users\Public\Desktop\Skype.lnk


    ZeroAccess:
    C:\Windows\Installer\{75bd8795-729e-3e2a-6b32-659cf4473ab0}
    C:\Windows\Installer\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\@
    C:\Windows\Installer\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\L
    C:\Windows\Installer\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\U
    C:\Windows\Installer\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\L\00000004.@

    ZeroAccess:
    C:\Users\Test\AppData\Local\{75bd8795-729e-3e2a-6b32-659cf4473ab0}
    C:\Users\Test\AppData\Local\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\@
    C:\Users\Test\AppData\Local\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\L
    C:\Users\Test\AppData\Local\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\n
    C:\Users\Test\AppData\Local\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\U

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 17%
    Total physical RAM: 4094.3 MB
    Available physical RAM: 3381.31 MB
    Total Pagefile: 4092.58 MB
    Available Pagefile: 3516.69 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1969.62 MB

    ======================= Partitions =========================

    1 Drive c: (Boot) (Fixed) (Total:910.41 GB) (Free:108.97 GB) NTFS
    2 Drive e: (Recover) (Fixed) (Total:20 GB) (Free:9.75 GB) NTFS
    4 Drive g: (LSI_DVD_RECORDER_VOLUME) (CDROM) (Total:1.54 GB) (Free:0 GB) UDF
    7 Drive j: () (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT
    8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    9 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 Online 966 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 910 GB 101 MB
    Partition 3 Primary 20 GB 910 GB
    Partition 4 OEM 1025 MB 930 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C Boot NTFS Partition 910 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E Recover NTFS Partition 20 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 4
    Type : 12
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 8 NTFS Partition 1025 MB Healthy Hidden

    ==================================================================================

    Partitions of Disk 4:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 965 MB 16 KB

    ==================================================================================

    Disk: 4
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 7 J FAT Removable 965 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-08 01:17

    ======================= End Of Log ==========================
     
  2. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================

    In Vista or Windows 7: Boot to System Recovery Options and run FRST.
    In Windows XP: Please boot to UBCD and run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes to your reply.
     
  3. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    Here you go:
    Farbar Recovery Scan Tool Version: 16-07-2012 01
    Ran by SYSTEM at 2012-07-21 08:57:34
    Running from J:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2012-07-20 13:24] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===
     
  4. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next....

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     

    Attached Files:

  5. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    Here's the text from combofix:

    ComboFix 12-07-21.01 - Henry Desktop 21/07/2012 19:14:03.1.4 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.936.86.1033.18.3326.2340 [GMT 1:00]
    执行位置: c:\users\Henry Desktop\Desktop\ComboFix.exe
    * 成功创造新还原点
    .
    .
    ((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\MotioninJoy_040002_x86.exe
    c:\programdata\32562952
    c:\programdata\windows
    c:\programdata\Windows\dumd.dat
    c:\programdata\Windows\xdor.dat
    c:\users\Henry Desktop\AppData\Local\Temp\jna8303329142370067353.dll
    c:\users\Henry Desktop\Overheard .mpg
    c:\users\Henry Desktop\Xpadder [5.7].exe
    c:\users\HENRYD~1\AppData\Local\Temp\jna8303329142370067353.dll
    c:\users\Test\001.jpg
    c:\users\Test\AppData\Roaming\Puamqy
    c:\users\Test\AppData\Roaming\Puamqy\imop.kez
    c:\users\Test\AppData\Roaming\Puamqy\imop.tmp
    c:\windows\iun6002.exe
    .
    .
    ((((((((((((((((((((((((( 2012-06-21 至 2012-07-21 的新的档案 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-21 18:07 . 2012-07-21 18:07 -------- d-----w- c:\users\Henry Desktop\AppData\Roaming\AVG2012
    2012-07-21 18:00 . 2012-07-21 18:26 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F8AB8A44-2CCE-4441-8A37-CB7188B00DB6}\offreg.dll
    2012-07-21 05:52 . 2012-07-21 06:11 -------- d-----w- C:\FRST
    2012-07-20 21:25 . 2012-07-20 21:25 100864 ----a-w- C:\ffxdrpog.sys
    2012-07-19 22:23 . 2012-01-17 20:55 28424 ----a-w- c:\windows\system32\drivers\PRSBDrvr.sys
    2012-07-19 22:04 . 2012-07-21 18:27 -------- d-----w- c:\windows\system32\DBBK
    2012-07-19 22:04 . 2012-03-22 16:17 225664 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
    2012-07-19 22:04 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
    2012-07-19 22:04 . 2012-01-17 20:55 27528 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
    2012-07-19 22:04 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
    2012-07-19 22:04 . 2012-01-17 20:55 59272 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
    2012-07-19 22:04 . 2012-01-17 20:55 20744 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
    2012-07-19 22:04 . 2010-05-04 01:37 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
    2012-07-19 21:12 . 2012-07-19 21:12 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-07-19 06:22 . 2012-07-19 06:22 -------- d-----w- c:\program files\GUM1812.tmp
    2012-07-19 06:22 . 2012-07-19 06:22 4024320 ----a-w- c:\program files\GUT1813.tmp
    2012-07-19 06:14 . 2012-02-09 13:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{00C69F50-0872-4932-ACC5-0627A6F474A5}\gapaengine.dll
    2012-07-19 06:13 . 2012-07-16 01:41 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F8AB8A44-2CCE-4441-8A37-CB7188B00DB6}\mpengine.dll
    2012-07-19 06:12 . 2012-07-19 06:13 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-15 06:15 . 2012-07-15 06:16 -------- d-----w- c:\programdata\6C82ED420009B0E872A08290F875F020
    2012-07-10 23:13 . 2012-06-02 08:25 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-07-10 23:09 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
    2012-07-10 20:15 . 2012-06-02 04:45 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-10 20:15 . 2012-06-02 04:45 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-07-10 20:15 . 2012-06-02 04:40 369336 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-07-10 20:15 . 2012-06-02 04:40 225280 ----a-w- c:\windows\system32\schannel.dll
    2012-07-10 20:15 . 2012-06-02 04:39 219136 ----a-w- c:\windows\system32\ncrypt.dll
    2012-07-10 20:15 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-26 06:08 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-26 06:08 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-26 06:08 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-26 06:08 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-26 06:07 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-26 06:07 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-26 06:07 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-26 06:07 . 2012-06-02 14:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-26 06:07 . 2012-06-02 14:12 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-25 15:04 . 2012-06-25 15:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-03 12:46 . 2011-04-04 21:58 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-28 03:17 . 2012-06-13 05:19 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-26 04:45 . 2012-06-13 05:19 58880 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-04-26 04:45 . 2012-06-13 05:19 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-04-26 04:41 . 2012-06-13 05:19 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-04-21 01:19 . 2012-05-18 18:11 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-05-13 880496]
    "Grid Service"="c:\program files\GridService\peer.exe" [2008-12-30 4993024]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-03 8120864]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 103720]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\users\Henry Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    PS3 Media Server.lnk - c:\program files\PS3 Media Server\PMS.exe [2012-4-6 432785]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux2"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Evernote Clipper.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Evernote Clipper.lnk
    backup=c:\windows\pss\Evernote Clipper.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Test^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
    2010-03-06 02:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
    2010-02-22 03:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
    2007-05-31 08:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
    R2 SessionLauncher;SessionLauncher;c:\users\Test\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
    R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
    R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
    R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
    R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
    R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 PRSBDrvr;PRSBDrvr;c:\windows\system32\DRIVERS\PRSBDrvr.sys [x]
    R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
    R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    R4 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
    R4 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [x]
    R4 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [x]
    R4 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
    R4 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [x]
    R4 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [x]
    R4 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
    R4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
    R4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 DasBoot;Panda AntiMalware Support;c:\windows\\SystemRoot\system32\drivers\DasBoot.SYS [x]
    S0 DasBootF;Panda AntiMalware Support MF;c:\windows\\SystemRoot\system32\drivers\DasBootF.SYS [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [x]
    S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 DroidCam;DroidCam Virtual Audio;c:\windows\system32\drivers\droidcam.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    .
    ‘计划任务’ 文件夹 里的内容
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1001Core.job
    - c:\users\Henry Desktop\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-04 22:45]
    .
    2012-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1001UA.job
    - c:\users\Henry Desktop\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-04 22:45]
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1004Core.job
    - c:\users\Test\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-14 20:21]
    .
    2012-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1004UA.job
    - c:\users\Test\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-14 20:21]
    .
    2012-07-08 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-04-15 15:48]
    .
    .
    ------- 而外的扫描 -------
    .
    uStart Page = hxxp://www.aldi.com
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
    IE: {{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/710-72741-17534-1/4
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath -
    .
    .
    ------- 文件类型 -------
    .
    txtfile=c:\windows\notepad.exe %1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
    MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
    MSConfigStartUp-DU Meter - c:\program files\DU Meter\DUMeter.exe
    MSConfigStartUp-TomTomHOME - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
    MSConfigStartUp-WY7I7JZFVGVX7E1EALSOMKUG - c:\svchost.exe\2608DF01F33.exe
    AddRemove-AndreaMosaic - c:\windows\iun6002.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ 其他运行进程 ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe
    c:\program files\Java\jre6\bin\javaw.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\windows\System32\rundll32.exe
    .
    **************************************************************************
    .
    完成时间: 2012-07-21 19:35:18 - 电脑已重新启动
    ComboFix-quarantined-files.txt 2012-07-21 18:35
    .
    Pre-Run: 167,543,586,816 bytes free
    Post-Run: 171,976,753,152 bytes free
    .
    - - End Of File - - 1BBB45D997E07DACF39DBD40C560B3C2
     
  6. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Looks good :)

    Any current issues?

    What is your AV program?

    ======================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    =================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    Thanks a million.

    Working ok so far. Was using AVG but I think I want to change now....any you recommend?
     
  8. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    AVG is a fine program.
    If you uninstalled it prior to running Combofix reinstall it and proceed with other steps from my previous reply.
     
  9. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    So happy that #I can use my computer again, I forgot to follow the rest of the steps. Anyway here's the MBAM log:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.18.12

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Test :: HENRYDESKTOP-PC [administrator]

    23/07/2012 22:04:30
    mbam-log-2012-07-23 (22-04-30).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 212689
    Time elapsed: 7 minute(s), 27 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  10. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    OTL Extras logfile created on: 23/07/2012 22:28:36 - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Test\Desktop
    Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    3.25 Gb Total Physical Memory | 2.16 Gb Available Physical Memory | 66.35% Memory free
    6.50 Gb Paging File | 5.04 Gb Available in Paging File | 77.60% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 910.41 Gb Total Space | 155.06 Gb Free Space | 17.03% Space Free | Partition Type: NTFS
    Drive D: | 20.00 Gb Total Space | 9.75 Gb Free Space | 48.77% Space Free | Partition Type: NTFS
    Drive E: | 1.54 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive J: | 1.54 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: HENRYDESKTOP-PC | User Name: Test | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .html [@ = Opera.HTML] -- C:\Program Files\Opera 11.00 beta\Opera.exe (Opera Software)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "AntiVirusDisableNotify" = 0
    "AntiVirusOverride" = 1
    "FirewallDisableNotify" = 0
    "FirewallOverride" = 1
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{029F015E-949B-494A-8C9C-A45E82AAC4E2}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{287A8CF9-7359-41E3-B50F-42AC8DD3D3B8}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
    "{307EE002-49D7-428F-81E1-DF028368E20B}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
    "{4442C33B-C2C4-434E-A758-39F925CFF4D4}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{4E6FB4D5-C6F8-4D0A-9705-8D3B8D6881CF}" = protocol=17 | dir=in | app=c:\program files\gridservice\peer.exe |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{5D5BD06B-3D90-4554-B3C0-0E2E54872BE0}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{86E61FB3-2C54-4888-858A-CC50B6C0A4C8}" = protocol=6 | dir=in | app=c:\program files\gridservice\peer.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{B6838EC0-4FEE-417B-985B-018316E474D7}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{CEC66D86-B399-4AFE-8F8B-92971503F2D7}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{D69D26D5-FFA7-4DCE-AACF-C3D4EB512194}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "TCP Query User{60372B8B-B9AC-4BA9-A915-74A587D2E319}C:\program files\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |
    "UDP Query User{3286D69D-BCE9-480B-9C57-723E4E32BD1E}C:\program files\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "_{806422F8-8E0A-494A-A369-0F34F1B89160}" = CorelDRAW Essentials 4 - Extra Content
    "_{C0237AA4-1BFB-46EA-860D-7B0EB365CA13}" = CorelDRAW Essentials 4
    "{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
    "{07B62101-7EBD-434A-94B1-B38063BE5516}" = CorelDRAW Essentials 4 - PHOTO-PAINT
    "{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
    "{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
    "{0AAFCFAF-5544-EEAF-189B-C85B138112D1}" = ATI Catalyst Install Manager
    "{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
    "{0ED4216F-3540-4D6B-8199-1C8DDEA3924B}" = CorelDRAW Essentials 4 - Lang DE
    "{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
    "{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
    "{11083C7A-D0D6-4DA4-8C3A-74B8389EC07B}" = ATI Catalyst Registration
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
    "{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
    "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    "{19AC095C-3520-4999-AA15-93B6D0248A50}" = CorelDRAW Essentials 4 - Content
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}" = mkv2vob
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
    "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
    "{31A559C1-9E4D-423B-9DD3-34A6C5398752}" = HTC BMP USB Driver
    "{32BC62C5-32B9-F838-ADD4-CFEF544C6888}" = ccc-core-static
    "{330DAC67-5B62-452A-A0E4-6B4A5923940F}_is1" = MotioninJoy ds3 driver version 0.4.0002
    "{34A9406E-1994-4C20-AC72-04CFA2B24545}" = CorelDRAW Essentials 4 - Lang EN
    "{3576C335-958D-4D60-A812-F68F9A2796AF}" = CorelDRAW Essentials 4 - Lang IT
    "{3AAAAA09-1385-4632-AFF3-6A9D3B4634EC}" = Mouse Gestures for Internet Explorer (x86)
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3CB1AEE0-0B27-F3C8-0582-67976480E480}" = AMD Fuel
    "{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
    "{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
    "{3F15E203-BC3E-3597-84CD-EDF99546C917}" = Google Talk Plugin
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
    "{42442BC6-5A92-4BC2-9E0C-3D359D548A21}_is1" = Pazera Free MP4 to AVI Converter 1.6
    "{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
    "{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
    "{49FCEFED-4D67-4D5D-A963-C7A169ECAAA7}" = Audio Browser
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
    "{4D54D8DF-25CF-9752-787E-BF8D560B009B}" = AMD Drag and Drop Transcoding
    "{4D66F66A-D5FA-15A2-F6E5-5589BD7E29AA}" = Catalyst Control Center InstallProxy
    "{4EFC72DA-2314-4E5D-AC8E-1C954CDB8BBF}" = AVG 2012
    "{54770B39-0DF7-D211-191E-921F6CA9AEE6}" = ATI Problem Report Wizard
    "{5500BB35-1C21-4328-9F16-F894B860FADE}" = CorelDRAW Essentials 4 - Lang NL
    "{5FD89EA1-99C2-40EE-BBF5-20F8991ED756}" = Catalyst Control Center - Branding
    "{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
    "{639003F5-1970-D10E-1E7C-F8320B7402D6}" = ATI AVIVO Codecs
    "{63CEA395-22F6-A2FC-9290-B4103E0B628F}" = WMV9/VC-1 Video Playback
    "{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
    "{66BB5D8F-D9BD-4799-A9FA-5731B3B7839A}" = 3RVX
    "{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1" = Revo Uninstaller Pro 2.1.5
    "{6D12EC75-E7D3-4EAD-AB10-E1F3AFF94AA6}" = AVG 2012
    "{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{72F67711-9512-4C0F-A06B-BB61C76CD55D}" = SourceGear DiffMerge 3.3.1.1118 (x86)
    "{7353BAE6-5E49-46C4-A9B5-8A269A313789}" = Crysis WARHEAD(R)
    "{76E852ED-1B06-4BC8-9D6A-625DB95FB7E5}" = CorelDRAW Essentials 4 - IPM - No VBA
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{771ABEA0-23AF-8F8E-63FE-168779F294B6}" = CCC Help English
    "{7D2370AC-D8E6-4996-986A-19824F8A167C}" = Logitech QuickCam
    "{806422F8-8E0A-494A-A369-0F34F1B89160}" = CorelDRAW Essentials 4 - Extra Content
    "{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
    "{86B247F9-1D5E-CCC6-3280-71486D9A4E70}" = ATI Stream SDK v2 Developer
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
    "{8ACC73AA-6511-7C55-B1A9-8E5D1DEAFAA3}" = The Lord of the Rings FREE Trial
    "{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
    "{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{9043B9A0-9505-405B-8202-E7167A38A89C}" = CorelDRAW Essentials 4
    "{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
    "{923E3957-F939-453A-BD55-41CFB8D7F211}" = HTC Sync
    "{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A899DA1F-D626-401C-8651-F2921E3B4CB3}" = 3Connect
    "{ABD8B955-1C69-4AF3-949B-13CD587C175F}" = CorelDRAW Essentials 4 - Lang BR
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
    "{AC76BA86-7AD7-2447-0000-900000000003}" = Chinese Simplified Fonts Support For Adobe Reader 9
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
    "{B143D835-EBAF-4A39-8B31-1868FF4166C1}" = AVG 2012
    "{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
    "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
    "{B9FA9F15-A1F3-4DB1-AD49-0B9351843FAA}" = CorelDRAW Essentials 4 - Draw
    "{BA9319FE-BCEF-4C99-8039-F464648D046E}" = CorelDRAW Essentials 4 - Lang FR
    "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
    "{C0237AA4-1BFB-46EA-860D-7B0EB365CA13}" = CorelDRAW Essentials 4 - ICA
    "{C0D7A16D-50D2-44E1-AB16-37110A4B00E2}" = Official Guide to the TOEFL Test, Third Edition
    "{C3BDF1C8-66EF-4A0F-B427-A99E39706F45}_is1" = RMVB Converter 1.8
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
    "{C682F3F0-00A6-4379-B083-4F3273624D7B}" = CorelDRAW Essentials 4 - Lang ES
    "{C79312BD-3E76-4474-A10C-1435D1856A4B}" = Adobe Dreamweaver CS5
    "{C92C89BB-1D11-C8D5-1584-D5259818479A}" = ccc-utility
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
    "{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
    "{D7BF3B76-EEF9-4868-9B2B-42ABF60B279A}" = Microsoft_VC80_CRT_x86
    "{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
    "{DB837331-6864-4B66-7248-4CB823DB4222}" = Catalyst Control Center InstallProxy
    "{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
    "{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy
    "{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
    "{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
    "{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
    "{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
    "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F16841F6-5F0F-4DBE-B318-63CEB916F21D}" = CorelDRAW Essentials 4 - Filters
    "{F47C09DB-746B-2ABA-819B-8FC759034E74}" = Catalyst Control Center Graphics Previews Common
    "{F6A6DFF9-F71C-4BA6-B437-F18872866D3D}" = Bing Bar
    "{F761359C-9CED-45AE-9A51-9D6605CD55C4}" = Evernote v. 4.1
    "{FDB46DE7-9045-47BB-970A-3E4ED5369E03}" = EMC 10 Content
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "AVG" = AVG 2012
    "AviSynth" = AviSynth 2.5
    "chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
    "com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
    "Coupon Printer2.0" = Coupon Printer
    "Crysis WARHEAD(R)" = Crysis WARHEAD(R)
    "EIN-HJT Bundle-Maker Word Template_is1" = EIN-HJT Bundle-Maker Word Template
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "Flash Slideshow Maker Pro" = Flash Slideshow Maker Pro 4.75
    "ImgBurn" = ImgBurn
    "InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
    "InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = PRODUCT_NAME
    "InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
    "KLiteCodecPack_is1" = K-Lite Codec Pack 8.6.0 (Full)
    "Magic ISO Maker v5.5 (build 0281)" = Magic ISO Maker v5.5 (build 0281)
    "MagicDisc 2.7.106" = MagicDisc 2.7.106
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
    "MediaCoder" = MediaCoder 2011
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "MKVtoolnix" = MKVtoolnix 5.0.1
    "Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)
    "Mp3tag" = Mp3tag v2.47b
    "Notepad++" = Notepad++
    "Opera 12.00.1467" = Opera 12.00
    "Opera 12.00.1467_1" = Opera 12.00
    "PhotoScape" = PhotoScape
    "Picasa 3" = Picasa 3
    "PS3 Media Server" = PS3 Media Server
    "PSP Video 9" = PSP Video 9 5.04
    "RaySource" = RaySource 2.2.0.1
    "RealAlt_is1" = Real Alternative 2.0.2
    "ScanSoft PaperPort Viewer 7.0" = ScanSoft PaperPort Viewer 7.0
    "Smart Defrag_is1" = Smart Defrag
    "uTorrent" = µTorrent
    "VLC media player" = VLC media player 1.0.5
    "VobSub" = VobSub v2.23 (Remove Only)
    "Win AVI HelixSDK_is1" = Win AVI HelixSDK
    "WinAVI Video Converter_is1" = WinAVI Video Converter
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "ZTE_1.2059.0.8" = ZTE_1.2059.0.8

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 23/07/2012 14:11:50 | Computer Name = HenryDesktop-PC | Source = VSS | ID = 12292
    Description =

    Error - 23/07/2012 14:11:50 | Computer Name = HenryDesktop-PC | Source = VSS | ID = 13
    Description =

    Error - 23/07/2012 14:11:50 | Computer Name = HenryDesktop-PC | Source = VSS | ID = 12292
    Description =

    Error - 23/07/2012 14:11:50 | Computer Name = HenryDesktop-PC | Source = VSS | ID = 13
    Description =

    Error - 23/07/2012 14:11:50 | Computer Name = HenryDesktop-PC | Source = VSS | ID = 12292
    Description =

    Error - 23/07/2012 14:11:50 | Computer Name = HenryDesktop-PC | Source = VSS | ID = 8193
    Description =

    Error - 23/07/2012 14:11:50 | Computer Name = HenryDesktop-PC | Source = System Restore | ID = 8193
    Description =

    Error - 23/07/2012 14:11:50 | Computer Name = HenryDesktop-PC | Source = System Restore | ID = 8211
    Description =

    Error - 23/07/2012 14:11:50 | Computer Name = HenryDesktop-PC | Source = VSS | ID = 13
    Description =

    Error - 23/07/2012 14:11:50 | Computer Name = HenryDesktop-PC | Source = VSS | ID = 12292
    Description =

    [ Media Center Events ]
    Error - 12/09/2010 19:52:15 | Computer Name = HenryDesktop-PC | Source = MCUpdate | ID = 0
    Description = 00:52:15 - Error connecting to the internet. 00:52:15 - Unable
    to contact server..

    Error - 12/09/2010 19:52:21 | Computer Name = HenryDesktop-PC | Source = MCUpdate | ID = 0
    Description = 00:52:20 - Error connecting to the internet. 00:52:20 - Unable
    to contact server..

    Error - 23/09/2010 13:22:08 | Computer Name = HenryDesktop-PC | Source = MCUpdate | ID = 0
    Description = 18:22:07 - Error connecting to the internet. 18:22:07 - Unable
    to contact server..

    Error - 02/10/2010 22:20:48 | Computer Name = HenryDesktop-PC | Source = MCUpdate | ID = 0
    Description = 03:20:47 - Error connecting to the internet. 03:20:47 - Unable
    to contact server..

    Error - 02/10/2010 23:20:53 | Computer Name = HenryDesktop-PC | Source = MCUpdate | ID = 0
    Description = 04:20:52 - Error connecting to the internet. 04:20:52 - Unable
    to contact server..

    Error - 03/10/2010 00:23:57 | Computer Name = HenryDesktop-PC | Source = MCUpdate | ID = 0
    Description = 05:23:57 - Error connecting to the internet. 05:23:57 - Unable
    to contact server..

    Error - 03/10/2010 01:25:01 | Computer Name = HenryDesktop-PC | Source = MCUpdate | ID = 0
    Description = 06:25:00 - Error connecting to the internet. 06:25:00 - Unable
    to contact server..

    Error - 08/10/2010 18:33:53 | Computer Name = HenryDesktop-PC | Source = MCUpdate | ID = 0
    Description = 23:33:53 - Error connecting to the internet. 23:33:53 - Unable
    to contact server..

    Error - 23/10/2010 05:55:22 | Computer Name = HenryDesktop-PC | Source = MCUpdate | ID = 0
    Description = 10:55:21 - Error connecting to the internet. 10:55:21 - Unable
    to contact server..

    Error - 23/10/2010 06:55:57 | Computer Name = HenryDesktop-PC | Source = MCUpdate | ID = 0
    Description = 11:55:56 - Error connecting to the internet. 11:55:56 - Unable
    to contact server..

    [ OSession Events ]
    Error - 03/08/2010 13:20:46 | Computer Name = HenryDesktop-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 0
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 05/01/2011 11:52:56 | Computer Name = HenryDesktop-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 8, Application Name: Microsoft Office Publisher, Application Version:
    12.0.6546.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1465
    seconds with 1320 seconds of active time. This session ended with a crash.

    Error - 18/12/2011 14:29:34 | Computer Name = HenryDesktop-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 23/12/2011 04:52:02 | Computer Name = HenryDesktop-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 13
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 16/01/2012 07:23:18 | Computer Name = HenryDesktop-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 23/01/2012 10:49:15 | Computer Name = HenryDesktop-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
    12.0.6654.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 2
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 27/01/2012 11:18:22 | Computer Name = HenryDesktop-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 27/01/2012 18:09:49 | Computer Name = HenryDesktop-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 06/02/2012 03:27:50 | Computer Name = HenryDesktop-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 13/03/2012 07:06:45 | Computer Name = HenryDesktop-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3
    seconds with 0 seconds of active time. This session ended with a crash.

    [ System Events ]
    Error - 23/07/2012 17:37:02 | Computer Name = HenryDesktop-PC | Source = Service Control Manager | ID = 7001
    Description = The Server service depends on the Security Accounts Manager service
    which failed to start because of the following error: %%1058

    Error - 23/07/2012 17:37:02 | Computer Name = HenryDesktop-PC | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 23/07/2012 17:37:02 | Computer Name = HenryDesktop-PC | Source = Service Control Manager | ID = 7001
    Description = The Server service depends on the Security Accounts Manager service
    which failed to start because of the following error: %%1058

    Error - 23/07/2012 17:37:02 | Computer Name = HenryDesktop-PC | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 23/07/2012 17:37:02 | Computer Name = HenryDesktop-PC | Source = Service Control Manager | ID = 7001
    Description = The Server service depends on the Security Accounts Manager service
    which failed to start because of the following error: %%1058

    Error - 23/07/2012 17:37:02 | Computer Name = HenryDesktop-PC | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 23/07/2012 17:37:02 | Computer Name = HenryDesktop-PC | Source = Service Control Manager | ID = 7001
    Description = The Server service depends on the Security Accounts Manager service
    which failed to start because of the following error: %%1058

    Error - 23/07/2012 17:37:02 | Computer Name = HenryDesktop-PC | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068

    Error - 23/07/2012 17:37:02 | Computer Name = HenryDesktop-PC | Source = Service Control Manager | ID = 7001
    Description = The Server service depends on the Security Accounts Manager service
    which failed to start because of the following error: %%1058

    Error - 23/07/2012 17:37:02 | Computer Name = HenryDesktop-PC | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1068


    < End of report >
     
  11. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    The OTL.txt. file is too big to post, soI have split into 2 parts:
    OTL logfile created on: 23/07/2012 22:28:36 - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Test\Desktop
    Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    3.25 Gb Total Physical Memory | 2.16 Gb Available Physical Memory | 66.35% Memory free
    6.50 Gb Paging File | 5.04 Gb Available in Paging File | 77.60% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 910.41 Gb Total Space | 155.06 Gb Free Space | 17.03% Space Free | Partition Type: NTFS
    Drive D: | 20.00 Gb Total Space | 9.75 Gb Free Space | 48.77% Space Free | Partition Type: NTFS
    Drive E: | 1.54 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive J: | 1.54 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: HENRYDESKTOP-PC | User Name: Test | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/23 22:04:05 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Test\Desktop\OTL.exe
    PRC - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe
    PRC - [2012/06/13 03:48:26 | 000,758,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
    PRC - [2012/06/13 03:48:24 | 001,255,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
    PRC - [2012/05/13 08:04:26 | 000,880,496 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
    PRC - [2012/04/05 05:12:34 | 002,587,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
    PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
    PRC - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    PRC - [2012/02/14 04:52:38 | 000,338,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    PRC - [2011/03/10 20:57:04 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    PRC - [2010/11/20 13:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010/11/20 13:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2009/06/03 21:59:02 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    PRC - [2008/10/13 23:44:44 | 000,159,232 | ---- | M] (matt.malensek.net) -- C:\Program Files\3RVX\3RVX.exe
    PRC - [2007/02/08 01:13:48 | 000,774,168 | ---- | M] () -- C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    PRC - [2007/02/08 01:12:48 | 000,488,984 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    PRC - [2007/02/08 01:12:20 | 000,230,936 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    PRC - [2007/02/06 17:43:26 | 000,252,704 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/07/15 18:40:48 | 000,183,296 | ---- | M] () -- C:\Program Files\Opera 11.00 beta\mapi\OperaMAPI.dll
    MOD - [2012/06/13 14:48:33 | 000,238,080 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\3RVX\5fb4f3a2327eb7320756711efdb01aea\3RVX.ni.exe
    MOD - [2012/06/13 14:48:33 | 000,189,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\MHook\fc165e3f5b1e282cbb849f0199c1b817\MHook.ni.dll
    MOD - [2012/06/13 14:48:33 | 000,114,176 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WaveLibMixer\efc3fce14de34dd89bce9962cd22cd43\WaveLibMixer.ni.dll
    MOD - [2012/06/13 14:02:12 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
    MOD - [2012/06/13 14:02:05 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
    MOD - [2012/05/10 07:46:04 | 000,058,368 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\CoreAudioApi\385f643b6ebc014373f9db3c7a7362eb\CoreAudioApi.ni.dll
    MOD - [2012/05/10 07:42:31 | 000,025,600 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\2ec98ab0193d64e95b7d09d094deed97\Accessibility.ni.dll
    MOD - [2012/05/10 07:42:18 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
    MOD - [2012/05/10 07:42:14 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
    MOD - [2012/05/10 07:42:13 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
    MOD - [2012/05/10 07:41:59 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
    MOD - [2009/06/03 21:59:14 | 000,013,096 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll
    MOD - [2009/06/03 21:59:02 | 000,619,816 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll
    MOD - [2007/02/08 01:18:18 | 001,119,768 | ---- | M] () -- C:\Program Files\Logitech\QuickCam10\LAppRes.DLL
    MOD - [2007/02/08 01:13:48 | 000,774,168 | ---- | M] () -- C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    MOD - [2007/02/08 01:13:00 | 000,022,040 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LComMgr\LCMServerPS.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\Users\Test\AppData\Local\Temp\DX9\SessionLauncher.exe -- (SessionLauncher)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
    SRV - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
    SRV - [2012/06/19 17:32:30 | 003,048,136 | ---- | M] (Skype Technologies S.A.) [Disabled | Stopped] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
    SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV - [2012/02/29 08:50:48 | 000,158,856 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
    SRV - [2011/05/26 14:34:34 | 000,191,752 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
    SRV - [2011/03/10 20:57:04 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
    SRV - [2011/01/05 03:57:32 | 000,176,128 | ---- | M] (AMD) [Disabled | Stopped] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
    SRV - [2011/01/04 23:05:54 | 000,284,672 | ---- | M] (Advanced Micro Devices, Inc.) [Disabled | Stopped] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
    SRV - [2010/09/16 15:06:22 | 000,080,896 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
    SRV - [2010/06/17 06:23:34 | 000,140,224 | ---- | M] (Advanced Micro Devices) [Disabled | Stopped] -- C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe -- (AMD Reservation Manager)
    SRV - [2010/02/17 11:23:38 | 001,343,400 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2010/01/28 13:47:44 | 001,737,464 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe -- (BecHelperService)
    SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2007/07/24 12:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Disabled | Stopped] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
    SRV - [2007/05/31 09:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
    SRV - [2007/05/31 09:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
    SRV - [2007/02/06 17:47:12 | 000,105,248 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
    SRV - [2007/02/06 17:45:26 | 000,109,344 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- c:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\HENRYD~1\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - [2012/04/19 04:50:26 | 000,024,896 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\avgidshx.sys -- (AVGIDSHX)
    DRV - [2012/03/24 18:10:31 | 000,022,656 | ---- | M] (Dev47Apps) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\droidcam.sys -- (DroidCam)
    DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV - [2012/03/19 05:17:28 | 000,301,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
    DRV - [2012/02/22 05:25:32 | 000,235,216 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
    DRV - [2012/01/31 04:46:50 | 000,031,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
    DRV - [2012/01/17 21:55:42 | 000,028,424 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PRSBDrvr.sys -- (PRSBDrvr)
    DRV - [2012/01/17 21:55:36 | 000,059,272 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\DasBootF.SYS -- (DasBootF)
    DRV - [2012/01/17 21:55:34 | 000,020,744 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\DasBoot.SYS -- (DasBoot)
    DRV - [2011/12/23 13:32:14 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
    DRV - [2011/12/23 13:32:08 | 000,017,232 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsshimx.sys -- (AVGIDSShim)
    DRV - [2011/12/23 13:32:06 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsfilterx.sys -- (AVGIDSFilter)
    DRV - [2011/12/23 13:32:00 | 000,139,856 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
    DRV - [2011/01/05 04:36:10 | 006,789,120 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
    DRV - [2011/01/05 03:19:18 | 000,235,520 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
    DRV - [2010/11/20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010/11/20 10:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WINUSB)
    DRV - [2010/06/23 11:24:56 | 000,023,040 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\htcnprot.sys -- (htcnprot)
    DRV - [2010/03/18 19:01:22 | 000,048,640 | ---- | M] (MotioninJoy) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MijXfilt.sys -- (MotioninJoyXFilter)
    DRV - [2010/03/18 10:02:24 | 000,079,568 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LMouKE.Sys -- (LMouKE)
    DRV - [2010/03/18 10:01:04 | 000,063,312 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\L8042mou.Sys -- (L8042mou)
    DRV - [2010/03/18 10:00:56 | 000,020,304 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\L8042Kbd.sys -- (L8042Kbd)
    DRV - [2010/02/18 10:18:22 | 000,037,944 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\amdiox86.sys -- (amdiox86)
    DRV - [2010/02/06 07:49:00 | 000,597,536 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RTL8192su.sys -- (RTL8192su)
    DRV - [2010/01/28 13:35:24 | 000,010,240 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mdvrmng.sys -- (mdvrmng)
    DRV - [2010/01/19 12:49:48 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
    DRV - [2010/01/19 12:49:48 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
    DRV - [2010/01/19 12:49:48 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
    DRV - [2010/01/19 12:49:48 | 000,009,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\massfilter.sys -- (massfilter)
    DRV - [2009/12/30 11:21:16 | 000,027,192 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\revoflt.sys -- (Revoflt)
    DRV - [2009/11/19 00:25:04 | 000,100,352 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
    DRV - [2009/10/26 09:54:24 | 000,025,088 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ANDROIDUSB.sys -- (HTCAND32)
    DRV - [2009/07/14 00:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
    DRV - [2009/07/07 22:48:14 | 000,011,832 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\amdide.sys -- (amdide)
    DRV - [2009/05/05 10:00:28 | 000,014,392 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
    DRV - [2009/02/24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)
    DRV - [2007/09/25 15:59:46 | 000,015,152 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\MediaCoder\SysInfo.sys -- (CrystalSysInfo)
    DRV - [2007/02/06 17:45:04 | 000,025,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
    DRV - [2007/02/06 17:44:36 | 001,964,064 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LVMVdrv.sys -- (LVMVDrv)
    DRV - [2007/02/06 17:42:40 | 001,691,808 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Lvckap.sys -- (LVcKap)
    DRV - [2007/02/03 10:32:36 | 000,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)
    DRV - [2007/02/03 10:25:56 | 001,075,360 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)


    ========== Standard Registry (SafeList) ==========
     
  12. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    and part 2:

    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
    IE - HKU\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://medion.msn.com [binary data]
    IE - HKU\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..\SearchScopes\{1AEA5634-4390-43C0-9A4A-972B5EED29AD}: "URL" = http://www.bing.com/search?q={searchTerms}&form=MEDTDF&pc=MAMD&src=IE-SearchBox
    IE - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = https://isearch.avg.com/search?cid=...20973ddd3df&lang=en&ds=AVG&pr=fr&d=2012-07-17 21:54:01&v=12.1.0.20&sap=dsp&q={searchTerms}
    IE - HKU\S-1-5-21-603813022-4084152872-712802821-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.4: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@qq.com/npqscall,version=1.0.0: %commonprogramfiles%\tencent\NPQSCALL\npqscall.dll File not found
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Test\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Test\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Test\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Test\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/07/22 13:38:42 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/22 13:38:26 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/18 19:11:07 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

    [2012/05/18 19:11:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Test\AppData\Roaming\mozilla\Extensions
    [2012/05/21 22:41:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Test\AppData\Roaming\mozilla\Firefox\Profiles\q4c0moi1.default\extensions
    [2012/05/18 19:12:14 | 000,000,000 | ---D | M] (All-in-One Gestures) -- C:\Users\Test\AppData\Roaming\mozilla\Firefox\Profiles\q4c0moi1.default\extensions\{8b86149f-01fb-4842-9dd8-4d7eb02fd055}
    [2012/05/18 19:11:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    File not found (No name found) -- C:\PROGRAMDATA\AVG SECURE SEARCH\12.1.0.20\
    [2012/05/21 22:41:25 | 000,413,408 | ---- | M] () (No name found) -- C:\USERS\TEST\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\Q4C0MOI1.DEFAULT\EXTENSIONS\{C45C406E-AB73-11D8-BE73-000A95BE3B12}.XPI
    [2012/04/21 02:19:34 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/07/17 21:53:50 | 000,003,750 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
    [2012/04/21 02:18:25 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/04/21 02:18:25 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - default_search_provider: AVG Secure Search (Enabled)
    CHR - default_search_provider: search_url = https://isearch.avg.com/search?cid=...20973ddd3df&lang=en&ds=AVG&pr=fr&d=2012-07-17 21:54:01&v=12.1.0.20&sap=dsp&q={searchTerms}
    CHR - default_search_provider: suggest_url = http://clients5.google.com/complete...nputEncoding}&outputencoding={outputEncoding}
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\Test\AppData\Local\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Test\AppData\Local\Google\Chrome\Application\20.0.1132.57\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Test\AppData\Local\Google\Chrome\Application\20.0.1132.57\gcswf32.dll
    CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Test\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: AVG Internet Security (Enabled) = C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2161_0\plugins/avgnpss.dll
    CHR - plugin: Skype Toolbars (Enabled) = C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.9.0.9216_0\npSkypeChromePlugin.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Java Deployment Toolkit 6.0.180.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
    CHR - plugin: Java(TM) Platform SE 6 U18 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: Google Talk Plugin (Enabled) = C:\Users\Test\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Users\Test\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    CHR - plugin: Picasa (Enabled) = C:\Program Files\Google\Picasa3\npPicasa3.dll
    CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
    CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll
    CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll
    CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
    CHR - plugin: Google Update (Enabled) = C:\Users\Test\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: Windows Activation Technologies (Enabled) = C:\Windows\system32\Wat\npWatWeb.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
    CHR - Extension: YouTube = C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
    CHR - Extension: Google Search = C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
    CHR - Extension: AVG Safe Search = C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2191_0\
    CHR - Extension: Smooth Gestures = C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfkgmnnajiljnolcgolmmgnecgldgeld\0.15.4.13_0\
    CHR - Extension: AVG Do Not Track = C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof\12.0.0.2166_0\
    CHR - Extension: Gmail = C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

    O1 HOSTS File: ([2012/07/21 19:27:02 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {06433BFE-4946-4E89-823D-CD359C81CD06} - No CLSID value found.
    O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (no name) - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Mouse Gestures) - {A6A49249-57AE-4295-8D4D-18A9502C7D8E} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll (Drowse)
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O3 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
    O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
    O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Logitech Inc.)
    O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam10\QuickCam10.exe ()
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-603813022-4084152872-712802821-1004..\Run: [3RVX] C:\Program Files\3RVX\3RVX.exe (matt.malensek.net)
    O4 - HKU\S-1-5-21-603813022-4084152872-712802821-1004..\Run: [Radio Downloader] "C:\Program Files\Radio Downloader\Radio Downloader.exe" /hidemainwindow File not found
    O4 - HKU\S-1-5-21-603813022-4084152872-712802821-1004..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
    O4 - Startup: C:\Users\Henry Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PS3 Media Server.lnk = C:\Program Files\PS3 Media Server\PMS.exe (PS3 Media Server)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
    O8 - Extra context menu item: Add to Evernote 4.0 - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
    O9 - Extra Button: eBay.co.uk - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/710-72741-17534-1/4 File not found
    O9 - Extra 'Tools' menuitem : eBay.co.uk - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/710-72741-17534-1/4 File not found
    O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Mouse Gestures... - {4E660F19-E91E-41E1-88EF-D1DFAB118F67} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll (Drowse)
    O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
    O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
    O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
    O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
    O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
    O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
    O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
    O15 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..Trusted Domains: sony.com ([]* in Trusted sites)
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab (Office Genuine Advantage Validation Tool)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6015F214-CB55-44FC-B878-70EF53C92016}: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8AD1ED2A-190F-418E-9118-9075A9523055}: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B2C14BC4-0F81-4F95-8DAB-D2B184212427}: DhcpNameServer = 192.168.42.129
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2004/06/29 14:15:58 | 000,000,029 | R--- | M] () - J:\autorun.inf -- [ CDFS ]
    O33 - MountPoints2\{c48afcb8-be8b-11e1-b53f-406186951fdb}\Shell - "" = AutoRun
    O33 - MountPoints2\{c48afcb8-be8b-11e1-b53f-406186951fdb}\Shell\AutoRun\command - "" = F:\Startme.exe
    O33 - MountPoints2\{e5f127b6-b9da-11df-ba65-406186951fdb}\Shell - "" = AutoRun
    O33 - MountPoints2\{e5f127b6-b9da-11df-ba65-406186951fdb}\Shell\AutoRun\command - "" = K:\AutoRun.exe
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AutoRun.exe
    O33 - MountPoints2\K\Shell - "" = AutoRun
    O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\AutoRun.exe
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/23 22:03:59 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Test\Desktop\OTL.exe
    [2012/07/22 13:38:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
    [2012/07/22 13:38:23 | 000,000,000 | -H-D | C] -- C:\$AVG
    [2012/07/21 21:42:24 | 000,000,000 | ---D | C] -- C:\Users\Test\AppData\Roaming\AVG2012
    [2012/07/21 19:35:21 | 000,000,000 | ---D | C] -- C:\Users\Test\AppData\Local\temp
    [2012/07/21 19:27:09 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/07/21 19:23:07 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/07/21 19:10:44 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/07/21 19:10:44 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/07/21 19:10:44 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/07/21 19:10:40 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/07/21 19:10:38 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/07/21 19:10:18 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/07/21 06:52:05 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/07/20 22:25:03 | 000,100,864 | ---- | C] (GMER) -- C:\ffxdrpog.sys
    [2012/07/19 23:04:44 | 000,000,000 | ---D | C] -- C:\Windows\System32\DBBK
    [2012/07/19 07:12:48 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/07/15 07:15:28 | 000,000,000 | ---D | C] -- C:\ProgramData\6C82ED420009B0E872A08290F875F020
    [2012/06/25 11:29:18 | 000,000,000 | ---D | C] -- C:\Users\Test\Desktop\MumJanice
    [2 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/07/23 22:28:00 | 000,000,940 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1001UA.job
    [2012/07/23 22:07:01 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1004Core.job
    [2012/07/23 22:07:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1004UA.job
    [2012/07/23 22:04:05 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Test\Desktop\OTL.exe
    [2012/07/23 22:00:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/07/23 18:16:41 | 101,994,634 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
    [2012/07/23 17:17:30 | 000,009,920 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/07/23 17:17:30 | 000,009,920 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/07/23 17:09:52 | 2615,910,400 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/23 07:28:00 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-603813022-4084152872-712802821-1001Core.job
    [2012/07/22 23:31:12 | 271,898,784 | ---- | M] () -- C:\Users\Test\Desktop\TVBOXNOW Witness Insecurity Ch09.rmvb
    [2012/07/22 13:38:42 | 000,000,939 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk
    [2012/07/21 21:23:58 | 000,629,582 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/07/21 21:23:58 | 000,112,060 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/07/21 19:27:02 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/07/20 22:25:03 | 000,100,864 | ---- | M] (GMER) -- C:\ffxdrpog.sys
    [2012/07/19 07:13:06 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/07/12 07:05:30 | 000,002,403 | ---- | M] () -- C:\Users\Test\Desktop\Google Chrome.lnk
    [2012/07/11 07:06:16 | 000,462,472 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/07/08 17:15:10 | 000,466,593 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
    [2012/07/08 11:41:59 | 000,000,004 | ---- | M] () -- C:\authres.html
    [2012/07/07 07:38:57 | 000,761,236 | ---- | M] () -- C:\Users\Test\Desktop\DSCF1670.JPG
    [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/07/03 07:21:24 | 587,214,217 | ---- | M] () -- C:\Users\Test\Desktop\TVBOXNOW_Tiger_Cubs_Ch02.mp4
    [2012/06/26 18:01:54 | 000,081,722 | ---- | M] () -- C:\Users\Test\Desktop\teachers standards from september 2012.pdf
    [2012/06/26 10:28:56 | 000,833,319 | ---- | M] () -- C:\Users\Test\Desktop\Languages-Review.pdf
    [2 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/07/22 22:35:53 | 271,898,784 | ---- | C] () -- C:\Users\Test\Desktop\TVBOXNOW Witness Insecurity Ch09.rmvb
    [2012/07/21 19:10:44 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/07/21 19:10:44 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/07/21 19:10:44 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/07/21 19:10:44 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/07/21 19:10:44 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/07/19 23:23:02 | 000,028,424 | ---- | C] () -- C:\Windows\System32\drivers\PRSBDrvr.sys
    [2012/07/19 23:04:44 | 000,225,664 | ---- | C] () -- C:\Windows\System32\drivers\DasBootS.SYS
    [2012/07/19 23:04:44 | 000,059,272 | ---- | C] () -- C:\Windows\System32\drivers\DasBootF.SYS
    [2012/07/19 23:04:44 | 000,027,528 | ---- | C] () -- C:\Windows\System32\drivers\DasBootK.SYS
    [2012/07/19 23:04:44 | 000,020,744 | ---- | C] () -- C:\Windows\System32\drivers\DasBoot.SYS
    [2012/07/19 23:04:44 | 000,009,096 | ---- | C] () -- C:\Windows\System32\drivers\DasBootI.SYS
    [2012/07/19 23:04:44 | 000,009,096 | ---- | C] () -- C:\Windows\System32\drivers\DasBootE.SYS
    [2012/07/19 23:04:44 | 000,003,072 | ---- | C] () -- C:\Windows\System32\drivers\DasBootD.SYS
    [2012/07/19 07:12:59 | 000,001,919 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/07/07 07:38:56 | 000,761,236 | ---- | C] () -- C:\Users\Test\Desktop\DSCF1670.JPG
    [2012/07/03 07:12:58 | 587,214,217 | ---- | C] () -- C:\Users\Test\Desktop\TVBOXNOW_Tiger_Cubs_Ch02.mp4
    [2012/06/26 18:01:54 | 000,081,722 | ---- | C] () -- C:\Users\Test\Desktop\teachers standards from september 2012.pdf
    [2012/06/26 10:28:56 | 000,833,319 | ---- | C] () -- C:\Users\Test\Desktop\Languages-Review.pdf
    [2012/06/17 10:29:02 | 000,661,629 | ---- | C] () -- C:\Users\Test\viewTaxReturnPdf.pdf
    [2012/03/29 23:28:24 | 000,002,795 | ---- | C] () -- C:\Users\Test\Official Guide to the TOEFL Test, Third Edition.lnk
    [2012/03/29 23:28:24 | 000,002,615 | ---- | C] () -- C:\Users\Test\TOEFL Practice Tests.lnk
    [2012/03/24 18:12:06 | 000,000,033 | ---- | C] () -- C:\ProgramData\droidcam-settings
    [2012/02/12 09:48:11 | 000,018,760 | ---- | C] () -- C:\Windows\System32\QQVistaHelper.dll
    [2011/10/13 10:01:28 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
    [2011/08/05 07:39:04 | 000,001,204 | -HS- | C] () -- C:\Users\Test\AppData\Local\wvt617p653s1oh
    [2011/08/05 07:39:04 | 000,000,000 | -HS- | C] () -- C:\ProgramData\wvt617p653s1oh
    [2011/07/23 18:20:58 | 000,000,031 | -H-- | C] () -- C:\Windows\UKCpInfo.sys
    [2011/07/12 10:41:42 | 000,000,029 | -H-- | C] () -- C:\Users\Test\.picasa.ini
    [2011/07/07 23:42:49 | 000,000,848 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
    [2011/05/30 09:05:04 | 000,003,584 | ---- | C] () -- C:\Users\Test\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/04/15 23:54:05 | 000,010,240 | ---- | C] () -- C:\Windows\System32\drivers\mdvrmng.sys
    [2011/04/05 00:20:34 | 000,001,376 | -HS- | C] () -- C:\ProgramData\4sitd58ruu5k5f08bm75d102b10ml1
    [2011/04/04 22:06:01 | 000,000,136 | ---- | C] () -- C:\ProgramData\~32562952r
    [2011/04/04 22:06:01 | 000,000,112 | ---- | C] () -- C:\ProgramData\~32562952
    [2011/04/04 22:03:19 | 000,012,270 | -HS- | C] () -- C:\ProgramData\ht74csuklln463r7lp26k3qo87473u4w6tsier6bv5m8c
    [2010/12/15 20:33:32 | 000,002,975 | ---- | C] () -- C:\Windows\System32\atipblag.dat
    [2010/12/09 10:42:22 | 000,000,056 | ---- | C] () -- C:\Windows\System32\ezsidmv.dat
    [2010/10/27 23:13:58 | 000,226,857 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
    [2010/08/31 09:50:39 | 000,000,000 | ---- | C] () -- C:\Windows\PPViewer.INI

    ========== LOP Check ==========

    [2012/07/21 19:07:09 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\AVG2012
    [2010/05/29 15:34:15 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\GetRightToGo
    [2010/12/28 10:54:25 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\HTC
    [2010/12/24 18:03:41 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
    [2011/02/06 12:16:21 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\ImgBurn
    [2010/04/15 19:48:07 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\IObit
    [2010/04/09 07:45:28 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\Leadertech
    [2011/04/02 00:41:32 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\mkvtoolnix
    [2010/05/08 12:13:26 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\MotioninJoy
    [2010/12/24 11:58:31 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\Mp3tag
    [2010/12/17 15:12:00 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\Opera
    [2011/02/24 00:22:33 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\Outlook
    [2011/12/07 22:26:45 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\PhotoScape
    [2010/04/07 07:04:49 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\Red Kawa
    [2010/08/19 23:05:30 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\TomTom
    [2012/07/21 21:19:20 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\uTorrent
    [2010/04/15 20:00:04 | 000,000,000 | ---D | M] -- C:\Users\Henry Desktop\AppData\Roaming\VS Revo Group
    [2012/07/21 21:42:24 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\AVG2012
    [2011/04/15 23:54:28 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Birdstep Technology
    [2011/05/14 20:30:40 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Broad Intelligence
    [2011/07/08 00:43:41 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2012/01/24 21:37:15 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Dyvynya
    [2012/01/24 08:33:39 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Fyon
    [2012/03/29 23:29:30 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\GetRightToGo
    [2011/04/12 07:49:22 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\HTC
    [2011/05/06 07:43:35 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
    [2011/04/13 09:04:23 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Leadertech
    [2012/03/29 23:28:19 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\M-HTOEFL
    [2011/04/29 11:35:39 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\mkvtoolnix
    [2011/08/25 19:18:07 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Notepad++
    [2012/01/21 14:10:51 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Nywa
    [2011/05/02 17:47:15 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Opera
    [2011/07/04 07:44:33 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Pyfia
    [2012/04/04 22:20:27 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Red Kawa
    [2012/02/12 13:18:03 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Tencent
    [2012/01/27 08:34:23 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Ugy
    [2012/07/23 22:33:45 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\uTorrent
    [2012/04/16 23:21:26 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\www.nerdoftheherd.com
    [2012/06/30 16:03:45 | 000,032,608 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    < End of report >
     
  13. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {06433BFE-4946-4E89-823D-CD359C81CD06} - No CLSID value found.
      SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
      O2 - BHO: (no name) - {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} - No CLSID value found.
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O3 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
      O3 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
      O4 - HKU\S-1-5-21-603813022-4084152872-712802821-1004..\Run: [Radio Downloader] "C:\Program Files\Radio Downloader\Radio Downloader.exe" /hidemainwindow File not found
      O9 - Extra Button: eBay.co.uk - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/710-72741-17534-1/4 File not found
      O9 - Extra 'Tools' menuitem : eBay.co.uk - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/710-72741-17534-1/4 File not found
      O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
      O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
      O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
      O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
      O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
      O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
      O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
      O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
      O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
      O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
      O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
      O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
      O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
      O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
      O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
      O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
      O15 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
      O15 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..Trusted Domains: freerealms.com ([]* in Trusted sites)
      O15 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..Trusted Domains: soe.com ([]* in Trusted sites)
      O15 - HKU\S-1-5-21-603813022-4084152872-712802821-1004\..Trusted Domains: sony.com ([]* in Trusted sites)
      O33 - MountPoints2\{c48afcb8-be8b-11e1-b53f-406186951fdb}\Shell - "" = AutoRun
      O33 - MountPoints2\{c48afcb8-be8b-11e1-b53f-406186951fdb}\Shell\AutoRun\command - "" = F:\Startme.exe
      O33 - MountPoints2\{e5f127b6-b9da-11df-ba65-406186951fdb}\Shell - "" = AutoRun
      O33 - MountPoints2\{e5f127b6-b9da-11df-ba65-406186951fdb}\Shell\AutoRun\command - "" = K:\AutoRun.exe
      O33 - MountPoints2\F\Shell - "" = AutoRun
      O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AutoRun.exe
      O33 - MountPoints2\K\Shell - "" = AutoRun
      O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\AutoRun.exe
      [2012/07/21 06:52:05 | 000,000,000 | ---D | C] -- C:\FRST
      [2011/08/05 07:39:04 | 000,001,204 | -HS- | C] () -- C:\Users\Test\AppData\Local\wvt617p653s1oh
      [2011/08/05 07:39:04 | 000,000,000 | -HS- | C] () -- C:\ProgramData\wvt617p653s1oh
      [2011/04/05 00:20:34 | 000,001,376 | -HS- | C] () -- C:\ProgramData\4sitd58ruu5k5f08bm75d102b10ml1
      [2011/04/04 22:06:01 | 000,000,136 | ---- | C] () -- C:\ProgramData\~32562952r
      [2011/04/04 22:06:01 | 000,000,112 | ---- | C] () -- C:\ProgramData\~32562952
      [2011/04/04 22:03:19 | 000,012,270 | -HS- | C] () -- C:\ProgramData\ht74csuklln463r7lp26k3qo87473u4w6tsier6bv5m8c
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  14. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    OTL:
    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06433BFE-4946-4E89-823D-CD359C81CD06}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06433BFE-4946-4E89-823D-CD359C81CD06}\ not found.
    Service RoxLiveShare10 stopped successfully!
    Service RoxLiveShare10 deleted successfully!
    File C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{481EE3EC-C026-4F9A-BA22-FD07654ADFC0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{481EE3EC-C026-4F9A-BA22-FD07654ADFC0}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_USERS\S-1-5-21-603813022-4084152872-712802821-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
    Registry value HKEY_USERS\S-1-5-21-603813022-4084152872-712802821-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
    Registry value HKEY_USERS\S-1-5-21-603813022-4084152872-712802821-1004\Software\Microsoft\Windows\CurrentVersion\Run\\Radio Downloader deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA}\ not found.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
    Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ not found.
    Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ not found.
    Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ not found.
    Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ not found.
    Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-603813022-4084152872-712802821-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c48afcb8-be8b-11e1-b53f-406186951fdb}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c48afcb8-be8b-11e1-b53f-406186951fdb}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c48afcb8-be8b-11e1-b53f-406186951fdb}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c48afcb8-be8b-11e1-b53f-406186951fdb}\ not found.
    File F:\Startme.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e5f127b6-b9da-11df-ba65-406186951fdb}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e5f127b6-b9da-11df-ba65-406186951fdb}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e5f127b6-b9da-11df-ba65-406186951fdb}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e5f127b6-b9da-11df-ba65-406186951fdb}\ not found.
    File K:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K\ not found.
    File K:\AutoRun.exe not found.
    C:\FRST\Quarantine\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\U folder moved successfully.
    C:\FRST\Quarantine\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\L folder moved successfully.
    C:\FRST\Quarantine\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\{75bd8795-729e-3e2a-6b32-659cf4473ab0} folder moved successfully.
    C:\FRST\Quarantine\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\U folder moved successfully.
    C:\FRST\Quarantine\{75bd8795-729e-3e2a-6b32-659cf4473ab0}\L folder moved successfully.
    C:\FRST\Quarantine\{75bd8795-729e-3e2a-6b32-659cf4473ab0} folder moved successfully.
    Folder move failed. C:\FRST\Quarantine scheduled to be moved on reboot.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    C:\Users\Test\AppData\Local\wvt617p653s1oh moved successfully.
    C:\ProgramData\wvt617p653s1oh moved successfully.
    C:\ProgramData\4sitd58ruu5k5f08bm75d102b10ml1 moved successfully.
    C:\ProgramData\~32562952r moved successfully.
    C:\ProgramData\~32562952 moved successfully.
    C:\ProgramData\ht74csuklln463r7lp26k3qo87473u4w6tsier6bv5m8c moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56502 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Henry Desktop
    ->Temp folder emptied: 581876 bytes
    ->Temporary Internet Files folder emptied: 18862063 bytes
    ->Java cache emptied: 6179 bytes
    ->Google Chrome cache emptied: 372072743 bytes
    ->Opera cache emptied: 37780486 bytes
    ->Flash cache emptied: 245037 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Test
    ->Temp folder emptied: 371984 bytes
    ->Temporary Internet Files folder emptied: 25248408 bytes
    ->Java cache emptied: 1387849 bytes
    ->FireFox cache emptied: 291670179 bytes
    ->Google Chrome cache emptied: 424002507 bytes
    ->Opera cache emptied: 57193881 bytes
    ->Flash cache emptied: 4060985 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 97732 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 2825287424 bytes

    Total Files Cleaned = 3,871.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Henry Desktop
    ->Java cache emptied: 0 bytes

    User: Public

    User: Test
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Henry Desktop
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Test
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.53.1 log created on 07242012_220010

    Files\Folders moved on Reboot...
    File\Folder C:\FRST\Quarantine not found!

    PendingFileRenameOperations files...
    File C:\FRST\Quarantine not found!

    Registry entries deleted on Reboot...
     
  15. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    SecurityCheck log:
    Results of screen317's Security Check version 0.99.24
    Windows 7 Service Pack 1 x86 (UAC is disabled!)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG 2012
    Microsoft Security Essentials
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 18
    Out of date Java installed!
    Adobe Flash Player ( 10.3.181.26) Flash Player Out of Date!
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    AVG avgemc.exe
    Microsoft Security Essentials msseces.exe
    ``````````End of Log````````````
     
  16. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    FSS log:
    Farbar Service Scanner Version: 22-07-2012
    Ran by Test (administrator) on 24-07-2012 at 22:10:47
    Running from "C:\Users\Test\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is set to Disabled. The default start type is 3.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.


    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============

    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is set to Auto
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  17. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    And here is the estet log:
    C:\Users\Henry Desktop\Videos\TV\Anvsoft Flash Slideshow Maker Professional v4.75+KgN[h33t][rupliham]\Setup\Keymaker.rar probably a variant of Win32/Agent.MMXBBOW trojan deleted - quarantined
    C:\Users\Henry Desktop\Videos\TV\Pimp My Droid\Android Apps\InstantRoot (1.04).apk Android/Exploit.Lotoor.AP trojan deleted - quarantined
    C:\Users\Henry Desktop\Videos\TV\Pimp My Droid\Android Apps\Recovery Flasher (1.1.3).apk multiple threats deleted - quarantined
    C:\Users\Henry Desktop\Videos\TV\Windows XP Professional 32-bit en-US - Black Edition v2010.12.18\Windows XP Professional 32-bit en-US - Black Edition v2010.12.18.iso Win32/Adware.ADON application deleted - quarantined
     
  18. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Did you disable system restore for whatever reason?
    If so re-enable it.

    ===============================

    Update Adobe Flash Player
    Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

    ===============================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  19. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    Tried enabling system restore but every time I open system properties page it is coming up with an error
     
  20. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    OTL Log:
    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Henry Desktop
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Test
    ->Temp folder emptied: 982669 bytes
    ->Temporary Internet Files folder emptied: 6385503 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 38075162 bytes
    ->Opera cache emptied: 55385728 bytes
    ->Flash cache emptied: 2404 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 20262 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 1671426708 bytes

    Total Files Cleaned = 1,690.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Henry Desktop
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Test
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Henry Desktop
    ->Java cache emptied: 0 bytes

    User: Public

    User: Test
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb

    Unable to start System Restore Service. Error code -2147212542

    OTL by OldTimer - Version 3.2.53.1 log created on 07252012_220258

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  21. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Go Start and in "Start search" type:
    services.msc
    Press Enter.

    Services window will open.
    Scroll down to "Windows backup" service.
    Right click on it, click "Properties".
    Under "Startup type" select "Manual" from drop down menu.
    OK your way out.

    Restart computer and see if you can enable system restore.
     
  22. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    Nope, still didn't work
     
  23. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Post new FSS log.
     
  24. hekawila

    hekawila TS Rookie Topic Starter Posts: 23

    Farbar Service Scanner Version: 22-07-2012
    Ran by Test (administrator) on 26-07-2012 at 00:23:24
    Running from "C:\Users\Test\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============

    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is set to Auto
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  25. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Looks good.

    I see no reason for system restore not working.

    What EXACTLY happens?
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...