TechSpot

Sirefef virus issue

By menka
Jun 23, 2012
    Hello, my desktop seemed to have caught the Sirefef virus. Windows Security Essentials is forcing the desktop to restart after one minute, even though it claimed to have cleaned the virus. I go into safe mode to try to run Malwarebytes, but the desktop shuts down before the scan can finish. I notice this is a common problem from the topic threads, but it seems recommended that I make my own thread topic other than copying other users. I am running Windows 7 64-bit Home Premium if that helps.

    menka (TS Member, Topic Starter)

    Okay, I downloaded the Farbar recovery tool:

    Scan result of Farbar Recovery Scan Tool Version: 23-06-2012
    Ran by SYSTEM at 23-06-2012 13:31:42
    Running from F:\
    Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12632168 2011-07-18] (Realtek Semiconductor)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641664 2012-04-05] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml [10752 2012-02-20] ()
    HKU\Calice\...\Run: [0i763f66bz] C:\Users\Calice\0i763f66bz.exe [x]
    HKU\Calice\...\Run: [Regedit32] C:\Windows\system32\regedit.exe [x]
    Tcpip\Parameters: [DhcpNameServer] 65.32.5.111 65.32.5.112

    ==================== Services (Whitelisted) ======

    2 EventSystem; C:\Windows\SysWow64\es.dll [271360 2009-07-13] (Microsoft Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)

    ========================== Drivers (Whitelisted) =============

    2 AODDriver4.01; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
    2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
    3 NVENETFD; C:\Windows\System32\DRIVERS\nvm62x64.sys [408960 2009-06-10] (NVIDIA Corporation)
    3 NVNET; C:\Windows\System32\DRIVERS\nvmf6264.sys [350952 2010-08-12] (NVIDIA Corporation)
    3 UsbGps; C:\Windows\System32\DRIVERS\lgx64gps.sys [27136 2008-11-11] (LG Electronics Inc.)
    3 ALSysIO; \??\C:\Users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys [x]
    3 gdrv; \??\C:\Windows\gdrv.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-06-23 08:58 - 2012-06-23 08:58 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1EE77193F9BCFE96
    2012-06-23 08:56 - 2012-06-23 08:56 - 00000328 ____A C:\Windows\PFRO.log
    2012-06-23 07:35 - 2012-06-23 07:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CE47B7580E4127D0
    2012-06-23 07:24 - 2012-06-23 07:24 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5994B9A783CBAC2F
    2012-06-23 07:16 - 2012-06-23 07:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.619C4D112007EE12
    2012-06-23 07:13 - 2012-06-23 07:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8A63788CF596CCF5
    2012-06-23 07:08 - 2012-06-23 07:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C5C946D4B2BF6104
    2012-06-23 07:05 - 2012-06-23 07:05 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.49D2A407B3219963
    2012-06-23 06:47 - 2012-06-23 06:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.FD71B6D71538D73C
    2012-06-23 06:41 - 2012-06-23 06:41 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A0A2B4E64A5EB56A
    2012-06-23 06:36 - 2012-06-23 06:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F33C70996493D25B
    2012-06-23 06:36 - 2012-06-23 06:36 - 00000000 ____D C:\Users\Calice\AppData\Roaming\Malwarebytes
    2012-06-23 06:33 - 2012-06-23 06:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.58CAF57F892AF75F
    2012-06-23 06:33 - 2012-06-23 06:33 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-06-23 06:33 - 2012-06-23 06:33 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-06-23 06:33 - 2012-06-23 06:33 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-06-23 06:33 - 2012-04-04 11:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-23 06:31 - 2012-06-23 06:31 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Calice\Downloads\mbam-setup-1.61.0.1400.exe
    2012-06-23 06:31 - 2012-06-23 06:31 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A2007D98A6CD6238
    2012-06-23 06:28 - 2012-06-23 06:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ABBEF8ABF0A3E908
    2012-06-23 06:26 - 2012-06-23 06:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.29FC24FA8905EC12
    2012-06-23 06:23 - 2012-06-23 06:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.103CBED513E3C65D
    2012-06-23 06:22 - 2012-06-23 08:59 - 00001568 ____A C:\Windows\setupact.log
    2012-06-23 06:22 - 2012-06-23 06:22 - 00000000 ____A C:\Windows\setuperr.log
    2012-06-23 06:20 - 2012-06-23 06:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D45CCEF7CB5FEC72
    2012-06-23 06:18 - 2012-06-23 06:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.643BBA4CF88C93BC
    2012-06-23 06:13 - 2012-06-23 06:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BA177F2C14A4843F
    2012-06-23 06:09 - 2012-06-23 06:09 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8735FAF4A73CA8CB
    2012-06-23 06:06 - 2012-06-23 06:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EC6FB467ADB4FF9C
    2012-06-23 06:00 - 2012-06-23 06:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-06-23 06:00 - 2012-06-23 06:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-06-23 05:59 - 2012-06-23 05:59 - 12621696 ____A (Microsoft Corporation) C:\Users\Calice\Downloads\mseinstall.exe
    2012-06-22 14:48 - 2012-06-22 14:48 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-06-21 09:15 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-21 09:15 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-21 09:15 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-21 09:15 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-21 09:15 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-21 09:15 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-21 09:15 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-21 09:15 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-21 09:15 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-20 13:53 - 2012-06-20 13:54 - 00000000 ____D C:\Users\Calice\AppData\Local\{F9624A5F-E9A5-4818-A833-33DEB9BA90A6}
    2012-06-20 13:53 - 2012-06-20 13:53 - 00000000 ____D C:\Users\Calice\AppData\Local\{1ED868E8-4FB4-413F-8AE7-73D41338ED21}
    2012-06-16 11:14 - 2012-06-16 11:19 - 00000000 ____D C:\Users\Calice\AppData\Roaming\NCH Software
    2012-06-16 11:14 - 2012-06-16 11:14 - 00521312 ____A (NCH Software) C:\Users\Calice\Downloads\switchsetup.exe
    2012-06-16 11:14 - 2012-06-16 11:14 - 00000000 ____D C:\Users\All Users\NCH Software
    2012-06-16 11:14 - 2012-06-16 11:14 - 00000000 ____D C:\Program Files (x86)\NCH Software
    2012-06-15 18:35 - 2012-06-15 18:40 - 00000000 ____D C:\Users\Calice\AppData\Local\Conduit
    2012-06-15 18:35 - 2012-06-15 18:35 - 00000000 ____D C:\Program Files (x86)\Conduit
    2012-06-15 18:33 - 2012-06-15 18:33 - 00078512 ____A C:\Users\Calice\Downloads\InstallIMVU_472.0_st_c.exe
    2012-06-12 20:26 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-12 20:26 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-12 20:26 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-12 20:26 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-12 20:26 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-12 20:26 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-12 20:26 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-12 20:26 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-12 20:26 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-12 20:26 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-12 20:26 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-12 20:26 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-12 20:26 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-12 20:26 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-12 20:26 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-12 20:26 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-12 20:26 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-12 20:26 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-12 20:26 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-12 20:26 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-12 20:26 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-12 20:26 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-12 20:26 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-12 20:26 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-12 20:26 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-12 20:26 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-12 20:26 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-12 20:26 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-12 14:14 - 2012-06-12 14:15 - 00000000 ____D C:\Users\Calice\AppData\Local\{02FA11B7-A6B4-4E03-9B22-D26A4597B86D}
    2012-06-12 14:14 - 2012-06-12 14:14 - 00000000 ____D C:\Users\Calice\AppData\Local\{534D160A-FEC6-4DCB-B9BD-D8918E279241}
    2012-06-12 13:51 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-12 13:51 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-06-12 13:51 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-06-12 13:51 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-06-12 13:51 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-06-12 13:51 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-06-12 13:51 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-06-12 13:51 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-06-12 13:51 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-06-12 13:51 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-06-12 13:51 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-06-12 13:51 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-06-12 13:51 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-06-12 13:51 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-06-12 13:51 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-06-12 13:51 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
    2012-06-12 13:51 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
    2012-06-11 17:24 - 2012-06-11 17:24 - 00000000 ____D C:\Users\Calice\AppData\Local\{6E639B70-DCF1-4026-8059-E2922519EDB0}
    2012-06-11 17:24 - 2012-06-11 17:24 - 00000000 ____D C:\Users\Calice\AppData\Local\{38813479-1E4D-4561-BC86-455119DF3FC6}
    2012-06-11 16:01 - 2012-06-11 16:01 - 00000000 ____D C:\Program Files (x86)\LG Electronics
    2012-06-11 16:01 - 2008-11-11 09:42 - 00033792 ____A (LG Electronics Inc.) C:\Windows\System32\Drivers\lgx64modem.sys
    2012-06-11 16:01 - 2008-11-11 09:42 - 00027136 ____A (LG Electronics Inc.) C:\Windows\System32\Drivers\lgx64gps.sys
    2012-06-11 16:01 - 2008-11-11 09:42 - 00027136 ____A (LG Electronics Inc.) C:\Windows\System32\Drivers\lgx64diag.sys
    2012-06-11 16:01 - 2008-11-11 09:42 - 00017920 ____A (LG Electronics Inc.) C:\Windows\System32\Drivers\lgx64bus.sys
    2012-06-11 16:00 - 2012-06-11 16:00 - 01529080 ____A (LG Electronics ) C:\Users\Calice\Downloads\LGUSBModemDriver_Eng_WHQL_Ver_4.9.4_All.exe
    2012-06-10 18:03 - 2012-06-10 18:03 - 00000000 ____D C:\Users\Calice\AppData\Local\{48546F70-1B0B-4D93-B9DE-56FECC9245EA}
    2012-06-10 13:45 - 2012-06-10 13:45 - 00000000 ____D C:\Users\All Users\ATI
    2012-06-10 13:45 - 2012-06-10 13:45 - 00000000 ____D C:\Program Files (x86)\AMD AVT
    2012-06-10 13:45 - 2012-06-10 13:45 - 00000000 ____D C:\Program Files (x86)\AMD APP
    2012-06-09 08:51 - 2012-06-09 08:51 - 00000000 ____D C:\Users\Calice\AppData\Local\Macromedia
    2012-06-01 11:09 - 2012-06-01 11:09 - 00000000 ____D C:\Users\Calice\AppData\Local\{89318356-0E99-4C8E-9B05-31F38A440C16}
    2012-06-01 11:09 - 2012-06-01 11:09 - 00000000 ____D C:\Users\Calice\AppData\Local\{357542D8-B6DA-467B-AE3F-A44F5405331A}
    2012-05-31 14:36 - 2012-05-31 14:38 - 00000000 ____D C:\Users\Calice\Documents\Activities
    2012-05-31 14:01 - 2012-05-31 14:01 - 00000000 ____D C:\Users\All Users\Sun
    2012-05-31 14:01 - 2012-05-31 14:01 - 00000000 ____D C:\Program Files (x86)\Oracle
    2012-05-31 14:01 - 2012-04-04 14:47 - 00772504 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
    2012-05-31 14:01 - 2012-04-04 14:47 - 00687504 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
    2012-05-31 14:01 - 2012-04-04 14:47 - 00227720 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
    2012-05-31 14:00 - 2012-05-31 14:00 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
    2012-05-31 14:00 - 2012-05-31 14:00 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
    2012-05-31 14:00 - 2012-05-31 14:00 - 00000000 ____D C:\Program Files (x86)\Java
    2012-05-30 11:01 - 2012-05-30 11:01 - 03862112 ____A (Piriform Ltd) C:\Users\Calice\Downloads\ccsetup319.exe
    2012-05-27 18:20 - 2012-05-27 18:20 - 00012900 ____A C:\Users\Calice\Downloads\BREN.png
    2012-05-27 18:16 - 2012-05-27 18:17 - 00000000 ____D C:\Users\Calice\Downloads\glass
    2012-05-27 18:13 - 2012-05-27 18:13 - 00259067 ____A C:\Users\Calice\Downloads\glass.zip
    2012-05-27 18:07 - 2012-05-27 18:07 - 00011020 ____A C:\Users\Calice\Downloads\BRENTONSLADE5.png
    2012-05-27 18:05 - 2012-05-27 18:05 - 00011034 ____A C:\Users\Calice\Downloads\BRENTON4.png
    2012-05-27 17:58 - 2012-05-27 17:58 - 00006928 ____A C:\Users\Calice\Downloads\BRENTON SLADE3.png
    2012-05-27 17:56 - 2012-05-27 17:56 - 00007084 ____A C:\Users\Calice\Downloads\BRENTONSLADE2.png
    2012-05-27 17:55 - 2012-05-27 17:55 - 00007093 ____A C:\Users\Calice\Downloads\BRENTON SLADE.png
    2012-05-27 17:05 - 2012-05-27 17:05 - 00000000 ____D C:\Users\Calice\Downloads\pulse_sans
    2012-05-27 17:00 - 2012-05-27 17:00 - 00120692 ____A C:\Users\Calice\Downloads\pulse_sans.zip
    2012-05-27 16:59 - 2012-05-27 16:59 - 00000000 ____D C:\Users\Calice\Downloads\crackvetica
    2012-05-27 16:46 - 2012-05-27 16:46 - 00122660 ____A C:\Users\Calice\Downloads\crackvetica.zip
    2012-05-27 16:45 - 2012-05-27 16:45 - 00137123 ____A C:\Users\Calice\Downloads\buy_more.zip
    2012-05-27 16:39 - 2012-05-27 16:39 - 00004660 ____A C:\Users\Calice\Downloads\high_volume.zip
    2012-05-27 16:39 - 2012-05-27 16:39 - 00000000 ____D C:\Users\Calice\Downloads\high_volume
    2012-05-27 16:33 - 2012-05-27 16:33 - 00000000 ____D C:\Users\Calice\Downloads\feedback_loud
    2012-05-27 16:32 - 2012-05-27 16:32 - 00063268 ____A C:\Users\Calice\Downloads\feedback_loud.zip
    2012-05-27 16:24 - 2012-05-27 16:24 - 00000000 ____D C:\Users\Calice\Downloads\vermin_vibes
    2012-05-27 16:21 - 2012-05-27 16:21 - 00049483 ____A C:\Users\Calice\Downloads\vermin_vibes.zip


    ============ 3 Months Modified Files and Folders =============

    2012-06-23 13:31 - 2012-06-23 13:31 - 00000000 ____D C:\FRST
    2012-06-23 08:59 - 2012-06-23 06:22 - 00001568 ____A C:\Windows\setupact.log
    2012-06-23 08:59 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-06-23 08:58 - 2012-06-23 08:58 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1EE77193F9BCFE96
    2012-06-23 08:56 - 2012-06-23 08:56 - 00000328 ____A C:\Windows\PFRO.log
    2012-06-23 08:29 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-06-23 07:35 - 2012-06-23 07:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CE47B7580E4127D0
    2012-06-23 07:24 - 2012-06-23 07:24 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5994B9A783CBAC2F
    2012-06-23 07:16 - 2012-06-23 07:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.619C4D112007EE12
    2012-06-23 07:13 - 2012-06-23 07:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8A63788CF596CCF5
    2012-06-23 07:08 - 2012-06-23 07:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C5C946D4B2BF6104
    2012-06-23 07:05 - 2012-06-23 07:05 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.49D2A407B3219963
    2012-06-23 06:47 - 2012-06-23 06:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.FD71B6D71538D73C
    2012-06-23 06:41 - 2012-06-23 06:41 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A0A2B4E64A5EB56A
    2012-06-23 06:40 - 2012-04-27 16:41 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-06-23 06:36 - 2012-06-23 06:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F33C70996493D25B
    2012-06-23 06:36 - 2012-06-23 06:36 - 00000000 ____D C:\Users\Calice\AppData\Roaming\Malwarebytes
    2012-06-23 06:33 - 2012-06-23 06:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.58CAF57F892AF75F
    2012-06-23 06:33 - 2012-06-23 06:33 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-06-23 06:33 - 2012-06-23 06:33 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-06-23 06:33 - 2012-06-23 06:33 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-06-23 06:31 - 2012-06-23 06:31 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Calice\Downloads\mbam-setup-1.61.0.1400.exe
    2012-06-23 06:31 - 2012-06-23 06:31 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A2007D98A6CD6238
    2012-06-23 06:28 - 2012-06-23 06:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ABBEF8ABF0A3E908
    2012-06-23 06:26 - 2012-06-23 06:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.29FC24FA8905EC12
    2012-06-23 06:23 - 2012-06-23 06:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.103CBED513E3C65D
    2012-06-23 06:22 - 2012-06-23 06:22 - 00000000 ____A C:\Windows\setuperr.log
    2012-06-23 06:20 - 2012-06-23 06:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D45CCEF7CB5FEC72
    2012-06-23 06:18 - 2012-06-23 06:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.643BBA4CF88C93BC
    2012-06-23 06:13 - 2012-06-23 06:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BA177F2C14A4843F
    2012-06-23 06:09 - 2012-06-23 06:09 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8735FAF4A73CA8CB
    2012-06-23 06:06 - 2012-06-23 06:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EC6FB467ADB4FF9C
    2012-06-23 06:04 - 2009-07-13 20:45 - 00021872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-06-23 06:04 - 2009-07-13 20:45 - 00021872 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-06-23 06:00 - 2012-06-23 06:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-06-23 06:00 - 2012-06-23 06:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-06-23 06:00 - 2012-03-14 20:24 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-06-23 06:00 - 2012-03-14 20:23 - 00799314 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-06-23 05:59 - 2012-06-23 05:59 - 12621696 ____A (Microsoft Corporation) C:\Users\Calice\Downloads\mseinstall.exe
    2012-06-23 05:54 - 2012-03-14 19:51 - 00000000 ____D C:\users\Calice
    2012-06-23 05:43 - 2009-07-13 21:13 - 00783160 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-06-22 15:39 - 2012-04-27 16:41 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-06-22 15:39 - 2012-02-03 16:13 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-06-22 14:48 - 2012-06-22 14:48 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-06-22 08:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
    2012-06-20 19:46 - 2012-04-18 16:36 - 00000000 ____D C:\Users\Calice\Tracing
    2012-06-20 13:54 - 2012-06-20 13:53 - 00000000 ____D C:\Users\Calice\AppData\Local\{F9624A5F-E9A5-4818-A833-33DEB9BA90A6}
    2012-06-20 13:54 - 2012-04-18 16:21 - 00000000 ____D C:\Users\Calice\AppData\Local\Windows Live
    2012-06-20 13:53 - 2012-06-20 13:53 - 00000000 ____D C:\Users\Calice\AppData\Local\{1ED868E8-4FB4-413F-8AE7-73D41338ED21}
    2012-06-18 02:59 - 2012-05-02 16:36 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2012-06-17 14:16 - 2012-03-14 19:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2012-06-16 11:19 - 2012-06-16 11:14 - 00000000 ____D C:\Users\Calice\AppData\Roaming\NCH Software
    2012-06-16 11:14 - 2012-06-16 11:14 - 00521312 ____A (NCH Software) C:\Users\Calice\Downloads\switchsetup.exe
    2012-06-16 11:14 - 2012-06-16 11:14 - 00000000 ____D C:\Users\All Users\NCH Software
    2012-06-16 11:14 - 2012-06-16 11:14 - 00000000 ____D C:\Program Files (x86)\NCH Software
    2012-06-15 18:40 - 2012-06-15 18:35 - 00000000 ____D C:\Users\Calice\AppData\Local\Conduit
    2012-06-15 18:35 - 2012-06-15 18:35 - 00000000 ____D C:\Program Files (x86)\Conduit
    2012-06-15 18:33 - 2012-06-15 18:33 - 00078512 ____A C:\Users\Calice\Downloads\InstallIMVU_472.0_st_c.exe
    2012-06-14 12:03 - 2012-04-07 17:52 - 00000000 ____D C:\Users\Calice\AppData\Roaming\SoftGrid Client
    2012-06-13 13:02 - 2009-07-13 20:45 - 00299160 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-12 20:30 - 2012-02-06 16:15 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-06-12 14:15 - 2012-06-12 14:14 - 00000000 ____D C:\Users\Calice\AppData\Local\{02FA11B7-A6B4-4E03-9B22-D26A4597B86D}
    2012-06-12 14:14 - 2012-06-12 14:14 - 00000000 ____D C:\Users\Calice\AppData\Local\{534D160A-FEC6-4DCB-B9BD-D8918E279241}
    2012-06-11 17:24 - 2012-06-11 17:24 - 00000000 ____D C:\Users\Calice\AppData\Local\{6E639B70-DCF1-4026-8059-E2922519EDB0}
    2012-06-11 17:24 - 2012-06-11 17:24 - 00000000 ____D C:\Users\Calice\AppData\Local\{38813479-1E4D-4561-BC86-455119DF3FC6}
    2012-06-11 16:01 - 2012-06-11 16:01 - 00000000 ____D C:\Program Files (x86)\LG Electronics
    2012-06-11 16:01 - 2012-02-03 15:54 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2012-06-11 16:00 - 2012-06-11 16:00 - 01529080 ____A (LG Electronics ) C:\Users\Calice\Downloads\LGUSBModemDriver_Eng_WHQL_Ver_4.9.4_All.exe
    2012-06-10 18:03 - 2012-06-10 18:03 - 00000000 ____D C:\Users\Calice\AppData\Local\{48546F70-1B0B-4D93-B9DE-56FECC9245EA}
    2012-06-10 13:45 - 2012-06-10 13:45 - 00000000 ____D C:\Users\All Users\ATI
    2012-06-10 13:45 - 2012-06-10 13:45 - 00000000 ____D C:\Program Files (x86)\AMD AVT
    2012-06-10 13:45 - 2012-06-10 13:45 - 00000000 ____D C:\Program Files (x86)\AMD APP
    2012-06-10 13:45 - 2012-02-03 16:05 - 00000000 ____D C:\Users\All Users\AMD
    2012-06-10 13:45 - 2012-02-03 16:04 - 00000000 ____D C:\Program Files\ATI Technologies
    2012-06-09 08:51 - 2012-06-09 08:51 - 00000000 ____D C:\Users\Calice\AppData\Local\Macromedia
    2012-06-02 14:19 - 2012-06-21 09:15 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 09:15 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 09:15 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 09:15 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 09:15 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-21 09:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 09:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-21 09:15 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:15 - 2012-06-21 09:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-01 11:09 - 2012-06-01 11:09 - 00000000 ____D C:\Users\Calice\AppData\Local\{89318356-0E99-4C8E-9B05-31F38A440C16}
    2012-06-01 11:09 - 2012-06-01 11:09 - 00000000 ____D C:\Users\Calice\AppData\Local\{357542D8-B6DA-467B-AE3F-A44F5405331A}
    2012-05-31 14:38 - 2012-05-31 14:36 - 00000000 ____D C:\Users\Calice\Documents\Activities
    2012-05-31 14:01 - 2012-05-31 14:01 - 00000000 ____D C:\Users\All Users\Sun
    2012-05-31 14:01 - 2012-05-31 14:01 - 00000000 ____D C:\Program Files (x86)\Oracle
    2012-05-31 14:00 - 2012-05-31 14:00 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
    2012-05-31 14:00 - 2012-05-31 14:00 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
    2012-05-31 14:00 - 2012-05-31 14:00 - 00000000 ____D C:\Program Files (x86)\Java
    2012-05-30 11:01 - 2012-05-30 11:01 - 03862112 ____A (Piriform Ltd) C:\Users\Calice\Downloads\ccsetup319.exe
    2012-05-30 11:01 - 2012-03-14 20:03 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-05-30 11:01 - 2012-03-14 20:03 - 00000000 ____D C:\Program Files\CCleaner
    2012-05-28 14:32 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV
    2012-05-28 08:44 - 2012-03-14 19:51 - 00070832 ____A C:\Users\Calice\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-05-27 18:20 - 2012-05-27 18:20 - 00012900 ____A C:\Users\Calice\Downloads\BREN.png
    2012-05-27 18:17 - 2012-05-27 18:16 - 00000000 ____D C:\Users\Calice\Downloads\glass
    2012-05-27 18:16 - 2011-02-22 07:10 - 00535672 ____A C:\Users\Calice\Downloads\Glass.ttf
     
  3. menka

    menka TS Member Topic Starter Posts: 38


    ZeroAccess:
    C:\Windows\Installer\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}
    C:\Windows\Installer\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\@
    C:\Windows\Installer\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\L
    C:\Windows\Installer\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\n
    C:\Windows\Installer\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\U
    C:\Windows\Installer\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\U\00000001.@
    C:\Windows\Installer\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\U\80000000.@
    C:\Windows\Installer\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\U\800000cb.@

    ZeroAccess:
    C:\Users\Calice\AppData\Local\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}
    C:\Users\Calice\AppData\Local\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\@
    C:\Users\Calice\AppData\Local\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\L
    C:\Users\Calice\AppData\Local\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 9%
    Total physical RAM: 8190.46 MB
    Available physical RAM: 7389.28 MB
    Total Pagefile: 8188.66 MB
    Available Pagefile: 7382.05 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:465.66 GB) (Free:416.99 GB) NTFS
    3 Drive f: () (Removable) (Total:0.94 GB) (Free:0.81 GB) FAT
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ###  Status         Size     Free     Dyn  Gpt
    --------  -------------  -------  -------  ---  ---
    Disk 0    Online         465 GB   1024 KB
    Disk 1    Online         967 MB   0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           100 MB   1024 KB
    Partition 2    Primary           465 GB   101 MB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1  Y    System Rese  NTFS   Partition   100 MB   Healthy

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 2  C                 NTFS   Partition   465 GB   Healthy

    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           967 MB   16 KB

    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 3  F                 FAT    Removable   967 MB   Healthy

    ======================================================================================================

    ==========================================================

    Last Boot: 2012-06-20 12:51

    ======================= End Of Log ==========================
     
  4. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================================

    In Vista or Windows 7: Boot to System Recovery Options and run FRST.
    In Windows XP: Please boot to UBCD and run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes to your reply.
     
  5. menka

    menka TS Member Topic Starter Posts: 38

    Thanks so much for your reply. Hope I did this right.

    Farbar Recovery Scan Tool Version: 23-06-2012
    Ran by SYSTEM at 2012-06-23 16:05:01
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2012-06-23 08:29] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

    ====== End Of Search ======
     
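The check performed by hand in the Search log above (comparing the live C:\Windows\System32\services.exe against the pristine copy Windows keeps in the WinSxS component store) can be automated over FRST's own output. This is an added example, not code from the thread or from the FRST tool; the sample log is constructed from the two entries posted above, and the function names are chosen here.

```python
"""Flag a tampered services.exe from an FRST 'Search' log.

Added example (not part of the thread or of FRST). The WinSxS component
store keeps an untouched copy of each system binary, so a live copy with
the same size but a different MD5 is exactly what FRST's Bamital check
flagged in this thread.
"""
import re

# Constructed sample: the two result blocks from the 'Search: "services.exe"'
# section posted in the thread (a path line followed by a details line).
SAMPLE_SEARCH_LOG = """\
================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\\Windows\\System32\\services.exe
[2009-07-13 15:19] - [2012-06-23 08:29] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# A hit starts with a drive-letter path line ...
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# ... followed by: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search_log(text):
    """Return one dict per hit: path, created, modified, size, attrs, company, md5."""
    records = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i in range(len(lines) - 1):
        if not PATH_RE.match(lines[i]):
            continue
        m = DETAIL_RE.match(lines[i + 1])
        if m is None:
            continue
        rec = m.groupdict()
        rec["path"] = lines[i]
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        records.append(rec)
    return records


def winsxs_reference(records):
    """Pick the WinSxS component-store copy as the trusted reference, or None."""
    for rec in records:
        if "\\winsxs\\" in rec["path"].lower():
            return rec
    return None


def find_tampered(records):
    """Return the live copies whose MD5 or size differs from the WinSxS copy.

    A servicing update also changes the hash, so treat a mismatch as a lead
    to confirm (version info, signature) rather than as proof by itself.
    """
    ref = winsxs_reference(records)
    if ref is None:
        return []
    findings = []
    for rec in records:
        if rec is ref:
            continue
        if rec["md5"] != ref["md5"] or rec["size"] != ref["size"]:
            findings.append({
                "path": rec["path"],
                "md5": rec["md5"],
                "expected_md5": ref["md5"],
                "modified": rec["modified"],
            })
    return findings


if __name__ == "__main__":
    for hit in find_tampered(parse_search_log(SAMPLE_SEARCH_LOG)):
        print(f"{hit['path']}: MD5 {hit['md5']} differs from WinSxS copy "
              f"{hit['expected_md5']} (modified {hit['modified']})")
```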
  6. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    See if you can boot normally.

    If so...

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run, then download and try to run another one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     

  7. menka

    menka TS Member Topic Starter Posts: 38

    OK, I added the file like you said and it booted up normally (thank you so much for that :D), but the log it left was blank. Did I mess up somewhere? After I ran ComboFix it mentioned something about a registry key; I was not really sure what it meant...


    ComboFix 12-06-23.05 - Calice 06/23/2012 19:31:41.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8190.6634 [GMT -4:00]
    Running from: c:\users\Calice\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\tmpA3CD.tmp
    c:\windows\SysWow64\tmpA3CE.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-23 to 2012-06-23 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-23 21:31 . 2012-06-23 21:32 -------- d-----w- C:\FRST
    2012-06-23 16:58 . 2012-06-23 16:58 328704 ----a-w- c:\windows\system32\services.exe.1EE77193F9BCFE96
    2012-06-23 15:35 . 2012-06-23 15:35 328704 ----a-w- c:\windows\system32\services.exe.CE47B7580E4127D0
    2012-06-23 15:24 . 2012-06-23 15:24 328704 ----a-w- c:\windows\system32\services.exe.5994B9A783CBAC2F
    2012-06-23 15:16 . 2012-06-23 15:16 328704 ----a-w- c:\windows\system32\services.exe.619C4D112007EE12
    2012-06-23 15:13 . 2012-06-23 15:13 328704 ----a-w- c:\windows\system32\services.exe.8A63788CF596CCF5
    2012-06-23 15:08 . 2012-06-23 15:08 328704 ----a-w- c:\windows\system32\services.exe.C5C946D4B2BF6104
    2012-06-23 15:05 . 2012-06-23 15:05 328704 ----a-w- c:\windows\system32\services.exe.49D2A407B3219963
    2012-06-23 14:47 . 2012-06-23 14:47 328704 ----a-w- c:\windows\system32\services.exe.FD71B6D71538D73C
    2012-06-23 14:41 . 2012-06-23 14:41 328704 ----a-w- c:\windows\system32\services.exe.A0A2B4E64A5EB56A
    2012-06-23 14:36 . 2012-06-23 14:36 328704 ----a-w- c:\windows\system32\services.exe.F33C70996493D25B
    2012-06-23 14:36 . 2012-06-23 14:36 -------- d-----w- c:\users\Calice\AppData\Roaming\Malwarebytes
    2012-06-23 14:33 . 2012-06-23 14:33 328704 ----a-w- c:\windows\system32\services.exe.58CAF57F892AF75F
    2012-06-23 14:33 . 2012-06-23 14:33 -------- d-----w- c:\programdata\Malwarebytes
    2012-06-23 14:33 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-23 14:33 . 2012-06-23 14:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-06-23 14:31 . 2012-06-23 14:31 328704 ----a-w- c:\windows\system32\services.exe.A2007D98A6CD6238
    2012-06-23 14:28 . 2012-06-23 14:28 328704 ----a-w- c:\windows\system32\services.exe.ABBEF8ABF0A3E908
    2012-06-23 14:26 . 2012-06-23 14:26 328704 ----a-w- c:\windows\system32\services.exe.29FC24FA8905EC12
    2012-06-23 14:23 . 2012-06-23 14:23 328704 ----a-w- c:\windows\system32\services.exe.103CBED513E3C65D
    2012-06-23 14:20 . 2012-06-23 14:20 328704 ----a-w- c:\windows\system32\services.exe.D45CCEF7CB5FEC72
    2012-06-23 14:18 . 2012-06-23 14:18 328704 ----a-w- c:\windows\system32\services.exe.643BBA4CF88C93BC
    2012-06-23 14:13 . 2012-06-23 14:13 328704 ----a-w- c:\windows\system32\services.exe.BA177F2C14A4843F
    2012-06-23 14:09 . 2012-06-23 14:09 328704 ----a-w- c:\windows\system32\services.exe.8735FAF4A73CA8CB
    2012-06-23 14:06 . 2012-06-23 14:06 328704 ----a-w- c:\windows\system32\services.exe.EC6FB467ADB4FF9C
    2012-06-23 14:02 . 2012-06-23 14:02 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5C830568-2D1D-48EF-943B-340EDA25CE9A}\gapaengine.dll
    2012-06-23 14:02 . 2012-05-31 01:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E6FBAD79-DB85-4569-9493-E9832F78C40E}\mpengine.dll
    2012-06-23 14:00 . 2012-06-23 14:00 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-06-23 14:00 . 2012-06-23 14:00 -------- d-----w- c:\program files\Microsoft Security Client
    2012-06-22 22:48 . 2012-06-22 22:48 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-06-21 17:15 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 17:15 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 17:15 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 17:15 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 17:15 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 17:15 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 17:15 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 17:15 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 17:15 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-17 22:16 . 2012-06-17 22:16 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-17 22:16 . 2012-06-17 22:16 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-16 19:14 . 2012-06-23 23:34 -------- d-----w- c:\programdata\NCH Software
    2012-06-16 19:14 . 2012-06-16 19:14 -------- d-----w- c:\program files (x86)\NCH Software
    2012-06-16 19:14 . 2012-06-23 23:34 -------- d-----w- c:\users\Calice\AppData\Roaming\NCH Software
    2012-06-16 02:35 . 2012-06-16 02:35 -------- d-----w- c:\program files (x86)\Conduit
    2012-06-16 02:35 . 2012-06-16 02:40 -------- d-----w- c:\users\Calice\AppData\Local\Conduit
    2012-06-12 00:01 . 2012-06-12 00:01 -------- d-----w- c:\program files (x86)\LG Electronics
    2012-06-12 00:01 . 2008-11-11 17:42 33792 ----a-w- c:\windows\system32\drivers\lgx64modem.sys
    2012-06-12 00:01 . 2008-11-11 17:42 27136 ----a-w- c:\windows\system32\drivers\lgx64gps.sys
    2012-06-12 00:01 . 2008-11-11 17:42 27136 ----a-w- c:\windows\system32\drivers\lgx64diag.sys
    2012-06-12 00:01 . 2008-11-11 17:42 17920 ----a-w- c:\windows\system32\drivers\lgx64bus.sys
    2012-06-12 00:00 . 2001-09-05 09:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
    2012-06-12 00:00 . 2001-09-05 09:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
    2012-06-12 00:00 . 2001-09-05 09:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
    2012-06-12 00:00 . 2001-09-05 09:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
    2012-06-12 00:00 . 2002-07-25 21:07 614532 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    2012-06-10 21:45 . 2012-06-10 21:45 -------- d-----w- c:\programdata\ATI
    2012-06-10 21:45 . 2012-06-10 21:45 -------- d-----w- c:\program files (x86)\AMD AVT
    2012-06-10 21:45 . 2012-06-10 21:45 -------- d-----w- c:\program files (x86)\AMD APP
    2012-06-09 16:51 . 2012-06-09 16:51 -------- d-----w- c:\users\Calice\AppData\Local\Macromedia
    2012-05-31 22:01 . 2012-05-31 22:01 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-05-31 22:01 . 2012-05-31 22:01 -------- d-----w- c:\program files (x86)\Oracle
    2012-05-31 22:01 . 2012-04-04 22:47 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-05-31 22:01 . 2012-04-04 22:47 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-05-31 22:00 . 2012-05-31 22:00 -------- d-----w- c:\program files (x86)\Java
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-22 23:39 . 2012-04-28 00:41 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-22 23:39 . 2012-02-04 00:13 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-04-06 05:22 . 2012-04-06 05:22 11174400 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2012-04-06 02:34 . 2012-04-06 02:34 187392 ----a-w- c:\windows\system32\clinfo.exe
    2012-04-06 02:34 . 2012-04-06 02:34 74752 ----a-w- c:\windows\system32\OpenVideo64.dll
    2012-04-06 02:34 . 2012-04-06 02:34 64512 ----a-w- c:\windows\SysWow64\OpenVideo.dll
    2012-04-06 02:33 . 2012-04-06 02:33 63488 ----a-w- c:\windows\system32\OVDecode64.dll
    2012-04-06 02:33 . 2012-04-06 02:33 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
    2012-04-06 02:33 . 2012-04-06 02:33 16457216 ----a-w- c:\windows\system32\amdocl64.dll
    2012-04-06 02:32 . 2012-04-06 02:32 13007872 ----a-w- c:\windows\SysWow64\amdocl.dll
    2012-04-06 02:22 . 2012-04-06 02:22 159744 ----a-w- c:\windows\system32\atiapfxx.exe
    2012-04-06 02:21 . 2012-02-15 03:18 909312 ----a-w- c:\windows\SysWow64\aticfx32.dll
    2012-04-06 02:20 . 2011-12-06 03:16 1067520 ----a-w- c:\windows\system32\aticfx64.dll
    2012-04-06 02:16 . 2012-04-06 02:16 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2012-04-06 02:16 . 2012-04-06 02:16 503808 ----a-w- c:\windows\system32\atieclxx.exe
    2012-04-06 02:16 . 2012-04-06 02:16 236544 ----a-w- c:\windows\system32\atiesrxx.exe
    2012-04-06 02:14 . 2012-04-06 02:14 120320 ----a-w- c:\windows\system32\atitmm64.dll
    2012-04-06 02:14 . 2012-04-06 02:14 21504 ----a-w- c:\windows\system32\atimuixx.dll
    2012-04-06 02:14 . 2012-04-06 02:14 59392 ----a-w- c:\windows\system32\atiedu64.dll
    2012-04-06 02:14 . 2012-04-06 02:14 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
    2012-04-06 02:13 . 2012-02-15 03:07 6800896 ----a-w- c:\windows\SysWow64\atidxx32.dll
    2012-04-06 02:10 . 2012-04-06 02:10 26181632 ----a-w- c:\windows\system32\atio6axx.dll
    2012-04-06 02:00 . 2011-12-06 02:18 64000 ----a-w- c:\windows\system32\coinst.dll
    2012-04-06 01:54 . 2011-12-06 02:51 7479296 ----a-w- c:\windows\system32\atidxx64.dll
    2012-04-06 01:50 . 2012-04-06 01:50 19753984 ----a-w- c:\windows\SysWow64\atioglxx.dll
    2012-04-06 01:35 . 2012-04-06 01:35 1120768 ----a-w- c:\windows\system32\atiumd6v.dll
    2012-04-06 01:34 . 2012-04-06 01:34 1831424 ----a-w- c:\windows\SysWow64\atiumdmv.dll
    2012-04-06 01:34 . 2012-04-06 01:34 4731904 ----a-w- c:\windows\system32\atiumd6a.dll
    2012-04-06 01:34 . 2012-04-06 01:34 6203392 ----a-w- c:\windows\SysWow64\atiumdag.dll
    2012-04-06 01:30 . 2012-04-06 01:30 51200 ----a-w- c:\windows\system32\aticalrt64.dll
    2012-04-06 01:30 . 2012-04-06 01:30 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
    2012-04-06 01:30 . 2012-04-06 01:30 44544 ----a-w- c:\windows\system32\aticalcl64.dll
    2012-04-06 01:30 . 2012-04-06 01:30 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
    2012-04-06 01:29 . 2012-04-06 01:29 16090624 ----a-w- c:\windows\system32\aticaldd64.dll
    2012-04-06 01:25 . 2012-04-06 01:25 13764096 ----a-w- c:\windows\SysWow64\aticaldd.dll
    2012-04-06 01:23 . 2012-04-06 01:23 7431680 ----a-w- c:\windows\system32\atiumd64.dll
    2012-04-06 01:22 . 2012-04-06 01:22 4795904 ----a-w- c:\windows\SysWow64\atiumdva.dll
    2012-04-06 01:11 . 2012-04-06 01:11 514560 ----a-w- c:\windows\system32\atiadlxx.dll
    2012-04-06 01:11 . 2012-04-06 01:11 360448 ----a-w- c:\windows\SysWow64\atiadlxy.dll
    2012-04-06 01:11 . 2012-04-06 01:11 17408 ----a-w- c:\windows\system32\atig6pxx.dll
    2012-04-06 01:11 . 2012-04-06 01:11 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
    2012-04-06 01:11 . 2012-04-06 01:11 14848 ----a-w- c:\windows\system32\atiglpxx.dll
    2012-04-06 01:11 . 2012-04-06 01:11 41984 ----a-w- c:\windows\system32\atig6txx.dll
    2012-04-06 01:10 . 2012-04-06 01:10 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
    2012-04-06 01:10 . 2012-04-06 01:10 343040 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2012-04-06 01:09 . 2011-12-06 02:11 54784 ----a-w- c:\windows\system32\atiuxp64.dll
    2012-04-06 01:09 . 2012-02-15 02:12 41984 ----a-w- c:\windows\SysWow64\atiuxpag.dll
    2012-04-06 01:09 . 2012-04-06 01:09 44544 ----a-w- c:\windows\system32\atiu9p64.dll
    2012-04-06 01:09 . 2012-04-06 01:09 32256 ----a-w- c:\windows\SysWow64\atiu9pag.dll
    2012-04-06 01:09 . 2012-04-06 01:09 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2012-04-06 01:06 . 2012-04-06 01:06 54784 ----a-w- c:\windows\system32\atimpc64.dll
    2012-04-06 01:06 . 2012-04-06 01:06 54784 ----a-w- c:\windows\system32\amdpcom64.dll
    2012-04-06 01:06 . 2012-04-06 01:06 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
    2012-04-06 01:06 . 2012-04-06 01:06 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
    2012-03-30 11:35 . 2012-05-11 16:00 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-03-05 53888]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-22 250056]
    R3 ALSysIO;ALSysIO;c:\users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys [x]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-15 183560]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-17 113120]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
    R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
    R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
    R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgx64gps.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-04-06 361984]
    S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-03-05 53888]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-23 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 23:39]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-19 12632168]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/?ilc=17
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
    FF - ProfilePath - c:\users\Calice\AppData\Roaming\Mozilla\Firefox\Profiles\32jjc7vf.default\
    FF - prefs.js: browser.startup.homepage - hxxps://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=default&ltmplcache=2
    FF - prefs.js: network.proxy.type - 0
    .
     
  8. menka

    menka TS Member Topic Starter Posts: 38

    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{90b49673-5506-483e-b92b-ca0265bd9ca8} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-06-23 19:40:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-23 23:40
    .
    Pre-Run: 447,607,488,512 bytes free
    Post-Run: 447,495,884,800 bytes free
    .
    - - End Of File - - B66B5312C95BEA19F7158D26E1DC11E5
     
  9. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Open Windows Explorer. Go to Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders, and un-check Hide protected operating system files.
    NOTE: Make sure to reverse the above changes when done with this step.
    Upload the following files to http://www.virustotal.com/ for a security check:
    - c:\windows\system32\services.exe.CE47B7580E4127D0
    - c:\windows\system32\services.exe.1EE77193F9BCFE96
    IMPORTANT! If the file is listed as already analyzed, click on the Reanalyse file now button.
    Post scan results.
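    As an added example (not code from this thread or from ComboFix): a Python script that parses lines in the "Files Created" format shown in the logs above, groups the same-sized services.exe copies that differ only by their hex suffix, flags hidden+system directories for review, and produces the list of paths a helper would ask to have checked. The line layout and the 16-hex-digit suffix are assumed from the posted log, and the sample lines are constructed to match it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample lines in the ComboFix "Files Created" format used in the logs
# above (created . modified size attributes path); not taken from a real machine.
SAMPLE_LOG = """\
2012-06-23 21:31 . 2012-06-23 21:32 -------- d-----w- C:\\FRST
2012-06-23 16:58 . 2012-06-23 16:58 328704 ----a-w- c:\\windows\\system32\\services.exe.1EE77193F9BCFE96
2012-06-23 15:35 . 2012-06-23 15:35 328704 ----a-w- c:\\windows\\system32\\services.exe.CE47B7580E4127D0
2012-06-23 15:24 . 2012-06-23 15:24 328704 ----a-w- c:\\windows\\system32\\services.exe.5994B9A783CBAC2F
2012-06-23 14:33 . 2012-04-04 19:56 24904 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2012-06-22 22:48 . 2012-06-22 22:48 -------- d-sh--w- c:\\windows\\system32\\%APPDATA%
"""

# Size is "--------" for directories; the attribute field is always 8 characters.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# The leftover copies carry a ".<16 hex digits>" suffix (assumed from the paths
# posted above, not from any ComboFix documentation).
BACKUP_SUFFIX_RE = re.compile(r"\.[0-9A-Fa-f]{16}$")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories
    attrs: str           # e.g. "d-sh--w-": d=directory, s=system, h=hidden
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs


def parse_files_created(text: str) -> List[Entry]:
    """Parse a pasted 'Files Created' section; non-entry lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=size, attrs=m["attrs"], path=m["path"]))
    return entries


def find_repair_backups(entries: List[Entry], min_copies: int = 2) -> Dict[str, List[Entry]]:
    """Group files that differ only by a hex suffix, keyed by the original path.
    Many same-sized copies of one system binary created minutes apart is the
    clean-then-reinfect cycle the thread describes."""
    groups: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        if not e.is_dir and BACKUP_SUFFIX_RE.search(e.path):
            groups[BACKUP_SUFFIX_RE.sub("", e.path).lower()].append(e)
    return {base: sorted(copies, key=lambda c: c.created)
            for base, copies in groups.items() if len(copies) >= min_copies}


def find_hidden_system_dirs(entries: List[Entry]) -> List[Entry]:
    """Directories under \\windows\\ created with both hidden and system attributes,
    flagged for review only; a literal '%APPDATA%' name is not an expanded variable."""
    return [e for e in entries
            if e.is_dir and e.hidden_system and "\\windows\\" in e.path.lower()]


def paths_to_submit(entries: List[Entry]) -> List[str]:
    """Every suffixed copy, sorted: the list a helper asks to have checked."""
    return sorted(c.path for copies in find_repair_backups(entries).values() for c in copies)


def summarize(text: str) -> List[str]:
    """Readable findings for a pasted 'Files Created' section."""
    entries = parse_files_created(text)
    findings = []
    for base, copies in find_repair_backups(entries).items():
        sizes = sorted({c.size for c in copies})
        span = copies[-1].created - copies[0].created
        findings.append(f"{len(copies)} suffixed copies of {base}, sizes {sizes}, "
                        f"created over {span}: submit for scanning")
    for e in find_hidden_system_dirs(entries):
        findings.append(f"hidden+system directory {e.path} created "
                        f"{e.created:%Y-%m-%d %H:%M}: review")
    return findings
```

    Paste a real "Files Created" section into summarize() to get the same findings for your own log; the script only reads text and touches no files on disk.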
     
  10. menka

    menka TS Member Topic Starter Posts: 38

    I am trying to open it and I get a popup window stating "illegal operation attempted on a registry key that has been marked for deletion."
     
  11. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    That's because you don't read my instructions carefully:
     
  12. menka

    menka TS Member Topic Starter Posts: 38

    Sorry about that :oops:

    I rebooted it and everything is working, but I cannot upload the files to VirusTotal. I can see the files in Windows Explorer, but they will not appear in the upload file menu.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    I can see the problem. They're too big for that upload.
    Don't worry about it.

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\services.exe.EC6FB467ADB4FF9C
    c:\windows\system32\services.exe.8735FAF4A73CA8CB
    c:\windows\system32\services.exe.BA177F2C14A4843F
    c:\windows\system32\services.exe.643BBA4CF88C93BC
    c:\windows\system32\services.exe.D45CCEF7CB5FEC72
    c:\windows\system32\services.exe.103CBED513E3C65D
    c:\windows\system32\services.exe.29FC24FA8905EC12
    c:\windows\system32\services.exe.ABBEF8ABF0A3E908
    c:\windows\system32\services.exe.A2007D98A6CD6238
    c:\windows\system32\services.exe.58CAF57F892AF75F
    c:\windows\system32\services.exe.F33C70996493D25B
    c:\windows\system32\services.exe.A0A2B4E64A5EB56A
    c:\windows\system32\services.exe.FD71B6D71538D73C
    c:\windows\system32\services.exe.49D2A407B3219963
    c:\windows\system32\services.exe.C5C946D4B2BF6104
    c:\windows\system32\services.exe.8A63788CF596CCF5
    c:\windows\system32\services.exe.619C4D112007EE12
    c:\windows\system32\services.exe.5994B9A783CBAC2F
    c:\windows\system32\services.exe.CE47B7580E4127D0
    c:\windows\system32\services.exe.1EE77193F9BCFE96
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and antimalware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  14. menka

    menka TS Member Topic Starter Posts: 38

    ComboFix 12-06-23.05 - Calice 06/23/2012 21:55:44.2.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8190.6551 [GMT -4:00]
    Running from: c:\users\Calice\Downloads\ComboFix.exe
    Command switches used :: c:\users\Calice\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\services.exe.103CBED513E3C65D"
    "c:\windows\system32\services.exe.1EE77193F9BCFE96"
    "c:\windows\system32\services.exe.29FC24FA8905EC12"
    "c:\windows\system32\services.exe.49D2A407B3219963"
    "c:\windows\system32\services.exe.58CAF57F892AF75F"
    "c:\windows\system32\services.exe.5994B9A783CBAC2F"
    "c:\windows\system32\services.exe.619C4D112007EE12"
    "c:\windows\system32\services.exe.643BBA4CF88C93BC"
    "c:\windows\system32\services.exe.8735FAF4A73CA8CB"
    "c:\windows\system32\services.exe.8A63788CF596CCF5"
    "c:\windows\system32\services.exe.A0A2B4E64A5EB56A"
    "c:\windows\system32\services.exe.A2007D98A6CD6238"
    "c:\windows\system32\services.exe.ABBEF8ABF0A3E908"
    "c:\windows\system32\services.exe.BA177F2C14A4843F"
    "c:\windows\system32\services.exe.C5C946D4B2BF6104"
    "c:\windows\system32\services.exe.CE47B7580E4127D0"
    "c:\windows\system32\services.exe.D45CCEF7CB5FEC72"
    "c:\windows\system32\services.exe.EC6FB467ADB4FF9C"
    "c:\windows\system32\services.exe.F33C70996493D25B"
    "c:\windows\system32\services.exe.FD71B6D71538D73C"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Calice\AppData\Local\Temp\{9A65AD2E-ABFB-4B39-8753-7FD9565ED4D7}\fpb.tmp
    c:\windows\system32\services.exe.103CBED513E3C65D
    c:\windows\system32\services.exe.1EE77193F9BCFE96
    c:\windows\system32\services.exe.29FC24FA8905EC12
    c:\windows\system32\services.exe.49D2A407B3219963
    c:\windows\system32\services.exe.58CAF57F892AF75F
    c:\windows\system32\services.exe.5994B9A783CBAC2F
    c:\windows\system32\services.exe.619C4D112007EE12
    c:\windows\system32\services.exe.643BBA4CF88C93BC
    c:\windows\system32\services.exe.8735FAF4A73CA8CB
    c:\windows\system32\services.exe.8A63788CF596CCF5
    c:\windows\system32\services.exe.A0A2B4E64A5EB56A
    c:\windows\system32\services.exe.A2007D98A6CD6238
    c:\windows\system32\services.exe.ABBEF8ABF0A3E908
    c:\windows\system32\services.exe.BA177F2C14A4843F
    c:\windows\system32\services.exe.C5C946D4B2BF6104
    c:\windows\system32\services.exe.CE47B7580E4127D0
    c:\windows\system32\services.exe.D45CCEF7CB5FEC72
    c:\windows\system32\services.exe.EC6FB467ADB4FF9C
    c:\windows\system32\services.exe.F33C70996493D25B
    c:\windows\system32\services.exe.FD71B6D71538D73C
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-24 01:59 . 2012-06-24 01:59 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E6FBAD79-DB85-4569-9493-E9832F78C40E}\offreg.dll
    2012-06-24 01:59 . 2012-06-24 01:59 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-23 21:31 . 2012-06-23 21:32 -------- d-----w- C:\FRST
    2012-06-23 14:36 . 2012-06-23 14:36 -------- d-----w- c:\users\Calice\AppData\Roaming\Malwarebytes
    2012-06-23 14:33 . 2012-06-23 14:33 -------- d-----w- c:\programdata\Malwarebytes
    2012-06-23 14:33 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-23 14:33 . 2012-06-23 14:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-06-23 14:02 . 2012-06-23 14:02 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5C830568-2D1D-48EF-943B-340EDA25CE9A}\gapaengine.dll
    2012-06-23 14:02 . 2012-05-31 01:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E6FBAD79-DB85-4569-9493-E9832F78C40E}\mpengine.dll
    2012-06-23 14:00 . 2012-06-23 14:00 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-06-23 14:00 . 2012-06-23 14:00 -------- d-----w- c:\program files\Microsoft Security Client
    2012-06-22 22:48 . 2012-06-22 22:48 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-06-21 17:15 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 17:15 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 17:15 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 17:15 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 17:15 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 17:15 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 17:15 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 17:15 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 17:15 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-17 22:16 . 2012-06-17 22:16 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-17 22:16 . 2012-06-17 22:16 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-16 19:14 . 2012-06-23 23:34 -------- d-----w- c:\programdata\NCH Software
    2012-06-16 19:14 . 2012-06-16 19:14 -------- d-----w- c:\program files (x86)\NCH Software
    2012-06-16 19:14 . 2012-06-23 23:34 -------- d-----w- c:\users\Calice\AppData\Roaming\NCH Software
    2012-06-16 02:35 . 2012-06-16 02:35 -------- d-----w- c:\program files (x86)\Conduit
    2012-06-16 02:35 . 2012-06-16 02:40 -------- d-----w- c:\users\Calice\AppData\Local\Conduit
    2012-06-12 00:01 . 2012-06-12 00:01 -------- d-----w- c:\program files (x86)\LG Electronics
    2012-06-12 00:01 . 2008-11-11 17:42 33792 ----a-w- c:\windows\system32\drivers\lgx64modem.sys
    2012-06-12 00:01 . 2008-11-11 17:42 27136 ----a-w- c:\windows\system32\drivers\lgx64gps.sys
    2012-06-12 00:01 . 2008-11-11 17:42 27136 ----a-w- c:\windows\system32\drivers\lgx64diag.sys
    2012-06-12 00:01 . 2008-11-11 17:42 17920 ----a-w- c:\windows\system32\drivers\lgx64bus.sys
    2012-06-12 00:00 . 2001-09-05 09:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
    2012-06-12 00:00 . 2001-09-05 09:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
    2012-06-12 00:00 . 2001-09-05 09:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
    2012-06-12 00:00 . 2001-09-05 09:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
    2012-06-12 00:00 . 2002-07-25 21:07 614532 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    2012-06-10 21:45 . 2012-06-10 21:45 -------- d-----w- c:\programdata\ATI
    2012-06-10 21:45 . 2012-06-10 21:45 -------- d-----w- c:\program files (x86)\AMD AVT
    2012-06-10 21:45 . 2012-06-10 21:45 -------- d-----w- c:\program files (x86)\AMD APP
    2012-06-09 16:51 . 2012-06-09 16:51 -------- d-----w- c:\users\Calice\AppData\Local\Macromedia
    2012-05-31 22:01 . 2012-05-31 22:01 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-05-31 22:01 . 2012-05-31 22:01 -------- d-----w- c:\program files (x86)\Oracle
    2012-05-31 22:01 . 2012-04-04 22:47 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-05-31 22:01 . 2012-04-04 22:47 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-05-31 22:00 . 2012-05-31 22:00 -------- d-----w- c:\program files (x86)\Java
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-22 23:39 . 2012-04-28 00:41 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-22 23:39 . 2012-02-04 00:13 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-04-06 05:22 . 2012-04-06 05:22 11174400 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2012-04-06 02:34 . 2012-04-06 02:34 187392 ----a-w- c:\windows\system32\clinfo.exe
    2012-04-06 02:34 . 2012-04-06 02:34 74752 ----a-w- c:\windows\system32\OpenVideo64.dll
    2012-04-06 02:34 . 2012-04-06 02:34 64512 ----a-w- c:\windows\SysWow64\OpenVideo.dll
    2012-04-06 02:33 . 2012-04-06 02:33 63488 ----a-w- c:\windows\system32\OVDecode64.dll
    2012-04-06 02:33 . 2012-04-06 02:33 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
    2012-04-06 02:33 . 2012-04-06 02:33 16457216 ----a-w- c:\windows\system32\amdocl64.dll
    2012-04-06 02:32 . 2012-04-06 02:32 13007872 ----a-w- c:\windows\SysWow64\amdocl.dll
    2012-04-06 02:22 . 2012-04-06 02:22 159744 ----a-w- c:\windows\system32\atiapfxx.exe
    2012-04-06 02:21 . 2012-02-15 03:18 909312 ----a-w- c:\windows\SysWow64\aticfx32.dll
    2012-04-06 02:20 . 2011-12-06 03:16 1067520 ----a-w- c:\windows\system32\aticfx64.dll
    2012-04-06 02:16 . 2012-04-06 02:16 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2012-04-06 02:16 . 2012-04-06 02:16 503808 ----a-w- c:\windows\system32\atieclxx.exe
    2012-04-06 02:16 . 2012-04-06 02:16 236544 ----a-w- c:\windows\system32\atiesrxx.exe
    2012-04-06 02:14 . 2012-04-06 02:14 120320 ----a-w- c:\windows\system32\atitmm64.dll
    2012-04-06 02:14 . 2012-04-06 02:14 21504 ----a-w- c:\windows\system32\atimuixx.dll
    2012-04-06 02:14 . 2012-04-06 02:14 59392 ----a-w- c:\windows\system32\atiedu64.dll
    2012-04-06 02:14 . 2012-04-06 02:14 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
    2012-04-06 02:13 . 2012-02-15 03:07 6800896 ----a-w- c:\windows\SysWow64\atidxx32.dll
    2012-04-06 02:10 . 2012-04-06 02:10 26181632 ----a-w- c:\windows\system32\atio6axx.dll
    2012-04-06 02:00 . 2011-12-06 02:18 64000 ----a-w- c:\windows\system32\coinst.dll
    2012-04-06 01:54 . 2011-12-06 02:51 7479296 ----a-w- c:\windows\system32\atidxx64.dll
    2012-04-06 01:50 . 2012-04-06 01:50 19753984 ----a-w- c:\windows\SysWow64\atioglxx.dll
    2012-04-06 01:35 . 2012-04-06 01:35 1120768 ----a-w- c:\windows\system32\atiumd6v.dll
    2012-04-06 01:34 . 2012-04-06 01:34 1831424 ----a-w- c:\windows\SysWow64\atiumdmv.dll
    2012-04-06 01:34 . 2012-04-06 01:34 4731904 ----a-w- c:\windows\system32\atiumd6a.dll
    2012-04-06 01:34 . 2012-04-06 01:34 6203392 ----a-w- c:\windows\SysWow64\atiumdag.dll
    2012-04-06 01:30 . 2012-04-06 01:30 51200 ----a-w- c:\windows\system32\aticalrt64.dll
    2012-04-06 01:30 . 2012-04-06 01:30 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
    2012-04-06 01:30 . 2012-04-06 01:30 44544 ----a-w- c:\windows\system32\aticalcl64.dll
    2012-04-06 01:30 . 2012-04-06 01:30 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
    2012-04-06 01:29 . 2012-04-06 01:29 16090624 ----a-w- c:\windows\system32\aticaldd64.dll
    2012-04-06 01:25 . 2012-04-06 01:25 13764096 ----a-w- c:\windows\SysWow64\aticaldd.dll
    2012-04-06 01:23 . 2012-04-06 01:23 7431680 ----a-w- c:\windows\system32\atiumd64.dll
    2012-04-06 01:22 . 2012-04-06 01:22 4795904 ----a-w- c:\windows\SysWow64\atiumdva.dll
    2012-04-06 01:11 . 2012-04-06 01:11 514560 ----a-w- c:\windows\system32\atiadlxx.dll
    2012-04-06 01:11 . 2012-04-06 01:11 360448 ----a-w- c:\windows\SysWow64\atiadlxy.dll
    2012-04-06 01:11 . 2012-04-06 01:11 17408 ----a-w- c:\windows\system32\atig6pxx.dll
    2012-04-06 01:11 . 2012-04-06 01:11 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
    2012-04-06 01:11 . 2012-04-06 01:11 14848 ----a-w- c:\windows\system32\atiglpxx.dll
    2012-04-06 01:11 . 2012-04-06 01:11 41984 ----a-w- c:\windows\system32\atig6txx.dll
    2012-04-06 01:10 . 2012-04-06 01:10 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
    2012-04-06 01:10 . 2012-04-06 01:10 343040 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2012-04-06 01:09 . 2011-12-06 02:11 54784 ----a-w- c:\windows\system32\atiuxp64.dll
    2012-04-06 01:09 . 2012-02-15 02:12 41984 ----a-w- c:\windows\SysWow64\atiuxpag.dll
    2012-04-06 01:09 . 2012-04-06 01:09 44544 ----a-w- c:\windows\system32\atiu9p64.dll
    2012-04-06 01:09 . 2012-04-06 01:09 32256 ----a-w- c:\windows\SysWow64\atiu9pag.dll
    2012-04-06 01:09 . 2012-04-06 01:09 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2012-04-06 01:06 . 2012-04-06 01:06 54784 ----a-w- c:\windows\system32\atimpc64.dll
    2012-04-06 01:06 . 2012-04-06 01:06 54784 ----a-w- c:\windows\system32\amdpcom64.dll
    2012-04-06 01:06 . 2012-04-06 01:06 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
    2012-04-06 01:06 . 2012-04-06 01:06 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
    2012-03-30 11:35 . 2012-05-11 16:00 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-06-23_23.36.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-06-24 01:59 . 2012-06-24 01:59 13330 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    - 2012-06-23 23:35 . 2012-06-23 23:35 13330 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    + 2010-11-21 03:09 . 2012-06-24 01:34 32366 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-06-24 01:34 37860 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2012-03-16 08:00 . 2012-06-24 00:27 3330 c:\windows\system32\wdi\ERCQueuedResolutions.dat
    + 2012-03-15 03:52 . 2012-06-24 01:34 9556 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-876829241-3342464797-2240709727-1002_UserData.bin
    - 2012-06-23 23:35 . 2012-06-23 23:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-06-24 01:59 . 2012-06-24 01:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-06-24 01:59 . 2012-06-24 01:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-06-23 23:35 . 2012-06-23 23:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 02:36 . 2012-06-23 23:30 664350 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-06-24 01:37 664350 c:\windows\system32\perfh009.dat
    - 2009-07-14 02:36 . 2012-06-23 23:30 122960 c:\windows\system32\perfc009.dat
    + 2009-07-14 02:36 . 2012-06-24 01:37 122960 c:\windows\system32\perfc009.dat
    - 2012-02-04 00:27 . 2012-06-23 23:35 815232 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2012-02-04 00:27 . 2012-06-24 01:59 815232 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2009-07-14 05:01 . 2012-06-23 23:35 255488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-06-24 01:59 255488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-03-15 04:20 . 2012-06-24 01:59 4917330 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-876829241-3342464797-2240709727-1002-4096.dat
    - 2012-03-15 04:20 . 2012-06-23 23:35 27343641 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-876829241-3342464797-2240709727-1002-8192.dat
    + 2012-03-15 04:20 . 2012-06-24 01:59 27343641 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-876829241-3342464797-2240709727-1002-8192.dat
     
  15. menka

    menka TS Member Topic Starter Posts: 38

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-03-05 53888]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-22 250056]
    R3 ALSysIO;ALSysIO;c:\users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys [x]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-15 183560]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-17 113120]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
    R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
    R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
    R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgx64gps.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-04-06 361984]
    S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-03-05 53888]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-24 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 23:39]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-19 12632168]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/?ilc=17
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
    FF - ProfilePath - c:\users\Calice\AppData\Roaming\Mozilla\Firefox\Profiles\32jjc7vf.default\
    FF - prefs.js: browser.startup.homepage - hxxps://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=default&ltmplcache=2
    FF - prefs.js: network.proxy.type - 0
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-06-23 22:03:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-24 02:03
    ComboFix2.txt 2012-06-23 23:40
    .
    Pre-Run: 447,404,347,392 bytes free
    Post-Run: 447,080,497,152 bytes free
    .
    - - End Of File - - 84A377482A697B1B8ABCA9F09B42DCA4
     
  16. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Good.

    Any current issues?

    Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ====================================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /I " " /c
    dir /b "%systemroot%\*.exe" | find /I " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  17. menka

    menka TS Member Topic Starter Posts: 38

    Everything is going well so far, thank you so much for helping me. :)

    Quick question: I downloaded Malwarebytes earlier today; do I uninstall it and redownload, or just use the current version?
     
  18. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Just make sure it's updated.
     
  19. menka

    menka TS Member Topic Starter Posts: 38

    OTL Text

    OTL logfile created on: 6/23/2012 10:27:32 PM - Run 1
    OTL by OldTimer - Version 3.2.52.0 Folder = C:\Users\Calice\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    8.00 Gb Total Physical Memory | 6.73 Gb Available Physical Memory | 84.16% Memory free
    16.00 Gb Paging File | 14.53 Gb Available in Paging File | 90.81% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 465.66 Gb Total Space | 416.34 Gb Free Space | 89.41% Space Free | Partition Type: NTFS

    Computer Name: CALICE-PC | User Name: Calice | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/06/23 22:25:43 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Calice\Downloads\OTL.exe
    PRC - [2012/06/22 18:46:16 | 000,686,280 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
    PRC - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2011/10/01 08:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    PRC - [2011/10/01 08:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    PRC - [2011/02/14 05:30:50 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE


    ========== Modules (No Company Name) ==========


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2012/04/05 22:16:02 | 000,236,544 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
    SRV:64bit: - [2012/04/05 21:57:34 | 000,361,984 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
    SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV:64bit: - [2010/09/22 22:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
    SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2012/06/22 19:39:11 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/06/17 18:16:49 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/04/20 13:13:19 | 000,489,256 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2011/10/01 08:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
    SRV - [2011/10/01 08:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
    SRV - [2011/02/15 05:59:26 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
    SRV - [2011/02/14 05:30:50 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
    SRV - [2010/03/18 17:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/04/06 01:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
    DRV:64bit: - [2012/04/05 21:10:44 | 000,343,040 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
    DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV:64bit: - [2012/03/08 18:40:52 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
    DRV:64bit: - [2012/03/05 16:04:30 | 000,053,888 | ---- | M] (Advanced Micro Devices) [Kernel | Auto | Stopped] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys -- (AODDriver4.1)
    DRV:64bit: - [2012/03/05 16:04:30 | 000,053,888 | ---- | M] (Advanced Micro Devices) [Kernel | Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys -- (AODDriver4.01)
    DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2012/02/23 08:32:04 | 000,095,760 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
    DRV:64bit: - [2011/10/01 08:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
    DRV:64bit: - [2011/10/01 08:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
    DRV:64bit: - [2011/10/01 08:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
    DRV:64bit: - [2011/10/01 08:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
    DRV:64bit: - [2011/05/13 03:21:04 | 000,177,640 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadmdm.sys -- (ssadmdm)
    DRV:64bit: - [2011/05/13 03:21:04 | 000,146,920 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadserd.sys -- (ssadserd) SAMSUNG Android USB Diagnostic Serial Port (WDM)
    DRV:64bit: - [2011/05/13 03:21:02 | 000,157,672 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
    DRV:64bit: - [2011/05/13 03:21:02 | 000,016,872 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
    DRV:64bit: - [2010/09/08 15:42:16 | 000,295,272 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\VMM.sys -- (vmm)
    DRV:64bit: - [2010/08/12 16:07:50 | 000,350,952 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvmf6264.sys -- (NVNET)
    DRV:64bit: - [2010/02/18 13:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
    DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/10 16:35:42 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2009/06/10 16:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
    DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2008/11/11 13:42:00 | 000,033,792 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lgx64modem.sys -- (USBModem)
    DRV:64bit: - [2008/11/11 13:42:00 | 000,027,136 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lgx64gps.sys -- (UsbGps)
    DRV:64bit: - [2008/11/11 13:42:00 | 000,027,136 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lgx64diag.sys -- (UsbDiag)
    DRV:64bit: - [2008/11/11 13:42:00 | 000,017,920 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lgx64bus.sys -- (usbbus)
    DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-876829241-3342464797-2240709727-1002\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-876829241-3342464797-2240709727-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=17
    IE - HKU\S-1-5-21-876829241-3342464797-2240709727-1002\..\SearchScopes,DefaultScope = {72A90F3A-30DB-43FF-AFA7-642317F2C2DD}
    IE - HKU\S-1-5-21-876829241-3342464797-2240709727-1002\..\SearchScopes\{72A90F3A-30DB-43FF-AFA7-642317F2C2DD}: "URL" = http://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
    IE - HKU\S-1-5-21-876829241-3342464797-2240709727-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.suggest.enabled: false
    FF - prefs.js..browser.startup.homepage: "https://accounts.google.com/Service...m/mail/&ss=1&scc=1&ltmpl=default&ltmplcache=2"
    FF - prefs.js..network.proxy.type: 0
    FF - user.js - File not found

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_262.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/06/17 18:16:50 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/06/17 18:16:50 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

    [2012/03/14 23:55:00 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Calice\AppData\Roaming\Mozilla\Extensions
    [2012/06/16 12:42:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Calice\AppData\Roaming\Mozilla\Firefox\Profiles\32jjc7vf.default\extensions
    [2012/03/14 23:54:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2012/06/17 18:16:49 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2012/06/17 18:16:47 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/06/17 18:16:47 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/06/23 22:00:04 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2:64bit: - BHO: (SteadyVideoBHO Class) - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
    O2 - BHO: (SteadyVideoBHO Class) - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\AMD\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
    O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
    O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-876829241-3342464797-2240709727-1002\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-876829241-3342464797-2240709727-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 65.32.5.111 65.32.5.112
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{737D2B0F-1E9D-46A0-9F95-16C70E2BB9E8}: DhcpNameServer = 65.32.5.111 65.32.5.112
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O18:64bit: - Protocol\Filter\video/mp4 {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
    O18:64bit: - Protocol\Filter\video/x-flv {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
    O18 - Protocol\Filter\video/mp4 {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
    O18 - Protocol\Filter\video/x-flv {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)


    Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/06/23 22:03:05 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/06/23 22:00:06 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2012/06/23 19:31:02 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/06/23 19:31:02 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/06/23 19:31:02 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/06/23 19:30:56 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/06/23 19:30:43 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/06/23 17:31:37 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/06/23 10:36:13 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Roaming\Malwarebytes
    [2012/06/23 10:33:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/06/23 10:33:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/06/23 10:33:44 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/06/23 10:33:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/06/23 10:00:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
    [2012/06/23 10:00:16 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/06/22 18:48:52 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
    [2012/06/20 17:53:50 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\{F9624A5F-E9A5-4818-A833-33DEB9BA90A6}
    [2012/06/20 17:53:40 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\{1ED868E8-4FB4-413F-8AE7-73D41338ED21}
    [2012/06/16 15:14:40 | 000,000,000 | ---D | C] -- C:\ProgramData\NCH Software
    [2012/06/16 15:14:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite
    [2012/06/16 15:14:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audio Related Programs
    [2012/06/16 15:14:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NCH Software
    [2012/06/16 15:14:21 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Roaming\NCH Software
    [2012/06/15 22:35:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit
    [2012/06/15 22:35:13 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\Conduit
    [2012/06/12 18:14:14 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\{02FA11B7-A6B4-4E03-9B22-D26A4597B86D}
    [2012/06/12 18:14:04 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\{534D160A-FEC6-4DCB-B9BD-D8918E279241}
    [2012/06/11 21:24:44 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\{38813479-1E4D-4561-BC86-455119DF3FC6}
    [2012/06/11 21:24:33 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\{6E639B70-DCF1-4026-8059-E2922519EDB0}
    [2012/06/11 20:01:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LG Electronics
    [2012/06/10 22:03:52 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\{48546F70-1B0B-4D93-B9DE-56FECC9245EA}
    [2012/06/10 17:45:58 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
    [2012/06/10 17:45:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD AVT
    [2012/06/10 17:45:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD APP
    [2012/06/10 17:45:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD VISION Engine Control Center
    [2012/06/09 12:51:52 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\Macromedia
    [2012/06/01 15:09:37 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\{357542D8-B6DA-467B-AE3F-A44F5405331A}
    [2012/06/01 15:09:27 | 000,000,000 | ---D | C] -- C:\Users\Calice\AppData\Local\{89318356-0E99-4C8E-9B05-31F38A440C16}
    [2012/05/31 18:36:41 | 000,000,000 | ---D | C] -- C:\Users\Calice\Documents\Activities
    [2012/05/31 18:01:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
    [2012/05/31 18:01:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
    [2012/05/31 18:01:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Oracle
    [2012/05/31 18:00:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/06/23 22:12:57 | 000,021,872 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/06/23 22:12:57 | 000,021,872 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/06/23 22:09:57 | 000,783,160 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012/06/23 22:09:57 | 000,664,350 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012/06/23 22:09:57 | 000,122,960 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012/06/23 22:05:36 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/06/23 22:05:33 | 2146,275,327 | -HS- | M] () -- C:\hiberfil.sys
    [2012/06/23 22:00:04 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012/06/23 21:39:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/06/23 10:33:49 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/06/23 10:00:30 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/06/23 10:00:19 | 000,799,314 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2012/06/13 17:02:25 | 000,299,160 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2012/05/30 15:01:49 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/06/23 19:31:02 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/06/23 19:31:02 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/06/23 19:31:02 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/06/23 19:31:02 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/06/23 19:31:02 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/06/23 10:33:49 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/06/23 10:00:21 | 000,001,915 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/06/16 15:14:43 | 000,001,130 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WavePad Sound Editor.lnk
    [2012/06/16 15:14:25 | 000,001,134 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Switch Sound File Converter.lnk
    [2012/03/15 00:23:55 | 000,799,314 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2012/03/09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
    [2012/02/14 22:36:36 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
    [2012/02/14 22:36:36 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
    [2012/02/03 20:06:42 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
    [2012/02/03 19:52:29 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
    [2011/09/12 19:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

    ========== LOP Check ==========

    [2012/03/15 14:38:40 | 000,000,000 | ---D | M] -- C:\Users\Calice\AppData\Roaming\Blender Foundation
    [2012/06/14 16:03:52 | 000,000,000 | ---D | M] -- C:\Users\Calice\AppData\Roaming\SoftGrid Client
    [2012/04/07 21:52:52 | 000,000,000 | ---D | M] -- C:\Users\Calice\AppData\Roaming\TP
    [2012/06/23 21:59:48 | 000,032,560 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.* >
    [2012/06/23 22:03:03 | 000,025,803 | ---- | M] () -- C:\ComboFix.txt
    [2012/02/03 19:56:37 | 000,000,086 | ---- | M] () -- C:\CSB.LOG
    [2012/06/23 22:05:33 | 2146,275,327 | -HS- | M] () -- C:\hiberfil.sys
    [2012/02/03 19:53:57 | 000,000,086 | ---- | M] () -- C:\Install.log
    [2012/06/23 22:05:35 | 4293,357,567 | -HS- | M] () -- C:\pagefile.sys
    [2012/02/03 19:54:54 | 000,002,213 | ---- | M] () -- C:\RHDSetup.log
    [2010/03/19 19:55:52 | 002,073,703 | ---- | M] () -- C:\VS_EXPBSLN_x64_enu.CAB
    [2010/03/19 19:58:20 | 000,551,424 | ---- | M] () -- C:\VS_EXPBSLN_x64_enu.MSI

    < %systemroot%\Fonts\*.com >
    [2009/07/14 01:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/14 01:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/14 01:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/14 01:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 16:49:50 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2012/03/08 18:37:20 | 000,302,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/07/14 00:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2012/03/14 23:51:52 | 000,000,221 | -HS- | M] () -- C:\Users\Calice\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2012/06/23 21:39:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/06/23 22:05:39 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2012/06/23 21:59:48 | 000,032,560 | ---- | M] () -- C:\Windows\tasks\SCHEDLGU.TXT

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 17:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2012/03/15 03:09:36 | 000,000,402 | -HS- | M] () -- C:\Users\Calice\Favorites\desktop.ini
    [2012/06/16 15:14:44 | 000,000,276 | ---- | M] () -- C:\Users\Calice\Favorites\NCH Software Download Site.lnk

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /I " " /c >

    < dir /b "%systemroot%\*.exe" | find /I " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\LastSuccessTime /rs >

    < >
    < End of report >
     
  20. menka

    menka TS Member Topic Starter Posts: 38

    OTL Extras

    OTL Extras logfile created on: 6/23/2012 10:27:32 PM - Run 1
    OTL by OldTimer - Version 3.2.52.0 Folder = C:\Users\Calice\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    8.00 Gb Total Physical Memory | 6.73 Gb Available Physical Memory | 84.16% Memory free
    16.00 Gb Paging File | 14.53 Gb Available in Paging File | 90.81% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 465.66 Gb Total Space | 416.34 Gb Free Space | 89.41% Space Free | Partition Type: NTFS

    Computer Name: CALICE-PC | User Name: Calice | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-876829241-3342464797-2240709727-1002\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{027E5FAB-1476-4C59-AAB4-32EF28520399}" = Windows Live Language Selector
    "{02A5BD31-16AC-45DF-BE9F-A3167BC4AFB2}" = Windows Live Family Safety
    "{0CC4F67D-D41D-8C1A-C605-39154DDEAC63}" = AMD Fuel
    "{0D87AE67-14EB-4C10-88A5-DA6C3181EB18}" = Windows Live Family Safety
    "{0F7861E5-3B24-33CA-AECF-B5477194CEEB}" = Windows Phone Emulator x64 - ENU
    "{119B2F5A-2A06-DB96-FF28-992EC2A10BDF}" = AMD Accelerated Video Transcoding
    "{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
    "{2E8D6204-D656-8355-1ED3-2988AC52EB0F}" = ccc-utility64
    "{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
    "{5831C6D6-309D-DBB5-14F7-FEE57086CEE7}" = AMD Catalyst Install Manager
    "{5F92DAD2-FD95-DD12-50DF-A6F66C7E67C8}" = AMD Drag and Drop Transcoding
    "{63CE6C32-1EB3-4C51-89FC-9FD96A661A9C}" = AMD Media Foundation Decoders
    "{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
    "{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
    "{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
    "{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
    "{94D70749-4281-39AC-AD90-B56A0E0A402E}" = Microsoft Visual C++ 2010 x64 Runtime - 10.0.30319
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client
    "{BCA26999-EC22-3007-BB79-638913079C9A}" = Microsoft Visual Studio 2010 Express Prerequisites x64 - ENU
    "{DA2737A4-B639-96F4-1CC2-30D2919EE1FB}" = AMD Steady Video Plug-In
    "{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
    "{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    "{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
    "{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "{FCADA26A-5672-31DD-BF0E-BA76ECF9B02D}" = Microsoft Help Viewer 1.0
    "Blender" = Blender
    "CCleaner" = CCleaner
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "Microsoft Help Viewer 1.0" = Microsoft Help Viewer 1.0
    "Microsoft Security Client" = Microsoft Security Essentials
    "NVIDIA Drivers" = NVIDIA Drivers

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{01C79EF3-DE84-4B56-B638-8BEA0D507506}" = Microsoft XNA Game Studio 4.0 (XnaLiveProxy)
    "{03D4C700-2BFE-43E0-A0B4-9512B43C5B9F}" = Catalyst Control Center - Branding
    "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
    "{05855322-BE43-41FE-B583-D3AE0C326D58}" = Microsoft Silverlight 4 SDK
    "{0666E46E-A860-4353-BE6D-13AA72FABB57}" = Microsoft XNA Game Studio Platform Tools
    "{08C84CC6-E7FD-4B2D-BBF9-B02CC90EE031}" = Microsoft XNA Game Studio 4.0 (Shared Components)
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{1111706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{19D614EB-D62A-AEE7-2391-E74126601D59}" = CCC Help Italian
    "{1C373820-B9C8-0F7F-8F84-FC1B76A85F27}" = CCC Help Portuguese
    "{1C997E1C-5CE9-4AF3-AAA9-DC65E6090827}" = Microsoft Expression Blend SDK for Silverlight 4
    "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{2012098D-EEE9-4769-8DD3-B038050854D4}" = Microsoft Silverlight 3 SDK
    "{256E7DAC-9BE8-494E-8DE7-7857BF96B774}" = Microsoft Expression Blend 3 SDK
    "{26A24AE4-039D-4CA4-87B4-2F83217004FF}" = Java(TM) 7 Update 4
    "{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
    "{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
    "{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}" = Microsoft XNA Framework Redistributable 4.0
    "{2C3AB990-1F33-3D6B-9F34-8D5189FA04D3}" = Windows Phone 7 Add-in for Visual Studio 2010 - ENU
    "{2D35BC33-7D08-D529-DF91-8A15FBF2600E}" = CCC Help Polish
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{337788D1-43D1-9A0F-9787-DD00DB512D41}" = Catalyst Control Center Localization All
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{3F4EB5FE-B5BE-4069-A5A8-6D9262E1B379}" = Microsoft XNA Game Studio 4.0 Documentation
    "{4725833D-4325-5C34-57D4-1FE23E5AE578}" = CCC Help Chinese Standard
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4B271648-43CB-DD31-FF24-E7B06D3EE72A}" = Catalyst Control Center InstallProxy
    "{4C6D5779-A766-45DF-9938-D6F595A66F2B}" = Microsoft Expression Blend 4
    "{4DC37F33-7AEC-A4CB-56B1-69A402828763}" = CCC Help Japanese
    "{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
    "{558358E5-E4F3-4374-BA1D-26FF39EF87D9}" = Microsoft Silverlight Tools for Visual Studio 2010
    "{5710DAC2-8F2A-503C-CFC2-A973ADE0EA4C}" = CCC Help Czech
    "{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
    "{5C763682-4C40-86DA-9C46-31924D7D2C34}" = CCC Help Thai
    "{5DDF31D2-63BB-4268-895B-FB05A82A1C00}" = Microsoft XNA Game Studio 4.0 Windows Phone Extensions
    "{5EE6E987-1B79-4A93-832B-27472C7D1579}" = WPF Toolkit February 2010 (Version 3.5.50211.1)
    "{60E5022D-FA4B-C6A2-1E80-B46EC39096F3}" = CCC Help Chinese Traditional
    "{60F34FDF-267C-408F-290E-EC90D841C8CB}" = CCC Help German
    "{66B79AE1-C6E2-B958-689C-D0812DE86BAB}" = CCC Help Greek
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{68BD57D3-D606-411E-A7E0-3EB6EA5660F6}" = Microsoft XNA Game Studio 4.0 (Redists)
    "{69E11501-75F7-4ACE-8103-52513DDCFE26}" = Microsoft Expression Blend SDK for Windows Phone 7
    "{6B39BE0F-0F5E-A8FA-33E4-8481AE39D96C}" = CCC Help Russian
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{73BE04D9-BA0E-4BAF-9C9D-677278BDB3DC}" = Microsoft XNA Game Studio 4.0 (ARP entry)
    "{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
    "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8C496FBF-DB4A-468D-A3A1-15E127382218}" = Microsoft XNA Game Studio 4.0 (Visual Studio)
    "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{8E19F2AF-7145-51DE-E395-7729A9374973}" = Catalyst Control Center Graphics Previews Common
    "{8FB1B528-E260-451E-9B55-E9152F94B80B}" = Microsoft Games for Windows - LIVE Redistributable
    "{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
    "{91CB5B8B-4EC8-DBA1-A88D-99FD480567B0}" = CCC Help English
    "{924FBAC4-60D2-7981-3C3E-979DF9CBB346}" = CCC Help Finnish
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
    "{9B3A1C97-A361-463E-8817-444F9F88CDFE}" = Microsoft Expression Blend SDK for .NET 4
    "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
    "{9DC939DC-B7A4-D0E2-C582-A442DF1B3EBE}" = CCC Help Spanish
    "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
    "{A1BD938B-F006-6E6D-70B2-47E1DD56F7DE}" = CCC Help Swedish
    "{A29C5DD5-B21E-474F-AA96-6A7FC0B2B248}" = Microsoft Expression Blend 4 Add-in for Adobe FXG Import
    "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
    "{B45FABE7-D101-4D99-A671-E16DA40AF7F0}" = Microsoft Games for Windows - LIVE
    "{B86149D3-18A2-41FD-A153-60AF944E47FE}" = Microsoft Windows Phone 7 Developer Resources
    "{BABF7852-C2DD-6A8A-9956-101720C715C7}" = CCC Help Turkish
    "{BB7C2A56-9706-43B8-5A8C-210AF5816106}" = CCC Help French
    "{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
    "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{CFB91CB0-17D9-44EB-BFB2-5307AB7E7DDC}" = Microsoft Visual Studio 2010 Express for Windows Phone - ENU
    "{CFC2CB60-5654-05A7-4D30-C661800A3A92}" = CCC Help Korean
    "{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}" = Microsoft .NET Framework 4 Multi-Targeting Pack
    "{D04CE005-D1D2-80F3-84C8-B3524FCD39C3}" = CCC Help Norwegian
    "{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
    "{D2FCA41E-AC01-4DCD-B3A7-DC9E32363065}}_is1" = Rapture3D 2.3.26 Game
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{D544AE4C-4152-225B-A897-6756C8986B14}" = AMD VISION Engine Control Center
    "{D81E9069-3CCC-4405-3751-71E4AFEACC52}" = CCC Help Hungarian
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
    "{E93FF166-DF14-2537-8FB4-96BB5810A96C}" = CCC Help Danish
    "{F0839DB3-FBB8-4D14-936F-1D457A088224}" = Bing Bar
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{FA9827E1-8A8E-C176-4923-0840A67ED4DE}" = CCC Help Dutch
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Blend_4.0.20901.0" = Microsoft Expression Blend 4
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
    "Microsoft Visual Studio 2010 Express for Windows Phone - ENU" = Microsoft Windows Phone Developer Tools - ENU
    "Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "Office14.Click2Run" = Microsoft Office Click-to-Run 2010
    "OpenAL" = OpenAL
    "Steam App 31270" = Puzzle Agent
    "Steam App 70400" = Recettear: An Item Shop's Tale
    "Switch" = Switch Sound File Converter
    "WavePad" = WavePad Sound Editor
    "WinLiveSuite" = Windows Live Essentials
    "XNA Game Studio 4.0" = Microsoft XNA Game Studio 4.0

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 6/19/2012 8:42:05 PM | Computer Name = Calice-PC | Source = Windows Search Service | ID = 9000
    Description =

    Error - 6/19/2012 8:42:05 PM | Computer Name = Calice-PC | Source = Windows Search Service | ID = 7040
    Description =

    Error - 6/19/2012 8:42:05 PM | Computer Name = Calice-PC | Source = Windows Search Service | ID = 7042
    Description =

    Error - 6/19/2012 8:42:05 PM | Computer Name = Calice-PC | Source = Windows Search Service | ID = 9002
    Description =

    Error - 6/19/2012 8:42:05 PM | Computer Name = Calice-PC | Source = Windows Search Service | ID = 3029
    Description =

    Error - 6/19/2012 8:42:05 PM | Computer Name = Calice-PC | Source = Windows Search Service | ID = 3029
    Description =

    Error - 6/19/2012 8:42:05 PM | Computer Name = Calice-PC | Source = Windows Search Service | ID = 3028
    Description =

    Error - 6/19/2012 8:42:05 PM | Computer Name = Calice-PC | Source = Windows Search Service | ID = 3058
    Description =

    Error - 6/19/2012 8:42:05 PM | Computer Name = Calice-PC | Source = Windows Search Service | ID = 7010
    Description =

    Error - 6/19/2012 8:43:41 PM | Computer Name = Calice-PC | Source = WinMgmt | ID = 10
    Description =

    [ System Events ]
    Error - 6/23/2012 10:32:53 AM | Computer Name = Calice-PC | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 10:31:14 AM on 6/23/2012 was unexpected.

    Error - 6/23/2012 10:32:57 AM | Computer Name = Calice-PC | Source = Service Control Manager | ID = 7000
    Description = The AODDriver4.1 service failed to start due to the following error:
    %%2

    Error - 6/23/2012 10:32:57 AM | Computer Name = Calice-PC | Source = Service Control Manager | ID = 7003
    Description = The IKE and AuthIP IPsec Keying Modules service depends the following
    service: BFE. This service might not be installed.

    Error - 6/23/2012 10:32:57 AM | Computer Name = Calice-PC | Source = Service Control Manager | ID = 7003
    Description = The IPsec Policy Agent service depends the following service: BFE.
    This service might not be installed.

    Error - 6/23/2012 10:32:57 AM | Computer Name = Calice-PC | Source = Service Control Manager | ID = 7023
    Description = The Function Discovery Resource Publication service terminated with
    the following error: %%-2147024891

    Error - 6/23/2012 10:32:59 AM | Computer Name = Calice-PC | Source = Service Control Manager | ID = 7023
    Description = The Computer Browser service terminated with the following error:
    %%1060

    Error - 6/23/2012 10:33:08 AM | Computer Name = Calice-PC | Source = Service Control Manager | ID = 7023
    Description = The Function Discovery Resource Publication service terminated with
    the following error: %%-2147024891

    Error - 6/23/2012 10:33:08 AM | Computer Name = Calice-PC | Source = Service Control Manager | ID = 7001
    Description = The HomeGroup Provider service depends on the Function Discovery Resource
    Publication service which failed to start because of the following error: %%-2147024891

    Error - 6/23/2012 10:33:52 AM | Computer Name = Calice-PC | Source = Microsoft Antimalware | ID = 1119
    Description = %%860 has encountered a critical error when taking action on malware
    or other potentially unwanted software. For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win64/Sirefef.Y&threatid=2147655285
    Name:
    Trojan:Win64/Sirefef.Y ID: 2147655285 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\System32\services.exe;file:_C:\Windows\System32\services.exe->731;process:_pid:564
    Detection
    Origin: %%845 Detection Type: %%822 Detection Source: %%820 User: NT AUTHORITY\SYSTEM
    Process
    Name: C:\Windows\system32\services.exe Action: %%809 Action Status: No additional
    actions required Error Code: 0x800704ec Error description: This program is blocked
    by group policy. For more information, contact your system administrator. Signature
    Version: AV: 1.129.349.0, AS: 1.129.349.0, NIS: 11.137.0.0 Engine Version: AM: 1.1.8502.0,
    NIS: 2.0.8001.0

    Error - 6/23/2012 10:35:29 AM | Computer Name = Calice-PC | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 10:33:48 AM on 6/23/2012 was unexpected.


    < End of report >
     
  21. menka

    menka TS Member Topic Starter Posts: 38

    Malwarebytes

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.23.06
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Calice :: CALICE-PC [administrator]
    6/23/2012 10:44:31 PM
    mbam-log-2012-06-23 (22-44-31).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 205854
    Time elapsed: 1 minute(s), 25 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     
  22. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    OTL logs are clean.

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double-click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  23. menka

    menka TS Member Topic Starter Posts: 38

    Security Check

    Results of screen317's Security Check version 0.99.24
    Windows 7 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    JavaFX 2.1.0
    Java(TM) 7 Update 4
    Out of date Java installed!
    Adobe Flash Player 11.3.300.262
    Adobe Reader X (10.1.3)
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    ``````````End of Log````````````
     
  24. menka

    menka TS Member Topic Starter Posts: 38

    FSS

    Farbar Service Scanner Version: 23-06-2012
    Ran by Calice (administrator) on 23-06-2012 at 23:03:58
    Running from "C:\Users\Calice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TG1B6WX"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit

    **** End of log ****
     
  25. menka

    menka TS Member Topic Starter Posts: 38

    Okay, ESET report:

    C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan deleted - quarantined
    C:\FRST\Quarantine\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\n Win64/Sirefef.W trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\U\00000001.@ Win64/Sirefef.AI trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{56e4f66d-7128-2dc0-ce2c-5df33ffe5938}\U\80000000.@ Win64/Sirefef.AE trojan cleaned by deleting - quarantined
     
