TechSpot

Sirfef.FC

By Antij
Jul 9, 2012
  1. ESET found this, with the infected file being "Services.exe" in at least one instance, and it is always trying to access system things like Svchost and taskman.

    DNS and internet have been extremely flaky. 2 other people on my router - 1 has had trouble, 1 hasn't. As of around 11:30 PST, DNS hasn't been able to resolve even though Pidgin was connecting, so I wonder if I was hit in that FBI DNS shutdown. Not sure, because I have been having a ton of DNS issues anyway, so it all may be the big DNS thing or it may be independent. Now I can't get on Pidgin either, even though Win7 says I have internet... it is fine on this old XP computer though.

    Here is my log.

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 08-07-2012 01
    Ran by SYSTEM at 09-07-2012 01:04:44
    Running from H:\
    Windows 7 Professional (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [egui] "D:\Run\Tools\ESET\egui.exe" /hide /waitservice [x]
    HKLM\...\Run: [UnlockerAssistant] "D:\Run\Tools\Unlocker\UnlockerAssistant.exe" [x]
    HKLM\...\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup [358336 2011-08-11] (Citrix Systems, Inc.)
    HKLM\...\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2008-02-15] (IDT, Inc.)
    HKLM\...\Run: [boincmgr] "D:\Run\Internet\BOINC\boincmgr.exe" /a /s [x]
    HKLM\...\Run: [boinctray] "D:\Run\Internet\BOINC\boinctray.exe" [x]
    HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
    HKLM\...\Run: [LogMeIn Hamachi Ui] "D:\Run\Tools\Internet\Hamachi\hamachi-2-ui.exe" --auto-start [x]
    HKLM\...\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-23] (CANON INC.)
    HKU\Bosh\...\Run: [SpybotSD TeaTimer] D:\Run\Tools\Spybot\TeaTimer.exe [x]
    HKU\Bosh\...\Run: [TrueCrypt] "D:\Run\Tools\TC\TrueCrypt.exe" /q preferences /a logon /a favorites [x]
    HKU\Bosh\...\Run: [MusicManager] "D:\Users\Bosh\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [x]
    HKU\Bosh\...\Run: [Google Update] "D:\Users\Bosh\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-05-25] (Google Inc.)
    HKU\Bosh\...\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [718720 2011-07-21] (Microsoft Corporation)
    HKU\Bosh\...\Run: [306E1B8E2C99E83119C42FCB48AAF71FCAC5BD78._service_run] "D:\Users\Bosh\AppData\Local\Google\Chrome\Application\chrome.exe" --type=service [x]
    HKU\Bosh\...\Run: [DAEMON Tools Lite] "D:\Run\Tools\DAEMON Tools Pro\DTLite.exe" -autorun [x]
    HKU\Bosh\...\Run: [iCloudServices] D:\Run\Internet\iCloud\iCloudServices.exe [x]
    HKU\Bosh\...\Run: [ApplePhotoStreams] D:\Run\Internet\iCloud\ApplePhotoStreams.exe [x]
    HKU\Bosh\...\Run: [com.apple.dav.bookmarks.daemon] D:\Run\Internet\iCloud\BookmarkDAV_client.exe [x]
    Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll [X]
    Winlogon\Notify\psfus: C:\Windows\system32\psqlpwd.dll (UPEK Inc.)
    Lsa: [Notification Packages] scecli
    psqlpwd
    C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

    ================================ Services (Whitelisted) ==================

    2 AcrSch2Svc; "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" [804528 2011-02-01] (Acronis)
    2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\aestsrv.exe [73728 2007-09-20] (Andrea Electronics Corporation)
    2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3246040 2011-05-25] (Acronis)
    2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe [775968 2012-02-01] (Broadcom Corporation.)
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 IntuitUpdateService; "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [13672 2010-08-23] (Intuit Inc.)
    2 PanInstaller; C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe [234824 2011-04-12] ()
    2 PanService; C:\Program Files\Palo Alto Networks\Pan Connect\PanService.exe [947528 2011-04-12] (Palo Alto Networks)
    4 SwitchBoard; "C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [517096 2010-02-19] (Adobe Systems Incorporated)
    3 EhttpSrv; C:\Run\Tools\ESET\EHttpSrv.exe [x]
    2 ekrn; C:\Run\Tools\ESET\ekrn.exe [x]
    2 Hamachi2Svc; C:\Run\Tools\Internet\Hamachi\hamachi-2.exe -s [x]
    4 NitroReaderDriverReadSpool; C:\Run\Internet\Nitro\NitroPDFReaderDriverService.exe [x]
    3 SbieSvc; "C:\Run\Tools\Sandboxie\SbieSvc.exe" [x]
    2 SBSDWSCService; C:\Run\Tools\Spybot\SDWinSec.exe [x]
    4 WMPControllerService; "C:\Dell\Utilities\Dell Premium Remote Control\WMPControllerService.exe" [x]

    ========================== Drivers (Whitelisted) =============

    3 afcdp; C:\Windows\System32\DRIVERS\afcdp.sys [167968 2011-05-25] (Acronis)
    3 BTWAMPFL; C:\Windows\System32\DRIVERS\btwampfl.sys [522280 2012-02-27] (Broadcom Corporation.)
    1 ctxusbm; C:\Windows\System32\DRIVERS\ctxusbm.sys [66776 2011-08-10] (Citrix Systems, Inc.)
    2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [137144 2010-12-21] (ESET)
    1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [115008 2010-12-21] (ESET)
    2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [134000 2010-12-21] (ESET)
    3 Epfwndis; C:\Windows\System32\DRIVERS\Epfwndis.sys [33120 2010-12-21] (ESET)
    2 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [41336 2010-12-21] (ESET)
    3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)
    3 motandroidusb; C:\Windows\System32\Drivers\motoandroid.sys [25856 2009-07-10] (Motorola)
    3 MotDev; C:\Windows\System32\DRIVERS\motodrv.sys [42752 2009-05-08] (Motorola Inc)
    3 PanSvd; C:\Windows\System32\DRIVERS\pansvd.sys [27136 2011-04-12] (Palo Alto Networks)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [473656 2012-03-03] (Duplex Secure Ltd.)
    0 tdrpman273; C:\Windows\System32\DRIVERS\tdrpm273.sys [752128 2011-05-25] (Acronis)
    0 timounter; C:\Windows\System32\DRIVERS\timntr.sys [600928 2011-05-25] (Acronis)
    1 truecrypt; C:\Windows\System32\drivers\truecrypt.sys [231248 2011-05-25] (TrueCrypt Foundation)
    3 WSDScan; C:\Windows\System32\DRIVERS\WSDScan.sys [20480 2009-07-13] (Microsoft Corporation)
    3 yukonw7; C:\Windows\System32\DRIVERS\yk62x86.sys [315392 2009-09-28] ()
    3 SbieDrv; \??\D:\Run\Tools\Sandboxie\SbieDrv.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-09 01:04 - 2012-07-09 01:04 - 00000000 ____D C:\FRST
    2012-07-08 21:09 - 2011-05-25 00:16 - 00434608 ____A C:\Windows\System32\Drivers\etc\hosts.20120708-220900.backup
    2012-07-08 20:35 - 2012-07-08 20:35 - 00001967 ____A C:\Users\Public\Desktop\Canon IJ Network Tool.lnk
    2012-07-08 20:35 - 2012-07-08 20:35 - 00000000 ____D C:\Program Files\Canon
    2012-07-08 20:35 - 2011-01-06 12:08 - 01310720 ____A (CANON INC.) C:\Windows\System32\CNC870C.dll
    2012-07-08 20:35 - 2011-01-06 12:08 - 00110592 ____A (CANON INC.) C:\Windows\System32\CNC870I.dll
    2012-07-08 20:35 - 2011-01-06 12:07 - 00102400 ____A (CANON INC.) C:\Windows\System32\CNC870U.dll
    2012-07-08 20:35 - 2009-10-19 15:29 - 00307200 ____A (CANON INC.) C:\Windows\System32\CNC870L.dll
    2012-07-08 20:35 - 2009-06-26 09:45 - 00015360 ____A C:\Windows\System32\CNC1743D.TBL
    2012-07-08 20:35 - 2008-08-25 17:02 - 00015872 ____A (CANON INC.) C:\Windows\System32\CNHMCA.dll
    2012-07-08 20:33 - 2012-07-08 20:33 - 00000000 ___HD C:\Program Files\CanonBJ
    2012-07-08 20:33 - 2012-07-08 20:33 - 00000000 ____D C:\Windows\System32\STRING
    2012-07-08 20:33 - 2012-07-08 20:33 - 00000000 ____D C:\Windows\System32\CHM
    2012-07-08 20:33 - 2009-10-09 14:01 - 00354816 ____A (CANON INC.) C:\Windows\System32\CNMNPPM.DLL
    2012-07-08 20:33 - 2009-10-09 14:01 - 00137216 ____A (CANON INC.) C:\Windows\System32\CNMNPUI.DLL
    2012-06-28 20:00 - 2009-03-18 16:35 - 00026176 ___AH (LogMeIn, Inc.) C:\Windows\System32\hamachi.sys
    2012-06-26 21:58 - 2012-06-26 21:58 - 00000000 ____D C:\Program Files\Common Files\Java
    2012-06-26 21:57 - 2012-06-26 21:57 - 00000000 ____D C:\Program Files\Oracle
    2012-06-26 21:57 - 2012-05-04 18:29 - 00772504 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
    2012-06-26 21:57 - 2012-05-04 18:29 - 00227720 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
    2012-06-26 21:55 - 2012-06-26 21:55 - 00000000 ____D C:\Users\All Users\McAfee
    2012-06-21 10:14 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-21 10:14 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-21 10:14 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-21 10:14 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-21 10:14 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-21 10:14 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-21 10:14 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-21 10:14 - 2012-06-02 12:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-21 10:14 - 2012-06-02 12:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-18 22:50 - 2012-06-18 22:50 - 00000000 ____D C:\Users\All Users\Apple
    2012-06-18 11:15 - 2012-05-15 01:28 - 03931456 ____A (NVIDIA Corporation) C:\Windows\System32\nvcpl.dll
    2012-06-18 11:15 - 2012-05-15 01:28 - 02561344 ____A (NVIDIA Corporation) C:\Windows\System32\nvsvcr.dll
    2012-06-18 11:15 - 2012-05-15 01:28 - 00645440 ____A (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    2012-06-18 11:15 - 2012-05-15 01:28 - 00108352 ____A (NVIDIA Corporation) C:\Windows\System32\nvmctray.dll
    2012-06-18 11:15 - 2012-05-15 01:28 - 00062272 ____A (NVIDIA Corporation) C:\Windows\System32\nvshext.dll
    2012-06-18 11:15 - 2012-05-15 01:27 - 02759488 ____A (NVIDIA Corporation) C:\Windows\System32\nvsvc.dll
    2012-06-18 11:11 - 2012-05-15 02:26 - 19607872 ____A (NVIDIA Corporation) C:\Windows\System32\nvoglv32.dll
    2012-06-18 11:11 - 2012-05-15 02:26 - 17551680 ____A (NVIDIA Corporation) C:\Windows\System32\nvcompiler.dll
    2012-06-18 11:11 - 2012-05-15 02:26 - 11354944 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvlddmkm.sys
    2012-06-18 11:11 - 2012-05-15 02:26 - 08105280 ____A (NVIDIA Corporation) C:\Windows\System32\nvwgf2um.dll
    2012-06-18 11:11 - 2012-05-15 02:26 - 05982528 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuda.dll
    2012-06-18 11:11 - 2012-05-15 02:26 - 02524992 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvid.dll
    2012-06-18 11:11 - 2012-05-15 02:26 - 02445120 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvenc.dll
    2012-06-18 11:11 - 2012-05-15 02:26 - 02368832 ____A (NVIDIA Corporation) C:\Windows\System32\nvapi.dll
    2012-06-18 11:11 - 2012-05-15 02:26 - 01000768 ____A (NVIDIA Corporation) C:\Windows\System32\nvdispco32.dll
    2012-06-18 11:11 - 2012-05-15 02:26 - 00883008 ____A (NVIDIA Corporation) C:\Windows\System32\nvgenco32.dll
    2012-06-18 11:11 - 2012-05-15 02:26 - 00011190 ____A C:\Windows\System32\nvinfo.pb
    2012-06-18 11:10 - 2012-06-18 11:10 - 00000000 ____D C:\NVIDIA
    2012-06-18 10:57 - 2012-06-18 11:15 - 00000000 ____D C:\Users\All Users\NVIDIA
    2012-06-18 10:47 - 2012-07-08 21:00 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
    2012-06-18 10:47 - 2012-06-18 11:21 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    2012-06-18 10:46 - 2012-06-21 12:19 - 00000000 ____D C:\Users\All Users\PCDr
    2012-06-18 10:46 - 2012-06-18 10:46 - 00000000 ____D C:\Users\All Users\Dell
    2012-06-18 10:45 - 2012-06-18 10:47 - 00000000 ____D C:\Program Files\Dell Support Center
    2012-06-18 10:32 - 2012-06-18 10:32 - 00103784 ____A C:\Users\Bosh\GoToAssistDownloadHelper.exe

    ============ 3 Months Modified Files ========================

    2012-07-09 00:00 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-09 00:00 - 2009-07-13 20:39 - 00089065 ____A C:\Windows\setupact.log
    2012-07-08 23:20 - 2011-05-25 00:18 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2537561138-1596547413-242098265-1000UA.job
    2012-07-08 22:44 - 2011-05-25 00:01 - 01683143 ____A C:\Windows\WindowsUpdate.log
    2012-07-08 21:20 - 2011-05-25 00:18 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2537561138-1596547413-242098265-1000Core.job
    2012-07-08 21:08 - 2009-07-13 20:34 - 00013808 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-08 21:08 - 2009-07-13 20:34 - 00013808 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-08 21:07 - 2011-05-25 00:04 - 00782748 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-08 21:00 - 2012-06-18 10:47 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
    2012-07-08 20:35 - 2012-07-08 20:35 - 00001967 ____A C:\Users\Public\Desktop\Canon IJ Network Tool.lnk
    2012-06-26 21:56 - 2011-07-15 16:57 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
    2012-06-26 21:56 - 2011-07-15 16:57 - 00174064 ____A (Oracle Corporation) C:\Windows\System32\java.exe
    2012-06-20 11:54 - 2011-05-25 00:54 - 00028352 ____A C:\Windows\PFRO.log
    2012-06-18 11:21 - 2012-06-18 10:47 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    2012-06-18 10:32 - 2012-06-18 10:32 - 00103784 ____A C:\Users\Bosh\GoToAssistDownloadHelper.exe
    2012-06-05 10:05 - 2009-07-13 20:33 - 04307016 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-02 14:19 - 2012-06-21 10:14 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 10:14 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 10:14 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 10:14 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 10:14 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-21 10:14 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-21 10:14 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 12:19 - 2012-06-21 10:14 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 12:12 - 2012-06-21 10:14 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-22 11:34 - 2012-05-22 11:34 - 00060304 ____A C:\Users\Bosh\g2mdlhlpx.exe
    2012-05-15 02:26 - 2012-06-18 11:11 - 19607872 ____A (NVIDIA Corporation) C:\Windows\System32\nvoglv32.dll
    2012-05-15 02:26 - 2012-06-18 11:11 - 17551680 ____A (NVIDIA Corporation) C:\Windows\System32\nvcompiler.dll
    2012-05-15 02:26 - 2012-06-18 11:11 - 11354944 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvlddmkm.sys
    2012-05-15 02:26 - 2012-06-18 11:11 - 08105280 ____A (NVIDIA Corporation) C:\Windows\System32\nvwgf2um.dll
    2012-05-15 02:26 - 2012-06-18 11:11 - 05982528 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuda.dll
    2012-05-15 02:26 - 2012-06-18 11:11 - 02524992 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvid.dll
    2012-05-15 02:26 - 2012-06-18 11:11 - 02445120 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvenc.dll
    2012-05-15 02:26 - 2012-06-18 11:11 - 02368832 ____A (NVIDIA Corporation) C:\Windows\System32\nvapi.dll
    2012-05-15 02:26 - 2012-06-18 11:11 - 01000768 ____A (NVIDIA Corporation) C:\Windows\System32\nvdispco32.dll
    2012-05-15 02:26 - 2012-06-18 11:11 - 00883008 ____A (NVIDIA Corporation) C:\Windows\System32\nvgenco32.dll
    2012-05-15 02:26 - 2012-06-18 11:11 - 00011190 ____A C:\Windows\System32\nvinfo.pb
    2012-05-15 02:26 - 2010-10-17 00:55 - 15322432 ____A (NVIDIA Corporation) C:\Windows\System32\nvd3dum.dll
    2012-05-15 02:26 - 2010-10-17 00:55 - 00061248 ____A (Khronos Group) C:\Windows\System32\OpenCL.dll
    2012-05-15 01:28 - 2012-06-18 11:15 - 03931456 ____A (NVIDIA Corporation) C:\Windows\System32\nvcpl.dll
    2012-05-15 01:28 - 2012-06-18 11:15 - 02561344 ____A (NVIDIA Corporation) C:\Windows\System32\nvsvcr.dll
    2012-05-15 01:28 - 2012-06-18 11:15 - 00645440 ____A (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    2012-05-15 01:28 - 2012-06-18 11:15 - 00108352 ____A (NVIDIA Corporation) C:\Windows\System32\nvmctray.dll
    2012-05-15 01:28 - 2012-06-18 11:15 - 00062272 ____A (NVIDIA Corporation) C:\Windows\System32\nvshext.dll
    2012-05-15 01:27 - 2012-06-18 11:15 - 02759488 ____A (NVIDIA Corporation) C:\Windows\System32\nvsvc.dll
    2012-05-04 18:29 - 2012-06-26 21:57 - 00772504 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
    2012-05-04 18:29 - 2012-06-26 21:57 - 00227720 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
    2012-05-04 18:29 - 2011-07-15 16:57 - 00687504 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
    2012-04-26 19:08 - 2011-05-25 00:27 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-04-17 18:55 - 2011-05-25 00:12 - 00100944 ____A C:\Users\Bosh\AppData\Local\GDIPFONTCACHEV1.DAT

    ZeroAccess:
    C:\Windows\Installer\{72c25dc5-dc4e-ca0f-08b4-af45d073eab5}
    C:\Windows\Installer\{72c25dc5-dc4e-ca0f-08b4-af45d073eab5}\@
    C:\Windows\Installer\{72c25dc5-dc4e-ca0f-08b4-af45d073eab5}\L
    C:\Windows\Installer\{72c25dc5-dc4e-ca0f-08b4-af45d073eab5}\U
    C:\Windows\Installer\{72c25dc5-dc4e-ca0f-08b4-af45d073eab5}\U\00000001.@
    C:\Windows\Installer\{72c25dc5-dc4e-ca0f-08b4-af45d073eab5}\U\800000cb.@

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 12%
    Total physical RAM: 4094.06 MB
    Available physical RAM: 3570.16 MB
    Total Pagefile: 4092.34 MB
    Available Pagefile: 3572.94 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1968.73 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:50.04 GB) (Free:12.84 GB) NTFS
    3 Drive f: (Data) (Fixed) (Total:350 GB) (Free:34.72 GB) NTFS
    4 Drive g: (GRMCPRFRER_EN_DVD) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
    5 Drive h: () (Removable) (Total:15.11 GB) (Free:15.1 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 1024 KB
    Disk 1 Online 15 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 50 GB 101 MB
    Partition 3 Primary 350 GB 50 GB
    Partition 0 Extended 65 GB 400 GB
    Partition 4 Logical 65 GB 400 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 50 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F Data NTFS Partition 350 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 4
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 D RAW Partition 65 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 15 GB 31 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 H FAT32 Removable 15 GB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-07 23:38

    ======================= End Of Log ==========================
     
  2. Antij

    DDS with Attach.txt

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
    Run by Bosh at 1:51:26 on 2012-07-09
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3582.1632 [GMT -7:00]
    .
    AV: ESET Smart Security 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET Smart Security 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\aestsrv.exe
    C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    D:\Run\Tools\ESET\ekrn.exe
    D:\Run\Tools\Internet\Hamachi\hamachi-2.exe
    C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe
    C:\Program Files\Palo Alto Networks\Pan Connect\PanService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    D:\Run\Tools\ESET\egui.exe
    D:\Run\Tools\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
    D:\Run\Internet\BOINC\boincmgr.exe
    D:\Run\Internet\BOINC\boinctray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    D:\Run\Tools\Internet\Hamachi\hamachi-2-ui.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    D:\Run\Tools\Spybot\TeaTimer.exe
    C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe
    D:\Run\Tools\TC\TrueCrypt.exe
    C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    D:\Users\Bosh\AppData\Local\Google\Chrome\Application\chrome.exe
    D:\Run\Tools\DAEMON Tools Pro\DTLite.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    D:\Users\Bosh\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Windows\system32\SearchIndexer.exe
    D:\Run\Internet\BOINC\boinc.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    C:\Windows\system32\SearchProtocolHost.exe
    D:\Run\Internet\BOINC\data\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86
    D:\Run\Internet\BOINC\data\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Run\Internet\Pidgin\pidgin.exe
    I:\3qe6v5bk.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://www.google.com/
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
    uRun: [SpybotSD TeaTimer] d:\run\tools\spybot\TeaTimer.exe
    uRun: [TrueCrypt] "d:\run\tools\tc\TrueCrypt.exe" /q preferences /a logon /a favorites
    uRun: [MusicManager] "d:\users\bosh\appdata\local\programs\google\musicmanager\MusicManager.exe"
    uRun: [Google Update] "d:\users\bosh\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
    uRun: [306E1B8E2C99E83119C42FCB48AAF71FCAC5BD78._service_run] "d:\users\bosh\appdata\local\google\chrome\application\chrome.exe" --type=service
    uRun: [DAEMON Tools Lite] "d:\run\tools\daemon tools pro\DTLite.exe" -autorun
    uRun: [iCloudServices] d:\run\internet\icloud\iCloudServices.exe
    uRun: [ApplePhotoStreams] d:\run\internet\icloud\ApplePhotoStreams.exe
    uRun: [com.apple.dav.bookmarks.daemon] d:\run\internet\icloud\BookmarkDAV_client.exe
    mRun: [egui] "d:\run\tools\eset\egui.exe" /hide /waitservice
    mRun: [UnlockerAssistant] "d:\run\tools\unlocker\UnlockerAssistant.exe"
    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [boincmgr] "d:\run\internet\boinc\boincmgr.exe" /a /s
    mRun: [boinctray] "d:\run\internet\boinc\boinctray.exe"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [LogMeIn Hamachi Ui] "d:\run\tools\internet\hamachi\hamachi-2-ui.exe" --auto-start
    mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
    StartupFolder: d:\users\bosh\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - d:\users\bosh\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: d:\users\bosh\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    mPolicies-system: DisableCAD = 1 (0x1)
    mPolicies-system: EnableLinkedConnections = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.
    Trusted Zone: intuit.com\ttlc
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
    TCP: Interfaces\{EE415505-B6F6-434A-907F-8DAFFCB30C24} : DhcpNameServer = 192.168.1.1 68.238.64.12
    TCP: Interfaces\{EE415505-B6F6-434A-907F-8DAFFCB30C24}\2456C6B696E6F5052756D2E4F5135383435363 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{EE415505-B6F6-434A-907F-8DAFFCB30C24}\4414E4A594742333 : DhcpNameServer = 192.168.1.1 68.238.64.12
    TCP: Interfaces\{EE415505-B6F6-434A-907F-8DAFFCB30C24}\449414055524C4943475946494 : DhcpNameServer = 205.171.2.65 205.171.3.65
    TCP: Interfaces\{EE415505-B6F6-434A-907F-8DAFFCB30C24}\76F676F696E666C696768647 : DhcpNameServer = 172.19.134.2
    Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
    Notify: psfus - c:\windows\system32\psqlpwd.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
    LSA: Notification Packages = scecli psqlpwd c:\program files\widcomm\bluetooth software\BtwProximityCP.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - d:\users\bosh\appdata\roaming\mozilla\firefox\profiles\gaccxglw.default\
    FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
    FF - plugin: d:\run\create\npPicasa3.dll
    FF - plugin: d:\run\entertainment\vlc\npvlc.dll
    FF - plugin: d:\run\internet\firefaux\plugins\np-mswmp.dll
    FF - plugin: d:\run\tools\java\bin\new_plugin\npdeployJava1.dll
    FF - plugin: d:\run\tools\java\bin\new_plugin\npjp2.dll
    FF - plugin: d:\users\bosh\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2011-5-25 752128]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-8-10 66776]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_24288096a5cd99f6\AEstSrv.exe [2012-2-15 73728]
    R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-5-25 3246040]
    R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-12-21 137144]
    R2 ekrn;ESET Service;d:\run\tools\eset\ekrn.exe [2011-1-12 810144]
    R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;d:\run\tools\internet\hamachi\hamachi-2.exe -s --> d:\run\tools\internet\hamachi\hamachi-2.exe -s [?]
    R2 PanInstaller;PanInstaller;c:\program files\palo alto networks\pan connect\PanInstaller.exe [2011-4-12 234824]
    R2 PanService;PanService;c:\program files\palo alto networks\pan connect\PanService.exe [2011-4-12 947528]
    R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-5-25 167968]
    R3 BTWAMPFL;BTWAMPFL;c:\windows\system32\drivers\btwampfl.sys [2012-1-10 522280]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2012-2-27 33832]
    R3 PanSvd;Pan Virtual Miniport;c:\windows\system32\drivers\pansvd.sys [2011-4-12 27136]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2010-12-21 41336]
    S2 SBSDWSCService;SBSD Security Center Service;d:\run\tools\spybot\SDWinSec.exe [2011-5-25 1153368]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2009-1-29 6016]
    S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
    S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2011-4-4 20480]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-8 42752]
    S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-4-1 23424]
    S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2011-2-7 11008]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 SbieDrv;SbieDrv;d:\run\tools\sandboxie\SbieDrv.sys [2012-2-7 133392]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-25 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-25 1343400]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
    S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
    S4 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;d:\run\internet\nitro\NitroPDFReaderDriverService.exe [2010-9-30 196912]
    S4 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S4 WMPControllerService;WMPControllerService;"c:\dell\utilities\dell premium remote control\wmpcontrollerservice.exe" --> c:\dell\utilities\dell premium remote control\WMPControllerService.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-07-09 09:04:20  --------  d-----w-  C:\FRST
    2012-07-09 04:35:09  --------  d-----w-  c:\program files\Canon
    2012-07-09 04:35:07  307200  ----a-w-  c:\windows\system32\CNC870L.dll
    2012-07-09 04:35:07  15872  ----a-w-  c:\windows\system32\CNHMCA.dll
    2012-07-09 04:35:07  1310720  ----a-w-  c:\windows\system32\CNC870C.dll
    2012-07-09 04:35:07  110592  ----a-w-  c:\windows\system32\CNC870I.dll
    2012-07-09 04:35:07  102400  ----a-w-  c:\windows\system32\CNC870U.dll
    2012-07-09 04:33:52  354816  ----a-w-  c:\windows\system32\CNMNPPM.DLL
    2012-07-09 04:33:52  137216  ----a-w-  c:\windows\system32\CNMNPUI.DLL
    2012-07-09 04:33:52  --------  d-----w-  c:\windows\system32\STRING
    2012-07-09 04:33:52  --------  d-----w-  c:\windows\system32\CHM
    2012-06-29 04:00:41  26176  ---ha-w-  c:\windows\system32\hamachi.sys
    2012-06-27 05:57:32  --------  d-----w-  c:\program files\Oracle
    2012-06-27 05:57:06  772504  ----a-w-  c:\windows\system32\npDeployJava1.dll
    2012-06-21 18:14:50  2422272  ----a-w-  c:\windows\system32\wucltux.dll
    2012-06-21 18:14:43  88576  ----a-w-  c:\windows\system32\wudriver.dll
    2012-06-21 18:14:36  33792  ----a-w-  c:\windows\system32\wuapp.exe
    2012-06-21 18:14:36  171904  ----a-w-  c:\windows\system32\wuwebv.dll
    2012-06-19 10:36:49  6762896  ----a-w-  c:\programdata\microsoft\windows defender\definition updates\{5e19f662-7201-4466-ad15-d253f1dcbd58}\mpengine.dll
    2012-06-19 07:01:23  --------  d-----w-  d:\users\bosh\appdata\local\Apple Computer
    2012-06-18 19:46:07  --------  d-----w-  d:\users\bosh\appdata\roaming\NVIDIA
    2012-06-18 19:15:15  645440  ----a-w-  c:\windows\system32\nvvsvc.exe
    2012-06-18 19:15:15  62272  ----a-w-  c:\windows\system32\nvshext.dll
    2012-06-18 19:15:15  3931456  ----a-w-  c:\windows\system32\nvcpl.dll
    2012-06-18 19:15:15  2759488  ----a-w-  c:\windows\system32\nvsvc.dll
    2012-06-18 19:15:15  2561344  ----a-w-  c:\windows\system32\nvsvcr.dll
    2012-06-18 19:15:15  108352  ----a-w-  c:\windows\system32\nvmctray.dll
    2012-06-18 19:11:49  883008  ----a-w-  c:\windows\system32\nvgenco32.dll
    2012-06-18 19:11:49  8105280  ----a-w-  c:\windows\system32\nvwgf2um.dll
    2012-06-18 19:11:49  5982528  ----a-w-  c:\windows\system32\nvcuda.dll
    2012-06-18 19:11:49  2524992  ----a-w-  c:\windows\system32\nvcuvid.dll
    2012-06-18 19:11:49  2445120  ----a-w-  c:\windows\system32\nvcuvenc.dll
    2012-06-18 19:11:49  19607872  ----a-w-  c:\windows\system32\nvoglv32.dll
    2012-06-18 19:11:49  11354944  ----a-w-  c:\windows\system32\drivers\nvlddmkm.sys
    2012-06-18 19:11:49  1000768  ----a-w-  c:\windows\system32\nvdispco32.dll
    2012-06-18 19:11:48  2368832  ----a-w-  c:\windows\system32\nvapi.dll
    2012-06-18 19:11:48  17551680  ----a-w-  c:\windows\system32\nvcompiler.dll
    2012-06-18 19:10:56  --------  d-----w-  C:\NVIDIA
    2012-06-18 18:46:59  --------  d-----w-  d:\users\bosh\appdata\roaming\Dell
    2012-06-18 18:46:51  --------  d-----w-  c:\programdata\PCDr
    2012-06-18 18:45:56  --------  d-----w-  c:\program files\Dell Support Center
    2012-06-18 18:43:36  --------  d-----w-  d:\users\bosh\appdata\roaming\PCDr
    2012-06-18 18:32:19  103784  ----a-w-  c:\users\bosh\GoToAssistDownloadHelper.exe
    .
    ==================== Find3M ====================
    .
    2012-05-22 19:34:51  60304  ----a-w-  c:\users\bosh\g2mdlhlpx.exe
    2012-05-15 10:26:00  61248  ----a-w-  c:\windows\system32\OpenCL.dll
    2012-05-15 10:26:00  15322432  ----a-w-  c:\windows\system32\nvd3dum.dll
    2012-05-05 02:29:16  687504  ----a-w-  c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 1:52:32.14 ===============
     
  3. Antij

    Antij TS Rookie Topic Starter Posts: 22

    Attach.txt. Malwarebytes reported nothing, but it was 91 days out of date and I couldn't update because of no internet connection on that computer.
     


  4. Antij

    Antij TS Rookie Topic Starter Posts: 22

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-07-09 03:43:21
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 ST95005620AS rev.SD24
    Running: 3qe6v5bk.exe; Driver: C:\Temp\pxldqpow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8304F3C9 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83088D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x8CB9C089]
    PAGE PCIIDEX.SYS!DllUnload 8CC7E606 5 Bytes JMP 86BB01C8
    .text USBPORT.SYS!DllUnload 9308BDB9 5 Bytes JMP 85F4B410
    .text ae8eljdw.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 9315A900 48 Bytes [03, 0D, 5D, 56, 1F, 54, F7, ...]
    ? C:\Windows\System32\Drivers\ae8eljdw.SYS suspicious PE modification
    ? C:\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    ? C:\Windows\system32\services.exe[872] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: MSWSOCK.dll
    .text D:\Run\Tools\ESET\ekrn.exe[2096] kernel32.dll!SetUnhandledExceptionFilter 76D2F4FB 4 Bytes [C2, 04, 00, 00]
    .text C:\Windows\Explorer.EXE[3524] SHELL32.dll!SHFileOperationW 76F396AE 5 Bytes JMP 04401102 D:\Run\Tools\Unlocker\UnlockerHook.dll

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8CA89730] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8CA89F12] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [8CA8A232] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8CA8A0F0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8CA89914] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 51EC8B55
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 8B565351
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] FF560875
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] C0510815
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] 85D88B00
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] C2840FDB
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 57000000
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] 0068406A
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] FF000010
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 006A5073
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] 508415FF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] F88B00C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 85FC7D89
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] 9E840FFF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 8B000000
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] A4F3544B
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtFlushKey] 1443B70F
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 0653B70F
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 1818448D
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] 8B0CC083
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareMemory] 08758B08
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeviceIoControlFile] 03FC7D8B
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] 8BF903F1
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] C083FC48
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] A4F34A28
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 758BE975
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 443D8BFC
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 2B00C051
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 458D0875
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] 056A50F8
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] 75FF016A
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] 85D7FFFC
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] EB2574C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] 04488B1D
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 56F84D29
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] 8B08508D
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] FC450300
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 52F8C183
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] 5051E9D1
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] 514015FF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] 7D8300C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] DD7500F8
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 50F8458D
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 016A016A
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FFFC75FF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] 74C085D7
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 0C488D20
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] C085018B
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] F18B1774
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] 03FC4D8B
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] 15FF50C1
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] [00C05080] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8B14C683
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] [75C08506] C:\Windows\system32\SCESRV.dll (Windows Security Configuration Editor Engine/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] FC458BEB
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] C95B5E5F
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] 560004C2
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] 7140BF57
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 8B5700C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] 7C15FFF1
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 6A00C050
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 3C83580F
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] C0715885
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindSetBits] 09740000
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInterlockedSetBitRun] 8548C88B
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] EBEF75C9
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] 85348907
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] [00C07158] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 3415FF57
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] 5F00C050
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] 5756C35E
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] C07140BF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] F18B5700
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 507C15FF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] 0F6A00C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 85343958
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] [00C07158] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] C88B0974
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSerializeBoot] 75C98548
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 8308EBF0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] 71588524
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 570000C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 503415FF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 5E5F00C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 800068C3
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 006A0000
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] 7815FF51
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 5000C050
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 513C15FF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 55C300C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] 5351EC8B
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 35FF5756
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] [00C07198] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 513815FF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 8D5900C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!TpReleaseWork] E8400044
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!TpPostWork] 00002B4C
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocWork] 75FFFC8B
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] FC7D8908
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 719835FF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] EC6800C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] 5700C053
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 513415FF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] DB3300C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] 3910C483
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 6E7D085D
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] FFF63357
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] C0507415
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] 85F88B00
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] 8D3774FF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 6A500845
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] FF575602
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] C0513015
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 7CC08500
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] FF556A25
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] 15FFFC75
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!TpSetPoolMinThreads] [00C0512C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] C9335959
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] 08896657
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] FFFE1FE8
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 85D88BFF
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 8B0774DB
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] F72B0875
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] FF57F303
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] C0507015
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] 74F68500
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] FC4D8B53
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] C07084BA
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] 85D6FF00
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 684575C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] 00008000
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] 15FF5350
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] [00C05078] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] 5D3936EB
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] BB31740C
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] [00C07140] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] 7C15FF53
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] BE00C050
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] [00C07194] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] C085068B
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocAlpcCompletion] 4D8B0774
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocPool] FFD78B08
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] 83C68BD0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] 583D04EE
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] 7500C071
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 15FF53E7
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] [00C05034] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] 5FF0658D
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] C2C95B5E
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 8B550008
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] B8EC81EC
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 53000008
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] 0B6A5756
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsnicmp] 5420BE59
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] BD8D00C0
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] FFFFFF4C
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 526AA5F3
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] 858DFF33
    IAT C:\Windows\system32\services.exe[872] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] FFFFFF78
    IAT C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe[2304] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75DCFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe[2304] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75DCFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe[2304] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75DCFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe[2304] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75DCFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe[2304] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75DCFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe[2304] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75DCFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75DCFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3428] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75DCFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3428] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75DCFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3428] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75DCFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device 86BB51E8
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice tdrpm273.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

    Device 8AD6C1E8
    Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
    Device 89E421E8
    Device udfs.sys (UDF File System Driver/Microsoft Corporation)
    Device \Driver\NetBT \Device\NetBT_Tcpip_{99FC05CD-F391-4677-B30C-F534C5852BD5} 870AD1E8
    Device \Driver\BTHUSB \Device\0000008e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\NetBT \Device\NetBT_Tcpip_{EE415505-B6F6-434A-907F-8DAFFCB30C24} 870AD1E8
    Device 85F47430
    Device 87152430
    Device \Driver\ACPI_HAL \Device\00000061 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
    Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
    Device \Driver\NetBT \Device\NetBT_Tcpip_{337D7D88-22C5-4988-BCE9-14B2D752F9F9} 870AD1E8
    Device volmgr.sys (Volume Manager Driver/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device usbhub.sys (Default Hub Driver for USB/Microsoft Corporation)
    Device \Driver\cdrom \Device\CdRom0 86EAC1E8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 86BB21E8
    Device \Driver\atapi \Device\Ide\IdePort0 86BB21E8
    Device \Driver\atapi \Device\Ide\IdePort1 86BB21E8
    Device \Driver\atapi \Device\Ide\IdePort2 86BB21E8
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 86BB21E8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpm273.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\cdrom \Device\CdRom1 86EAC1E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{EDECBA8B-4F6B-4849-9972-B6F82D2B25B7} 870AD1E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{74EBBAC0-9843-436F-8963-CB0C14693055} 870AD1E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 870AD1E8
    Device \Driver\USBSTOR \Device\000000a9 89E411E8
    Device \Driver\USBSTOR \Device\000000aa 89E411E8
    Device \Driver\usbuhci \Device\USBFDO-0 85F47430
    Device \Driver\usbuhci \Device\USBFDO-1 85F47430
    Device \Driver\PCI_PNP1396 \Device\0000006e sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
    Device \Driver\PCI_PNP1396 \Device\0000006e sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
    Device \Driver\usbehci \Device\USBFDO-2 87152430
    Device \Driver\usbuhci \Device\USBFDO-3 85F47430
    Device \Driver\NetBT \Device\NetBT_Tcpip_{2DFA2D49-8F47-478B-B8A0-DE33CE680E91} 870AD1E8
    Device \Driver\usbuhci \Device\USBFDO-4 85F47430
    Device \Driver\usbuhci \Device\USBFDO-5 85F47430
    Device \Driver\usbehci \Device\USBFDO-6 87152430
    Device \Driver\BTHUSB \Device\0000008c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\ae8eljdw \Device\Scsi\ae8eljdw1 873F21E8
    Device \Driver\ae8eljdw \Device\Scsi\ae8eljdw1Port3Path0Target0Lun0 873F21E8

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272ac537c
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272ac537c@001f8229b3ed 0x35 0x68 0x5F 0xE7 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272ac537c@001f8229a96b 0x47 0x9A 0x0F 0x80 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9e6351f
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9e6351f@40fc890889e2 0x00 0x09 0x6B 0xF0 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9e6351f@001f8229a96b 0xB8 0xF0 0x55 0x5B ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDE 0x41 0x55 0x06 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Run\Tools\DAEMON Tools Pro\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAD 0x7F 0xCE 0x13 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAA 0xDD 0x37 0xF3 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272ac537c (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272ac537c@001f8229b3ed 0x35 0x68 0x5F 0xE7 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272ac537c@001f8229a96b 0x47 0x9A 0x0F 0x80 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9e6351f (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9e6351f@40fc890889e2 0x00 0x09 0x6B 0xF0 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9e6351f@001f8229a96b 0xB8 0xF0 0x55 0x5B ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDE 0x41 0x55 0x06 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Run\Tools\DAEMON Tools Pro\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAD 0x7F 0xCE 0x13 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAA 0xDD 0x37 0xF3 ...

    ---- EOF - GMER 1.0.15 ----
     
  5. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================

    Please observe forum rules:
    So please paste the Attach.txt log.

    =======================================

    Next...

    In Vista or Windows 7: Boot to System Recovery Options and run FRST.
    In Windows XP: Please boot to UBCD and run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes to your reply.
     
  6. Antij

    Antij TS Rookie Topic Starter Posts: 22

    Ok. Attach.txt first. Farbar as soon as it's done.

    .---------------------
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/25/2011 1:00:58 AM
    System Uptime: 7/9/2012 1:06:23 AM (0 hours ago)
    .
    Motherboard: Dell Inc. | |
    Processor: Intel(R) Core(TM)2 Duo CPU T9300 @ 2.50GHz | Microprocessor | 2501/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 50 GiB total, 12.711 GiB free.
    D: is FIXED (NTFS) - 350 GiB total, 34.712 GiB free.
    F: is CDROM (UDF)
    G: is CDROM ()
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description:
    Device ID: USB\VID_413C&PID_8145\5&2F6E3144&0&4
    Manufacturer:
    Name:
    PNP Device ID: USB\VID_413C&PID_8145\5&2F6E3144&0&4
    Service:
    .
    Class GUID:
    Description: Bluetooth Peripheral Device
    Device ID: BTHENUM\{453994D5-D58B-96F9-6616-B37F586BA2EC}_VID&00010008_PID&B008\8&34A8C67B&0&40FC890889E2_C00000000
    Manufacturer:
    Name: Bluetooth Peripheral Device
    PNP Device ID: BTHENUM\{453994D5-D58B-96F9-6616-B37F586BA2EC}_VID&00010008_PID&B008\8&34A8C67B&0&40FC890889E2_C00000000
    Service:
    .
    Class GUID:
    Description: Bluetooth Peripheral Device
    Device ID: BTHENUM\{936DA01F-9ABD-4D9D-80C7-02AF85C822A8}_VID&00010008_PID&B008\8&34A8C67B&0&40FC890889E2_C00000000
    Manufacturer:
    Name: Bluetooth Peripheral Device
    PNP Device ID: BTHENUM\{936DA01F-9ABD-4D9D-80C7-02AF85C822A8}_VID&00010008_PID&B008\8&34A8C67B&0&40FC890889E2_C00000000
    Service:
    .
    ==== System Restore Points ===================
    .
    RP111: 5/25/2012 10:59:20 AM - Scheduled Checkpoint
    RP112: 6/1/2012 11:42:14 PM - Scheduled Checkpoint
    RP113: 6/5/2012 10:31:50 AM - Windows Update
    RP114: 6/5/2012 11:08:11 AM - Windows Update
    RP115: 6/5/2012 11:10:14 AM - Windows Update
    RP116: 6/14/2012 3:50:56 AM - Scheduled Checkpoint
    RP117: 6/18/2012 11:45:10 AM - Installed Dell Support Center
    RP118: 6/18/2012 11:54:54 PM - Installed iCloud
    RP119: 6/19/2012 3:35:57 AM - Windows Update
    RP120: 6/21/2012 11:14:23 AM - Windows Update
    RP121: 6/26/2012 10:56:05 PM - Installed Java(TM) 7 Update 5
    RP122: 6/26/2012 10:57:15 PM - Installed JavaFX 2.1.1
    RP123: 7/4/2012 5:47:35 AM - Scheduled Checkpoint
    RP124: 7/9/2012 12:15:26 AM - Removed Apple Application Support
    .
    ==== Installed Programs ======================
    .
    .
    µTorrent
    7-Zip 9.20
    Acronis True Image Home 2011
    Adobe AIR
    Adobe Community Help
    Adobe Content Viewer
    Adobe Creative Suite 5 Master Collection
    Adobe Creative Suite 5.5 Master Collection
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Widget Browser
    Aimersoft Audio Converter(Build 1.1.52)
    Aimersoft DVD Creator(Build 1.1.52)
    Aimersoft DVD Ripper(Build 1.1.52)
    Aimersoft DVD Studio Pack(Build 1.1.52)
    Aimersoft Video Converter(Build 1.1.52)
    AnswerWorks 5.0 English Runtime
    AxCrypt 1.7.2867.0
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon MG6100 series MP Drivers
    Canon MX870 series MP Drivers
    CCleaner
    CDBurnerXP
    Citrix Receiver
    Citrix Receiver (HDX Flash Redirection)
    Citrix Receiver Inside
    Citrix Receiver(Aero)
    Citrix Receiver(DV)
    Citrix Receiver(USB)
    CutePDF Writer 2.8
    DAEMON Tools Lite
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Defraggler
    Dell Support Center
    Dell Touchpad
    DestroyTwitter 2
    Dropbox
    Duplicate Cleaner 2.0.6
    ESET Smart Security
    Everything 1.2.1.371
    Fingerprint Reader Suite 5.6
    FreeUndelete 2.0.35248.1
    Google Chrome
    GoToAssist Corporate
    GoToMeeting 5.1.0.880
    HP Drive Key Boot Utility
    HP USB Disk Storage Format Tool
    Image Resizer Powertoy Clone for Windows
    iSEEK AnswerWorks English Runtime
    Java Auto Updater
    Java(TM) 6 Update 26
    Java(TM) 7 Update 5
    JavaFX 2.1.1
    Laptop Integrated Webcam Driver (1.04.01.1011)
    LogMeIn Hamachi
    MediaMonkey 3.2
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft XNA Framework Redistributable 4.0
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFCLOC_x86
    Motorola Mobile Drivers Installation 5.2.0
    Mozilla Firefox 8.0 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Music Manager
    MusicBrainz Picard
    NetConnect
    NetConnect Installer
    Nitro PDF Reader
    NTFS Undelete v0.94
    NVIDIA Control Panel 301.42
    NVIDIA Graphics Driver 301.42
    NVIDIA Install Application
    Online Plug-in
    Opera Next 12.00 alpha build 1191
    Opera Next 12.00 alpha build 1306
    PDF Settings CS5
    Picasa 3
    Pidgin
    Portal 2
    Quicken 2012
    Recuva
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.06
    RMPrepUSB
    Sandboxie 3.54 (32-bit)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition
    Sideload Wonder Machine
    SigmaTel Audio
    Spybot - Search & Destroy
    Steam
    TeraCopy 2.2 beta 3
    Terraria 1.1.2
    TrueCrypt
    TurboTax 2010
    TurboTax 2010 wcaiper
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wrapper
    TurboTax 2010 wwiiper
    TweetDeck
    Unlocker 1.9.1
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
    VLC media player 2.0.1
    WIDCOMM Bluetooth Software
    WinDirStat 1.1.2
    Windows 7 USB/DVD Download Tool
    WinRAR 4.01 (32-bit)
    World Community Grid
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/9/2012 1:09:09 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    7/9/2012 1:09:09 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    7/9/2012 1:07:58 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    7/9/2012 1:07:04 AM, Error: Service Control Manager [7003] - The epfwwfp service depends the following service: BFE. This service might not be installed.
    7/9/2012 1:06:57 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    7/9/2012 1:06:54 AM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.
    7/9/2012 1:06:54 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    7/9/2012 1:06:53 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    7/4/2012 11:47:56 PM, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
    .
    ==== End Of File ===========================
     
  7. Antij

    Antij TS Rookie Topic Starter Posts: 22

    Farbar Recovery Scan Tool Version: 08-07-2012 01
    Ran by SYSTEM at 2012-07-09 10:52:21
    Running from H:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
    === End Of Search ===
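    The two entries above are the whole point of the search: the live C:\Windows\System32\services.exe and the WinSxS copy have the same size and the same two timestamps, yet different MD5s, which is why the next step replaces the live file from WinSxS. The following is an added example, not part of the thread and not Farbar's code: a small Python parser for the Search.txt format as posted, which pairs each live copy with its WinSxS reference and reports whether only the hash differs. The sample log is constructed from the lines posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Search.txt lines posted in the thread, reproduced so the
# parser can run offline. Both copies share size and timestamps; only the MD5 differs.
SAMPLE_SEARCH_TXT = r"""
Farbar Recovery Scan Tool Version: 08-07-2012 01
Ran by SYSTEM at 2012-07-09 10:52:21
Running from H:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
=== End Of Search ===
"""

# A result path line starts with a drive letter; the detail line that follows it is
# "[created] - [modified] - size attrs (company) MD5" as FRST prints it.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FrstEntry:
    path: str
    created: str      # first bracketed timestamp, verbatim from the log
    modified: str     # second bracketed timestamp, verbatim from the log
    size: int
    attrs: str
    company: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def winsxs_version(self) -> Optional[str]:
        # WinSxS component folders embed the servicing version, e.g. 6.1.7600.16385.
        m = re.search(r"_(\d+\.\d+\.\d+\.\d+)_", self.path)
        return m.group(1) if m else None


def parse_frst_search(text: str) -> List[FrstEntry]:
    """Pair every path line with the detail line that follows it."""
    entries: List[FrstEntry] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            entries.append(FrstEntry(pending, m["created"], m["modified"], int(m["size"]),
                                     m["attrs"], m["company"], m["md5"].upper()))
            pending = None
    return entries


@dataclass
class Finding:
    live_path: str
    reference_path: str
    reference_version: Optional[str]
    md5_match: bool
    size_match: bool
    timestamps_match: bool

    @property
    def verdict(self) -> str:
        if self.md5_match:
            return "clean"              # live copy is byte-identical to the WinSxS reference
        if self.size_match and self.timestamps_match:
            # Same size, same timestamps, different content: the file was modified in
            # place, which is exactly what the two hashes in the posted log show.
            return "patched-in-place"
        return "review"                 # may only be a newer servicing update; compare versions


def compare_with_winsxs(entries: List[FrstEntry]) -> List[Finding]:
    """Match each non-WinSxS copy against every WinSxS copy with the same file name."""
    references = [e for e in entries if e.in_winsxs]
    findings: List[Finding] = []
    for live in entries:
        if live.in_winsxs:
            continue
        for ref in references:
            if ref.name != live.name:
                continue
            findings.append(Finding(
                live_path=live.path,
                reference_path=ref.path,
                reference_version=ref.winsxs_version,
                md5_match=live.md5 == ref.md5,
                size_match=live.size == ref.size,
                timestamps_match=(live.created, live.modified) == (ref.created, ref.modified),
            ))
    return findings


def triage(text: str) -> List[Finding]:
    return compare_with_winsxs(parse_frst_search(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_SEARCH_TXT):
        print(f"{f.verdict:18} {f.live_path}  vs  WinSxS {f.reference_version}")
```

A "review" verdict is not by itself a detection: WinSxS keeps older servicing versions, so a live file that is newer than the reference will legitimately differ in size and timestamps as well as hash.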
     
  8. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it to your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  9. Antij

    Antij TS Rookie Topic Starter Posts: 22

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 08-07-2012 01
    Ran by SYSTEM at 2012-07-09 16:38:43 Run:1
    Running from H:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\Windows\Installer\{72c25dc5-dc4e-ca0f-08b4-af45d073eab5} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
     
  10. Antij

    Antij TS Rookie Topic Starter Posts: 22

    I manually disabled ESET, ran ComboFix, then ESET asked me if I really wanted to close it (I believe ComboFix tried to kill it because I don't usually get that prompt). I agreed, but then ComboFix said ESET was still running. I tried disabling again and told Combofix to continue. CF said ESET was STILL running but would proceed anyway. It appeared to be closed but ekrn.exe was still running. I tried to kill the process and service manually but was denied access. Right-clicking the icon before CF killed it always said that the AV/FW/Malware stuff was disabled.
    ComboFix 12-07-08.02 - Bosh 07/09/2012 16:53:02.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3582.2262 [GMT -7:00]
    Running from: I:\ComboFix.exe
    AV: ESET Smart Security 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
    SP: ESET Smart Security 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Bosh\g2mdlhlpx.exe
    c:\users\Bosh\GoToAssistDownloadHelper.exe
    c:\windows\system32\drivers\etc\hosts.txt
    d:\docs\~calendar.pst.tmp
    d:\docs\~WRL0100.tmp
    d:\docs\~WRL0374.tmp
    d:\docs\~WRL0566.tmp
    d:\docs\~WRL0616.tmp
    d:\docs\~WRL0651.tmp
    d:\docs\~WRL0840.tmp
    d:\docs\~WRL1427.tmp
    d:\docs\~WRL1443.tmp
    d:\docs\~WRL2932.tmp
    d:\run\TEMP\~DFA23D05169F4BCF45.TMP
    d:\run\TEMP\~DFB2D0C791B5C08BD4.TMP
    d:\run\TEMP\0C5WZS53.txt
    d:\run\TEMP\0CHZCR4I.txt
    d:\run\TEMP\0E2OJJBP.txt
    d:\run\TEMP\0FCQRP0A.txt
    d:\run\TEMP\0FY1T92K.txt
    d:\run\TEMP\0HA615BR.txt
    d:\run\TEMP\0JBMZ1MS.txt
    d:\run\TEMP\0KO6I6OJ.txt
    d:\run\TEMP\0ODD0TGX.txt
    d:\run\TEMP\0QDY81LD.txt
    d:\run\TEMP\0TTMQTNK.txt
    d:\run\TEMP\0W44QJJX.txt
    d:\run\TEMP\0X5VBB8V.txt
    d:\run\TEMP\119ROR6L.txt
    d:\run\TEMP\180KZZ88.txt
    d:\run\TEMP\19KO1OUQ.txt
    d:\run\TEMP\19TZI923.txt
    d:\run\TEMP\1A5J1YDT.txt
    d:\run\TEMP\1GV5CO09.txt
    d:\run\TEMP\1HHYY4NW.txt
    d:\run\TEMP\1HWUQCA1.txt
    d:\run\TEMP\1K452HCQ.txt
    d:\run\TEMP\1NLHUHQ4.txt
    d:\run\TEMP\1T9XCRYD.txt
    d:\run\TEMP\1TK1E6YN.txt
    d:\run\TEMP\1TOOR1XW.txt
    d:\run\TEMP\1W2QCJHW.txt
    d:\run\TEMP\1XGTZRH3.txt
    d:\run\TEMP\1YDNVDDZ.txt
    d:\run\TEMP\1YE0HYL9.txt
    d:\run\TEMP\1Z0ETGDG.txt
    d:\run\TEMP\22RWH1WX.txt
    d:\run\TEMP\242ERIJB.txt
    d:\run\TEMP\24BXKM4H.txt
    d:\run\TEMP\25EYNTM2.txt
    d:\run\TEMP\26IXC4HM.txt
    d:\run\TEMP\274VMJYH.txt
    d:\run\TEMP\29UNKAQ7.txt
    d:\run\TEMP\2D1Y67UO.txt
    d:\run\TEMP\2D9SBCT6.txt
    d:\run\TEMP\2ECC.tmp
    d:\run\TEMP\2FXY583E.txt
    d:\run\TEMP\2LV61IV5.txt
    d:\run\TEMP\2MKUN0GR.txt
    d:\run\TEMP\2NAWA2MM.txt
    d:\run\TEMP\2OX6M3VT.txt
    d:\run\TEMP\2S1G908V.txt
    d:\run\TEMP\2SKZBXZC.txt
    d:\run\TEMP\2T06ZGXI.txt
    d:\run\TEMP\2UHK90BU.txt
    d:\run\TEMP\2W0FR8RC.txt
    d:\run\TEMP\31CM23UN.txt
    d:\run\TEMP\31RBWRBF.txt
    d:\run\TEMP\33PRRWRY.txt
    d:\run\TEMP\35PYE6TK.txt
    d:\run\TEMP\362410JH.txt
    d:\run\TEMP\36W7S00E.txt
    d:\run\TEMP\374IKA03.txt
    d:\run\TEMP\39F9E2VP.txt
    d:\run\TEMP\3B5CPSRD.txt
    d:\run\TEMP\3BVV9OTZ.txt
    d:\run\TEMP\3CKQHRNM.txt
    d:\run\TEMP\3DDQLEKZ.txt
    d:\run\TEMP\3HID1238.txt
    d:\run\TEMP\3JFQO1NY.txt
    d:\run\TEMP\3KYZG0Y3.txt
    d:\run\TEMP\3MC558MY.txt
    d:\run\TEMP\3U4KC380.txt
    d:\run\TEMP\3VGBXT4F.txt
    d:\run\TEMP\3VPT4JTR.txt
    d:\run\TEMP\3VVL520K.txt
    d:\run\TEMP\3W6F1HXH.txt
    d:\run\TEMP\3Z4G7V0K.txt
    d:\run\TEMP\3ZNPNEWT.txt
    d:\run\TEMP\40P2VI4Y.txt
    d:\run\TEMP\4334O03R.txt
    d:\run\TEMP\43PC6B54.txt
    d:\run\TEMP\4COW3XDH.txt
    d:\run\TEMP\4E8VCEBP.txt
    d:\run\TEMP\4HS06JWF.txt
    d:\run\TEMP\4KV6QXXP.txt
    d:\run\TEMP\4M7V47HM.txt
    d:\run\TEMP\4OG4JJYC.txt
    d:\run\TEMP\4P1YD996.txt
    d:\run\TEMP\4TL5UNRO.txt
    d:\run\TEMP\4W9Z3HDI.txt
    d:\run\TEMP\4ZJZG3J3.txt
    d:\run\TEMP\50CULTSD.txt
    d:\run\TEMP\51RE6ZXJ.txt
    d:\run\TEMP\542C74R0.txt
    d:\run\TEMP\54UI3G64.txt
    d:\run\TEMP\56E7GIDR.txt
    d:\run\TEMP\5EW8ZUJB.txt
    d:\run\TEMP\5J03E8GJ.txt
    d:\run\TEMP\5KNOVDLQ.txt
    d:\run\TEMP\5TPM02MW.txt
    d:\run\TEMP\5TWV8RZA.txt
    d:\run\TEMP\5VCB8WHO.txt
    d:\run\TEMP\5W3SH4V6.txt
    d:\run\TEMP\5XB0QR9J.txt
    d:\run\TEMP\5XT8DGR8.txt
    d:\run\TEMP\5YSZLAEL.txt
    d:\run\TEMP\625J6G6M.txt
    d:\run\TEMP\62K8MORY.txt
    d:\run\TEMP\652U6GVT.txt
    d:\run\TEMP\6A9UL0BX.txt
    d:\run\TEMP\6AT83GD1.txt
    d:\run\TEMP\6C3ZSZ07.txt
    d:\run\TEMP\6J6UD28Z.txt
    d:\run\TEMP\6NDQLZHN.txt
    d:\run\TEMP\6SMVV7C2.txt
    d:\run\TEMP\6UCYW9XF.txt
    d:\run\TEMP\6WF0WXIL.txt
    d:\run\TEMP\6ZDKCUWI.txt
    d:\run\TEMP\78XCRKCB.txt
    d:\run\TEMP\79QIB2JK.txt
    d:\run\TEMP\7A3G1FVM.txt
    d:\run\TEMP\7EAPUAPV.txt
    d:\run\TEMP\7F121AC9.txt
    d:\run\TEMP\7JL9BBH1.txt
    d:\run\TEMP\7LHCPUZC.txt
    d:\run\TEMP\7M92XWIE.txt
    d:\run\TEMP\7MVQHA78.txt
    d:\run\TEMP\7NYVH62N.txt
    d:\run\TEMP\7P6QIEQP.txt
    d:\run\TEMP\7QRHQIJ8.txt
    d:\run\TEMP\7T25ELER.txt
    d:\run\TEMP\7T9F13NH.txt
    d:\run\TEMP\7TY88G39.txt
    d:\run\TEMP\7V7SEOLZ.txt
    d:\run\TEMP\8094BB53.txt
    d:\run\TEMP\8263.tmp
    d:\run\TEMP\83C0ADXZ.txt
    d:\run\TEMP\840JO9A9.txt
    d:\run\TEMP\85RJ7QZC.txt
    d:\run\TEMP\89STDF59.txt
    d:\run\TEMP\8CXJH29O.txt
    d:\run\TEMP\8E403Z1X.txt
    d:\run\TEMP\8EAVN815.txt
    d:\run\TEMP\8FPAU3HB.txt
    d:\run\TEMP\8GTA02NU.txt
    d:\run\TEMP\8H5AUKYX.txt
    d:\run\TEMP\8HSAHW94.txt
    d:\run\TEMP\8I3Q91NS.txt
    d:\run\TEMP\8JTDV1TW.txt
    d:\run\TEMP\8MJJ1KR3.txt
    d:\run\TEMP\8MX59HSS.txt
    d:\run\TEMP\8RDTHQIC.txt
    d:\run\TEMP\8S86BC9O.txt
    d:\run\TEMP\8XOZF23O.txt
    d:\run\TEMP\8Z481ZFZ.txt
    d:\run\TEMP\9AD4P0S3.txt
    d:\run\TEMP\9C174628.txt
    d:\run\TEMP\9C4QRN7Q.txt
    d:\run\TEMP\9F1HCY7K.txt
    d:\run\TEMP\9HYH7R5E.txt
    d:\run\TEMP\9IIQNW9N.txt
    d:\run\TEMP\9JG3SJTK.txt
    d:\run\TEMP\9OOW9HGW.txt
    d:\run\TEMP\9OQKSA3C.txt
    d:\run\TEMP\9RA44YCE.txt
    d:\run\TEMP\9RANWLDH.txt
    d:\run\TEMP\9TQ5IJEN.txt
    d:\run\TEMP\9W238CX9.txt
    d:\run\TEMP\9WTZB4Z8.txt
    d:\run\TEMP\9X094RWO.txt
    d:\run\TEMP\A2C124ZI.txt
    d:\run\TEMP\ACN8L1XI.txt
    d:\run\TEMP\ACUVZ75W.txt
    d:\run\TEMP\ADTDLURP.txt
    d:\run\TEMP\ADV6F6PN.txt
    d:\run\TEMP\AGO5O0T5.txt
    d:\run\TEMP\AI2M0Z7Z.txt
    d:\run\TEMP\AKQ2RQXC.txt
    d:\run\TEMP\ARZ9Z729.txt
    d:\run\TEMP\AskSLib.dll
    d:\run\TEMP\ATPJQYTS.txt
    d:\run\TEMP\AXQD9AB2.txt
    d:\run\TEMP\B07YE58N.txt
    d:\run\TEMP\B09TVID2.txt
    d:\run\TEMP\B1G7OFJU.txt
    d:\run\TEMP\B807AN17.txt
    d:\run\TEMP\BATE309N.txt
    d:\run\TEMP\BKPCVQ4W.txt
    d:\run\TEMP\BKQJ0DBJ.txt
    d:\run\TEMP\bosh@anrtx.tacoda[1].txt
    d:\run\TEMP\bosh@facebook[2].txt
    d:\run\TEMP\bosh@kuler-api.adobe[2].txt
    d:\run\TEMP\bosh@live[1].txt
    d:\run\TEMP\bosh@microsoft[1].txt
    d:\run\TEMP\bosh@moms.today[1].txt
    d:\run\TEMP\bosh@msn[1].txt
    d:\run\TEMP\bosh@msn[3].txt
    d:\run\TEMP\bosh@msnbc.112.2o7[1].txt
    d:\run\TEMP\bosh@office.microsoft[2].txt
    d:\run\TEMP\bosh@office14client.microsoft[2].txt
    d:\run\TEMP\bosh@onlinestores.metaservices.microsoft[1].txt
    d:\run\TEMP\bosh@onlinestores.metaservices.microsoft[2].txt
    d:\run\TEMP\bosh@outbrain[1].txt
    d:\run\TEMP\bosh@scanscout[1].txt
    d:\run\TEMP\bosh@showadsak.pubmatic[1].txt
    d:\run\TEMP\bosh@today.msnbc.msn[1].txt
    d:\run\TEMP\bosh@trafficmp[2].txt
    d:\run\TEMP\bosh@tweetdeck[1].txt
    d:\run\TEMP\bosh@twitpic[2].txt
    d:\run\TEMP\bosh@www.bing[1].txt
    d:\run\TEMP\bosh@yahoo[1].txt
    d:\run\TEMP\BOWYBN7Z.txt
    d:\run\TEMP\btwinlog.txt
    d:\run\TEMP\BWLN9HJZ.txt
    d:\run\TEMP\BWP30J10.txt
    d:\run\TEMP\C0G0N0MT.txt
    d:\run\TEMP\C4LMU7EE.txt
    d:\run\TEMP\C96YA9SG.txt
    d:\run\TEMP\CACHEDIR.TAG
    d:\run\TEMP\chrome_installer.log
    d:\run\TEMP\CP5GQC63.txt
    d:\run\TEMP\CR443YRW.txt
    d:\run\TEMP\CSDY8XAG.txt
    d:\run\TEMP\CYEKADWI.txt
    d:\run\TEMP\D1DED3AU.txt
    d:\run\TEMP\D3REPOU3.txt
    d:\run\TEMP\D7FSP5IQ.txt
    d:\run\TEMP\dd_clwireg.txt
    d:\run\TEMP\dd_dotNetFx40_Client_x86_decompression_log.txt
    d:\run\TEMP\dd_SetupUtility.txt
    d:\run\TEMP\DFFMLFJR.txt
    d:\run\TEMP\DMFGTFEZ.txt
    d:\run\TEMP\DMI59D2.tmp
    d:\run\TEMP\DRIL5921.txt
    d:\run\TEMP\DSK3YQNP.txt
    d:\run\TEMP\DuplicateCleaner_Installer.exe
    d:\run\TEMP\E0QEQRFZ.txt
    d:\run\TEMP\E0RIA57W.txt
    d:\run\TEMP\E4CCMTLJ.txt
    d:\run\TEMP\E5KZJZHY.txt
    d:\run\TEMP\E65XRRF1.txt
    d:\run\TEMP\E97HFX9W.txt
    d:\run\TEMP\E9FCS5QZ.txt
    d:\run\TEMP\EAO2CTJI.txt
    d:\run\TEMP\EAXXPV3U.txt
    d:\run\TEMP\EDKT10YM.txt
    d:\run\TEMP\EFYEMA3N.txt
    d:\run\TEMP\EOML1OF6.txt
    d:\run\TEMP\EPIE826P.txt
    d:\run\TEMP\EUDR1OJB.txt
    d:\run\TEMP\EUM7PSA4.txt
    d:\run\TEMP\EVLK7MKE.txt
    d:\run\TEMP\F2818CNO.txt
    d:\run\TEMP\F2NQYPC8.txt
    d:\run\TEMP\F5QU0RAJ.txt
    d:\run\TEMP\F68LG81D.txt
    d:\run\TEMP\F7ZVX0BL.txt
    d:\run\TEMP\F8ONBSG9.txt
    d:\run\TEMP\FBRRY9J0.txt
    d:\run\TEMP\FD0BEIU1.txt
    d:\run\TEMP\FDD72VG8.txt
    d:\run\TEMP\FGZ05I1M.txt
    d:\run\TEMP\FKQSR4NU.txt
    d:\run\TEMP\FO1OMDPS.txt
    d:\run\TEMP\FO33XCNZ.txt
    d:\run\TEMP\FO7V7BKD.txt
    d:\run\TEMP\FPBE0I0A.txt
    d:\run\TEMP\FPVROWUO.txt
    d:\run\TEMP\FQ2DHMIA.txt
    d:\run\TEMP\fwtsqmfile00.sqm
    d:\run\TEMP\fwtsqmfile01.sqm
    d:\run\TEMP\fwtsqmfile02.sqm
    d:\run\TEMP\fwtsqmfile03.sqm
    d:\run\TEMP\fwtsqmfile04.sqm
    d:\run\TEMP\fwtsqmfile05.sqm
    d:\run\TEMP\fwtsqmfile06.sqm
    d:\run\TEMP\fwtsqmfile07.sqm
    d:\run\TEMP\fwtsqmfile08.sqm
    d:\run\TEMP\fwtsqmfile09.sqm
    d:\run\TEMP\fwtsqmfile10.sqm
    d:\run\TEMP\fwtsqmfile11.sqm
    d:\run\TEMP\fwtsqmfile12.sqm
    d:\run\TEMP\fwtsqmfile13.sqm
    d:\run\TEMP\fwtsqmfile14.sqm
    d:\run\TEMP\fwtsqmfile15.sqm
    d:\run\TEMP\fwtsqmfile16.sqm
    d:\run\TEMP\fwtsqmfile17.sqm
    d:\run\TEMP\fwtsqmfile18.sqm
    d:\run\TEMP\fwtsqmfile19.sqm
    d:\run\TEMP\FXSAPIDebugLogFile.txt
    d:\run\TEMP\FXSTIFFDebugLogFile.txt
    d:\run\TEMP\FYVA7MB3.txt
    d:\run\TEMP\FZ3163KR.txt
    d:\run\TEMP\G04I2U5K.txt
    d:\run\TEMP\G6ECKK38.txt
    d:\run\TEMP\G87V0Z9I.txt
    d:\run\TEMP\G8E7MPKO.txt
    d:\run\TEMP\GEPT9I3C.txt
    d:\run\TEMP\GGWYKNWX.txt
    d:\run\TEMP\GH8Q56OA.txt
    d:\run\TEMP\GKCX0W0C.txt
    d:\run\TEMP\GKIYIR02.txt
    d:\run\TEMP\GLCP9EIJ.txt
    d:\run\TEMP\GMRP92N9.txt
    d:\run\TEMP\GO886H1O.txt
    d:\run\TEMP\GP7852XW.txt
    d:\run\TEMP\GP9XFJA9.txt
    d:\run\TEMP\GQ17ZAHS.txt
    d:\run\TEMP\GQY6XW5T.txt
    d:\run\TEMP\GS7LWFJ5.txt
    d:\run\TEMP\GS8IUWI8.txt
    d:\run\TEMP\GVJTVGVK.txt
    d:\run\TEMP\H2N630HT.txt
    d:\run\TEMP\H48AMS94.txt
    d:\run\TEMP\H49DFIC9.txt
    d:\run\TEMP\H8QUR2U5.txt
    d:\run\TEMP\H8RAMY2G.txt
    d:\run\TEMP\H9HHYJW0.txt
    d:\run\TEMP\H9KM1H5H.txt
    d:\run\TEMP\HamachiSetup.log
    d:\run\TEMP\HB8ANQKI.txt
    d:\run\TEMP\HGT58S1G.txt
    d:\run\TEMP\HIQ6JXRE.txt
    d:\run\TEMP\HMKNYI1F.txt
    d:\run\TEMP\HOE3WXGY.txt
    d:\run\TEMP\hpzEN4v2.chm
    d:\run\TEMP\hpzEN4v2.hlp
    d:\run\TEMP\HRCZ4M7K.txt
    d:\run\TEMP\HSA3H760.txt
    d:\run\TEMP\HTGDXFKN.txt
    d:\run\TEMP\HTO0VBWH.txt
    d:\run\TEMP\HTT17CA.tmp
    d:\run\TEMP\HTT2FD4.tmp
    d:\run\TEMP\HTT3080.tmp
    d:\run\TEMP\HTT311D.tmp
    d:\run\TEMP\HTT312E.tmp
    d:\run\TEMP\HTT31EC.tmp
    d:\run\TEMP\HTT321C.tmp
    d:\run\TEMP\HTTAB58.tmp
    d:\run\TEMP\HTTB4A9.tmp
    d:\run\TEMP\HTTEBD0.tmp
    d:\run\TEMP\HX3E08GX.txt
    d:\run\TEMP\HZ1DPBPP.txt
    d:\run\TEMP\I7L8EJC1.txt
    d:\run\TEMP\IFSF4WQX.txt
    d:\run\TEMP\IHZ244M3.txt
    d:\run\TEMP\ILLO2XQY.txt
    d:\run\TEMP\IN1SMC28.txt
    d:\run\TEMP\index.dat
    d:\run\TEMP\installChecker.exe
    d:\run\TEMP\Intuit.Spc.Map.Features.WindowsFirewallLog.txt
    d:\run\TEMP\IOCKJU3C.txt
    d:\run\TEMP\ISUJR7K2.txt
    d:\run\TEMP\IUPGH7S1.txt
    d:\run\TEMP\IX65UFSW.txt
    d:\run\TEMP\IYVMFF0Y.txt
    d:\run\TEMP\J0GKU5UJ.txt
    d:\run\TEMP\J1E6CXQT.txt
    d:\run\TEMP\J1Q0TQCN.txt
    d:\run\TEMP\J37X895E.txt
    d:\run\TEMP\J4NN88BB.txt
    d:\run\TEMP\J5B8ESD9.txt
    d:\run\TEMP\J988IKTR.txt
    d:\run\TEMP\J9OG2A7Q.txt
    d:\run\TEMP\J9WSHVQY.txt
    d:\run\TEMP\JAFYMHH8.txt
    d:\run\TEMP\JCAM92DN.txt
    d:\run\TEMP\JDCFRRXY.txt
    d:\run\TEMP\JDOQ7R8W.txt
    d:\run\TEMP\JEDDGKLB.txt
    d:\run\TEMP\JGA89T6A.txt
    d:\run\TEMP\JINZSW0M.txt
    d:\run\TEMP\JKAB8XQ7.txt
    d:\run\TEMP\JLYTTIY9.txt
    d:\run\TEMP\JO5B8AMM.txt
    d:\run\TEMP\JPU4UKWJ.txt
    d:\run\TEMP\JQNUE8ZR.txt
    d:\run\TEMP\JSR84FVZ.txt
    d:\run\TEMP\JTPB79M1.txt
    d:\run\TEMP\JXIX4YOJ.txt
    d:\run\TEMP\JY80Z02B.txt
    d:\run\TEMP\JYCK4YRF.txt
    d:\run\TEMP\JYFMPQ62.txt
    d:\run\TEMP\JZ7FC88C.txt
    d:\run\TEMP\K0S24C7I.txt
    d:\run\TEMP\K1H4J9JH.txt
    d:\run\TEMP\K57VUI17.txt
    d:\run\TEMP\KB2446708_20110525_055534500-Microsoft .NET Framework 4 Client Profile-MSP0.txt
    d:\run\TEMP\KB2446708_20110525_055534500.html
    d:\run\TEMP\KCOILDKB.txt
    d:\run\TEMP\KD6YX3PO.txt
    d:\run\TEMP\KDN0O8JC.txt
    d:\run\TEMP\KHIBCR95.txt
    d:\run\TEMP\KHQNW3V5.txt
    d:\run\TEMP\KKE6LEH3.txt
    d:\run\TEMP\KLBY3SL3.txt
    d:\run\TEMP\KPG5AJS6.txt
    d:\run\TEMP\L0DCUAQC.txt
    d:\run\TEMP\L0QPDII7.txt
    d:\run\TEMP\L1MRIO3L.txt
    d:\run\TEMP\L35FUFYK.txt
    d:\run\TEMP\L3FKY8TK.txt
    d:\run\TEMP\L3PFID3T.txt
    d:\run\TEMP\L3XUJ1EH.txt
    d:\run\TEMP\L5S8JJXB.txt
    d:\run\TEMP\L7U244HE.txt
    d:\run\TEMP\LE5WO40X.txt
    d:\run\TEMP\LG4U812W.txt
    d:\run\TEMP\LHVMTGY2.txt
    d:\run\TEMP\LIA4VLZT.txt
    d:\run\TEMP\LOAXHF88.txt
    d:\run\TEMP\LRLR0172.txt
    d:\run\TEMP\LW7BVVV3.txt
    d:\run\TEMP\LZ3OS8J5.txt
    d:\run\TEMP\M05RRR3R.txt
    d:\run\TEMP\M0CTRERW.txt
    d:\run\TEMP\M0FLEA4L.txt
    d:\run\TEMP\M2S8ANGE.txt
    d:\run\TEMP\M6FH99YQ.txt
    d:\run\TEMP\M70CCN2Y.txt
    d:\run\TEMP\MAPW28VT.txt
    d:\run\TEMP\MBJLWR20.txt
    d:\run\TEMP\MBZG0DZ1.txt
    d:\run\TEMP\MCCL4KNG.txt
    d:\run\TEMP\MDONLSE3.txt
    d:\run\TEMP\MFF9UVTH.txt
    d:\run\TEMP\MFP2RPWK.txt
    d:\run\TEMP\MHRO3S82.txt
    d:\run\TEMP\Microsoft .NET Framework 4 Client Profile Setup_20110525_023953768-MSI_netfx_Core_x86.msi.txt
    d:\run\TEMP\Microsoft .NET Framework 4 Client Profile Setup_20110525_023953768.html
    d:\run\TEMP\MJV3FZRF.txt
    d:\run\TEMP\MLVUQNRG.txt
    d:\run\TEMP\MMPRRSEC.txt
    d:\run\TEMP\MO5U88AJ.txt
    d:\run\TEMP\MONCF6YL.txt
    d:\run\TEMP\MpCmdRun.log
    d:\run\TEMP\MPUR2HEY.txt
    d:\run\TEMP\MRTO3X31.txt
    d:\run\TEMP\MZKR2DFN.txt
    d:\run\TEMP\N0C8EMDL.txt
    d:\run\TEMP\N4ZQH6ET.txt
    d:\run\TEMP\N56CVR5X.txt
    d:\run\TEMP\N97FQ0OV.txt
    d:\run\TEMP\N9C23Y42.txt
    d:\run\TEMP\NERIDRHI.txt
    d:\run\TEMP\NFAY5J4R.txt
    d:\run\TEMP\NK7DFP8F.txt
    d:\run\TEMP\NNNN3Z5U.txt
    d:\run\TEMP\NNO0O5QY.txt
    d:\run\TEMP\NNTTUZ01.txt
    d:\run\TEMP\NOFC3V1L.txt
    d:\run\TEMP\NP034K70.txt
    d:\run\TEMP\NPNSKDLD.txt
    d:\run\TEMP\nsa657.tmp
    d:\run\TEMP\nsc43BD.tmp
    d:\run\TEMP\nsuCF65.tmp
    d:\run\TEMP\nsuCFA1.tmp
    d:\run\TEMP\NT7BRO3B.txt
    d:\run\TEMP\NTA7YZPN.txt
    d:\run\TEMP\NVDSAVDP.txt
    d:\run\TEMP\NVRY53BV.txt
    d:\run\TEMP\NY74JADG.txt
    d:\run\TEMP\NZ7SYI7N.txt
    d:\run\TEMP\O1D55XIY.txt
    d:\run\TEMP\O661XDU9.txt
    d:\run\TEMP\O81I7LM7.txt
    d:\run\TEMP\O8F62CMT.txt
    d:\run\TEMP\OB00B066.txt
    d:\run\TEMP\OCWOXOB9.txt
    d:\run\TEMP\ODDAP6WZ.txt
    d:\run\TEMP\ODZFO02F.txt
    d:\run\TEMP\OGB34UWF.txt
    d:\run\TEMP\OKMEJW73.txt
    d:\run\TEMP\OLJVN3XS.txt
    d:\run\TEMP\OM4XYXHG.txt
    d:\run\TEMP\OMLX47AE.txt
    d:\run\TEMP\ONVSW9L0.txt
    d:\run\TEMP\OPLLDFHW.txt
    d:\run\TEMP\OSZXOBRT.txt
    d:\run\TEMP\OU2W26T9.txt
    d:\run\TEMP\OWDCH168.txt
    d:\run\TEMP\OXW71Y2T.txt
    d:\run\TEMP\OXY8S71U.txt
    d:\run\TEMP\P02I1U2F.txt
    d:\run\TEMP\P02LZYFD.txt
    d:\run\TEMP\PDEW0X48.txt
    d:\run\TEMP\PFJLKMQC.txt
    d:\run\TEMP\PH0IWERY.txt
    d:\run\TEMP\PicasaUpdater_27e9.exe
    d:\run\TEMP\PicasaUpdater_3f8.exe
    d:\run\TEMP\PicasaUpdater_508a.exe
    d:\run\TEMP\PicasaUpdater_728a.exe
    d:\run\TEMP\PLB7JQ1G.txt
    d:\run\TEMP\PRE3RDWS.txt
    d:\run\TEMP\PRG1DPLT.txt
    d:\run\TEMP\PTCLF5I0.txt
    d:\run\TEMP\PTF8FFU5.txt
    d:\run\TEMP\PUL3Q3BM.txt
    d:\run\TEMP\Q2K45SZH.txt
    d:\run\TEMP\Q2RN2YZ5.txt
    d:\run\TEMP\Q45C6O2I.txt
    d:\run\TEMP\Q57DEKTI.txt
    d:\run\TEMP\Q96T1U0N.txt
    d:\run\TEMP\QBS99XJX.txt
    d:\run\TEMP\QDW9BV45.txt
    d:\run\TEMP\QFQ0ZS3L.txt
    d:\run\TEMP\QG4572HG.txt
    d:\run\TEMP\QGK1KFR3.txt
    d:\run\TEMP\QK92ERYC.txt
    d:\run\TEMP\QLAOOXOR.txt
    d:\run\TEMP\QNPVMHEQ.txt
    d:\run\TEMP\QP42E89K.txt
    d:\run\TEMP\QSCNRP2T.txt
    d:\run\TEMP\QSDDFY9P.txt
    d:\run\TEMP\QTHTKXV3.txt
    d:\run\TEMP\QVXKZR58.txt
    d:\run\TEMP\QY4RI5RQ.txt
    d:\run\TEMP\QZ4FGAMP.txt
    d:\run\TEMP\QZMGK4A0.txt
    d:\run\TEMP\R1RZAYII.txt
    d:\run\TEMP\R49NGO42.txt
    d:\run\TEMP\R5XJN5YH.txt
    d:\run\TEMP\R7CP2B14.txt
    d:\run\TEMP\RCJS33K3.txt
    d:\run\TEMP\REG842E.tmp
    d:\run\TEMP\REG8D42.tmp
    d:\run\TEMP\REHIBU9C.txt
    d:\run\TEMP\RFB3FYCS.txt
    d:\run\TEMP\RFK7BIP9.txt
    d:\run\TEMP\RG6WV791.txt
    d:\run\TEMP\RGZVHFHD.txt
    d:\run\TEMP\RH8X1O7F.txt
    d:\run\TEMP\RNW22V97.txt
    d:\run\TEMP\RR1US2LT.txt
    d:\run\TEMP\RVHK1ZQ6.txt
    d:\run\TEMP\RW3EFDT9.txt
    d:\run\TEMP\S0FGGAP6.txt
    d:\run\TEMP\S2FYYZU3.txt
    d:\run\TEMP\S50F0W5G.txt
    d:\run\TEMP\SAKOXI0I.txt
    d:\run\TEMP\SEXY9H8G.txt
    d:\run\TEMP\SJ4MHWPS.txt
    d:\run\TEMP\SKU32TCZ.txt
    d:\run\TEMP\SLF39L6I.txt
    d:\run\TEMP\SN4N5KBV.txt
    d:\run\TEMP\SPJWR2JF.txt
    d:\run\TEMP\SPTF1N6G.txt
    d:\run\TEMP\SR90M50O.txt
    d:\run\TEMP\SSZSEACU.txt
    d:\run\TEMP\SUWA7VEV.txt
    d:\run\TEMP\SYZBOQIX.txt
    d:\run\TEMP\T5HPMZ8C.txt
    d:\run\TEMP\T5UX2NCJ.txt
    d:\run\TEMP\T621A207.txt
    d:\run\TEMP\T7CAI8M3.txt
    d:\run\TEMP\TDNJ580S.txt
    d:\run\TEMP\THQ9Z9LH.txt
    d:\run\TEMP\TKZVM6CH.txt
    d:\run\TEMP\TMP00000661F958E6D8BAAA9FE5
    d:\run\TEMP\TS_888.tmp
    d:\run\TEMP\TTR0YJCW.txt
    d:\run\TEMP\TTUT4877.txt
    d:\run\TEMP\TTV83196.txt
    d:\run\TEMP\TU63QT81.txt
    d:\run\TEMP\TVXRCRLN.txt
    d:\run\TEMP\TY8FVJTF.txt
    d:\run\TEMP\U0HJN6M8.txt
    d:\run\TEMP\U3UN4P9P.txt
    d:\run\TEMP\U744ZA0T.txt
    d:\run\TEMP\U7NO7KIK.txt
    d:\run\TEMP\UAR86XT8.txt
    d:\run\TEMP\UBOMA9VC.txt
    d:\run\TEMP\UEFVS9RJ.txt
    d:\run\TEMP\UH7Q6V19.txt
    d:\run\TEMP\UKWMPVM5.txt
    d:\run\TEMP\UNJW0FMF.txt
    d:\run\TEMP\UP0S2338.txt
    d:\run\TEMP\UP6S3NFI.txt
    d:\run\TEMP\UQK3YLV6.txt
    d:\run\TEMP\UQPG9TRU.txt
    d:\run\TEMP\URJ3GR80.txt
    d:\run\TEMP\V2EKQEAJ.txt
    d:\run\TEMP\V2WR0WJU.txt
    d:\run\TEMP\V32KKI5M.txt
    d:\run\TEMP\V5EWZ1K4.txt
    d:\run\TEMP\V75GMNC3.txt
    d:\run\TEMP\VCKH80I6.txt
    d:\run\TEMP\VGX48A6.tmp
    d:\run\TEMP\VI1G2I2J.txt
    d:\run\TEMP\VJVSRKOS.txt
    d:\run\TEMP\VJZ099TO.txt
    d:\run\TEMP\VNAQ8AUV.txt
    d:\run\TEMP\VQYMSG33.txt
    d:\run\TEMP\VTM4SS19.txt
    d:\run\TEMP\VW7ZKU9T.txt
    d:\run\TEMP\VZ1JWMX1.txt
    d:\run\TEMP\W1FL61H7.txt
    d:\run\TEMP\W4Q20WOD.txt
    d:\run\TEMP\W5WA8F6U.txt
    d:\run\TEMP\W6F5SOHI.txt
    d:\run\TEMP\WAFA3W2J.txt
    d:\run\TEMP\WAH162U4.txt
    d:\run\TEMP\WAQXZUK8.txt
    d:\run\TEMP\WAWRGZYP.txt
    d:\run\TEMP\WBFA0O1B.txt
    d:\run\TEMP\WCVM9I4V.txt
    d:\run\TEMP\WDY8L8WY.txt
    d:\run\TEMP\WER3092.tmp.hdmp
    d:\run\TEMP\WER4AA1.tmp.hdmp
    d:\run\TEMP\WERC4CE.tmp.xml
    d:\run\TEMP\WEREB3E.tmp.xml
    d:\run\TEMP\WEVVI2SO.txt
    d:\run\TEMP\WI74M2MK.txt
    d:\run\TEMP\wmsetup.log
    d:\run\TEMP\WNZ15TNB.txt
    d:\run\TEMP\WSRJQRME.txt
    d:\run\TEMP\WT793KRP.txt
    d:\run\TEMP\WTZDWYZM.txt
    d:\run\TEMP\WUNNXJQ9.txt
    d:\run\TEMP\WW5POG5S.txt
    d:\run\TEMP\X0H50Z7K.txt
    d:\run\TEMP\X28NYVOD.txt
    d:\run\TEMP\X2WHYEV2.txt
    d:\run\TEMP\X4Q6RMKO.txt
    d:\run\TEMP\X5OWG6ZI.txt
    d:\run\TEMP\X9QLJMIT.txt
    d:\run\TEMP\XAGU6R1I.txt
    d:\run\TEMP\XC7WE4T0.txt
    d:\run\TEMP\XEHUA1JW.txt
    d:\run\TEMP\XI8FZWS6.txt
    d:\run\TEMP\XIF7ORSI.txt
    d:\run\TEMP\XLWUC97R.txt
    d:\run\TEMP\XMLEC9Y3.txt
    d:\run\TEMP\XOGIQUD8.txt
    d:\run\TEMP\XT1I0VA2.txt
    d:\run\TEMP\XYZJG9AZ.txt
    d:\run\TEMP\Y004SM5D.txt
    d:\run\TEMP\Y0H4OSNV.txt
    d:\run\TEMP\Y0WSY91Z.txt
    d:\run\TEMP\Y3UYH0VK.txt
    d:\run\TEMP\Y3XIJAU2.txt
    d:\run\TEMP\Y75F8JI0.txt
    d:\run\TEMP\YFP7LO2T.txt
    d:\run\TEMP\YJ7F1UO4.txt
    d:\run\TEMP\YJC7SJIL.txt
    d:\run\TEMP\YK7D5LRF.txt
    d:\run\TEMP\YKFI5GWU.txt
    d:\run\TEMP\YMZHPRR8.txt
    d:\run\TEMP\YPI1HKCU.txt
    d:\run\TEMP\YQVJZOCM.txt
    d:\run\TEMP\YR54I10L.txt
    d:\run\TEMP\YUXP6LOC.txt
    d:\run\TEMP\YV46K5MD.txt
    d:\run\TEMP\Z267HYV3.txt
    d:\run\TEMP\Z2C9GUSA.txt
    d:\run\TEMP\Z5H3J153.txt
    d:\run\TEMP\Z5JWIHTM.txt
    d:\run\TEMP\ZD0UQ2ND.txt
    d:\run\TEMP\ZDWQE9JC.txt
    d:\run\TEMP\ZPFTGXHI.txt
    d:\run\TEMP\ZQOLVXII.txt
    d:\run\TEMP\ZRL2EBH0.txt
    d:\run\TEMP\ZSK12FI9.txt
    d:\run\TEMP\ZTZTOVWY.txt
    d:\run\TEMP\ZVAT2R33.txt
    d:\run\TEMP\ZXQKAA5D.txt
    d:\run\TEMP\ZYLDC1SH.txt
    d:\run\TEMP\ZZ1GWI63.txt
    d:\run\TEMP\ZZ5DAVBF.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-10 00:01 . 2012-07-10 00:01 -------- d-----w- d:\users\Bosh\AppData\Local\temp
    2012-07-09 09:04 . 2012-07-09 09:04 -------- d-----w- C:\FRST
    2012-07-09 08:54 . 2012-07-09 08:54 -------- d-----w- d:\users\Bosh\AppData\Roaming\Malwarebytes
    2012-07-09 08:54 . 2012-07-09 08:54 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-09 08:54 . 2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-09 04:35 . 2012-07-09 04:35 -------- d-----w- c:\program files\Canon
    2012-07-09 04:35 . 2011-01-06 20:08 1310720 ----a-w- c:\windows\system32\CNC870C.dll
    2012-07-09 04:35 . 2011-01-06 20:08 110592 ----a-w- c:\windows\system32\CNC870I.dll
    2012-07-09 04:35 . 2011-01-06 20:07 102400 ----a-w- c:\windows\system32\CNC870U.dll
    2012-07-09 04:35 . 2009-10-19 23:29 307200 ----a-w- c:\windows\system32\CNC870L.dll
    2012-07-09 04:35 . 2008-08-26 01:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
    2012-07-09 04:33 . 2012-07-09 04:33 -------- d-----w- c:\windows\system32\STRING
    2012-07-09 04:33 . 2012-07-09 04:33 -------- d-----w- c:\windows\system32\CHM
    2012-07-09 04:33 . 2009-10-09 22:01 137216 ----a-w- c:\windows\system32\CNMNPUI.DLL
    2012-07-09 04:33 . 2009-10-09 22:01 354816 ----a-w- c:\windows\system32\CNMNPPM.DLL
    2012-06-29 04:00 . 2009-03-19 00:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
    2012-06-27 05:58 . 2012-06-27 05:58 -------- d-----w- c:\program files\Common Files\Java
    2012-06-27 05:57 . 2012-06-27 05:57 -------- d-----w- c:\program files\Oracle
    2012-06-27 05:57 . 2012-05-05 02:29 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-06-27 05:55 . 2012-06-27 05:55 -------- d-----w- c:\programdata\McAfee
    2012-06-21 18:14 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 18:14 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 18:14 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 18:14 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 18:14 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 18:14 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 18:14 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 18:14 . 2012-06-02 20:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 18:14 . 2012-06-02 20:12 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-19 10:36 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5E19F662-7201-4466-AD15-D253F1DCBD58}\mpengine.dll
    2012-06-19 07:01 . 2012-06-20 19:58 -------- d-----w- d:\users\Bosh\AppData\Local\Apple Computer
    2012-06-19 06:55 . 2012-07-09 07:15 -------- d-----w- d:\users\Bosh\AppData\Roaming\Apple Computer
    2012-06-19 06:50 . 2012-06-19 06:50 -------- d-----w- c:\programdata\Apple
    2012-06-18 19:46 . 2012-06-18 19:46 -------- d-----w- d:\users\Bosh\AppData\Roaming\NVIDIA
    2012-06-18 19:15 . 2012-05-15 09:28 2561344 ----a-w- c:\windows\system32\nvsvcr.dll
    2012-06-18 19:15 . 2012-05-15 09:28 645440 ----a-w- c:\windows\system32\nvvsvc.exe
    2012-06-18 19:15 . 2012-05-15 09:28 62272 ----a-w- c:\windows\system32\nvshext.dll
    2012-06-18 19:15 . 2012-05-15 09:28 108352 ----a-w- c:\windows\system32\nvmctray.dll
    2012-06-18 19:15 . 2012-05-15 09:28 3931456 ----a-w- c:\windows\system32\nvcpl.dll
    2012-06-18 18:46 . 2012-06-18 18:46 -------- d-----w- d:\users\Bosh\AppData\Roaming\Dell
    2012-06-18 18:46 . 2012-06-21 20:19 -------- d-----w- c:\programdata\PCDr
    2012-06-18 18:46 . 2012-06-18 18:46 -------- d-----w- c:\programdata\Dell
    2012-06-18 18:45 . 2012-06-18 18:47 -------- d-----w- c:\program files\Dell Support Center
    2012-06-18 18:43 . 2012-06-18 18:43 -------- d-----w- d:\users\Bosh\AppData\Roaming\PCDr
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-15 10:26 . 2010-10-17 08:55 61248 ----a-w- c:\windows\system32\OpenCL.dll
    2012-05-15 10:26 . 2010-10-17 08:55 15322432 ----a-w- c:\windows\system32\nvd3dum.dll
    2012-05-05 02:29 . 2011-07-16 00:57 687504 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- d:\users\Bosh\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- d:\users\Bosh\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- d:\users\Bosh\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-09-10 23:50 2957312 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-09-10 23:50 2957312 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TrueCrypt"="d:\run\Tools\TC\TrueCrypt.exe" [2011-05-25 1496528]
    "MusicManager"="d:\users\Bosh\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-06-01 13806592]
    "OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
    "306E1B8E2C99E83119C42FCB48AAF71FCAC5BD78._service_run"="d:\users\Bosh\AppData\Local\Google\Chrome\Application\chrome.exe" [2012-06-28 1250328]
    "DAEMON Tools Lite"="d:\run\Tools\DAEMON Tools Pro\DTLite.exe" [2012-02-13 3481408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="d:\run\Tools\ESET\egui.exe" [2011-01-12 2219184]
    "UnlockerAssistant"="d:\run\Tools\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-08-11 358336]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-02-16 405504]
    "boincmgr"="d:\run\Internet\BOINC\boincmgr.exe" [2010-09-24 4543232]
    "boinctray"="d:\run\Internet\BOINC\boinctray.exe" [2010-09-24 58112]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "LogMeIn Hamachi Ui"="d:\run\Tools\Internet\Hamachi\hamachi-2-ui.exe" [2012-06-27 1996200]
    "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
    .
    d:\users\Bosh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - d:\users\Bosh\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2012-2-1 1102624]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2012-06-18 18:32 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-04-17 06:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd c:\program files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\D:^Users^Bosh^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
    path=d:\users\Bosh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2011-02-02 02:53 390720 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
    2011-03-30 15:46 499608 ----a-w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
    2011-01-12 14:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
    2010-02-22 11:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
    2010-04-05 23:46 288040 ----a-w- c:\program files\DellTPad\Apoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
    2010-03-13 21:5491520----a-w-c:\program files\Microsoft Office\Office14\BCSSync.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Everything]
    2009-03-13 01:18602624----a-w-d:\run\Tools\Everything\Everything.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2011-01-09 01:06136176----a-w-d:\users\Bosh\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
    2007-05-10 08:0136864----a-w-c:\windows\OEM02Mon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
    2007-04-17 05:5049168----a-w-c:\program files\Fingerprint Reader Suite\launcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
    2012-02-07 23:11451856----a-w-d:\run\Tools\Sandboxie\SbieCtrl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAOB Monitor]
    2010-11-16 10:522536448----a-w-c:\program files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-01-17 18:07252296----a-w-c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
    2010-02-19 20:37517096----a-w-c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
    2011-02-02 02:525546376----a-w-d:\run\Tools\AcronisTrueImage\TrueImageMonitor.exe
    .
    R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [x]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
    R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [x]
    R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
    R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
    R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]
    R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [x]
    R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
    R4 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;d:\run\Internet\Nitro\NitroPDFReaderDriverService.exe [x]
    R4 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
    R4 WMPControllerService;WMPControllerService;c:\dell\Utilities\Dell Premium Remote Control\WMPControllerService.exe [x]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\DRIVERS\tdrpm273.sys [x]
    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\aestsrv.exe [x]
    S2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [x]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;d:\run\Tools\ESET\ekrn.exe [x]
    S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [x]
    S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;d:\run\Tools\Internet\Hamachi\hamachi-2.exe [x]
    S2 PanInstaller;PanInstaller;c:\program files\Palo Alto Networks\Pan Connect\PanInstaller.exe [x]
    S2 PanService;PanService;c:\program files\Palo Alto Networks\Pan Connect\PanService.exe [x]
    S2 SBSDWSCService;SBSD Security Center Service;d:\run\Tools\Spybot\SDWinSec.exe [x]
    S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [x]
    S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 PanSvd;Pan Virtual Miniport;c:\windows\system32\DRIVERS\pansvd.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2537561138-1596547413-242098265-1000Core.job
    - d:\users\Bosh\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 01:06]
    .
    2012-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2537561138-1596547413-242098265-1000UA.job
    - d:\users\Bosh\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 01:06]
    .
    2012-06-18 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 02:12]
    .
    2012-07-09 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 02:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.google.com/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - d:\users\Bosh\AppData\Roaming\Mozilla\Firefox\Profiles\gaccxglw.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-iCloudServices - d:\run\Internet\iCloud\iCloudServices.exe
    HKCU-Run-ApplePhotoStreams - d:\run\Internet\iCloud\ApplePhotoStreams.exe
    HKCU-Run-com.apple.dav.bookmarks.daemon - d:\run\Internet\iCloud\BookmarkDAV_client.exe
    MSConfigStartUp-DAEMON Tools Pro Agent - d:\run\Tools\DAEMON Tools Pro\DTAgent.exe
    MSConfigStartUp-DellRemote - c:\dell\Utilities\Dell Premium Remote Control\WMPRemoteTray.exe
    MSConfigStartUp-Steam - d:\run\Games\Steam\Steam.exe
    AddRemove-Terraria 1.1.2 - c:\program files\Terraria\Uninstall.exe
    AddRemove-uTorrent - h:\run\uTorrent\uTorrent.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
    76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
    "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
    72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
    b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
    2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:63,75,c8,97,be,57,cd,01
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(944)
    c:\windows\system32\psqlpwd.DLL
    c:\program files\Fingerprint Reader Suite\homefus2.dll
    c:\program files\Fingerprint Reader Suite\infra.dll
    .
    - - - - - - - > 'Explorer.exe'(3804)
    d:\users\Bosh\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Fingerprint Reader Suite\upeksvr.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\System32\rundll32.exe
    c:\windows\system32\conhost.exe
    c:\program files\Citrix\ICA Client\Receiver\Receiver.exe
    c:\program files\NVIDIA Corporation\Display\nvtray.exe
    d:\run\Internet\BOINC\boinc.exe
    c:\windows\system32\conhost.exe
    c:\program files\Citrix\ICA Client\wfcrun32.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\windows\system32\sppsvc.exe
    d:\run\Internet\BOINC\data\projects\www.worldcommunitygrid.org\wcg_hcc1_img_6.42_windows_intelx86
    c:\windows\system32\conhost.exe
    d:\run\Internet\BOINC\data\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86
    c:\windows\system32\conhost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-09 17:05:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-10 00:05
    .
    Pre-Run: 14,314,889,216 bytes free
    Post-Run: 14,127,820,800 bytes free
    .
    - - End Of File - - 7B7CEC7C245A39144FFFA291A6CD9435
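    Added example (not part of the thread, ComboFix, OTL or anything the helper posted): two sections of the ComboFix log above deserve a second look on any rootkit cleanup, because they describe code running inside lsass.exe. The LSA "Notification Packages" value names password-filter DLLs that lsass.exe loads at boot and calls with the new plaintext password on every password change, and the "DLLs Loaded Under Running Processes" block shows what was actually mapped into lsass.exe when the scan ran. The script below parses both from a ComboFix-style log and lists every entry that is not the Windows default (scecli, loaded from System32) so a reviewer can check the file and its signer; it does not decide what is malicious. On this machine it flags psqlpwd, the two Fingerprint Reader Suite DLLs and the WIDCOMM Bluetooth package, all of which belong to software visible elsewhere in the same log and which the thread treats as clean. SAMPLE_LOG is an excerpt cut from the posted log; the review rules and the trusted-directory list are the example's own assumptions.

```python
"""Triage the LSA sections of a ComboFix log for unexpected lsass.exe code.

Added example for this thread; not part of ComboFix, OTL or the helper's
instructions.  SAMPLE_LOG is an excerpt of the log posted above; the
review rules (default package set, trusted directories) are assumptions.
"""
import re

# The only notification package Windows installs by itself (assumption
# for this example; vendor fingerprint/credential software adds its own).
DEFAULT_NOTIFICATION_PACKAGES = {"scecli"}
# Directories a DLL inside lsass.exe is expected to come from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# A REG_MULTI_SZ entry is either a bare module name or a full path.  ComboFix
# joins the entries with single spaces, so a path containing spaces has to be
# matched as one token up to its ".dll" extension before falling back to \S+.
ENTRY_RE = re.compile(r"[a-z]:\\[^\r\n]*?\.dll|\S+", re.IGNORECASE)

# Constructed sample: an excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ    scecli psqlpwd c:\program files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(944)
c:\windows\system32\psqlpwd.DLL
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
- - - - - - - > 'Explorer.exe'(3804)
d:\users\Bosh\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
"""


def parse_notification_packages(log):
    """Return the entries of the LSA Notification Packages value, in order."""
    for line in log.splitlines():
        line = line.strip()
        if line.lower().startswith("notification packages") and "REG_MULTI_SZ" in line:
            value = line.split("REG_MULTI_SZ", 1)[1]
            return ENTRY_RE.findall(value)
    return []


def parse_process_dlls(log, process):
    """Return the DLL paths ComboFix lists under the given process header."""
    dlls, in_block = [], False
    marker = "'%s'" % process.lower()
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("- - -") and ">" in line:   # "- - - > 'name'(pid)" header
            in_block = marker in line.lower()
            continue
        if in_block:
            if line in ("", "."):                       # a lone "." closes the block
                in_block = False
            else:
                dlls.append(line)
    return dlls


def review_notification_packages(entries):
    """Pair each non-default package with the reason a reviewer should check it."""
    findings = []
    for entry in entries:
        if entry.lower() in DEFAULT_NOTIFICATION_PACKAGES:
            continue
        if "\\" in entry:
            findings.append((entry, "full path, loaded from outside the System32 lookup; verify file and signer"))
        else:
            findings.append((entry, "non-default package, resolves to %SystemRoot%\\System32\\" + entry + ".dll; verify signer"))
    return findings


def review_lsass_dlls(dlls):
    """DLLs inside lsass.exe that were loaded from outside the Windows directories."""
    return [d for d in dlls if not d.lower().startswith(TRUSTED_DIRS)]


def triage(log):
    """Run both reviews over one ComboFix log and return the findings."""
    return {
        "notification_packages": review_notification_packages(parse_notification_packages(log)),
        "lsass_dlls": review_lsass_dlls(parse_process_dlls(log, "lsass.exe")),
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section)
        for item in findings:
            print("   ", item)
```

    Run it against a full ComboFix log by reading the file into `triage()` instead of SAMPLE_LOG. The flagged entries are review items, not verdicts: the next step for each is to confirm the file exists at the path lsass.exe would load it from and carries the vendor's Authenticode signature.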
     
  11. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Looks good :)

    Any current issues?

    =====================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ===================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  12. Antij

    Antij TS Rookie Topic Starter Posts: 22

    Internet is working again after going dark around 11pm PST last night.

    ESET Smart Scan (instructed not to fix anything) only shows Sirefef in C:\FRST\Quarantine.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    You can delete FRST folder. We don't need it anymore.
     
  14. Antij

    Antij TS Rookie Topic Starter Posts: 22

    PART 1

    OTL logfile created on: 7/9/2012 6:01:46 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = D:\Users\Bosh\Desktop
    Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.50 Gb Total Physical Memory | 0.67 Gb Available Physical Memory | 19.08% Memory free
    6.99 Gb Paging File | 2.27 Gb Available in Paging File | 32.39% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 50.04 Gb Total Space | 13.24 Gb Free Space | 26.46% Space Free | Partition Type: NTFS
    Drive D: | 350.00 Gb Total Space | 41.84 Gb Free Space | 11.96% Space Free | Partition Type: NTFS
    Drive F: | 2.33 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive H: | 14.90 Gb Total Space | 10.90 Gb Free Space | 73.17% Space Free | Partition Type: FAT32

    Computer Name: B0SH | User Name: Bosh | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/09 17:59:45 | 000,595,968 | ---- | M] (OldTimer Tools) -- D:\Users\Bosh\Desktop\OTL.exe
    PRC - [2012/06/27 12:29:26 | 001,996,200 | ---- | M] (LogMeIn Inc.) -- D:\Run\Tools\Internet\Hamachi\hamachi-2-ui.exe
    PRC - [2012/06/27 12:29:22 | 001,385,896 | ---- | M] (LogMeIn Inc.) -- D:\Run\Tools\Internet\Hamachi\hamachi-2.exe
    PRC - [2012/05/24 11:39:22 | 027,112,840 | ---- | M] (Dropbox, Inc.) -- D:\Users\Bosh\AppData\Roaming\Dropbox\bin\Dropbox.exe
    PRC - [2012/05/15 02:28:16 | 001,820,480 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    PRC - [2012/05/15 02:27:34 | 000,857,920 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    PRC - [2012/04/04 15:56:38 | 000,981,680 | ---- | M] (Malwarebytes Corporation) -- D:\Run\Security\Malwarebytes\mbam.exe
    PRC - [2012/03/25 21:28:40 | 000,049,340 | ---- | M] (The Pidgin developer community) -- D:\Run\Internet\Pidgin\pidgin.exe
    PRC - [2012/02/26 11:15:17 | 006,006,784 | ---- | M] (New York University Center For Comparative Functional Genomics in collaboration with the University of Washington and IBM Corporation) -- D:\Run\Internet\BOINC\data\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86
    PRC - [2012/02/26 07:13:12 | 001,462,784 | ---- | M] () -- D:\Run\Internet\BOINC\data\projects\www.worldcommunitygrid.org\wcg_hcc1_img_6.42_windows_intelx86
    PRC - [2012/02/13 01:06:56 | 003,481,408 | ---- | M] (DT Soft Ltd) -- D:\Run\Tools\DAEMON Tools Pro\DTLite.exe
    PRC - [2012/02/01 19:31:28 | 001,102,624 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    PRC - [2012/02/01 19:31:28 | 000,775,968 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    PRC - [2012/02/01 19:31:26 | 003,720,480 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
    PRC - [2011/09/02 01:15:40 | 000,227,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    PRC - [2011/08/11 11:28:10 | 000,862,144 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    PRC - [2011/08/11 11:27:02 | 000,358,336 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
    PRC - [2011/07/21 23:07:38 | 000,718,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    PRC - [2011/07/19 17:59:04 | 000,964,480 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe
    PRC - [2011/06/23 21:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
    PRC - [2011/05/25 06:08:04 | 003,246,040 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    PRC - [2011/05/25 01:14:50 | 001,496,528 | ---- | M] (TrueCrypt Foundation) -- D:\Run\Tools\TC\TrueCrypt.exe
    PRC - [2011/04/12 14:43:52 | 000,947,528 | ---- | M] (Palo Alto Networks) -- C:\Program Files\Palo Alto Networks\Pan Connect\PanService.exe
    PRC - [2011/04/12 14:43:20 | 000,234,824 | ---- | M] () -- C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe
    PRC - [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2011/02/01 19:53:26 | 000,804,528 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    PRC - [2011/01/12 16:41:42 | 000,810,144 | ---- | M] (ESET) -- D:\Run\Tools\ESET\ekrn.exe
    PRC - [2011/01/12 16:41:24 | 002,219,184 | ---- | M] (ESET) -- D:\Run\Tools\ESET\egui.exe
    PRC - [2010/11/20 05:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010/09/23 19:59:44 | 004,543,232 | ---- | M] (World Community Grid) -- D:\Run\Internet\BOINC\boincmgr.exe
    PRC - [2010/09/23 19:59:42 | 000,058,112 | ---- | M] (Space Sciences Laboratory) -- D:\Run\Internet\BOINC\boinctray.exe
    PRC - [2010/09/23 19:59:40 | 000,537,344 | ---- | M] (World Community Grid) -- D:\Run\Internet\BOINC\boinc.exe
    PRC - [2010/08/23 20:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    PRC - [2010/08/23 09:11:28 | 000,206,240 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- D:\Run\Tools\Spybot\SDWinSec.exe
    PRC - [2008/02/15 19:23:20 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
    PRC - [2007/09/20 16:31:10 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\AEstSrv.exe
    PRC - [2007/04/16 23:05:52 | 000,021,504 | ---- | M] (UPEK Inc.) -- C:\Program Files\Fingerprint Reader Suite\upeksvr.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/06/28 03:28:56 | 000,438,296 | ---- | M] () -- D:\Users\Bosh\AppData\Local\Google\Chrome\Application\20.0.1132.47\ppgooglenaclpluginchrome.dll
    MOD - [2012/06/28 03:28:54 | 003,972,120 | ---- | M] () -- D:\Users\Bosh\AppData\Local\Google\Chrome\Application\20.0.1132.47\pdf.dll
    MOD - [2012/06/28 03:27:40 | 000,554,520 | ---- | M] () -- D:\Users\Bosh\AppData\Local\Google\Chrome\Application\20.0.1132.47\libglesv2.dll
    MOD - [2012/06/28 03:27:38 | 000,117,784 | ---- | M] () -- D:\Users\Bosh\AppData\Local\Google\Chrome\Application\20.0.1132.47\libegl.dll
    MOD - [2012/06/28 03:27:29 | 000,140,328 | ---- | M] () -- D:\Users\Bosh\AppData\Local\Google\Chrome\Application\20.0.1132.47\avutil-51.dll
    MOD - [2012/06/28 03:27:28 | 000,262,184 | ---- | M] () -- D:\Users\Bosh\AppData\Local\Google\Chrome\Application\20.0.1132.47\avformat-54.dll
    MOD - [2012/06/28 03:27:26 | 002,386,984 | ---- | M] () -- D:\Users\Bosh\AppData\Local\Google\Chrome\Application\20.0.1132.47\avcodec-54.dll
    MOD - [2012/06/28 01:27:26 | 009,252,040 | ---- | M] () -- D:\Users\Bosh\AppData\Local\Google\Chrome\Application\20.0.1132.47\gcswf32.dll
    MOD - [2012/03/25 21:28:42 | 000,036,068 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\xmppdisco.dll
    MOD - [2012/03/25 21:28:42 | 000,030,333 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\xmppconsole.dll
    MOD - [2012/03/25 21:28:42 | 000,023,455 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\winprefs.dll
    MOD - [2012/03/25 21:28:42 | 000,022,901 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\win2ktrans.dll
    MOD - [2012/03/25 21:28:40 | 000,338,072 | ---- | M] () -- D:\Run\Internet\Pidgin\libjabber.dll
    MOD - [2012/03/25 21:28:40 | 000,302,791 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libmsn.dll
    MOD - [2012/03/25 21:28:40 | 000,256,529 | ---- | M] () -- D:\Run\Internet\Pidgin\liboscar.dll
    MOD - [2012/03/25 21:28:40 | 000,194,434 | ---- | M] () -- D:\Run\Internet\Pidgin\libymsg.dll
    MOD - [2012/03/25 21:28:40 | 000,184,224 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libgg.dll
    MOD - [2012/03/25 21:28:40 | 000,149,384 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libsilc.dll
    MOD - [2012/03/25 21:28:40 | 000,121,476 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libmxit.dll
    MOD - [2012/03/25 21:28:40 | 000,096,443 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libsametime.dll
    MOD - [2012/03/25 21:28:40 | 000,092,138 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libnovell.dll
    MOD - [2012/03/25 21:28:40 | 000,088,548 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libmyspace.dll
    MOD - [2012/03/25 21:28:40 | 000,079,922 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libirc.dll
    MOD - [2012/03/25 21:28:40 | 000,073,584 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libbonjour.dll
    MOD - [2012/03/25 21:28:40 | 000,063,229 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\spellchk.dll
    MOD - [2012/03/25 21:28:40 | 000,045,348 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libsimple.dll
    MOD - [2012/03/25 21:28:40 | 000,039,509 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\log_reader.dll
    MOD - [2012/03/25 21:28:40 | 000,024,487 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\themeedit.dll
    MOD - [2012/03/25 21:28:40 | 000,024,106 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\ticker.dll
    MOD - [2012/03/25 21:28:40 | 000,023,390 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\pidginrc.dll
    MOD - [2012/03/25 21:28:40 | 000,022,335 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\notify.dll
    MOD - [2012/03/25 21:28:40 | 000,019,854 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\ssl-nss.dll
    MOD - [2012/03/25 21:28:40 | 000,019,058 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\convcolors.dll
    MOD - [2012/03/25 21:28:40 | 000,018,502 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libyahoo.dll
    MOD - [2012/03/25 21:28:40 | 000,017,951 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\timestamp_format.dll
    MOD - [2012/03/25 21:28:40 | 000,017,519 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libxmpp.dll
    MOD - [2012/03/25 21:28:40 | 000,014,951 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libyahoojp.dll
    MOD - [2012/03/25 21:28:40 | 000,014,905 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\markerline.dll
    MOD - [2012/03/25 21:28:40 | 000,014,619 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\autoaccept.dll
    MOD - [2012/03/25 21:28:40 | 000,013,589 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\timestamp.dll
    MOD - [2012/03/25 21:28:40 | 000,013,528 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\history.dll
    MOD - [2012/03/25 21:28:40 | 000,012,665 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\idle.dll
    MOD - [2012/03/25 21:28:40 | 000,012,177 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\joinpart.dll
    MOD - [2012/03/25 21:28:40 | 000,011,669 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\offlinemsg.dll
    MOD - [2012/03/25 21:28:40 | 000,011,163 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libicq.dll
    MOD - [2012/03/25 21:28:40 | 000,010,860 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\extplacement.dll
    MOD - [2012/03/25 21:28:40 | 000,010,624 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\statenotify.dll
    MOD - [2012/03/25 21:28:40 | 000,010,232 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\libaim.dll
    MOD - [2012/03/25 21:28:40 | 000,010,203 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\sendbutton.dll
    MOD - [2012/03/25 21:28:40 | 000,010,075 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\relnot.dll
    MOD - [2012/03/25 21:28:40 | 000,010,026 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\psychic.dll
    MOD - [2012/03/25 21:28:40 | 000,009,126 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\newline.dll
    MOD - [2012/03/25 21:28:40 | 000,008,793 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\gtkbuddynote.dll
    MOD - [2012/03/25 21:28:40 | 000,007,899 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\buddynote.dll
    MOD - [2012/03/25 21:28:40 | 000,007,511 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\iconaway.dll
    MOD - [2012/03/25 21:28:40 | 000,007,162 | ---- | M] () -- D:\Run\Internet\Pidgin\plugins\ssl.dll
    MOD - [2012/03/25 21:28:36 | 000,582,656 | ---- | M] () -- D:\Run\Internet\Pidgin\exchndl.dll
    MOD - [2012/03/25 21:28:36 | 000,475,580 | ---- | M] () -- D:\Run\Internet\Pidgin\spellcheck\libgtkspell-0.dll
    MOD - [2012/03/25 21:26:20 | 000,417,501 | ---- | M] () -- D:\Run\Internet\Pidgin\sqlite3.dll
    MOD - [2012/03/25 21:26:16 | 002,719,062 | ---- | M] () -- D:\Run\Internet\Pidgin\libsilc-1-1-2.dll
    MOD - [2012/03/25 21:26:16 | 001,206,642 | ---- | M] () -- D:\Run\Internet\Pidgin\libsilcclient-1-1-2.dll
    MOD - [2012/03/25 21:26:14 | 000,173,805 | ---- | M] () -- D:\Run\Internet\Pidgin\libmeanwhile-1.dll
    MOD - [2012/03/25 21:26:04 | 001,213,633 | ---- | M] () -- D:\Run\Internet\Pidgin\libxml2-2.dll
    MOD - [2012/02/26 07:13:12 | 001,462,784 | ---- | M] () -- D:\Run\Internet\BOINC\data\projects\www.worldcommunitygrid.org\wcg_hcc1_img_6.42_windows_intelx86
    MOD - [2011/09/22 19:03:57 | 000,904,525 | ---- | M] () -- D:\Run\Internet\Pidgin\Gtk\bin\libcairo-2.dll
    MOD - [2011/09/22 19:03:57 | 000,482,872 | ---- | M] () -- D:\Run\Internet\Pidgin\Gtk\bin\libgio-2.0-0.dll
    MOD - [2011/09/22 19:03:57 | 000,279,059 | ---- | M] () -- D:\Run\Internet\Pidgin\Gtk\bin\libfontconfig-1.dll
    MOD - [2011/09/22 19:03:57 | 000,219,305 | ---- | M] () -- D:\Run\Internet\Pidgin\Gtk\bin\libpng14-14.dll
    MOD - [2011/09/22 19:03:57 | 000,143,096 | ---- | M] () -- D:\Run\Internet\Pidgin\Gtk\bin\libexpat-1.dll
    MOD - [2011/09/22 19:03:57 | 000,095,189 | ---- | M] () -- D:\Run\Internet\Pidgin\Gtk\bin\libpangocairo-1.0-0.dll
    MOD - [2011/09/22 19:03:57 | 000,090,496 | ---- | M] () -- D:\Run\Internet\Pidgin\Gtk\lib\gtk-2.0\2.10.0\engines\libwimp.dll
    MOD - [2011/09/22 19:03:57 | 000,055,808 | ---- | M] () -- D:\Run\Internet\Pidgin\Gtk\bin\zlib1.dll
    MOD - [2011/09/22 19:03:56 | 000,535,264 | ---- | M] () -- D:\Run\Internet\Pidgin\Gtk\bin\freetype6.dll
    MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
    MOD - [2010/10/20 15:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    MOD - [2010/07/04 14:32:36 | 000,004,608 | ---- | M] () -- D:\Run\Tools\Unlocker\UnlockerHook.dll
    MOD - [2009/08/18 13:02:42 | 000,061,952 | ---- | M] () -- D:\Run\Internet\BOINC\zlib1.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\Dell\Utilities\Dell Premium Remote Control\WMPControllerService.exe -- (WMPControllerService)
    SRV - [2012/06/27 12:29:22 | 001,385,896 | ---- | M] (LogMeIn Inc.) [Auto | Stopped] -- D:\Run\Tools\Internet\Hamachi\hamachi-2.exe -- (Hamachi2Svc)
    SRV - [2012/06/18 11:32:23 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe -- (GoToAssist)
    SRV - [2012/02/07 16:11:42 | 000,074,512 | ---- | M] (SANDBOXIE L.T.D) [On_Demand | Stopped] -- D:\Run\Tools\Sandboxie\SbieSvc.exe -- (SbieSvc)
    SRV - [2012/02/01 19:31:28 | 000,775,968 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
    SRV - [2011/06/12 11:15:00 | 031,125,880 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
    SRV - [2011/05/25 06:08:04 | 003,246,040 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
    SRV - [2011/05/25 02:27:20 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2011/04/12 14:43:52 | 000,947,528 | ---- | M] (Palo Alto Networks) [Auto | Running] -- C:\Program Files\Palo Alto Networks\Pan Connect\PanService.exe -- (PanService)
    SRV - [2011/04/12 14:43:20 | 000,234,824 | ---- | M] () [Auto | Running] -- C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe -- (PanInstaller)
    SRV - [2011/02/01 19:53:26 | 000,804,528 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
    SRV - [2011/01/12 16:44:02 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- D:\Run\Tools\ESET\EHttpSrv.exe -- (EhttpSrv)
    SRV - [2011/01/12 16:41:42 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- D:\Run\Tools\ESET\ekrn.exe -- (ekrn)
    SRV - [2010/09/30 14:01:50 | 000,196,912 | ---- | M] (Nitro PDF Software) [Disabled | Stopped] -- D:\Run\Internet\Nitro\NitroPDFReaderDriverService.exe -- (NitroReaderDriverReadSpool)
    SRV - [2010/09/10 16:50:28 | 000,411,432 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2010/08/23 20:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
    SRV - [2009/07/13 18:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
    SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 18:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- D:\Run\Tools\Spybot\SDWinSec.exe -- (SBSDWSCService)
    SRV - [2007/09/20 16:31:10 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\AEstSrv.exe -- (AESTFilters)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Temp\mbr.sys -- (mbr)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\Temp\catchme.sys -- (catchme)
    DRV - File not found [Kernel | On_Demand | Unknown] -- -- (auqcrd5e)
    DRV - [2012/07/09 18:00:40 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
    DRV - [2012/05/15 03:26:00 | 011,354,944 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2012/03/03 20:05:31 | 000,473,656 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
    DRV - [2012/02/07 16:11:42 | 000,133,392 | ---- | M] (SANDBOXIE L.T.D) [Kernel | On_Demand | Stopped] -- D:\Run\Tools\Sandboxie\SbieDrv.sys -- (SbieDrv)
    DRV - [2011/08/10 22:20:24 | 000,066,776 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
    DRV - [2011/05/25 06:08:04 | 000,167,968 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\afcdp.sys -- (afcdp)
    DRV - [2011/05/25 06:08:00 | 000,752,128 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tdrpm273.sys -- (tdrpman273) Acronis Try&Decide and Restore Points filter (build 273)
    DRV - [2011/05/25 06:07:57 | 000,600,928 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\timntr.sys -- (timounter)
    DRV - [2011/05/25 06:07:52 | 000,170,528 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\snapman.sys -- (snapman)
    DRV - [2011/05/25 01:14:50 | 000,231,248 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)
    DRV - [2011/04/12 14:42:58 | 000,027,136 | ---- | M] (Palo Alto Networks) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pansvd.sys -- (PanSvd)
    DRV - [2011/04/04 14:55:38 | 000,020,480 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motccgp.sys -- (motccgp)
    DRV - [2011/03/31 14:53:22 | 000,024,064 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motmodem.sys -- (motmodem)
    DRV - [2011/02/07 17:36:00 | 000,011,008 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motusbdevice.sys -- (motusbdevice)
    DRV - [2010/12/21 15:04:06 | 000,137,144 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)
    DRV - [2010/12/21 15:04:06 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
    DRV - [2010/12/21 13:47:38 | 000,134,000 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfw.sys -- (epfw)
    DRV - [2010/12/21 13:47:38 | 000,041,336 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfp.sys -- (epfwwfp)
    DRV - [2010/12/21 13:47:38 | 000,033,120 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\epfwndis.sys -- (Epfwndis)
    DRV - [2010/11/20 05:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
    DRV - [2010/11/20 05:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
    DRV - [2010/11/20 05:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
    DRV - [2010/11/20 03:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010/11/20 02:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
    DRV - [2010/11/20 02:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
    DRV - [2010/11/20 02:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
    DRV - [2010/04/15 13:36:40 | 000,252,536 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2010/04/14 01:01:48 | 000,045,736 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btusbflt.sys -- (btusbflt)
    DRV - [2010/04/01 14:31:50 | 000,023,424 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Motousbnet.sys -- (Motousbnet)
    DRV - [2009/09/28 09:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
    DRV - [2009/07/13 17:18:07 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
    DRV - [2009/07/13 17:14:49 | 000,020,480 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
    DRV - [2009/07/13 16:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
    DRV - [2009/07/10 13:01:06 | 000,025,856 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motoandroid.sys -- (motandroidusb)
    DRV - [2009/05/08 11:56:12 | 000,042,752 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motodrv.sys -- (MotDev)
    DRV - [2009/03/18 16:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
    DRV - [2009/01/29 17:18:00 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motccgpfl.sys -- (motccgpfl)
    DRV - [2009/01/29 17:11:20 | 000,006,016 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motfilt.sys -- (BTCFilterService)
    DRV - [2008/02/15 18:27:02 | 000,330,752 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
    DRV - [2008/02/15 18:01:18 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2007/11/02 15:51:30 | 000,006,400 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motswch.sys -- (MotoSwitchService)
    DRV - [2007/10/10 17:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
    DRV - [2007/07/30 11:54:02 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2007/07/30 10:42:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
    DRV - [2007/03/05 18:45:00 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default Download Directory = D:\Users\Bosh\Desktop\DCIM
    IE - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
    IE - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
    IE - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 12 A7 7A 90 EA AB CC 01 [binary data]
    IE - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\..\SearchScopes,DefaultScope = {30B1B7D1-9B11-4D56-BCC2-4D6895FD3707}
    IE - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\..\SearchScopes\{30B1B7D1-9B11-4D56-BCC2-4D6895FD3707}: "URL" = http://www.google.com/search?q={sea...rce}&ie={inputEncoding?}&oe={outputEncoding?}
    IE - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
     
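The Driver Services list in the log above has the entries a responder looks at first: three drivers OTL reports as "File not found" (mbr, catchme and the bare auqcrd5e with no image path at all), one of them (catchme) still in the Running state although its file is gone, two entries with an empty company field, and one driver file carrying the hidden attribute (hamachi.sys). Checking a few hundred such lines by eye is error-prone, so here is an added Python example, not part of the original post and not something OTL itself provides, that parses lines in the SRV/DRV format shown above and flags those patterns. The sample log embedded in it is constructed from lines of this thread; the severity labels, the "random-looking name" heuristic and the "drivers directory" check are assumptions of the example, not OTL rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines in the OTL "Services" / "Driver Services"
# format, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
SRV - [2011/04/12 14:43:20 | 000,234,824 | ---- | M] () [Auto | Running] -- C:\Program Files\Palo Alto Networks\Pan Connect\PanInstaller.exe -- (PanInstaller)
SRV - [2011/01/12 16:41:42 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- D:\Run\Tools\ESET\ekrn.exe -- (ekrn)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (auqcrd5e)
DRV - [2009/09/28 09:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009/03/18 16:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2012/02/07 16:11:42 | 000,133,392 | ---- | M] (SANDBOXIE L.T.D) [Kernel | On_Demand | Stopped] -- D:\Run\Tools\Sandboxie\SbieDrv.sys -- (SbieDrv)
"""

# Entry whose file exists: [mtime | size | attrs | M] (vendor) [flags] -- path -- (name)
FOUND = re.compile(
    r"^(?P<kind>SRV|DRV) - \[(?P<mtime>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+?) \| M\] "
    r"\((?P<vendor>[^)]*)\) \[(?P<flags>[^\]]+)\] -- (?:(?P<path>.+?) )?-- \((?P<name>[^()]*)\)"
)
# Entry whose file is gone: OTL prints "File not found" instead of the file details.
MISSING = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<flags>[^\]]+)\] -- (?:(?P<path>.+?) )?-- \((?P<name>[^()]*)\)"
)
# Where a kernel driver image normally lives (assumption of this example).
DRIVER_DIR = re.compile(r"\\system32\\(?:drivers|driverstore)\\", re.IGNORECASE)
# Heuristic only: eight lowercase alphanumerics including a digit, like "auqcrd5e".
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{8}$")


@dataclass
class Entry:
    kind: str              # "SRV" or "DRV"
    name: str              # registry name of the service/driver
    path: str              # image path, "" when OTL printed none
    vendor: Optional[str]  # company from version info; None when the file is missing
    attrs: str             # OTL attribute column, e.g. "-H--" = hidden
    flags: List[str]       # [type,] start mode, state
    missing: bool          # True for "File not found" entries

    @property
    def state(self) -> str:
        return self.flags[-1]


@dataclass
class Finding:
    name: str
    severity: str  # "high" / "medium" / "low" (scale chosen for this example)
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL SRV/DRV line; return None for any other line type."""
    line = line.strip()
    m = FOUND.match(line)
    if m:
        return Entry(m["kind"], m["name"], m["path"] or "", m["vendor"], m["attrs"],
                     [f.strip() for f in m["flags"].split("|")], False)
    m = MISSING.match(line)
    if m:
        return Entry(m["kind"], m["name"], m["path"] or "", None, "",
                     [f.strip() for f in m["flags"].split("|")], True)
    return None


def triage_entry(e: Entry) -> List[Finding]:
    """Apply the checks a responder makes first; a finding is a prompt to verify, not a verdict."""
    out: List[Finding] = []
    if e.missing:
        if e.state == "Running":
            out.append(Finding(e.name, "high", "loaded in memory but its image file is gone from disk"))
        else:
            out.append(Finding(e.name, "medium", "registered but its image file is missing"))
    if not e.path:
        out.append(Finding(e.name, "medium", "no image path recorded at all"))
    if RANDOM_NAME.match(e.name):
        out.append(Finding(e.name, "medium", "random-looking name (heuristic)"))
    if e.vendor == "":
        out.append(Finding(e.name, "low", "no company name in the file's version info"))
    if "H" in e.attrs:
        out.append(Finding(e.name, "medium", "image file carries the hidden attribute"))
    if e.kind == "DRV" and e.path and not DRIVER_DIR.search(e.path):
        out.append(Finding(e.name, "low", f"driver loaded from outside the drivers directory: {e.path}"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Run triage_entry over every SRV/DRV line in an OTL log and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            findings.extend(triage_entry(entry))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.name}: {f.reason}")
```

Paste a whole OTL log into triage() and read the "high" and "medium" lines first. Note that driver names such as catchme.sys and mbr.sys under C:\Temp are commonly left behind by anti-rootkit scanners that were run earlier, so a "file not found" driver needs to be matched against the tools already used on the machine before it is treated as malware; the script only narrows the list, it does not decide.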
  15. Antij

    PART 2 OTL

    ========== FireFox ==========

    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: D:\Run\Create\npPicasa3.dll (Google, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: D:\Run\Entertainment\VLC\npvlc.dll (VideoLAN)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\Users\Bosh\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\Users\Bosh\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: D:\Run\Internet\Failfox\components [2011/12/27 15:13:57 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: D:\Run\Internet\Failfox\plugins [2011/12/27 15:13:57 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: D:\Run\Tools\ESET\Mozilla Thunderbird [2011/05/25 04:05:28 | 000,000,000 | ---D | M]

    [2011/11/19 12:56:15 | 000,000,000 | ---D | M] (No name found) -- D:\Users\Bosh\AppData\Roaming\Mozilla\Extensions
    [2012/02/08 16:20:19 | 000,000,000 | ---D | M] (No name found) -- D:\Users\Bosh\AppData\Roaming\Mozilla\Firefox\Profiles\gaccxglw.default\extensions
    [2011/11/19 12:58:57 | 000,000,000 | ---D | M] (Greasemonkey) -- D:\Users\Bosh\AppData\Roaming\Mozilla\Firefox\Profiles\gaccxglw.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    [2012/02/08 16:20:20 | 000,000,000 | ---D | M] (No name found) -- D:\Users\Bosh\AppData\Roaming\Mozilla\Firefox\Profiles\gaccxglw.default\extensions\staged
    [2011/11/19 12:59:54 | 000,131,843 | ---- | M] () (No name found) -- D:\USERS\BOSH\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\GACCXGLW.DEFAULT\EXTENSIONS\{95C9A302-8557-4052-91B7-2BB6BA33C885}.XPI

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms},
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = D:\Users\Bosh\AppData\Local\Google\Chrome\Application\20.0.1132.47\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = D:\Users\Bosh\AppData\Local\Google\Chrome\Application\20.0.1132.47\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\NPAPIFlash\gcswf32.dll
    CHR - plugin: Shockwave Flash (Disabled) = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.132\pepflashplayer.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: Citrix ICA Client (Enabled) = D:\Run\Internet\Failfox\plugins\npicaN.dll
    CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = D:\Run\Tools\Java\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U26 (Enabled) = D:\Run\Tools\Java\bin\new_plugin\npjp2.dll
    CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL
    CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL
    CHR - plugin: Picasa (Enabled) = D:\Run\Create\npPicasa3.dll
    CHR - plugin: VLC Web Plugin (Enabled) = D:\Run\Entertainment\VLC\npvlc.dll
    CHR - plugin: Google Update (Enabled) = D:\Users\Bosh\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll
    CHR - Extension: RapidShare Extension for Google Chrome\u2122 = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\alnniagnighkjjnaebfggchaaagfjocb\2.2_0\
    CHR - Extension: QR-Code Tag Extension = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcfddoencoiedfjgepnlhcpfikgaogdg\0.7.9_0\
    CHR - Extension: Video Downloader - All videos from all sites = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdglijkhmmniffomkalmhiplpfoofplo\1.1_0\
    CHR - Extension: Autoplayer for Mafia Wars (Facebook) = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgagpckjofhomehafhognmangbjdiaap\3.0.96_0\
    CHR - Extension: Add to Amazon Wish List = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciagpekplgpbepdgggflgmahnjgiaced\1.0.0.8_0\
    CHR - Extension: RapidShare Auto-Downloader = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcngaibjigkbcpniopoogeojkjljfpil\3.0.1_0\
    CHR - Extension: IBA Opt-out (by Google) = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbiekjoijknlhijdjbaadobpkdhmoebb\1.0_0\
    CHR - Extension: Select and Speak = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfjopfpjmkcfgjpogepmdjmcnihfpokn\0.1.8_0\
    CHR - Extension: The Camelizer = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghnomdcacenbmilgjigehppbamfndblo\1.5_0\
    CHR - Extension: AdBlock = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.37_0\
    CHR - Extension: FB MafiaWars Addon = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\hidacfabgnpddbiiaplgdpnbeegooihd\2.9.51_1\
    CHR - Extension: goo.gl URL Shortener = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\iblijlcdoidgdpfknkckljiocdbnlagk\0.7.2_0\
    CHR - Extension: Google Voice (by Google) = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcnhkahnjcbndmmehfkdnkjomaanaooo\2.3.6.8_0\
    CHR - Extension: InstallFree Nexus with Microsoft Office = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkbdmlhfkcpbokoofbgohenkmpohfnpe\1.0.3_0\
    CHR - Extension: TweetDeck Launcher = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmjdnkpkpnjblbgbnkeedepgnomafojk\1.0_0\
    CHR - Extension: JDownloader Integration for Google Chrome\u2122 = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\laeghehalempfenbefbjbhccjcoakpmm\1.2.3_0\
    CHR - Extension: MegaUpload DownloadHelper = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekjckogogidfhpejjmaaekecplpdcg\1.2_0\
    CHR - Extension: Boomerang for Gmail = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdkdbdadolokifeomchamhifddohomii\1.0_0\
    CHR - Extension: Chrome Speak = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgpmlgbbboameedkldbfbhoigbabcbhk\1.2_0\
    CHR - Extension: Personal Blocklist (by Google) = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\nolijncfnkgaikbjbdaogikpmpbdcdef\2.3_0\
    CHR - Extension: Face Book Mafia Gift Acceptor = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\oagdpocbmcbhfomikopeabjeahenmmio\0.10.143_0\
    CHR - Extension: Microformats for Google Chrome\u2122 = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\oalbifknmclbnmjlljdemhjjlkmppjjl\0.4.11_0\
    CHR - Extension: SpeakIt! = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgeolalilifpodheeocdmbhehgnkkbak\0.2.5_0\
    CHR - Extension: Evernote Web Clipper = D:\Users\Bosh\AppData\Local\Google\Chrome\User Data\Default\Extensions\pioclpoplcdbaefihamjohnefbikjilc\5.5.1_0\

    O1 HOSTS File: ([2012/07/09 17:02:29 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
    O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
    O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [boincmgr] D:\Run\Internet\BOINC\boincmgr.exe (World Community Grid)
    O4 - HKLM..\Run: [boinctray] D:\Run\Internet\BOINC\boinctray.exe (Space Sciences Laboratory)
    O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
    O4 - HKLM..\Run: [egui] D:\Run\Tools\ESET\egui.exe (ESET)
    O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
    O4 - HKLM..\Run: [LogMeIn Hamachi Ui] D:\Run\Tools\Internet\Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
    O4 - HKLM..\Run: [UnlockerAssistant] D:\Run\Tools\Unlocker\UnlockerAssistant.exe ()
    O4 - HKU\S-1-5-21-2537561138-1596547413-242098265-1000..\Run: [DAEMON Tools Lite] D:\Run\Tools\DAEMON Tools Pro\DTLite.exe (DT Soft Ltd)
    O4 - HKU\S-1-5-21-2537561138-1596547413-242098265-1000..\Run: [MusicManager] D:\Users\Bosh\AppData\Local\Programs\Google\MusicManager\MusicManager.exe (Google Inc.)
    O4 - HKU\S-1-5-21-2537561138-1596547413-242098265-1000..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE (Microsoft Corporation)
    O4 - HKU\S-1-5-21-2537561138-1596547413-242098265-1000..\Run: [TrueCrypt] D:\Run\Tools\TC\TrueCrypt.exe (TrueCrypt Foundation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
    O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
    O15 - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 10.5.1)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 10.5.1)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.64.12
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EE415505-B6F6-434A-907F-8DAFFCB30C24}: DhcpNameServer = 192.168.1.1 68.238.64.12
    O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\Windows\System32\vrlogon.dll (UPEK Inc.)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\615\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
    O20 - Winlogon\Notify\psfus: DllName - (C:\Windows\system32\psqlpwd.dll) - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
    O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2009/07/14 02:26:40 | 000,000,043 | R--- | M] () - F:\autorun.inf -- [ UDF ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/09 17:59:56 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2012/07/09 17:59:41 | 000,595,968 | ---- | C] (OldTimer Tools) -- D:\Users\Bosh\Desktop\OTL.exe
    [2012/07/09 17:05:22 | 000,000,000 | ---D | C] -- D:\Users\Bosh\AppData\Local\temp
    [2012/07/09 17:05:22 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/07/09 17:02:33 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2012/07/09 16:51:24 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/07/09 16:51:24 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/07/09 16:51:24 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/07/09 16:48:40 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/07/09 16:48:24 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/07/09 02:04:20 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/07/09 01:54:22 | 000,000,000 | ---D | C] -- D:\Users\Bosh\AppData\Roaming\Malwarebytes
    [2012/07/09 01:54:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sec
    [2012/07/09 01:54:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/07/09 01:54:17 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/07/08 21:35:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon IJ Network Utilities
    [2012/07/08 21:35:09 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
    [2012/07/08 21:35:07 | 001,310,720 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNC870C.dll
    [2012/07/08 21:35:07 | 000,307,200 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNC870L.dll
    [2012/07/08 21:35:07 | 000,110,592 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNC870I.dll
    [2012/07/08 21:35:07 | 000,102,400 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNC870U.dll
    [2012/07/08 21:35:07 | 000,015,872 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNHMCA.dll
    [2012/07/08 21:33:52 | 000,354,816 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNMNPPM.DLL
    [2012/07/08 21:33:52 | 000,137,216 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNMNPUI.DLL
    [2012/07/08 21:33:52 | 000,000,000 | ---D | C] -- C:\Windows\System32\STRING
    [2012/07/08 21:33:52 | 000,000,000 | ---D | C] -- C:\Windows\System32\CHM
    [2012/07/08 21:33:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MX870 series
    [2012/07/08 21:33:23 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
    [2012/07/08 15:09:35 | 000,000,000 | ---D | C] -- D:\Users\Bosh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bluetooth Devices
    [2012/06/30 02:21:20 | 000,000,000 | ---D | C] -- D:\Users\Bosh\Desktop\Corporate Espionage
    [2012/06/28 21:00:41 | 000,026,176 | -H-- | C] (LogMeIn, Inc.) -- C:\Windows\System32\hamachi.sys
    [2012/06/28 21:00:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hamachi
    [2012/06/26 22:58:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2012/06/26 22:57:32 | 000,000,000 | ---D | C] -- C:\Program Files\Oracle
    [2012/06/26 22:57:06 | 000,772,504 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\npDeployJava1.dll
    [2012/06/26 22:57:06 | 000,227,720 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
    [2012/06/26 22:55:50 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
    [2012/06/21 11:14:50 | 002,422,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wucltux.dll
    [2012/06/21 11:14:50 | 000,045,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups2.dll
    [2012/06/21 11:14:43 | 000,577,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll
    [2012/06/21 11:14:43 | 000,088,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll
    [2012/06/21 11:14:43 | 000,035,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups.dll
    [2012/06/21 11:14:36 | 000,171,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll
    [2012/06/21 11:14:36 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe
    [2012/06/21 00:17:57 | 000,000,000 | ---D | C] -- D:\Users\Bosh\Desktop\docsoh
    [2012/06/19 00:01:23 | 000,000,000 | ---D | C] -- D:\Users\Bosh\AppData\Local\Apple Computer
    [2012/06/18 23:55:31 | 000,000,000 | ---D | C] -- D:\Users\Bosh\AppData\Roaming\Apple Computer
    [2012/06/18 23:50:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
    [2012/06/18 12:46:07 | 000,000,000 | ---D | C] -- D:\Users\Bosh\AppData\Roaming\NVIDIA
    [2012/06/18 12:15:15 | 003,931,456 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcpl.dll
    [2012/06/18 12:15:15 | 002,759,488 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvsvc.dll
    [2012/06/18 12:15:15 | 002,561,344 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvsvcr.dll
    [2012/06/18 12:15:15 | 000,108,352 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvmctray.dll
    [2012/06/18 12:15:15 | 000,062,272 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvshext.dll
    [2012/06/18 12:11:49 | 019,607,872 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvoglv32.dll
    [2012/06/18 12:11:49 | 011,354,944 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys
    [2012/06/18 12:11:49 | 008,105,280 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvwgf2um.dll
    [2012/06/18 12:11:49 | 005,982,528 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuda.dll
    [2012/06/18 12:11:49 | 002,524,992 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvid.dll
    [2012/06/18 12:11:49 | 002,445,120 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvenc.dll
    [2012/06/18 12:11:49 | 001,000,768 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvdispco32.dll
    [2012/06/18 12:11:49 | 000,883,008 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvgenco32.dll
    [2012/06/18 12:11:48 | 017,551,680 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcompiler.dll
    [2012/06/18 12:11:48 | 002,368,832 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvapi.dll
    [2012/06/18 12:10:56 | 000,000,000 | ---D | C] -- C:\NVIDIA
    [2012/06/18 11:57:04 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
    [2012/06/18 11:48:24 | 000,000,000 | ---D | C] -- D:\Users\Bosh\Desktop\DCIM
    [2012/06/18 11:46:59 | 000,000,000 | ---D | C] -- D:\Users\Bosh\AppData\Roaming\Dell
    [2012/06/18 11:46:51 | 000,000,000 | ---D | C] -- C:\ProgramData\PCDr
    [2012/06/18 11:46:32 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Support Center
    [2012/06/18 11:46:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Dell
    [2012/06/18 11:45:56 | 000,000,000 | ---D | C] -- C:\Program Files\Dell Support Center
    [2012/06/18 11:43:36 | 000,000,000 | ---D | C] -- D:\Users\Bosh\AppData\Roaming\PCDr

    ========== Files - Modified Within 30 Days ==========

    [2012/07/09 18:00:40 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2012/07/09 17:59:45 | 000,595,968 | ---- | M] (OldTimer Tools) -- D:\Users\Bosh\Desktop\OTL.exe
    [2012/07/09 17:23:17 | 000,000,506 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
    [2012/07/09 17:20:51 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2537561138-1596547413-242098265-1000UA.job
    [2012/07/09 17:10:35 | 000,013,808 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/07/09 17:10:35 | 000,013,808 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/07/09 17:06:23 | 000,663,260 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/07/09 17:06:23 | 000,122,096 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/07/09 17:02:29 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/07/09 17:02:07 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
    [2012/07/09 17:02:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/07/09 17:01:57 | 2817,048,576 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/09 05:01:56 | 000,001,908 | ---- | M] () -- C:\Windows\diagwrn.xml
    [2012/07/09 05:01:56 | 000,001,908 | ---- | M] () -- C:\Windows\diagerr.xml
    [2012/07/09 01:54:18 | 000,000,747 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/09 00:15:06 | 000,000,535 | ---- | M] () -- C:\Windows\System32\mapisvc.inf
    [2012/07/08 22:55:19 | 000,367,934 | ---- | M] () -- D:\Users\Bosh\Desktop\****EVERY****INGTHING************.pdf
    [2012/07/08 22:20:14 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2537561138-1596547413-242098265-1000Core.job
    [2012/07/08 21:35:10 | 000,001,967 | ---- | M] () -- C:\Users\Public\Desktop\Canon IJ Network Tool.lnk
    [2012/07/05 07:00:59 | 000,096,721 | ---- | M] () -- D:\Users\Bosh\Desktop\AuntClaireBday7-5-12.pdf
    [2012/06/28 22:18:46 | 000,001,276 | ---- | M] () -- D:\Users\Bosh\Desktop\Bluetooth Software - Shortcut.lnk
    [2012/06/26 22:56:40 | 000,174,064 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
    [2012/06/26 22:56:40 | 000,174,064 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
    [2012/06/19 22:40:21 | 000,084,550 | ---- | M] () -- D:\Users\Bosh\Desktop\Hydraulic rotary pumps-hIL.pdf
    [2012/06/18 12:21:44 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
    [2012/06/18 11:48:30 | 006,105,008 | ---- | M] () -- D:\Users\Bosh\Desktop\R182249.exe

    ========== Files Created - No Company Name ==========

    [2012/07/09 16:51:24 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/07/09 16:51:24 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/07/09 16:51:24 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/07/09 16:51:24 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/07/09 16:51:24 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/07/09 05:00:30 | 000,001,908 | ---- | C] () -- C:\Windows\diagwrn.xml
    [2012/07/09 05:00:30 | 000,001,908 | ---- | C] () -- C:\Windows\diagerr.xml
    [2012/07/09 01:54:18 | 000,000,747 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/08 22:55:48 | 000,367,934 | ---- | C] () -- D:\Users\Bosh\Desktop\****EVERY****INGTHING************.pdf
    [2012/07/08 21:35:10 | 000,001,967 | ---- | C] () -- C:\Users\Public\Desktop\Canon IJ Network Tool.lnk
    [2012/07/08 21:35:07 | 000,015,360 | ---- | C] () -- C:\Windows\System32\CNC1743D.TBL
    [2012/07/05 07:01:26 | 000,096,721 | ---- | C] () -- D:\Users\Bosh\Desktop\AuntClaireBday7-5-12.pdf
    [2012/06/28 22:18:46 | 000,001,276 | ---- | C] () -- D:\Users\Bosh\Desktop\Bluetooth Software - Shortcut.lnk
    [2012/06/19 22:40:20 | 000,084,550 | ---- | C] () -- D:\Users\Bosh\Desktop\Hydraulic rotary pumps-hIL.pdf
    [2012/06/18 12:11:49 | 000,011,190 | ---- | C] () -- C:\Windows\System32\nvinfo.pb
    [2012/06/18 11:48:30 | 006,105,008 | ---- | C] () -- D:\Users\Bosh\Desktop\R182249.exe
    [2012/06/18 11:47:02 | 000,000,564 | ---- | C] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
    [2012/06/18 11:47:00 | 000,000,506 | ---- | C] () -- C:\Windows\tasks\SystemToolsDailyTest.job
    [2012/02/21 02:27:37 | 000,000,600 | ---- | C] () -- D:\Users\Bosh\AppData\Local\PUTTY.RND
    [2011/10/14 22:34:48 | 000,000,116 | ---- | C] () -- C:\Windows\QUICKEN.INI
    [2011/08/18 23:59:17 | 000,000,132 | ---- | C] () -- D:\Users\Bosh\AppData\Roaming\Adobe PNG Format CS5 Prefs
    [2011/05/25 05:22:45 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2011/05/25 03:50:48 | 000,001,658 | ---- | C] () -- C:\Windows\Sandboxie.ini
    [2011/05/25 01:25:08 | 000,087,552 | ---- | C] () -- C:\Windows\System32\cpwmon2k.dll
    [2011/05/09 22:36:30 | 000,007,599 | ---- | C] () -- D:\Users\Bosh\AppData\Local\Resmon.ResmonCfg
    [2011/05/05 02:40:59 | 000,001,456 | ---- | C] () -- D:\Users\Bosh\AppData\Local\Adobe Save for Web 12.0 Prefs
    [2011/01/11 02:02:23 | 000,003,584 | ---- | C] () -- D:\Users\Bosh\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 332 bytes -> D:\Users\Bosh\Desktop\JR Explains Internet.jpg:com.dropbox.attributes

    < End of report >
     
  16. Antij

    Antij TS Rookie Topic Starter Posts: 22

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.07.09.14
    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Bosh :: B0SH [administrator]
    7/9/2012 6:00:57 PM
    mbam-log-2012-07-09 (18-00-57).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 233107
    Time elapsed: 5 minute(s), 16 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     
  17. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Unknown] -- -- (auqcrd5e)
      O15 - HKU\S-1-5-21-2537561138-1596547413-242098265-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
      @Alternate Data Stream - 332 bytes -> D:\Users\Bosh\Desktop\JR Explains Internet.jpg:com.dropbox.attributes
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


4. Please run F-Secure Online Scanner

    • Disable your Antivirus program.
    • Checkmark I have read and accepted the license terms.
    • Click on Run Check button.
    • Quick scan (recommended) option will come pre-checked. Don't change it.
    • Click on Start button.
• When scan is done, in Step 3: Clean the files, leave all settings as they are.
    • Click Next button.
    • Click Full report... button.
    • Copy report's content and paste it into your next reply.
     
  18. Antij

    Antij TS Rookie Topic Starter Posts: 22

    Checkup

    Results of screen317's Security Check version 0.99.24
    Windows 7 Service Pack 1 x86 (UAC is disabled!)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:
    Windows Firewall Enabled!
    ESET Smart Security
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:
    Spybot - Search & Destroy
    CCleaner
    Duplicate Cleaner 2.0.6
    JavaFX 2.1.1
    Java(TM) 6 Update 26
    Java(TM) 7 Update 5
    Out of date Java installed!
    Adobe Flash Player (10.3.183.5) Flash Player Out of Date!
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent
    Spybot Teatimer.exe is disabled!
    ``````````End of Log```````````All processes killed
    ========== OTL ==========
    Error: No service named auqcrd5e was found to stop!
    Service\Driver key auqcrd5e not found.
    Registry key HKEY_USERS\S-1-5-21-2537561138-1596547413-242098265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ not found.
    ADS D:\Users\Bosh\Desktop\JR Explains Internet.jpg:com.dropbox.attributes deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Bosh

    User: Default

    User: Default User

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    Session Manager Temp folder emptied: 49554 bytes
    Session Manager Tmp folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Bosh

    User: Default

    User: Default User

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Bosh

    User: Default

    User: Default User

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.53.1 log created on 07092012_191334

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...


     
  19. Antij

    Antij TS Rookie Topic Starter Posts: 22

    Farbar Service Scanner Version: 08-07-2012
    Ran by Bosh (administrator) on 09-07-2012 at 19:18:18
    Running from "I:\"
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.
    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    System Restore:
    ============
    System Restore Disabled Policy:
    ========================
    Action Center:
    ============
    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.
    Windows Autoupdate Disabled Policy:
    ============================
    Windows Defender:
    ==============
    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit
    **** End of log ****
     
  20. Antij

    Antij TS Rookie Topic Starter Posts: 22

    Scanning Report

    Monday, July 9, 2012 19:43:20 - 19:45:52

    Computer name: B0SH
    Scanning type: Quick scan
    Target: System


    No malware found


    Statistics

    Scanned:
    • Files: 4550
    • System: 4550
    • Not scanned: 0
    Actions:
    • Disinfected: 0
    • Renamed: 0
    • Deleted: 0
    • Not cleaned: 0
    • Submitted: 0

    Options

    Scanning engines:

     
  21. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Uninstall:
    JavaFX 2.1.1
    Java(TM) 6 Update 26

    ===============================

    Update Adobe Flash Player
    Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

    ================================

    We have one registry key corrupted affecting Windows updates.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.
    Double click on bits.reg file and confirm the prompt.
    Restart computer.
    Post new FSS log.
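The distinction Broni is drawing here is between a service that simply is not running (normal for BITS and wuauserv when idle) and one whose Start value is missing from the registry, which is what the first FSS log flagged with ATTENTION! and what bits.reg restores. The following Python script is an added example, not Broni's, Farbar's or TechSpot's code: it triages FSS log text and separates the two cases. The two embedded samples are constructed excerpts of the FSS logs posted earlier in this thread, and the regexes assume FSS phrases its lines exactly as those logs show.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity service message")

# Constructed sample input: the Windows Update and File Check portions of the
# FSS log posted before bits.reg was applied (BITS Start value missing).
FSS_BEFORE_FIX = """\
Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

File Check:
========
C:\\Windows\\system32\\wuaueng.dll => MD5 is legit
C:\\Windows\\system32\\qmgr.dll => MD5 is legit
"""

# Constructed sample input: the same portions of the FSS log posted after the
# fix (wuauserv idle, but every configuration value present and OK).
FSS_AFTER_FIX = """\
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

File Check:
========
C:\\Windows\\system32\\wuaueng.dll => MD5 is legit
C:\\Windows\\system32\\qmgr.dll => MD5 is legit
"""

# Line shapes assumed from the posted logs (assumption: FSS keeps this wording).
NOT_RUNNING = re.compile(r"^(\w+) Service is not running")
ATTENTION = re.compile(r"ATTENTION!=*>\s*(.*)$")
FILE_CHECK = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")


def triage_fss(log_text):
    """Walk an FSS log and return Findings.

    'info'  : a service is stopped but FSS goes on to check its configuration
              (harmless on its own; BITS and wuauserv stop when idle).
    'high'  : FSS printed ATTENTION! for a service's configuration, or a
              protected file's hash check did not come back 'MD5 is legit'.
    """
    findings = []
    current = None  # service named by the most recent "not running" line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = NOT_RUNNING.match(line)
        if m:
            current = m.group(1)
            findings.append(Finding("info", current,
                                    "service not running; configuration checked below"))
            continue
        m = ATTENTION.search(line)
        if m:
            # Configuration problem for the service FSS is currently examining.
            findings.append(Finding("high", current, m.group(1)))
            continue
        m = FILE_CHECK.match(line)
        if m and m.group("verdict") != "MD5 is legit":
            findings.append(Finding("high", None,
                                    f"{m.group('path')}: {m.group('verdict')}"))
    return findings


def services_needing_repair(log_text):
    """Names of services whose registry configuration FSS flagged (registry fix needed)."""
    return sorted({f.service for f in triage_fss(log_text)
                   if f.severity == "high" and f.service})


if __name__ == "__main__":
    for label, text in (("before fix", FSS_BEFORE_FIX), ("after fix", FSS_AFTER_FIX)):
        print(f"== {label} ==")
        for f in triage_fss(text):
            print(f"  [{f.severity}] {f.service or '-'}: {f.message}")
        print("  needs repair:", services_needing_repair(text) or "none")
```

Run against the first log it reports BITS as needing repair; against the second it reports only that wuauserv is idle, which is why Broni's follow-up question is about whether updates work rather than about another registry fix.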
     
  22. Antij

    Antij TS Rookie Topic Starter Posts: 22

    Ha, almost reinfected my machine with adware with that big green Download Now! button in the 404techsupport.com post. Have just been clicking and installing the numerous programs without checking them out. Ok...here's FSS now.

    Farbar Service Scanner Version: 08-07-2012
    Ran by Bosh (administrator) on 09-07-2012 at 21:03:20
    Running from "I:\"
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  23. Antij

    Antij TS Rookie Topic Starter Posts: 22

    By the way thanks so much for fixing my computer and for the help. You are awesome. Threw a tip your way via PayPal (though you deserve a bigger one).
    H
     
  24. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Thank you :)

    Can you access Windows updates now?
     
  25. Antij

    Antij TS Rookie Topic Starter Posts: 22

    I don't recall NOT being able to access them (had access at least as late as 6/21), but they are functional now, yes.
     
