TechSpot

Win64 sirefef victim

Solved
By lroman3
Jul 13, 2012
  1. Hello,

    I'm in desperate need to remove both Sirefef.B and Sirefef.Y trojans infecting my desktop computer.
    My computer is running on Windows 7 64-Bit Home Premium.
    I believe that I may have contracted the trojans when I downloaded a "new" video converter for my Nook, although I'm not entirely sure if this is the case.

    Regardless of the cause, I noticed the symptoms of a Sirefef trojan when my Microsoft Security Essentials disabled real-time updates. I uninstalled MSE and installed a fresh MSE; however, I believe this may have made matters worse. I am unable to do very much in terms of eradicating the virus as my computer keeps displaying a pop-up telling me the computer will restart after one minute. I essentially have no time to perform any sort of scan since the computer keeps restarting. I was at least able to identify the trojans through MSE's history of detected malware.

    What can I do to remove the Sirefef.B and Sirefef.Y trojans?
     
  2. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===========================

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  3. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    Scan result of Farbar Recovery Scan Tool Version: 14-07-2012 01
    Ran by SYSTEM at 14-07-2012 09:07:23
    Running from K:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet003
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe [172032 2009-02-06] ()
    HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [915512 2009-03-05] (Hewlett-Packard)
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16327712 2009-06-26] (NVIDIA Corporation)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75016 2008-12-04] (Hewlett-Packard)
    HKLM-x32\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
    HKLM-x32\...\Run: [Microsoft Default Manager] "c:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [224616 2009-02-06] (Microsoft Corp.)
    HKLM-x32\...\Run: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" [218408 2008-12-03] (CyberLink Corp.)
    HKLM-x32\...\Run: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [218408 2008-12-03] (CyberLink Corp.)
    HKLM-x32\...\Run: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0" [218408 2008-12-03] (CyberLink Corp.)
    HKLM-x32\...\Run: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2009-02-02] (CyberLink Corp.)
    HKLM-x32\...\Run: [KBD] C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.EXE [12288 2008-07-21] (Microsoft)
    HKLM-x32\...\Run: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [x]
    HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
    HKLM-x32\...\Run: [Corel File Shell Monitor] c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe [x]
    HKLM-x32\...\Run: [Standby] "c:\Program Files (x86)\Common Files\Corel\Standby\Standby.exe" -START [105632 2010-01-07] (Corel)
    HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
    HKLM-x32\...\Run: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart [1234216 2010-03-26] (Nero AG)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [UVS11 Preload] C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio 11\uvPL.exe [341232 2007-07-23] (InterVideo Digital Technology Corporation)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [296056 2012-05-17] (RealNetworks, Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKU\Default\...\Run: [HPADVISOR] [x]
    HKU\Default User\...\Run: [HPADVISOR] [x]
    HKU\Larry Roman\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW [1689144 2010-06-29] (Hewlett-Packard)
    HKU\Larry Roman\...\Run: [XBV6RD5SZF] C:\Users\LARRYR~1\AppData\Local\Temp\Fvx.exe [x]
    HKU\Larry Roman\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4240760 2010-11-09] (Microsoft Corporation)
    HKU\Larry Roman\...\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [718720 2011-07-21] (Microsoft Corporation)
    HKU\Larry Roman\...\Run: [Corel Photo Downloader] "C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup [523408 2009-12-30] (Corel, Inc.)
    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\NovaBACKUP Tray Control.lnk
    ShortcutTarget: NovaBACKUP Tray Control.lnk -> C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe (NovaStor)
    Startup: C:\Users\Larry Roman\Start Menu\Programs\Startup\BUFFALO NAS Navigator2.lnk
    ShortcutTarget: BUFFALO NAS Navigator2.lnk -> C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe (BUFFALO INC.)
    Startup: C:\Users\Larry Roman\Start Menu\Programs\Startup\NAS Scheduler.lnk
    ShortcutTarget: NAS Scheduler.lnk -> C:\Program Files (x86)\BUFFALO\NASNAVI\nassche.exe (BUFFALO INC.)
    ==================== Services (Whitelisted) ======
    2 Capture Device Service; "C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe" [198168 2007-03-06] (InterVideo Inc.)
    2 FileOpenManagerSvc; C:\ProgramData\FileOpen\Services\FileOpenManagerSvc64.exe [331648 2011-03-09] (FileOpen Systems Inc.)
    2 HPBtnSrv; C:\Program Files (x86)\Hewlett-Packard\HP Easy Backup\HPBtnSrv.exe [192512 2008-09-30] ()
    2 Mcx2Svc; C:\Windows\SysWOW64\Mcx2Svc.dll [1743360 2012-06-20] ()
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    2 NasPmService; C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [251184 2009-05-15] (BUFFALO INC.)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    2 nsService; "C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe" [261256 2010-04-15] (NovaStor)
    4 RemoteAccess; C:\Windows\SysWOW64\mqrdim.dll [x]
    ========================== Drivers (Whitelisted) =============
    2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\c:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2009-10-20] (CyberLink Corp.)
    1 bysinawu; \??\C:\Windows\system32\drivers\bysinawu.sys [x]
    1 haahpiot; \??\C:\Windows\system32\drivers\haahpiot.sys [x]
    1 ieuhebnq; \??\C:\Windows\system32\drivers\ieuhebnq.sys [x]
    1 jrcpiymr; \??\C:\Windows\system32\drivers\jrcpiymr.sys [x]
    1 lgruhtzt; \??\C:\Windows\system32\drivers\lgruhtzt.sys [x]
    1 pwtkudjg; \??\C:\Windows\system32\drivers\pwtkudjg.sys [x]
    1 wunyaytn; \??\C:\Windows\system32\drivers\wunyaytn.sys [x]
    ========================== NetSvcs (Whitelisted) ===========
    NETSVCx32: Mcx2Svc -> C:\Windows\SysWOW64\Mcx2Svc.dll ()
    ============ One Month Created Files and Folders ==============
    2012-07-12 13:12 - 2012-07-12 13:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.377035CAFB5A7583
    2012-07-12 13:12 - 2012-07-12 13:12 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\uqdvxptz.sys
    2012-07-12 13:08 - 2012-07-12 13:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0848031FE75A0492
    2012-07-12 13:04 - 2012-07-12 13:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.53B28E72D5B45DF4
    2012-07-12 13:00 - 2012-07-12 13:00 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.496EF3DE1AAF0C23
    2012-07-12 12:56 - 2012-07-12 12:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A5250CD1CB0699F
    2012-07-12 12:52 - 2012-07-12 12:52 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7786A71C960824AC
    2012-07-12 12:48 - 2012-07-12 12:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.183CEB1E67F2153E
    2012-07-12 12:45 - 2012-07-12 12:45 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CE85A4AEC406CEAA
    2012-07-12 12:41 - 2012-07-12 12:41 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.526A857939F96169
    2012-07-12 12:37 - 2012-07-12 12:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B36271541BD20A1E
    2012-07-12 12:33 - 2012-07-12 12:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A9A812C320D929C3
    2012-07-12 12:29 - 2012-07-12 12:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D022178F52F0D4C8
    2012-07-12 12:25 - 2012-07-12 12:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1414EA0F8632980C
    2012-07-12 12:21 - 2012-07-12 12:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D18CF80E24B50E0F
    2012-07-12 12:18 - 2012-07-12 12:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1D524C4F4170096B
    2012-07-12 12:14 - 2012-07-12 12:14 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0890D1B814EEFDDB
    2012-07-12 12:10 - 2012-07-12 12:10 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.39927F835765988D
    2012-07-12 12:06 - 2012-07-12 12:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BF8F4B5C8434EB2C
    2012-07-12 12:02 - 2012-07-12 12:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.228336AB9C5086AF
    2012-07-12 11:59 - 2012-07-12 11:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5599C82371A3C0E6
    2012-07-12 11:55 - 2012-07-12 11:55 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A2864EEDE8DCC150
    2012-07-12 11:51 - 2012-07-12 11:51 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.083EAAC64EE54378
    2012-07-12 11:47 - 2012-07-12 11:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0C1FC0092B6CB2B5
    2012-07-12 11:44 - 2012-07-12 11:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6AEE75F813EC4A79
    2012-07-12 11:40 - 2012-07-12 11:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.035374B07DF193AF
    2012-07-12 11:36 - 2012-07-12 11:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.507D85F9AA7577EC
    2012-07-12 11:33 - 2012-07-12 11:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B6BFB305EF618654
    2012-07-12 11:29 - 2012-07-12 11:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E7FD5ABD30C9C2E2
    2012-07-12 11:26 - 2012-07-12 11:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.023EF4232929A5CD
    2012-07-12 11:22 - 2012-07-12 11:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5D067B027C4A1A49
    2012-07-12 11:18 - 2012-07-12 11:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6E3E5653B3CB5C0D
    2012-07-12 11:17 - 2012-07-12 11:17 - 00000000 ____D C:\Users\Larry Roman\AppData\Local\{FDFCF7F3-F2F1-4DA9-A0DF-8960617045BA}
    2012-07-12 11:16 - 2012-07-12 11:17 - 00000000 ____D C:\Users\Larry Roman\AppData\Local\{BF0B7291-1125-4AA7-9FCB-31FB0137145C}
    2012-07-12 09:28 - 2012-07-12 09:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AB889A67DF39A398
    2012-07-12 09:22 - 2012-07-12 09:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.25549D9BF731797F
    2012-07-12 09:18 - 2012-07-12 09:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F8AF349206B808F7
    2012-07-12 09:15 - 2012-07-12 09:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.30A16FFCAF21695C
    2012-07-12 09:11 - 2012-07-12 09:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CD60AE7ECF78E268
    2012-07-12 09:08 - 2012-07-12 09:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.437176D18550A386
    2012-07-12 09:08 - 2012-07-12 09:08 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\vmsitcvv.sys
    2012-07-12 09:02 - 2012-07-12 09:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.625226F4101B4831
    2012-07-12 08:59 - 2012-07-12 08:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C79C776D0D78C347
    2012-07-12 08:56 - 2012-07-12 08:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2C7E47309EFFCA79
    2012-07-12 08:53 - 2012-07-12 08:53 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E80A048E1553F0A4
    2012-07-12 08:50 - 2012-07-12 08:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C7BD8D6FDB257662
    2012-07-12 08:32 - 2012-07-12 08:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DA723E445D2DE846
    2012-07-12 08:31 - 2012-07-12 08:31 - 00000000 ____D C:\Users\Larry Roman\AppData\Local\{D33DB78D-A1E6-4621-B68A-42214208CBC5}
    2012-07-12 08:25 - 2012-07-12 08:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.04C7A3EFF4CDB446
    2012-07-12 08:11 - 2012-07-12 08:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3D4961CCB00DD006
    2012-07-12 08:09 - 2012-07-12 08:09 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.64BB0E06CD07E4CC
    2012-07-12 08:06 - 2012-07-12 08:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2829CD8C6E8C8A5C
    2012-07-12 08:03 - 2012-07-12 08:03 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7B8A576F2820CA7E
    2012-07-12 07:57 - 2012-07-12 07:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.37D6E42BF4FC3EC3
    2012-07-12 07:47 - 2012-07-12 07:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2BAD1AD266ECD2BB
    2012-07-12 07:44 - 2012-07-12 07:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.67A94D8ADDD79436
    2012-07-12 07:41 - 2012-07-12 07:41 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4922E88B5C719644
    2012-07-12 07:36 - 2012-07-12 07:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.24A6B813722EE018
    2012-07-12 07:33 - 2012-07-12 07:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D264DF0D602436EF
    2012-07-12 07:21 - 2012-07-12 07:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.34EA3771434502C0
    2012-07-12 07:18 - 2012-07-12 07:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.07A2DC39F4C8BE96
    2012-07-12 07:13 - 2012-07-12 07:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7D7E3111F09CA623
    2012-07-12 07:08 - 2012-07-12 07:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3494BB4744177EFF
    2012-07-12 07:05 - 2012-07-12 07:05 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C41D47FBA97C4A6C
    2012-07-12 07:01 - 2012-07-12 07:01 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A59D751A6ECB0027
    2012-07-12 06:59 - 2012-07-12 06:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EC801479E72C36B7
    2012-07-12 06:49 - 2012-07-12 06:49 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-12 06:49 - 2012-07-12 06:49 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-12 03:59 - 2012-07-12 05:02 - 00000000 ____D C:\Users\Larry Roman\AppData\Roaming\HandBrake
    2012-07-12 03:56 - 2012-07-12 03:56 - 07205327 ____A C:\Users\Larry Roman\Downloads\HandBrake-0.9.6-x86_64-Win_GUI.exe
    2012-07-01 08:35 - 2012-07-01 08:35 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-07-01 08:34 - 2012-07-01 08:35 - 00000000 ____D C:\Program Files\iTunes
    2012-07-01 08:34 - 2012-07-01 08:34 - 00000000 ____D C:\Program Files\iPod
    2012-06-29 05:40 - 2012-06-29 06:17 - 66355978 ____N C:\Users\Larry Roman\Downloads\Electro_Cocktail.rar
    2012-06-29 04:26 - 2012-06-29 04:35 - 75805290 ____N C:\Users\Larry Roman\Downloads\NussDog-Killin_Em.rar
    2012-06-24 09:07 - 2012-06-24 09:07 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-06-24 06:47 - 2012-07-12 11:20 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-06-24 06:47 - 2012-06-24 06:47 - 00000000 ____D C:\Users\Larry Roman\AppData\Local\{3155872E-04B6-4B1E-AC33-68CFD0FD7293}
    2012-06-24 06:46 - 2012-06-24 06:47 - 00000000 ____D C:\Users\Larry Roman\AppData\Local\{BE75931C-C6B8-4C24-BFCD-E07E70A1725E}
    2012-06-21 11:36 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-21 11:36 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-21 11:36 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-21 11:36 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-21 11:36 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-21 11:36 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-21 11:36 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-21 11:35 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-21 11:35 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-20 15:24 - 2012-06-20 15:24 - 01743360 ____A C:\Windows\SysWOW64\Mcx2Svc.dll
    2012-06-20 15:24 - 2012-06-20 15:24 - 00000390 ____A C:\Windows\SysWOW64\Mcx2Svc.ocx
    2012-06-16 05:27 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-16 05:27 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-16 05:27 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-16 05:27 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-16 05:27 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-16 05:27 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-16 05:27 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-16 05:27 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-16 05:27 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-16 05:27 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-16 05:27 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-16 05:27 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-16 05:27 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-16 05:27 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-16 05:27 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-16 05:27 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-16 05:27 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-16 05:27 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-16 05:27 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-16 05:27 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-16 05:27 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-16 05:27 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-16 05:27 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-16 05:27 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-16 05:27 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-16 05:27 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-16 05:27 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-16 05:27 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-16 05:26 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-06-16 05:26 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-06-16 05:26 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-06-16 05:26 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-06-16 05:26 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-06-16 05:26 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-06-16 05:25 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-16 05:25 - 2012-05-04 03:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
    2012-06-16 05:25 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
    2012-06-16 05:25 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-06-16 05:25 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-06-16 05:25 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-06-16 05:25 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-06-16 05:25 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-06-16 05:25 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
    2012-06-16 05:25 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
    2012-06-16 05:24 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-06-16 05:24 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-06-16 05:24 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-06-14 14:02 - 2012-06-14 14:02 - 00001213 ____A C:\Users\Public\Desktop\Xilisoft Audio Converter Pro.lnk
    2012-06-14 14:02 - 2012-06-14 14:02 - 00000000 ____D C:\Users\All Users\Xilisoft
    2012-06-14 08:51 - 2012-06-14 08:51 - 00001291 ____N C:\Users\Larry Roman\Desktop\AVS4YOU Software Navigator.lnk
    2012-06-14 08:50 - 2012-06-14 08:50 - 00001235 ____N C:\Users\Larry Roman\Desktop\AVS Audio Converter.lnk

    ============ 3 Months Modified Files ========================
    2012-07-12 13:12 - 2012-07-12 13:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.377035CAFB5A7583
    2012-07-12 13:12 - 2012-07-12 13:12 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\uqdvxptz.sys
    2012-07-12 13:10 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-12 13:10 - 2009-07-13 20:51 - 02182252 ____A C:\Windows\setupact.log
    2012-07-12 13:08 - 2012-07-12 13:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0848031FE75A0492
    2012-07-12 13:04 - 2012-07-12 13:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.53B28E72D5B45DF4
    2012-07-12 13:00 - 2012-07-12 13:00 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.496EF3DE1AAF0C23
    2012-07-12 12:56 - 2012-07-12 12:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A5250CD1CB0699F
    2012-07-12 12:52 - 2012-07-12 12:52 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7786A71C960824AC
    2012-07-12 12:48 - 2012-07-12 12:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.183CEB1E67F2153E
    2012-07-12 12:45 - 2012-07-12 12:45 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CE85A4AEC406CEAA
    2012-07-12 12:43 - 2010-11-16 10:51 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-12 12:43 - 2010-11-16 10:51 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-12 12:41 - 2012-07-12 12:41 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.526A857939F96169
    2012-07-12 12:37 - 2012-07-12 12:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B36271541BD20A1E
    2012-07-12 12:33 - 2012-07-12 12:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A9A812C320D929C3
    2012-07-12 12:29 - 2012-07-12 12:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D022178F52F0D4C8
    2012-07-12 12:25 - 2012-07-12 12:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1414EA0F8632980C
    2012-07-12 12:21 - 2012-07-12 12:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D18CF80E24B50E0F
    2012-07-12 12:20 - 2010-09-03 05:36 - 00000304 ___AH C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
    2012-07-12 12:18 - 2012-07-12 12:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1D524C4F4170096B
    2012-07-12 12:15 - 2010-09-03 05:36 - 00000304 ___AH C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    2012-07-12 12:14 - 2012-07-12 12:14 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0890D1B814EEFDDB
    2012-07-12 12:10 - 2012-07-12 12:10 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.39927F835765988D
    2012-07-12 12:06 - 2012-07-12 12:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BF8F4B5C8434EB2C
    2012-07-12 12:02 - 2012-07-12 12:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.228336AB9C5086AF
    2012-07-12 11:59 - 2012-07-12 11:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5599C82371A3C0E6
    2012-07-12 11:55 - 2012-07-12 11:55 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A2864EEDE8DCC150
    2012-07-12 11:51 - 2012-07-12 11:51 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.083EAAC64EE54378
    2012-07-12 11:47 - 2012-07-12 11:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0C1FC0092B6CB2B5
    2012-07-12 11:44 - 2012-07-12 11:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6AEE75F813EC4A79
    2012-07-12 11:40 - 2012-07-12 11:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.035374B07DF193AF
    2012-07-12 11:36 - 2012-07-12 11:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.507D85F9AA7577EC
    2012-07-12 11:33 - 2012-07-12 11:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B6BFB305EF618654
    2012-07-12 11:29 - 2012-07-12 11:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E7FD5ABD30C9C2E2
    2012-07-12 11:26 - 2012-07-12 11:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.023EF4232929A5CD
    2012-07-12 11:22 - 2012-07-12 11:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5D067B027C4A1A49
    2012-07-12 11:20 - 2012-06-24 06:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-12 11:18 - 2012-07-12 11:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6E3E5653B3CB5C0D
    2012-07-12 09:28 - 2012-07-12 09:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AB889A67DF39A398
    2012-07-12 09:22 - 2012-07-12 09:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.25549D9BF731797F
    2012-07-12 09:18 - 2012-07-12 09:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F8AF349206B808F7
    2012-07-12 09:15 - 2012-07-12 09:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.30A16FFCAF21695C
    2012-07-12 09:11 - 2012-07-12 09:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CD60AE7ECF78E268
    2012-07-12 09:08 - 2012-07-12 09:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.437176D18550A386
    2012-07-12 09:08 - 2012-07-12 09:08 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\vmsitcvv.sys
    2012-07-12 09:02 - 2012-07-12 09:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.625226F4101B4831
    2012-07-12 08:59 - 2012-07-12 08:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C79C776D0D78C347
    2012-07-12 08:56 - 2012-07-12 08:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2C7E47309EFFCA79
    2012-07-12 08:53 - 2012-07-12 08:53 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E80A048E1553F0A4
    2012-07-12 08:50 - 2012-07-12 08:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C7BD8D6FDB257662
    2012-07-12 08:32 - 2012-07-12 08:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DA723E445D2DE846
    2012-07-12 08:25 - 2012-07-12 08:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.04C7A3EFF4CDB446
    2012-07-12 08:11 - 2012-07-12 08:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3D4961CCB00DD006
    2012-07-12 08:09 - 2012-07-12 08:09 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.64BB0E06CD07E4CC
    2012-07-12 08:06 - 2012-07-12 08:06 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2829CD8C6E8C8A5C
    2012-07-12 08:03 - 2012-07-12 08:03 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7B8A576F2820CA7E
    2012-07-12 07:59 - 2009-07-13 21:08 - 00032582 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-12 07:57 - 2012-07-12 07:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.37D6E42BF4FC3EC3
    2012-07-12 07:47 - 2012-07-12 07:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2BAD1AD266ECD2BB
    2012-07-12 07:44 - 2012-07-12 07:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.67A94D8ADDD79436
    2012-07-12 07:41 - 2012-07-12 07:41 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4922E88B5C719644
    2012-07-12 07:36 - 2012-07-12 07:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.24A6B813722EE018
    2012-07-12 07:33 - 2012-07-12 07:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D264DF0D602436EF
    2012-07-12 07:21 - 2012-07-12 07:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.34EA3771434502C0
    2012-07-12 07:18 - 2012-07-12 07:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.07A2DC39F4C8BE96
    2012-07-12 07:13 - 2012-07-12 07:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7D7E3111F09CA623
    2012-07-12 07:08 - 2012-07-12 07:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3494BB4744177EFF
    2012-07-12 07:05 - 2012-07-12 07:05 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C41D47FBA97C4A6C
    2012-07-12 07:01 - 2012-07-12 07:01 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A59D751A6ECB0027
    2012-07-12 06:59 - 2012-07-12 06:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EC801479E72C36B7
    2012-07-12 06:50 - 2010-09-02 16:09 - 01389176 ____A C:\Windows\WindowsUpdate.log
    2012-07-12 06:49 - 2011-01-27 16:13 - 00743364 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-12 06:49 - 2011-01-27 16:13 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-12 03:56 - 2012-07-12 03:56 - 07205327 ____A C:\Users\Larry Roman\Downloads\HandBrake-0.9.6-x86_64-Win_GUI.exe
    2012-07-12 03:43 - 2011-10-28 03:54 - 00002338 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2012-07-11 16:19 - 2012-04-08 09:20 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-11 16:19 - 2011-08-21 09:42 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-09 12:13 - 2010-09-06 12:29 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
    2012-07-02 06:32 - 2009-07-13 21:13 - 00729706 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-01 08:35 - 2012-07-01 08:35 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-06-29 06:17 - 2012-06-29 05:40 - 66355978 ____N C:\Users\Larry Roman\Downloads\Electro_Cocktail.rar
    2012-06-29 04:35 - 2012-06-29 04:26 - 75805290 ____N C:\Users\Larry Roman\Downloads\NussDog-Killin_Em.rar
    2012-06-28 04:44 - 2010-09-02 15:52 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-06-28 04:44 - 2010-09-02 15:52 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-06-20 15:24 - 2012-06-20 15:24 - 01743360 ____A C:\Windows\SysWOW64\Mcx2Svc.dll
    2012-06-20 15:24 - 2012-06-20 15:24 - 00000390 ____A C:\Windows\SysWOW64\Mcx2Svc.ocx
    2012-06-16 16:35 - 2009-07-13 20:45 - 00467392 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-16 16:34 - 2010-09-02 16:02 - 00169726 ____A C:\Windows\PFRO.log
    2012-06-16 05:34 - 2010-09-18 13:33 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-06-14 14:02 - 2012-06-14 14:02 - 00001213 ____A C:\Users\Public\Desktop\Xilisoft Audio Converter Pro.lnk
    2012-06-14 08:51 - 2012-06-14 08:51 - 00001291 ____N C:\Users\Larry Roman\Desktop\AVS4YOU Software Navigator.lnk
    2012-06-14 08:50 - 2012-06-14 08:50 - 00001235 ____N C:\Users\Larry Roman\Desktop\AVS Audio Converter.lnk
    2012-06-02 14:19 - 2012-06-21 11:36 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 11:36 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 11:36 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 11:36 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 11:36 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-21 11:36 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 11:36 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-21 11:35 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:15 - 2012-06-21 11:35 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-28 07:21 - 2012-05-28 07:21 - 00001847 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
    2012-05-21 11:52 - 2010-09-12 16:32 - 00011270 __ASH C:\Users\All Users\KGyGaAvL.sys
    2012-05-17 18:47 - 2012-06-16 05:27 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-16 05:27 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-16 05:27 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-16 05:27 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-16 05:27 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-16 05:27 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-16 05:27 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-16 05:27 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-16 05:27 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-16 05:27 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-16 05:27 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-16 05:27 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-16 05:27 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-16 05:27 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 16:30 - 2012-05-17 16:30 - 00001038 ____A C:\Users\Public\Desktop\RealPlayer.lnk
    2012-05-17 16:29 - 2012-05-17 16:29 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
    2012-05-17 16:29 - 2012-05-17 16:29 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
    2012-05-17 16:29 - 2012-05-17 16:29 - 00198832 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
    2012-05-17 16:29 - 2012-05-17 16:29 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
    2012-05-17 16:29 - 2012-05-17 16:29 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
    2012-05-17 15:11 - 2012-06-16 05:27 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-16 05:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-16 05:27 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-16 05:27 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-16 05:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-16 05:27 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-16 05:27 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-16 05:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-16 05:27 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-16 05:27 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-16 05:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-16 05:27 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-16 05:27 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-16 05:27 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-14 17:32 - 2012-06-16 05:25 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-13 06:16 - 2010-09-23 05:26 - 00000039 ____A C:\Windows\vbaddin.ini
    2012-05-04 03:06 - 2012-06-16 05:24 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-05-04 03:00 - 2012-06-16 05:25 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
    2012-05-04 02:03 - 2012-06-16 05:24 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-05-04 02:03 - 2012-06-16 05:24 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-05-04 01:59 - 2012-06-16 05:25 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
    2012-04-30 21:40 - 2012-06-16 05:25 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-04-27 19:55 - 2012-06-16 05:25 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-26 05:35 - 2006-11-02 04:34 - 00000250 ____A C:\Windows\win.ini
    2012-04-26 05:30 - 2012-04-26 05:30 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
    2012-04-26 05:30 - 2012-04-26 05:30 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
    2012-04-26 05:30 - 2012-04-26 05:30 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
    2012-04-26 05:30 - 2010-09-02 16:32 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
    2012-04-25 21:41 - 2012-06-16 05:25 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-04-25 21:41 - 2012-06-16 05:25 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-04-25 21:34 - 2012-06-16 05:25 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-04-23 21:37 - 2012-06-16 05:26 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 21:37 - 2012-06-16 05:26 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 21:37 - 2012-06-16 05:26 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 20:36 - 2012-06-16 05:26 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-04-23 20:36 - 2012-06-16 05:26 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-04-23 20:36 - 2012-06-16 05:26 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-04-18 16:56 - 2012-04-18 16:56 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
    2012-04-18 16:56 - 2012-04-18 16:56 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
    2012-04-17 16:13 - 2010-09-12 17:15 - 00008192 ____A C:\Users\Larry Roman\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ZeroAccess:
    C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e}
    C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e}\@
    C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e}\L
    C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e}\n
    C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e}\U
    C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e}\U\00000001.@
    ZeroAccess:
    C:\Users\Larry Roman\AppData\Local\{834203f6-26d7-01d4-f438-6811d992075e}
    C:\Users\Larry Roman\AppData\Local\{834203f6-26d7-01d4-f438-6811d992075e}\@
    C:\Users\Larry Roman\AppData\Local\{834203f6-26d7-01d4-f438-6811d992075e}\L
    C:\Users\Larry Roman\AppData\Local\{834203f6-26d7-01d4-f438-6811d992075e}\U
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 10%
    Total physical RAM: 9207.09 MB
    Available physical RAM: 8255.1 MB
    Total Pagefile: 9205.24 MB
    Available Pagefile: 8256.96 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB
    ======================= Partitions =========================
    1 Drive c: (HP) (Fixed) (Total:917.61 GB) (Free:122.51 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:13.9 GB) (Free:1.65 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (DVD_ROM) (CDROM) (Total:4.08 GB) (Free:0 GB) UDF
    9 Drive k: (HP v125w) (Removable) (Total:1.89 GB) (Free:0.17 GB) FAT
    10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Disk ###  Status    Size     Free  Dyn  Gpt
    --------  --------  -------  ----  ---  ---
    Disk 0    Online    931 GB   0 B
    Disk 1    No Media  0 B      0 B
    Disk 2    No Media  0 B      0 B
    Disk 3    No Media  0 B      0 B
    Disk 4    No Media  0 B      0 B
    Disk 5    Online    1937 MB  0 B
    Partitions of Disk 0:
    ===============
    Partition ###  Type     Size    Offset
    -------------  -------  ------  ------
    Partition 1    Primary  917 GB  31 KB
    Partition 2    Primary  13 GB   917 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ###  Ltr  Label  Fs    Type       Size    Status   Info
    ----------  ---  -----  ----  ---------  ------  -------  ----
    * Volume 2  C    HP     NTFS  Partition  917 GB  Healthy
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ###  Ltr  Label        Fs    Type       Size   Status   Info
    ----------  ---  -----------  ----  ---------  -----  -------  ----
    * Volume 3  D    FACTORY_IMA  NTFS  Partition  13 GB  Healthy
    ==================================================================================
    Partitions of Disk 5:
    ===============
    Partition ###  Type     Size     Offset
    -------------  -------  -------  -------
    Partition 1    Primary  1933 MB  4032 KB
    ==================================================================================
    Disk: 5
    Partition 1
    Type : 0E
    Hidden: No
    Active: No
    Volume ###  Ltr  Label     Fs   Type       Size     Status   Info
    ----------  ---  --------  ---  ---------  -------  -------  ----
    * Volume 8  K    HP v125w  FAT  Removable  1933 MB  Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-06-18 11:42
    ======================= End Of Log ==========================
     
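What this log shows is worth automating when you triage a box like this: a 328704-byte copy of services.exe with a fresh 16-hex-digit suffix appearing every three or four minutes, a driver with a random eight-letter name (vmsitcvv.sys) dropped in the same minute as one of those copies, and the {GUID}\@, \L, \n, \U layout under C:\Windows\Installer and %LocalAppData% that FRST itself labels "ZeroAccess:". The script below is an added example written for this page, not code from the thread, from FRST or from ComboFix. It parses FRST-style "files created" lines and reports those three indicators. The line layout it expects is the one FRST prints above; the 5-minute window for pairing a driver drop with a services.exe copy and the eight-lowercase-letter driver-name heuristic are choices made here, and the sample input is copied from the log above plus one benign Google Update task line and the legitimate rdpwd.sys so that ordinary entries are shown not to be flagged.

```python
"""Triage an FRST "files created" excerpt for ZeroAccess/Sirefef indicators.

Added example for this thread; not part of the original posts, FRST or
ComboFix. Assumes FRST's line layout (created - modified - size attrs
(company) path), a 5-minute pairing window and an 8-letter driver heuristic.
"""
import re
from datetime import datetime
from statistics import median

# One FRST line: creation time, modification time, 8-digit size, five
# attribute flags, optional "(company)", then the path.
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
# services.exe plus a 16-hex-digit suffix in System32, as in the log above.
SERVICES_COPY = re.compile(r"\\system32\\services\.exe\.[0-9a-f]{16}$", re.I)
# {GUID}\@, \L, \n, \U entries; the GUID directory itself is what gets reported.
ZA_MARKER = re.compile(
    r"^(?P<parent>.*\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\})"
    r"\\[@lnu](?:\\|$)",
    re.I,
)


def is_random_driver(path):
    """Driver in System32\\Drivers whose base name is eight lowercase letters.
    Legitimate drivers can look like this too, so triage() only counts one
    that was created within the window of a services.exe copy (assumption)."""
    folder, _, name = path.rpartition("\\")
    return (folder.lower().endswith(r"\system32\drivers")
            and re.fullmatch(r"[a-z]{8}\.sys", name) is not None)


def parse(lines):
    """Return dicts for timestamped FRST lines and bare paths; skip the rest."""
    records = []
    for raw in lines:
        line = raw.strip()
        m = FRST_LINE.match(line)
        if m:
            records.append({"created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                            "size": int(m["size"]), "path": m["path"]})
        elif re.match(r"^[A-Za-z]:\\", line):
            records.append({"created": None, "size": None, "path": line})
    return records


def triage(lines, window_minutes=5):
    """Summarise the ZeroAccess indicators present in an FRST excerpt."""
    recs = parse(lines)
    copies = sorted(
        (r for r in recs if r["created"] and SERVICES_COPY.search(r["path"])),
        key=lambda r: r["created"],
    )
    # Minutes between consecutive services.exe drops (the re-drop cadence).
    gaps = [(b["created"] - a["created"]).total_seconds() / 60
            for a, b in zip(copies, copies[1:])]
    drop_times = [r["created"] for r in copies]
    drivers = [
        r["path"] for r in recs
        if r["created"] and is_random_driver(r["path"])
        and any(abs((r["created"] - t).total_seconds()) <= window_minutes * 60
                for t in drop_times)
    ]
    za_dirs = sorted({ZA_MARKER.match(r["path"])["parent"]
                      for r in recs if ZA_MARKER.match(r["path"])})
    return {
        "services_exe_copies": len(copies),
        "copy_sizes": sorted({r["size"] for r in copies}),
        "median_redrop_minutes": median(gaps) if gaps else None,
        "drivers_near_drops": drivers,
        "zeroaccess_dirs": za_dirs,
    }


# Sample input: lines copied from the FRST log posted above, plus a benign
# Google Update task line and the legitimate rdpwd.sys, which must not be flagged.
SAMPLE = r"""
2012-07-12 13:00 - 2012-07-12 13:00 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.496EF3DE1AAF0C23
2012-07-12 12:56 - 2012-07-12 12:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A5250CD1CB0699F
2012-07-12 12:52 - 2012-07-12 12:52 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7786A71C960824AC
2012-07-12 12:48 - 2012-07-12 12:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.183CEB1E67F2153E
2012-07-12 12:45 - 2012-07-12 12:45 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CE85A4AEC406CEAA
2012-07-12 12:43 - 2010-11-16 10:51 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-12 09:08 - 2012-07-12 09:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.437176D18550A386
2012-07-12 09:08 - 2012-07-12 09:08 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\vmsitcvv.sys
2012-04-27 19:55 - 2012-06-16 05:25 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e}\@
C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e}\L
C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e}\U
C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e}\U\00000001.@
C:\Users\Larry Roman\AppData\Local\{834203f6-26d7-01d4-f438-6811d992075e}\@
C:\Users\Larry Roman\AppData\Local\{834203f6-26d7-01d4-f438-6811d992075e}\U
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the whole FRST.txt (`triage(open("FRST.txt", errors="replace"))`) and the interesting numbers come out directly: the count of services.exe copies and their single shared size say the file is being replaced on a timer rather than patched once, the median gap gives that timer, and a random-named .sys landing inside the same window is the driver component you would hand to the fixlist. The GUID directory list is what FRST already prints under "ZeroAccess:", recomputed here so the script works on excerpts that omit that section.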
  4. Broni


    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next....

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. Broni


    For some reason the file didn't attach.
    Here you go....
     


  6. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 14-07-2012 01
    Ran by SYSTEM at 2012-07-14 17:05:08 Run:1
    Running from K:\
    ==============================================
    HKEY_LOCAL_MACHINE\System\ControlSet003\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
    HKEY_USERS\Larry Roman\Software\Microsoft\Windows\CurrentVersion\Run\\XBV6RD5SZF Value deleted successfully.
    Mcx2Svc service deleted successfully.
    RemoteAccess service deleted successfully.
    bysinawu service deleted successfully.
    haahpiot service deleted successfully.
    ieuhebnq service deleted successfully.
    jrcpiymr service deleted successfully.
    lgruhtzt service deleted successfully.
    pwtkudjg service deleted successfully.
    wunyaytn service deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs Mcx2Svc Deleted successfully.
    C:\Windows\System32\services.exe.377035CAFB5A7583 moved successfully.
    C:\Windows\System32\Drivers\uqdvxptz.sys moved successfully.
    C:\Windows\System32\services.exe.0848031FE75A0492 moved successfully.
    C:\Windows\System32\services.exe.53B28E72D5B45DF4 moved successfully.
    C:\Windows\System32\services.exe.496EF3DE1AAF0C23 moved successfully.
    C:\Windows\System32\services.exe.4A5250CD1CB0699F moved successfully.
    C:\Windows\System32\services.exe.7786A71C960824AC moved successfully.
    C:\Windows\System32\services.exe.183CEB1E67F2153E moved successfully.
    C:\Windows\System32\services.exe.CE85A4AEC406CEAA moved successfully.
    C:\Windows\System32\services.exe.526A857939F96169 moved successfully.
    C:\Windows\System32\services.exe.B36271541BD20A1E moved successfully.
    C:\Windows\System32\services.exe.A9A812C320D929C3 moved successfully.
    C:\Windows\System32\services.exe.D022178F52F0D4C8 moved successfully.
    C:\Windows\System32\services.exe.1414EA0F8632980C moved successfully.
    C:\Windows\System32\services.exe.D18CF80E24B50E0F moved successfully.
    C:\Windows\System32\services.exe.1D524C4F4170096B moved successfully.
    C:\Windows\System32\services.exe.0890D1B814EEFDDB moved successfully.
    C:\Windows\System32\services.exe.39927F835765988D moved successfully.
    C:\Windows\System32\services.exe.BF8F4B5C8434EB2C moved successfully.
    C:\Windows\System32\services.exe.228336AB9C5086AF moved successfully.
    C:\Windows\System32\services.exe.5599C82371A3C0E6 moved successfully.
    C:\Windows\System32\services.exe.A2864EEDE8DCC150 moved successfully.
    C:\Windows\System32\services.exe.083EAAC64EE54378 moved successfully.
    C:\Windows\System32\services.exe.0C1FC0092B6CB2B5 moved successfully.
    C:\Windows\System32\services.exe.6AEE75F813EC4A79 moved successfully.
    C:\Windows\System32\services.exe.035374B07DF193AF moved successfully.
    C:\Windows\System32\services.exe.507D85F9AA7577EC moved successfully.
    C:\Windows\System32\services.exe.B6BFB305EF618654 moved successfully.
    C:\Windows\System32\services.exe.E7FD5ABD30C9C2E2 moved successfully.
    C:\Windows\System32\services.exe.023EF4232929A5CD moved successfully.
    C:\Windows\System32\services.exe.5D067B027C4A1A49 moved successfully.
    C:\Windows\System32\services.exe.6E3E5653B3CB5C0D moved successfully.
    C:\Windows\System32\services.exe.AB889A67DF39A398 moved successfully.
    C:\Windows\System32\services.exe.25549D9BF731797F moved successfully.
    C:\Windows\System32\services.exe.F8AF349206B808F7 moved successfully.
    C:\Windows\System32\services.exe.30A16FFCAF21695C moved successfully.
    C:\Windows\System32\services.exe.CD60AE7ECF78E268 moved successfully.
    C:\Windows\System32\services.exe.437176D18550A386 moved successfully.
    C:\Windows\System32\Drivers\vmsitcvv.sys moved successfully.
    C:\Windows\System32\services.exe.625226F4101B4831 moved successfully.
    C:\Windows\System32\services.exe.C79C776D0D78C347 moved successfully.
    C:\Windows\System32\services.exe.2C7E47309EFFCA79 moved successfully.
    C:\Windows\System32\services.exe.E80A048E1553F0A4 moved successfully.
    C:\Windows\System32\services.exe.C7BD8D6FDB257662 moved successfully.
    C:\Windows\System32\services.exe.DA723E445D2DE846 moved successfully.
    C:\Windows\System32\services.exe.04C7A3EFF4CDB446 moved successfully.
    C:\Windows\System32\services.exe.3D4961CCB00DD006 moved successfully.
    C:\Windows\System32\services.exe.64BB0E06CD07E4CC moved successfully.
    C:\Windows\System32\services.exe.2829CD8C6E8C8A5C moved successfully.
    C:\Windows\System32\services.exe.7B8A576F2820CA7E moved successfully.
    C:\Windows\System32\services.exe.37D6E42BF4FC3EC3 moved successfully.
    C:\Windows\System32\services.exe.2BAD1AD266ECD2BB moved successfully.
    C:\Windows\System32\services.exe.67A94D8ADDD79436 moved successfully.
    C:\Windows\System32\services.exe.4922E88B5C719644 moved successfully.
    C:\Windows\System32\services.exe.24A6B813722EE018 moved successfully.
    C:\Windows\System32\services.exe.D264DF0D602436EF moved successfully.
    C:\Windows\System32\services.exe.34EA3771434502C0 moved successfully.
    C:\Windows\System32\services.exe.07A2DC39F4C8BE96 moved successfully.
    C:\Windows\System32\services.exe.7D7E3111F09CA623 moved successfully.
    C:\Windows\System32\services.exe.3494BB4744177EFF moved successfully.
    C:\Windows\System32\services.exe.C41D47FBA97C4A6C moved successfully.
    C:\Windows\System32\services.exe.A59D751A6ECB0027 moved successfully.
    C:\Windows\System32\services.exe.EC801479E72C36B7 moved successfully.
    C:\Windows\Installer\{834203f6-26d7-01d4-f438-6811d992075e} moved successfully.
    C:\Users\Larry Roman\AppData\Local\{834203f6-26d7-01d4-f438-6811d992075e} moved successfully.
    ==== End of Fixlog ====
     
  7. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    ComboFix 12-07-14.01 - Larry Roman 07/14/2012 17:28:01.1.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.9207.7069 [GMT -4:00]
    Running from: c:\users\Larry Roman\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\Search Toolbar
    c:\program files (x86)\Search Toolbar\icon.ico
    c:\program files (x86)\Search Toolbar\SearchToolbar.dll
    c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
    c:\programdata\F901E355FF.sys
    c:\users\Larry Roman\AppData\Roaming\inst.exe
    c:\users\Public\AlexaNSISPlugin.7920.dll
    c:\users\Public\Favorites\Favorites.event
    c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-14 to 2012-07-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-14 21:40 . 2012-07-14 21:40 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F223084E-4637-4BE5-9ABF-39BCE90AEBD8}\offreg.dll
    2012-07-14 17:07 . 2012-07-14 17:07 -------- d-----w- C:\FRST
    2012-07-12 14:50 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8B27554-0A97-4C9C-B978-D74A8C850EFB}\gapaengine.dll
    2012-07-12 14:50 . 2012-06-18 07:12 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F223084E-4637-4BE5-9ABF-39BCE90AEBD8}\mpengine.dll
    2012-07-12 14:49 . 2012-07-12 14:49 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-07-12 14:49 . 2012-07-12 14:49 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-12 11:59 . 2012-07-12 13:02 -------- d-----w- c:\users\Larry Roman\AppData\Roaming\HandBrake
    2012-07-01 16:34 . 2012-07-01 16:34 -------- d-----w- c:\program files\iPod
    2012-07-01 16:34 . 2012-07-01 16:35 -------- d-----w- c:\program files\iTunes
    2012-06-24 17:07 . 2012-06-24 17:07 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-06-21 19:36 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 19:36 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 19:36 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 19:36 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 19:36 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 19:36 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 19:36 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 19:35 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 19:35 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-20 23:24 . 2012-06-20 23:24 1743360 ----a-w- c:\windows\SysWow64\Mcx2Svc.dll
    2012-06-16 13:26 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-16 13:26 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-16 13:26 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-06-16 13:26 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-16 13:26 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-06-16 13:26 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-06-16 13:25 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
    2012-06-16 13:25 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
    2012-06-16 13:25 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-06-16 13:25 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-06-16 13:25 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-06-16 13:25 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
    2012-06-16 13:25 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
    2012-06-16 13:25 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
    2012-06-16 13:25 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-16 13:25 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
    2012-06-16 13:24 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-06-16 13:24 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-06-16 13:24 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-06-14 22:02 . 2012-06-14 22:02 -------- d-----w- c:\programdata\Xilisoft
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 00:19 . 2012-04-08 17:20 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-12 00:19 . 2011-08-21 17:42 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-05-21 19:52 . 2010-09-13 00:32 11270 --sha-w- c:\programdata\KGyGaAvL.sys
    2012-05-18 00:29 . 2012-05-18 00:29 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
    2012-04-26 13:30 . 2010-09-03 00:32 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\tbVuz1.dll" [2010-09-24 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    2010-09-24 13:20 2735200 ----a-w- c:\program files (x86)\Vuze_Remote\tbVuz1.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-02-04 21:50 1197448 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\tbVuz1.dll" [2010-09-24 2735200]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
    .
    [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2010-06-30 1689144]
    "OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
    "Corel Photo Downloader"="c:\program files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-12-30 523408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]
    "UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
    "UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
    "UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
    "KBD"="c:\program files (x86)\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]
    "HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-05-26 656896]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
    "Standby"="c:\program files (x86)\Common Files\Corel\Standby\Standby.exe" [2010-01-07 105632]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "UVS11 Preload"="c:\program files (x86)\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-07-23 341232]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-05-18 296056]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    .
    c:\users\Larry Roman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    BUFFALO NAS Navigator2.lnk - c:\program files (x86)\BUFFALO\NASNAVI\NasNavi.exe [2010-1-26 1897952]
    NAS Scheduler.lnk - c:\program files (x86)\BUFFALO\NASNAVI\nassche.exe [2011-7-24 206128]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    NovaBACKUP Tray Control.lnk - c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe [2010-4-15 203912]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16 136176]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16 136176]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-03 1255736]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/09/03 08:15];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-10-20 18:50 146928]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 FileOpenManagerSvc;FileOpenManagerSvc;c:\programdata\FileOpen\Services\FileOpenManagerSvc64.exe [2011-03-09 331648]
    S2 HPBtnSrv;HP Easy Backup Button Service;c:\program files (x86)\Hewlett-Packard\HP Easy Backup\HPBtnSrv.exe [2008-10-01 192512]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
    S2 NasPmService;NAS PM Service;c:\program files (x86)\BUFFALO\NASNAVI\nassvc.exe [2009-05-15 251184]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-03-25 490280]
    S2 nsService;NovaStor NovaBACKUP Backup/Copy Engine;c:\program files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe [2010-04-15 261256]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [2009-06-13 287960]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2012-01-11 82816]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    *Deregistered* - FileOpenWebPublisherScreenHookDriver
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-14 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 00:19]
    .
    2012-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16 18:51]
    .
    2012-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-16 18:51]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-26 16327712]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
    Trusted Zone: cleverreach.com\novastor
    Trusted Zone: google-analytics.com
    Trusted Zone: novastor.com
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-Corel File Shell Monitor - c:\program files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
    WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    AddRemove-dBpoweramp DSP Effects - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp m4a Codec - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp Music Converter - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp Windows Media Audio 10 Codec - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp [Arrange Audio] Codec - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp [Audio Info] Codec - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp [Channel Split] Codec - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp [ID Tag Update] Codec - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp [Length Split] Codec - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp [Multi Encoder] Codec - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp [ReplayGain] Codec - c:\windows\system32\SpoonUninstall.exe
    AddRemove-dBpoweramp [Tag From Filename] Codec - c:\windows\system32\SpoonUninstall.exe
    AddRemove-Search Toolbar - c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
    "value"="?\09\06\18\0c\19\07?"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-14 17:53:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-14 21:53
    .
    Pre-Run: 134,097,039,360 bytes free
    Post-Run: 146,042,241,024 bytes free
    .
    - - End Of File - - 9F2091F5BDF38778711591A3AC554F78
     
  8. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Looks good :)

    How is the computer doing?

    ==========================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ============================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  9. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    Thank you! Thank you! My computer is working much better! No longer reboots every minute. Seems stable and performance is good.

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.14.08
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Larry Roman :: MEDIA-PC [administrator]
    7/14/2012 9:08:55 PM
    mbam-log-2012-07-14 (21-08-55).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 224041
    Time elapsed: 3 minute(s), 56 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 2
    HKCU\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\XBV6RD5SZF (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    No restart requested so I went on to run OTL. Logs to follow.
     
  10. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    OTL logfile created on: 7/14/2012 9:22:06 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Larry Roman\Desktop
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    8.99 Gb Total Physical Memory | 7.25 Gb Available Physical Memory | 80.64% Memory free
    17.98 Gb Paging File | 16.04 Gb Available in Paging File | 89.23% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 917.61 Gb Total Space | 134.40 Gb Free Space | 14.65% Space Free | Partition Type: NTFS
    Drive D: | 13.90 Gb Total Space | 1.96 Gb Free Space | 14.09% Space Free | Partition Type: NTFS

    Computer Name: MEDIA-PC | User Name: Larry Roman | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/14 21:17:26 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Larry Roman\Desktop\OTL.exe
    PRC - [2012/05/17 20:29:41 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\real\realplayer\Update\realsched.exe
    PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2010/04/15 11:57:44 | 000,203,912 | ---- | M] (NovaStor) -- C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe
    PRC - [2010/04/15 11:51:02 | 000,261,256 | ---- | M] (NovaStor) -- C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe
    PRC - [2010/03/25 15:39:22 | 000,490,280 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Nero\Update\NASvc.exe
    PRC - [2010/03/03 20:16:06 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    PRC - [2010/03/03 20:16:04 | 000,284,696 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    PRC - [2010/01/26 09:22:38 | 001,897,952 | R--- | M] (BUFFALO INC.) -- C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe
    PRC - [2010/01/07 13:09:38 | 000,105,632 | ---- | M] (Corel) -- C:\Program Files (x86)\Common Files\Corel\Standby\Standby.exe
    PRC - [2009/10/20 14:50:34 | 000,128,296 | ---- | M] (CyberLink Corp.) -- c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
    PRC - [2009/08/06 03:08:34 | 000,206,120 | ---- | M] (CyberLink) -- c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    PRC - [2009/05/26 04:36:13 | 000,656,896 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
    PRC - [2009/05/15 15:36:50 | 000,251,184 | R--- | M] (BUFFALO INC.) -- C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe
    PRC - [2009/05/15 15:36:50 | 000,206,128 | R--- | M] (BUFFALO INC.) -- C:\Program Files (x86)\BUFFALO\NASNAVI\nassche.exe
    PRC - [2008/11/20 13:47:28 | 000,062,768 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
    PRC - [2008/09/30 20:59:26 | 000,192,512 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Easy Backup\HPBtnSrv.exe
    PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    PRC - [2007/03/06 11:35:02 | 000,198,168 | ---- | M] (InterVideo Inc.) -- C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/06/16 20:37:10 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll
    MOD - [2012/06/16 20:36:48 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
    MOD - [2012/06/16 20:36:42 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
    MOD - [2012/05/13 10:45:02 | 000,452,608 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\635b3aec298ad5e8c903b2323d79cc5a\IAStorUtil.ni.dll
    MOD - [2012/05/13 10:28:56 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll
    MOD - [2012/05/13 10:28:02 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll
    MOD - [2012/05/13 10:27:54 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
    MOD - [2012/05/13 10:27:51 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
    MOD - [2012/05/13 10:27:50 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
    MOD - [2012/05/13 10:27:39 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
    MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
    MOD - [2010/04/15 11:55:12 | 002,452,616 | ---- | M] () -- C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsAppRes409.dll
    MOD - [2010/04/15 11:49:24 | 000,183,432 | ---- | M] () -- C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsEngineRes409.dll
    MOD - [2009/08/06 03:08:32 | 000,931,112 | ---- | M] () -- c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMediaLibrary.dll
    MOD - [2009/05/26 04:36:13 | 000,656,896 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2012/07/11 20:19:10 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2011/03/09 18:02:56 | 000,331,648 | ---- | M] (FileOpen Systems Inc.) [Auto | Running] -- C:\ProgramData\FileOpen\Services\FileOpenManagerSvc64.exe -- (FileOpenManagerSvc)
    SRV - [2010/04/15 11:51:02 | 000,261,256 | ---- | M] (NovaStor) [Auto | Running] -- C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe -- (nsService)
    SRV - [2010/03/25 15:39:22 | 000,490,280 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files (x86)\Nero\Update\NASvc.exe -- (NAUpdate) @C:\Program Files (x86)
    SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/03/03 20:16:06 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)
    SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2009/05/15 15:36:50 | 000,251,184 | R--- | M] (BUFFALO INC.) [Auto | Running] -- C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe -- (NasPmService)
    SRV - [2008/12/08 22:51:08 | 000,242,424 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe -- (GameConsoleService)
    SRV - [2008/09/30 20:59:26 | 000,192,512 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP Easy Backup\HPBtnSrv.exe -- (HPBtnSrv)
    SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
    SRV - [2007/03/06 11:35:02 | 000,198,168 | ---- | M] (InterVideo Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe -- (Capture Device Service)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2012/02/15 11:01:50 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
    DRV:64bit: - [2012/01/11 19:19:21 | 000,082,816 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pcouffin.sys -- (pcouffin)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/29 07:31:18 | 001,579,520 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
    DRV:64bit: - [2010/11/25 04:27:42 | 000,120,408 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
    DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/09/23 00:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
    DRV:64bit: - [2010/03/03 19:51:40 | 000,540,696 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
    DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/13 01:19:58 | 000,287,960 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1y62x64.sys -- (e1yexpress) Intel(R)
    DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
    DRV - [2009/10/20 14:50:12 | 000,146,928 | ---- | M] (CyberLink Corp.) [2010/09/03 08:15:18] [Kernel | Auto | Running] -- c:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl -- ({55662437-DA8C-40c0-AADA-2C816A897A49})
    DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {9051F6CA-9463-4FAD-9F6A-B3F45452352F}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE:64bit: - HKLM\..\SearchScopes\{9051F6CA-9463-4FAD-9F6A-B3F45452352F}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
    IE:64bit: - HKLM\..\SearchScopes\{D855FE0F-D853-42DA-BE80-5BA25204102A}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuz1.dll (Conduit Ltd.)
    IE - HKLM\..\SearchScopes,DefaultScope = {9051F6CA-9463-4FAD-9F6A-B3F45452352F}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\..\SearchScopes\{9051F6CA-9463-4FAD-9F6A-B3F45452352F}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
    IE - HKLM\..\SearchScopes\{D855FE0F-D853-42DA-BE80-5BA25204102A}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-399888373-849092070-281110943-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuz1.dll (Conduit Ltd.)
    IE - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    IE - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
    IE - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\SearchScopes\{9051F6CA-9463-4FAD-9F6A-B3F45452352F}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
    IE - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\SearchScopes\{D855FE0F-D853-42DA-BE80-5BA25204102A}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    IE - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-i3752
    IE - HKU\S-1-5-21-399888373-849092070-281110943-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-399888373-849092070-281110943-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


    ========== FireFox ==========

    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/05/17 20:29:58 | 000,000,000 | ---D | M]


    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\google\chrome\application\19.0.1084.56\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\google\chrome\application\19.0.1084.56\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\google\chrome\application\19.0.1084.56\gcswf32.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U29 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
    CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
    CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
    CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
    CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll
    CHR - plugin: RealPlayer Version Plugin (Enabled) = c:\program files (x86)\real\realplayer\Netscape6\nprpjplug.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - plugin: RealJukebox NS Plugin (Enabled) = c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin
    CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\Larry Roman\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\

    O1 HOSTS File: ([2012/07/14 17:46:09 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuz1.dll (Conduit Ltd.)
    O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll (Microsoft Corp.)
    O2 - BHO: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
    O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll (Microsoft Corp.)
    O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuz1.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3:64bit: - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O3 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files (x86)\Vuze_Remote\tbVuz1.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\Toolbar\WebBrowser: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
    O4:64bit: - HKLM..\Run: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe ()
    O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.dll (NVIDIA Corporation)
    O4:64bit: - HKLM..\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [HP Remote Solution] C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe ()
    O4 - HKLM..\Run: [hpsysdrv] c:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
    O4 - HKLM..\Run: [KBD] C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.exe (Microsoft)
    O4 - HKLM..\Run: [Standby] c:\Program Files (x86)\Common Files\Corel\Standby\Standby.exe (Corel)
    O4 - HKLM..\Run: [TkBellExe] c:\program files (x86)\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [UpdateLBPShortCut] c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdateP2GoShortCut] c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdatePDIRShortCut] c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdatePSTShortCut] c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - Startup: C:\Users\Larry Roman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BUFFALO NAS Navigator2.lnk = C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe (BUFFALO INC.)
    O4 - Startup: C:\Users\Larry Roman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAS Scheduler.lnk = C:\Program Files (x86)\BUFFALO\NASNAVI\nassche.exe (BUFFALO INC.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-399888373-849092070-281110943-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-399888373-849092070-281110943-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..Trusted Domains: cleverreach.com ([novastor] http in Trusted sites)
    O15 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..Trusted Domains: google-analytics.com ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..Trusted Domains: novastor.com ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..Trusted Domains: novastor.com ([]https in Trusted sites)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab (NVIDIA Smart Scan)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://refworks.webex.com/client/T27LC/nbr/ieatgpc1.cab (GpcContainer Class)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=724 (Performance Viewer Activex Control)
    O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6E77EA30-D182-48E0-A58E-E4FEFE2E9EC0}: DhcpNameServer = 75.75.75.75 75.75.76.76
    O18:64bit: - Protocol\Handler\ipp - No CLSID value found
    O18:64bit: - Protocol\Handler\ipp\0x00000001 - No CLSID value found
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18:64bit: - Protocol\Filter\text/xml - No CLSID value found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O24 - Desktop WallPaper:
    O24 - Desktop BackupWallPaper:
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/14 21:17:26 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Larry Roman\Desktop\OTL.exe
    [2012/07/14 21:08:11 | 000,000,000 | ---D | C] -- C:\Users\Larry Roman\AppData\Roaming\Malwarebytes
    [2012/07/14 21:07:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/14 21:07:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/07/14 21:07:36 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/07/14 21:07:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/07/14 21:06:26 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Larry Roman\Desktop\mbam-setup-1.62.0.1300.exe
    [2012/07/14 18:04:22 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/07/14 17:53:40 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/07/14 17:25:21 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/07/14 17:25:21 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/07/14 17:25:21 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/07/14 17:25:12 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/07/14 17:21:03 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/07/14 17:15:46 | 004,579,346 | R--- | C] (Swearware) -- C:\Users\Larry Roman\Desktop\ComboFix.exe
    [2012/07/14 17:09:15 | 000,000,000 | ---D | C] -- C:\Users\Larry Roman\AppData\Local\{75359818-3CA3-4317-A4CD-669F048F740B}
    [2012/07/14 17:09:01 | 000,000,000 | ---D | C] -- C:\Users\Larry Roman\AppData\Local\{127BFB81-BD9B-436E-8350-5A56B3222CFF}
    [2012/07/14 13:07:07 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/07/12 15:17:15 | 000,000,000 | ---D | C] -- C:\Users\Larry Roman\AppData\Local\{FDFCF7F3-F2F1-4DA9-A0DF-8960617045BA}
    [2012/07/12 15:16:55 | 000,000,000 | ---D | C] -- C:\Users\Larry Roman\AppData\Local\{BF0B7291-1125-4AA7-9FCB-31FB0137145C}
    [2012/07/12 12:31:26 | 000,000,000 | ---D | C] -- C:\Users\Larry Roman\AppData\Local\{D33DB78D-A1E6-4621-B68A-42214208CBC5}
    [2012/07/12 10:49:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
    [2012/07/12 10:49:07 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/07/12 07:59:40 | 000,000,000 | ---D | C] -- C:\Users\Larry Roman\AppData\Roaming\HandBrake
    [2012/07/12 07:58:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Handbrake
    [2012/07/01 12:35:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    [2012/07/01 12:34:56 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
    [2012/07/01 12:34:55 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
    [2012/07/01 12:31:41 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2012/06/24 13:07:32 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
    [2012/06/24 10:47:04 | 000,000,000 | ---D | C] -- C:\Users\Larry Roman\AppData\Local\{3155872E-04B6-4B1E-AC33-68CFD0FD7293}
    [2012/06/24 10:46:49 | 000,000,000 | ---D | C] -- C:\Users\Larry Roman\AppData\Local\{BE75931C-C6B8-4C24-BFCD-E07E70A1725E}
    [2012/01/11 19:19:21 | 000,082,816 | ---- | C] (VSO Software) -- C:\Users\Larry Roman\AppData\Roaming\pcouffin.sys
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/07/14 21:19:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/07/14 21:17:26 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Larry Roman\Desktop\OTL.exe
    [2012/07/14 21:08:11 | 000,011,104 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/07/14 21:08:11 | 000,011,104 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/07/14 21:07:41 | 000,001,107 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/14 21:06:27 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Larry Roman\Desktop\mbam-setup-1.62.0.1300.exe
    [2012/07/14 21:04:54 | 000,729,516 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012/07/14 21:04:54 | 000,626,290 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012/07/14 21:04:54 | 000,107,566 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012/07/14 21:00:26 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/07/14 20:59:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/07/14 20:59:50 | 2945,785,855 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/14 19:43:02 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/07/14 17:46:09 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012/07/14 17:15:46 | 004,579,346 | R--- | M] (Swearware) -- C:\Users\Larry Roman\Desktop\ComboFix.exe
    [2012/07/12 10:49:36 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/07/12 10:49:11 | 000,743,364 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2012/07/12 07:43:49 | 000,002,338 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
    [2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/07/01 12:35:44 | 000,001,785 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
    [2012/06/20 19:24:50 | 000,000,390 | ---- | M] () -- C:\Windows\SysWow64\Mcx2Svc.ocx
    [2012/06/20 19:24:46 | 001,743,360 | ---- | M] () -- C:\Windows\SysWow64\Mcx2Svc.dll
    [2012/06/16 20:35:38 | 000,467,392 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/07/14 21:07:41 | 000,001,107 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/14 17:25:21 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/07/14 17:25:21 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/07/14 17:25:21 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/07/14 17:25:21 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/07/14 17:25:21 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/07/12 10:49:13 | 000,001,917 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/07/01 12:35:44 | 000,001,785 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
    [2012/06/24 10:47:14 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/06/20 19:24:50 | 000,000,390 | ---- | C] () -- C:\Windows\SysWow64\Mcx2Svc.ocx
    [2012/06/20 19:24:44 | 001,743,360 | ---- | C] () -- C:\Windows\SysWow64\Mcx2Svc.dll
    [2012/02/08 19:31:21 | 000,007,605 | ---- | C] () -- C:\Users\Larry Roman\AppData\Local\Resmon.ResmonCfg
    [2012/01/11 19:19:21 | 000,007,859 | ---- | C] () -- C:\Users\Larry Roman\AppData\Roaming\pcouffin.cat
    [2012/01/11 19:19:21 | 000,001,167 | ---- | C] () -- C:\Users\Larry Roman\AppData\Roaming\pcouffin.inf
    [2012/01/06 19:09:38 | 000,003,232 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp m4a Codec.dat
    [2011/08/23 17:49:22 | 000,000,154 | ---- | C] () -- C:\Windows\QUICKEN.INI
    [2011/01/27 20:13:10 | 000,743,364 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2011/01/11 18:05:18 | 000,008,592 | ---- | C] () -- C:\Windows\SysWow64\ractrlkeyhook.dll
    [2010/12/22 09:46:01 | 000,003,190 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
    [2010/10/01 12:39:43 | 000,002,869 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp [Tag From Filename] Codec.dat
    [2010/10/01 12:39:33 | 000,002,900 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp [ReplayGain] Codec.dat
    [2010/10/01 12:39:20 | 000,003,002 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp [Multi Encoder] Codec.dat
    [2010/10/01 12:39:09 | 000,002,862 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp [Length Split] Codec.dat
    [2010/10/01 12:38:48 | 000,002,901 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp [ID Tag Update] Codec.dat
    [2010/10/01 12:38:30 | 000,002,999 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp [Channel Split] Codec.dat
    [2010/10/01 12:38:14 | 000,002,871 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp [Audio Info] Codec.dat
    [2010/10/01 12:38:00 | 000,002,879 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp [Arrange Audio] Codec.dat
    [2010/10/01 12:35:29 | 000,013,082 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp DSP Effects.dat
    [2010/10/01 12:35:25 | 004,022,504 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall.exe
    [2010/10/01 12:35:25 | 000,017,950 | ---- | C] () -- C:\Windows\SysWow64\SpoonUninstall-dBpoweramp Music Converter.dat
    [2010/09/23 09:18:43 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2010/09/13 10:37:07 | 000,209,040 | ---- | C] () -- C:\Windows\SysWow64\IVIresizeW7.dll
    [2010/09/13 10:37:07 | 000,204,944 | ---- | C] () -- C:\Windows\SysWow64\IVIresizeA6.dll
    [2010/09/13 10:37:07 | 000,196,752 | ---- | C] () -- C:\Windows\SysWow64\IVIresizeP6.dll
    [2010/09/13 10:37:07 | 000,196,752 | ---- | C] () -- C:\Windows\SysWow64\IVIresizeM6.dll
    [2010/09/13 10:37:07 | 000,192,656 | ---- | C] () -- C:\Windows\SysWow64\IVIresizePX.dll
    [2010/09/13 10:37:07 | 000,024,720 | ---- | C] () -- C:\Windows\SysWow64\IVIresize.dll
    [2010/09/12 21:15:15 | 000,008,192 | ---- | C] () -- C:\Users\Larry Roman\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/09/12 20:32:13 | 000,011,270 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
    [2010/09/02 17:36:31 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll

    ========== LOP Check ==========

    [2012/07/12 10:59:57 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\Azureus
    [2011/09/26 20:38:43 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\Catalina Marketing Corp
    [2010/09/13 09:09:13 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\CopyTrans
    [2011/01/17 13:50:03 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\dBpoweramp
    [2011/04/23 08:33:33 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\FileOpen
    [2011/01/06 18:14:55 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\GARMIN
    [2012/07/12 09:02:19 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\HandBrake
    [2011/11/23 12:19:30 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\ImgBurn
    [2010/10/02 09:52:05 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\JimbobSoft
    [2011/07/24 14:54:00 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\NASNaviator2
    [2011/02/22 10:24:11 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\Raptr
    [2012/01/12 11:36:19 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\Ulead Systems
    [2012/01/11 19:20:12 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\Vso
    [2010/09/03 08:10:31 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\WinBatch
    [2011/04/08 12:00:26 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\WindSolutions
    [2012/01/08 21:41:33 | 000,000,000 | ---D | M] -- C:\Users\Larry Roman\AppData\Roaming\Xilisoft
    [2012/07/12 11:59:13 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========


    < End of report >
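Added example, not part of the OTL report above and not code from OldTimer or from this thread: a small Python checker that reads the O20 (Winlogon Shell/UserInit), O32 (CD-ROM AutoRun) and O35/O37 (exefile/comfile "open" command) lines that OTL prints and flags any that deviate from the values a clean Windows 7 x64 install carries. Those three spots are the ones rogue-AV and rootkit families most often hijack to get launched whenever an .exe is opened or a user logs on, which is why a helper scans them first. The "default" values, the `Finding` type and the function names are assumptions of this example; the sample input mixes lines copied from the log above (all clean) with two constructed hijacked lines so the detection path is exercised.

```python
"""Flag non-default Winlogon / exefile entries in OTL 'O' lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed defaults for a clean Windows 7 x64 install, compared in lower case.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_OPEN_CMD = '"%1" %*'          # exefile / comfile "open" verb

# Regexes for the three OTL line shapes we care about (":64bit:" tag optional).
O20_RE = re.compile(r"^O20(?::64bit:)? - HKLM Winlogon: (\w+) - \((.*)\) - (.*)$")
O32_RE = re.compile(r"^O32 - HKLM CDRom: AutoRun - (\d)$")
O3X_RE = re.compile(r"^O3[57](?::64bit:)? - HKLM\\\.+(\S+) \[[^\]]*\] -- (.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" (hijack pattern) or "info" (worth a look, not proof)
    line: str
    reason: str


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one OTL line, or None when it matches the defaults."""
    line = line.strip()
    if m := O20_RE.match(line):
        key, value, resolved = m.group(1), m.group(2).strip().lower(), m.group(3)
        if key == "Shell" and value != DEFAULT_SHELL:
            return Finding("high", line, f"Winlogon Shell is '{value}', expected '{DEFAULT_SHELL}'")
        if key == "UserInit" and value.rstrip(",") != DEFAULT_USERINIT:
            return Finding("high", line, "Winlogon UserInit carries an extra or non-default executable")
        if key in ("Shell", "UserInit") and resolved.endswith("File not found"):
            return Finding("high", line, f"Winlogon {key} points at a file that does not exist")
        return None
    if m := O3X_RE.match(line):
        ext, cmd = m.group(1).lower(), m.group(2).strip()
        if ext in ("exefile", "comfile", "exe", "com") and cmd != DEFAULT_OPEN_CMD:
            # Anything but "%1" %* means a third program runs before every .exe/.com.
            return Finding("high", line, f"{ext} open command is '{cmd}', expected '{DEFAULT_OPEN_CMD}'")
        return None
    if m := O32_RE.match(line):
        if m.group(1) == "1":
            return Finding("info", line, "CD-ROM AutoRun is enabled (the default, but a known infection vector)")
        return None
    return None          # lines we do not model are ignored


def scan(lines: List[str]) -> List[Finding]:
    """Run check_line over a whole OTL log and keep the findings in log order."""
    return [f for f in map(check_line, lines) if f is not None]


SAMPLE_LINES = [
    # Copied from the OTL log above; all of these are default values.
    r"O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)",
    r"O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)",
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)",
    r"O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)",
    r"O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found",
    r"O32 - HKLM CDRom: AutoRun - 1",
    r'O35:64bit: - HKLM\..exefile [open] -- "%1" %*',
    r'O35 - HKLM\..comfile [open] -- "%1" %*',
    r'O37 - HKLM\...exe [@ = exefile] -- "%1" %*',
    # Constructed for this example (NOT from the log above): what hijacks look like.
    r"O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Roaming\svchost.exe) - File not found",
    r'O35 - HKLM\..exefile [open] -- "C:\Users\bob\AppData\Local\Temp\guard.exe" -a "%1" %*',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the log above the only output is the informational AutoRun line; the two "high" findings come from the constructed entries. The checker is deliberately narrow: it models only the keys it knows defaults for, so a VMApplet "/pagefile ... File not found" line (normal OTL noise on Windows 7) is ignored rather than reported.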
     
  11. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    OTL Extras logfile created on: 7/14/2012 9:22:06 PM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Larry Roman\Desktop
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    8.99 Gb Total Physical Memory | 7.25 Gb Available Physical Memory | 80.64% Memory free
    17.98 Gb Paging File | 16.04 Gb Available in Paging File | 89.23% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 917.61 Gb Total Space | 134.40 Gb Free Space | 14.65% Space Free | Partition Type: NTFS
    Drive D: | 13.90 Gb Total Space | 1.96 Gb Free Space | 14.09% Space Free | Partition Type: NTFS

    Computer Name: MEDIA-PC | User Name: Larry Roman | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-399888373-849092070-281110943-1000\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [Browse with Corel PaintShop Photo Pro X3] -- "c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\Corel Paint Shop Pro Photo.exe" "%L" (Corel, Inc.)
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [Browse with Corel PaintShop Photo Pro X3] -- "c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\Corel Paint Shop Pro Photo.exe" "%L" (Corel, Inc.)
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{989AFEA6-23D6-4FE4-8C9A-7A598498E8A5}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{B7721B85-1FA6-4718-A743-CF952697BA6C}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "TCP Query User{8C7B4295-752F-4AD3-8C2F-89AC6CCFFC50}C:\program files (x86)\buffalo\nasnavi\nasnavi.exe" = protocol=6 | dir=in | app=c:\program files (x86)\buffalo\nasnavi\nasnavi.exe |
    "TCP Query User{A8C16A4E-8CA1-437F-95AF-D330BCEAF9BA}C:\program files (x86)\buffalo\nasnavi\nasnavi.exe" = protocol=6 | dir=in | app=c:\program files (x86)\buffalo\nasnavi\nasnavi.exe |
    "UDP Query User{281B2B58-DB7F-4B0F-B69B-BEE4C1143F80}C:\program files (x86)\buffalo\nasnavi\nasnavi.exe" = protocol=17 | dir=in | app=c:\program files (x86)\buffalo\nasnavi\nasnavi.exe |
    "UDP Query User{B5507DF7-66EA-4CAD-B174-458DDC1A6B8E}C:\program files (x86)\buffalo\nasnavi\nasnavi.exe" = protocol=17 | dir=in | app=c:\program files (x86)\buffalo\nasnavi\nasnavi.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{6A76BEAF-6D1F-4273-A79B-DA8410A2E56B}" = Apple Mobile Device Support
    "{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
    "{840A3BAA-4C68-4581-9C7A-6F8D6CF531B9}" = iTunes
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
    "{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "_{D1AEB5DB-04FA-489D-94EF-8600898B93EE}" = Corel PaintShop Photo Pro X3
    "_{F072CA07-A781-45E4-9975-C033A73019CF}" = Corel VideoStudio Pro X3
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{0295F89F-F698-4101-9A7D-49F407EC2D82}" = HP Active Support Library
    "{03BF5CB1-B72E-4CA6-A278-F65680F05420}" = HP Picasso Media Center Add-In
    "{08C8666B-C502-4AB3-B4CB-D74AC42D14FE}" = Nero BackItUp 10 Help (CHM)
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{0D2E80C8-0875-43EB-9623-47118E2DFBCA}" = Quicken 2007
    "{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
    "{0F547B3D-8347-4262-AB2C-2F49BB716DA8}" = NovaBACKUP
    "{122ADF8C-DDA1-480C-9936-C88F2825B265}" = Apple Application Support
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{16987E99-C95C-4513-9239-7B44A0A71DB5}" = Nero SoundTrax 10 Help (CHM)
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1CC069FA-1A86-402E-9787-3F04E652C67A}" = HP Support Information
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
    "{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}" = Nero MediaHub 10
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{237CCB62-8454-43E3-B158-3ACD0134852E}" = High-Definition Video Playback 10
    "{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10
    "{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
    "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
    "{277C1559-4CF7-44FF-8D07-98AA9C13AABD}" = Nero Multimedia Suite 10
    "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
    "{290CA856-3737-4874-864B-BA142F4823C8}_is1" = HP MediaSmart Demo
    "{2DFE1608-BDCA-11D1-B7AE-00C04FB92F3D}" = Microsoft Project 2000
    "{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
    "{2F8BA3FD-1FA9-4279-B696-712ABB12F09F}" = SmartSound Quicktracks 5
    "{329411A0-19F3-4740-874F-17400B126F27}" = Nero Vision 10 Help (CHM)
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{33643918-7957-4839-92C7-EA96CB621A98}" = Nero Express 10 Help (CHM)
    "{34490F4E-48D0-492E-8249-B48BECF0537C}" = Nero DiscSpeed 10
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}" = HP Advisor
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
    "{50F68032-B5B7-4513-9116-C978DBD8F27A}" = Corel DVD MovieFactory
    "{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}" = InterVideo DeviceService
    "{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM)
    "{549622DF-3674-459C-81F3-38124A45FA0E}" = MusicBridge
    "{555868C6-49FB-484F-BB43-8980651A1B00}" = Nero BurnRights 10 Help (CHM)
    "{63AA3EAB-23BB-48B2-9AD0-44F878075604}" = Nero 10 Menu TemplatePack Basic
    "{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update
    "{66049135-9659-4AAD-9169-9CCA269EBB3E}" = Nero InfoTool 10 Help (CHM)
    "{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
    "{67431FA8-4B89-42DD-A68E-30D77F6C8D99}_is1" = HP Easy Backup
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{68AB6930-5BFF-4FF6-923B-516A91984FE6}" = Nero BackItUp 10
    "{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
    "{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10
    "{70550193-1C22-445C-8FA4-564E155DB1A7}" = Nero Express 10
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
    "{784BEA84-FA66-4B19-BB80-7B545F248AC6}" = HP Total Care Setup
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{7A295D8F-484B-4FFB-89AB-C1FD497591FE}" = Nero WaveEditor 10 Help (CHM)
    "{7A5D731D-B4B3-490E-B339-75685712BAAB}" = Nero Burning ROM 10
    "{7E4CB404-F1E4-4E81-A1CB-2CBB310481D1}" = MLE
    "{7F10292C-A190-4176-A665-A1ED3478DF86}" = LightScribe System Software
    "{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
    "{8A809006-C25A-4A3A-9DAB-94659BCDB107}" = NVIDIA PhysX
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{8ECEC853-5C3D-4B10-B5C7-FF11FF724807}" = Nero Recode 10
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
    "{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{92AF565C-6F66-4065-8D51-04A41E85D2C3}" =
    "{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
    "{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
    "{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
    "{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
    "{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
    "{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
    "{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
    "{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
    "{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
    "{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUS_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002A-0409-1000-0000000FF1CE}_Office14.PROPLUS_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
    "{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
    "{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
    "{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
    "{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
    "{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
    "{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0116-0409-1000-0000000FF1CE}_Office14.PROPLUS_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
    "{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
    "{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
    "{92E25238-61A3-4ACD-A407-3C480EEF47A7}" = Nero RescueAgent 10 Help (CHM)
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{943CFD7D-5336-47AF-9418-E02473A5A517}" = Nero BurnRights 10
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9A4297F3-2A51-4ED9-92CA-4BCB8380947E}" = Nero Vision 10
    "{9B6B24BE-80E7-46C4-9FA5-B167D5E0F345}" = Nero BurningROM 10 Help (CHM)
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
    "{9CC89170-000B-457D-91F1-53691F85B223}" = Python 2.6.1
    "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
    "{A0640EC2-B97E-4FC1-AD14-227C9E386BB4}" = HP Recovery Manager RSS
    "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
    "{AE469025-08BA-4B2A-915D-CC7765132419}" = Default Manager
    "{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
    "{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
    "{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
    "{B84739A3-F943-47E4-95D8-96381EF5AC48}" = HP Customer Experience Enhancements
    "{B8A2869E-30CA-40C5-9CF8-BD7354E57EF8}" = SmartSound Common Data
    "{B8AC1A89-FFD1-4F97-8051-E505A160F562}" = HP Odometer
    "{C18A0418-442A-4186-AF98-D08F5054A2FC}" = Nero DiscSpeed 10 Help (CHM)
    "{C3273C55-E1E4-41FF-8D69-0158090DB8D8}" = Nero CoverDesigner 10 Help (CHM)
    "{C3580AC4-C827-4332-B935-9A282ED5BB97}" = Nero Dolby Files 10
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "{C611CF88-969D-43E6-A877-D6D6439DD081}" = HP Remote Solution
    "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
    "{C79BF5BB-5671-41C0-A028-E9A2097D1AAD}" = Microsoft Live Search Toolbar
    "{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
    "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "{CD95F661-A5C4-44F5-A6AA-ECDD91C240C0}" = WinZip 15.0
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
    "{D1612A3D-0DCC-4055-BB6A-0036F31158A0}" = Setup
    "{D1AEB5DB-04FA-489D-94EF-8600898B93EE}" = ICA
    "{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
    "{D3BCC13A-E4F2-45EE-846F-D143CEDDDBCB}" = DeviceIO
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{D7D99A66-493F-468B-BCE1-6F88612B89D5}" = Contents
    "{D875FFEE-2FCE-4774-902A-749198C00A68}" = PureHD
    "{D94ABC2B-5CA9-48B2-9266-15AB78384D3C}" = Share
    "{D9C4FA35-7C6B-4C9E-863B-58C4D7472F41}" = VIO
    "{DA4A2F61-1E26-4D51-94BB-36D77678BDAD}" = PSPH10Pro
    "{DA4BF4BE-3CDC-43B5-BBDA-DDDA73103111}" = Corel PaintShop Photo Pro X3
    "{DB7C1D4A-08BA-4C7E-A8AA-B7F9BB372DCF}" = Nero Recode 10 Help (CHM)
    "{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
    "{DCD941B6-F2E7-4FAF-B102-F7D4DE5FF99A}" = IPM_PSP_Pro
    "{DCF1928A-FC01-48E7-A7E6-4651D42EF6A1}" = PSPPRO_DCRAW
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{DF802C05-4660-418c-970C-B988ADB1D316}" = Microsoft Live Search Toolbar
    "{DF8B9311-ADE7-4EDE-B121-326CAA3D225D}" = PSPPContent
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E1EE5339-5D32-458F-BAAB-B19F6301BCE2}" = Nero SoundTrax 10
    "{E337E787-CF61-4B7B-B84F-509202A54023}" = Nero RescueAgent 10
    "{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
    "{E9E34215-82EF-4909-BE2F-F581F0DC9062}" = DirectX for Managed Code Update (Summer 2004)
    "{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
    "{EDCDFAD5-DF80-4600-A493-E9DAD6810230}" = Nero WaveEditor 10
    "{F069C491-69E6-4D9B-9A0C-B7894A1FA97C}" = Setup
    "{F072CA07-A781-45E4-9975-C033A73019CF}" = ICA
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F206FEC3-F5DD-43FD-A8CF-9C46B8A6A92C}" = VSPro
    "{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
    "{F412B4AF-388C-4FF5-9B2F-33DB1C536953}" = Nero InfoTool 10
    "{F467862A-D9CA-47ED-8D81-B4B3C9399272}" = Nero MediaHub 10 Help (CHM)
    "{F4E9851F-765E-40B7-9859-237C2724E62C}" = DeviceIO
    "{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic
    "{F6117F9C-ADB5-4590-9BE4-12C7BEC28702}" = Nero StartSmart 10 Help (CHM)
    "{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}" = Nero StartSmart 10
    "{F6A76E9C-C299-4CFA-AD2A-57FE9DD68B70}" = Contents
    "{F8423392-2296-4748-9B66-344432459632}" = PureHD
    "{F909BD3C-8684-4ACF-B7C3-33F4F9F901B7}" = Share
    "{F95C8C1F-25BB-44EC-A7E6-5C17ABC6BC71}" = VIO
    "{F99F9E24-EE2F-47FD-AEB0-FDB82859B5C9}" = VideoStudio
    "{FB0B6DDD-DF3E-4CD6-927C-724AB854E322}" = VSClassic
    "{FCF00A6E-FB58-477A-ABE9-232907105521}" = Nero CoverDesigner 10
    "{FD67D9F3-FED6-4A2E-9D6C-8C8C44DEF8FF}" = IPM_VS_Pro
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "8461-7759-5462-8226" = Vuze
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "AVS Audio Converter_is1" = AVS Audio Converter 7
    "AVS Update Manager_is1" = AVS Update Manager 1.0
    "AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.4
    "Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
    "dBpoweramp [Arrange Audio] Codec" = dBpoweramp [Arrange Audio] Codec
    "dBpoweramp [Audio Info] Codec" = dBpoweramp [Audio Info] Codec
    "dBpoweramp [Channel Split] Codec" = dBpoweramp [Channel Split] Codec
    "dBpoweramp [ID Tag Update] Codec" = dBpoweramp [ID Tag Update] Codec
    "dBpoweramp [Length Split] Codec" = dBpoweramp [Length Split] Codec
    "dBpoweramp [Multi Encoder] Codec" = dBpoweramp [Multi Encoder] Codec
    "dBpoweramp [ReplayGain] Codec" = dBpoweramp [ReplayGain] Codec
    "dBpoweramp [Tag From Filename] Codec" = dBpoweramp [Tag From Filename] Codec
    "dBpoweramp DSP Effects" = dBpoweramp DSP Effects
    "dBpoweramp m4a Codec" = dBpoweramp m4a Codec
    "dBpoweramp Music Converter" = dBpoweramp Music Converter
    "dBpoweramp Windows Media Audio 10 Codec" = dBpoweramp Windows Media Audio 10 Codec
    "DVDFab 8_is1" = DVDFab 8.0.2.2 (01/10/2010)
    "Google Chrome" = Google Chrome
    "HP Remote Solution" = HP Remote Solution
    "ImgBurn" = ImgBurn
    "InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
    "InstallShield_{2F8BA3FD-1FA9-4279-B696-712ABB12F09F}" = SmartSound Quicktracks 5
    "InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "InstallShield_{50F68032-B5B7-4513-9116-C978DBD8F27A}" = Corel DVD MovieFactory 7 SE
    "InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
    "InstallShield_{B8A2869E-30CA-40C5-9CF8-BD7354E57EF8}" = SmartSound Common Data
    "InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
    "InstallShield_{F99F9E24-EE2F-47FD-AEB0-FDB82859B5C9}" = Ulead VideoStudio 11
    "jZip" = jZip
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
    "Media Player - Codec Pack" = Media Player Codec Pack 3.9.6
    "NovaBACKUP" = NovaBACKUP
    "Office14.PROPLUS" = Microsoft Office Professional Plus 2010
    "pywin32-py2.6" = Python 2.6 pywin32-212
    "RealPlayer 15.0" = RealPlayer
    "Search Toolbar" = Search Toolbar
    "SystemRequirementsLab" = System Requirements Lab
    "UN060501" = BUFFALO NAS Navigator2
    "UN090928" = BUFFALO LinkStation(LX-WXL) Setup Guide
    "VueScan" = VueScan
    "Vuze_Remote Toolbar" = Vuze Remote Toolbar
    "WildTangent hp Master Uninstall" = HP Games
    "Windows Media Encoder 9" = Windows Media Encoder 9 Series
    "WinLiveSuite" = Windows Live Essentials
    "Write-N-Cite" = Write-N-Cite
    "Xilisoft Audio Converter Pro" = Xilisoft Audio Converter Pro
    "Xvid_is1" = Xvid 1.2.2 final uninstall
    "Yahoo! Companion" = Yahoo! Toolbar

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-399888373-849092070-281110943-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "CopyTrans Suite" = CopyTrans Suite Remove Only

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 5/28/2011 6:20:00 AM | Computer Name = Media-PC | Source = VSS | ID = 8194
    Description =

    Error - 5/28/2011 2:40:15 PM | Computer Name = Media-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 5/29/2011 12:32:30 AM | Computer Name = Media-PC | Source = SideBySide | ID = 16842811
    Description = Activation context generation failed for "c:\program files (x86)\microsoft\search
    enhancement pack\search helper\searchhelper.dll".Error in manifest or policy file
    "c:\program files (x86)\microsoft\search enhancement pack\search helper\searchhelper.dll"
    on line 2. Invalid Xml syntax.

    Error - 5/29/2011 3:00:01 AM | Computer Name = Media-PC | Source = Windows Backup | ID = 4103
    Description =

    Error - 5/30/2011 12:30:58 AM | Computer Name = Media-PC | Source = SideBySide | ID = 16842811
    Description = Activation context generation failed for "c:\program files (x86)\microsoft\search
    enhancement pack\search helper\searchhelper.dll".Error in manifest or policy file
    "c:\program files (x86)\microsoft\search enhancement pack\search helper\searchhelper.dll"
    on line 2. Invalid Xml syntax.

    Error - 5/30/2011 3:00:08 AM | Computer Name = Media-PC | Source = Windows Backup | ID = 4103
    Description =

    Error - 5/30/2011 6:44:42 PM | Computer Name = Media-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 5/31/2011 12:34:08 AM | Computer Name = Media-PC | Source = SideBySide | ID = 16842811
    Description = Activation context generation failed for "c:\program files (x86)\microsoft\search
    enhancement pack\search helper\searchhelper.dll".Error in manifest or policy file
    "c:\program files (x86)\microsoft\search enhancement pack\search helper\searchhelper.dll"
    on line 2. Invalid Xml syntax.

    Error - 5/31/2011 12:40:17 AM | Computer Name = Media-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 5/31/2011 3:00:04 AM | Computer Name = Media-PC | Source = Windows Backup | ID = 4103
    Description =

    [ System Events ]
    Error - 7/14/2012 5:38:04 PM | Computer Name = Media-PC | Source = Application Popup | ID = 1060
    Description = \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility
    with this system. Please contact your software vendor for a compatible version
    of the driver.

    Error - 7/14/2012 5:38:42 PM | Computer Name = Media-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 7/14/2012 5:39:46 PM | Computer Name = Media-PC | Source = Service Control Manager | ID = 7023
    Description = The Windows Defender service terminated with the following error:
    %%126

    Error - 7/14/2012 5:50:14 PM | Computer Name = Media-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.129.1535.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 7/14/2012 5:50:14 PM | Computer Name = Media-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.129.1535.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 7/14/2012 6:14:13 PM | Computer Name = Media-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.129.1535.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 7/14/2012 6:14:13 PM | Computer Name = Media-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.129.1535.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 7/14/2012 8:59:55 PM | Computer Name = Media-PC | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 7:57:49 PM on ?7/?14/?2012 was unexpected.

    Error - 7/14/2012 9:13:06 PM | Computer Name = Media-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.129.1535.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 7/14/2012 9:13:06 PM | Computer Name = Media-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.129.1535.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.



    < End of report >
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
      O3 - HKLM\..\Toolbar: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
      O3 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
      O3 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..\Toolbar\WebBrowser: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask.com)
      O15 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..Trusted Domains: cleverreach.com ([novastor] http in Trusted sites)
      O15 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..Trusted Domains: google-analytics.com ([]http in Trusted sites)
      O15 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..Trusted Domains: novastor.com ([]http in Trusted sites)
      O15 - HKU\S-1-5-21-399888373-849092070-281110943-1000\..Trusted Domains: novastor.com ([]https in Trusted sites)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
      
      
      :Services
      
      :Reg
      
      :Files
      C:\Program Files (x86)\Ask.com
      C:\FRST
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document called checkup.txt should open automatically; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double-click on TFC.exe to run the program.
    • Click on the Start button to begin the cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce any log.
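The OTL fix above removes three kinds of Internet Explorer registry entries: O2 Browser Helper Objects, O3 toolbars and O15 trusted-zone domains. The following read-only PowerShell audit is an added example for this thread; it is not OTL's code and not part of the original posts. It lists the same three classes of entries from a live system so they can be reviewed before anything is cleaned, and it flags the "No CLSID value found" condition OTL reports (a BHO or toolbar registration whose CLSID no longer resolves to a DLL). The function names are my own; the script assumes the standard Windows/IE registry layout, including the Wow6432Node view for 32-bit components on 64-bit Windows, and the IE zone id 2 meaning "Trusted sites".

```powershell
# Added example (not OTL's code): read-only audit of IE BHOs, toolbars and
# trusted-zone domains. Nothing is modified; run from an elevated PowerShell.
# Assumptions: standard registry layout, Wow6432Node for 32-bit COM objects
# on x64, zone id 2 = "Trusted sites".

$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Resolve-Clsid {
    # Map a CLSID to its friendly name and in-process DLL via HKCR\CLSID (and the
    # 32-bit view). No key at all is what OTL prints as "No CLSID value found":
    # a dangling registration with nothing behind it.
    param([string]$Clsid)
    foreach ($view in 'CLSID', 'Wow6432Node\CLSID') {
        $key = "Registry::HKEY_CLASSES_ROOT\$view\$Clsid"
        if (-not (Test-Path $key)) { continue }
        $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $exists = $false
        if ($dll) { $exists = Test-Path ([Environment]::ExpandEnvironmentVariables($dll.Trim('"'))) }
        return [pscustomobject]@{ Registered = $true; Name = $name; Dll = $dll; DllExists = $exists }
    }
    return [pscustomobject]@{ Registered = $false; Name = $null; Dll = $null; DllExists = $false }
}

function New-Finding([string]$Kind, [string]$Id, $Info) {
    [pscustomobject]@{
        Kind       = $Kind
        Id         = $Id
        Name       = $Info.Name
        Path       = $Info.Dll
        Registered = $Info.Registered
        FileExists = $Info.DllExists
    }
}

function Get-BrowserHelperObjects {
    # O2 entries: each subkey name under these roots is a CLSID IE will load.
    $roots = @(
        'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'Registry::HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            New-Finding 'BHO' $sub.PSChildName (Resolve-Clsid $sub.PSChildName)
        }
    }
}

function Get-IeToolbars {
    # O3 entries: toolbar CLSIDs are stored as value *names* on these keys.
    $roots = @(
        'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar',
        'Registry::HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
        'Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($valueName in (Get-Item -Path $root).GetValueNames()) {
            if ($valueName -notmatch $guidPattern) { continue }
            New-Finding 'Toolbar' $valueName (Resolve-Clsid $valueName)
        }
    }
}

function Get-TrustedSiteDomains {
    # O15 entries: ZoneMap\Domains\<domain>[\<host>] holds one DWORD per scheme
    # (http, https or *) whose value is the zone id; 2 means "Trusted sites".
    $root = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $root)) { return }
    $prefixLen = ($root -replace '^Registry::', '').Length + 1
    foreach ($key in Get-ChildItem -Path $root -Recurse) {
        # The key path below Domains is domain\host; reverse it to get host.domain.
        $parts = $key.Name.Substring($prefixLen) -split '\\'
        [array]::Reverse($parts)
        $fqdn = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -ne 2) { continue }
            New-Finding 'TrustedSite' "$scheme://$fqdn" ([pscustomobject]@{ Name = $null; Dll = $null; Registered = $null; DllExists = $null })
        }
    }
}

$findings = @(Get-BrowserHelperObjects) + @(Get-IeToolbars) + @(Get-TrustedSiteDomains)
$findings | Sort-Object Kind, Id | Format-Table -AutoSize
```

Entries with `Registered = False` correspond to the "No CLSID value found" lines in an OTL log (such as the `{21FA44EF-...}` toolbar value above), and `FileExists = False` marks a registration whose DLL is already gone; both are leftovers that a fix like the one above removes. Trusted-site rows are listed for review only, since a domain in the Trusted zone is a configuration choice rather than evidence of infection.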
     
  13. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
    C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll moved successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    File C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.
    Registry value HKEY_USERS\S-1-5-21-399888373-849092070-281110943-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
    Registry value HKEY_USERS\S-1-5-21-399888373-849092070-281110943-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    File C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.
    Registry key HKEY_USERS\S-1-5-21-399888373-849092070-281110943-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cleverreach.com\novastor\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-399888373-849092070-281110943-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google-analytics.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-399888373-849092070-281110943-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\novastor.com\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-399888373-849092070-281110943-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\novastor.com\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Starting removal of ActiveX control Garmin Communicator Plug-In
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Program Files (x86)\Ask.com folder moved successfully.
    C:\FRST\Quarantine\{834203f6-26d7-01d4-f438-6811d992075e}\{834203f6-26d7-01d4-f438-6811d992075e}\U folder moved successfully.
    C:\FRST\Quarantine\{834203f6-26d7-01d4-f438-6811d992075e}\{834203f6-26d7-01d4-f438-6811d992075e}\L folder moved successfully.
    C:\FRST\Quarantine\{834203f6-26d7-01d4-f438-6811d992075e}\{834203f6-26d7-01d4-f438-6811d992075e} folder moved successfully.
    C:\FRST\Quarantine\{834203f6-26d7-01d4-f438-6811d992075e}\U folder moved successfully.
    C:\FRST\Quarantine\{834203f6-26d7-01d4-f438-6811d992075e}\L folder moved successfully.
    C:\FRST\Quarantine\{834203f6-26d7-01d4-f438-6811d992075e} folder moved successfully.
    C:\FRST\Quarantine folder moved successfully.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56504 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Larry Roman
    ->Temp folder emptied: 4148238 bytes
    ->Temporary Internet Files folder emptied: 2877144302 bytes
    ->Java cache emptied: 14111124 bytes
    ->Google Chrome cache emptied: 6536636 bytes
    ->Flash cache emptied: 27628 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1059286 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 404097865 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 3,154.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Default

    User: Default User

    User: Larry Roman
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Larry Roman
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.53.1 log created on 07142012_225414
    Files\Folders moved on Reboot...
    C:\Users\Larry Roman\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF09B2DB8C36C4E09C.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF32392B58AD3FD18F.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF352529C150B4543A.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF60A6A0D36CF90637.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF6389F10429EF1971.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF6926C40A54645B91.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF92EF538AE96424FC.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DFBDF479EF24170583.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DFC89FCCF66D52321D.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVGEGWR2\win64-sirefef-victim[1].htm not found!
    PendingFileRenameOperations files...
    File C:\Users\Larry Roman\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF09B2DB8C36C4E09C.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF32392B58AD3FD18F.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF352529C150B4543A.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF60A6A0D36CF90637.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF6389F10429EF1971.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF6926C40A54645B91.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF92EF538AE96424FC.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DFBDF479EF24170583.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DFC89FCCF66D52321D.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVGEGWR2\win64-sirefef-victim[1].htm not found!
    Registry entries deleted on Reboot...
     
  14. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    Results of screen317's Security Check version 0.99.24
    Windows 7 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 31
    Adobe Reader X (10.1.0) Adobe Reader Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    ``````````End of Log````````````
     
  15. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    ESET Scan results:

    C:\Program Files (x86)\HP Games\Farm Mania\Farm-WT.exe a variant of Win32/Kryptik.SH trojan cleaned by deleting - quarantined
    C:\ProgramData\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe a variant of Win32/Kryptik.SH trojan cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined
    C:\_OTL\MovedFiles\07142012_225414\C_FRST\Quarantine\{834203f6-26d7-01d4-f438-6811d992075e}\n Win64/Sirefef.W trojan cleaned by deleting - quarantined
     
  16. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    I still need FSS log.
     
  17. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    My apologies. I somehow overlooked that step. FSS log posted below:

    Farbar Service Scanner Version: 08-07-2012
    Ran by Larry Roman (administrator) on 15-07-2012 at 13:45:12
    Running from "C:\Users\Larry Roman\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.

    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit

    **** End of log ****
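    The FSS log above flags two things worth re-checking after the fix: the BITS service key has no Start value at all, and Windows Defender is set to Demand with DisableAntiSpyware=1 under HKLM\SOFTWARE\Microsoft\Windows Defender. As an added example (not part of the thread and not Farbar Service Scanner's code), this PowerShell script reads the same registry locations so the state can be compared before and after the repair; the expected default start types (2 = Auto) are assumptions for Windows 7 and should be confirmed against a known-good machine of the same build.

```powershell
# Added example, not from the thread or from Farbar Service Scanner.
# Re-checks the FSS findings straight from the registry:
#  - BITS: FSS reported "Unable to retrieve start type... The value does not exist"
#  - WinDefend: Start set to Demand (3) instead of default Auto (2), and
#    DisableAntiSpyware=1 under HKLM\SOFTWARE\Microsoft\Windows Defender
# Expected defaults are assumptions for Windows 7 (Start: 2 = Auto, 3 = Demand, 4 = Disabled).

$StartTypeName = @{ 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

function Test-ServiceStart {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$ExpectedStart
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Service = $Name; Status = 'MISSING'; Detail = "$key not found" }
    }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props.Start) {
        # Exactly the condition FSS reported for BITS in the log above.
        return [pscustomobject]@{ Service = $Name; Status = 'ATTENTION'; Detail = 'Start value does not exist' }
    }
    $actual = [int]$props.Start
    if ($actual -ne $ExpectedStart) {
        return [pscustomobject]@{
            Service = $Name; Status = 'ATTENTION'
            Detail  = "Start is $($StartTypeName[$actual]) ($actual); default is $($StartTypeName[$ExpectedStart]) ($ExpectedStart)"
        }
    }
    # ImagePath is echoed so it can be eyeballed the way FSS does ("ImagePath ... is OK").
    [pscustomobject]@{ Service = $Name; Status = 'OK'; Detail = "Start = $($StartTypeName[$actual]); ImagePath = $($props.ImagePath)" }
}

function Test-DefenderPolicy {
    # Same key and value name the FSS log lists under "Windows Defender Disabled Policy".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $val = (Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($val -eq 1) {
        return [pscustomobject]@{ Service = 'WinDefend'; Status = 'ATTENTION'; Detail = "DisableAntiSpyware=1 in $key" }
    }
    [pscustomobject]@{ Service = 'WinDefend'; Status = 'OK'; Detail = 'DisableAntiSpyware not set' }
}

# Run the checks; any ATTENTION row should be compared against a fresh FSS log.
$results = @(
    (Test-ServiceStart -Name 'BITS'      -ExpectedStart 2)   # assumed default: Automatic (delayed)
    (Test-ServiceStart -Name 'WinDefend' -ExpectedStart 2)   # Auto, as the FSS log states
    (Test-DefenderPolicy)
)
$results | Format-Table -AutoSize
```

Run from an elevated PowerShell prompt; reading these keys normally needs no elevation, but repairing them does.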
     
  18. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    =======================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    =======================================

    We have one corrupted registry key affecting Windows updates.

    The following steps involve registry editing. Please create a new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.
    Double click on bits.reg file and confirm the prompt.
    Restart computer.
    Post new FSS log.

    Then let me know if you can access Windows updates.
     
  19. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    I am able to access Windows Update.

    Farbar Service Scanner Version: 08-07-2012
    Ran by Larry Roman (administrator) on 16-07-2012 at 19:48:21
    Running from "C:\Users\Larry Roman\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit

    **** End of log ****
     
  20. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Good :)

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
     
  21. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    My computer appears to be running normally and is stable. I will continue with the additional steps for clean up and future prevention.

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Larry Roman
    ->Temp folder emptied: 3838198 bytes
    ->Temporary Internet Files folder emptied: 206938670 bytes
    ->Java cache emptied: 2027 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 2947 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 563270 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 202.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Larry Roman
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Default

    User: Default User

    User: Larry Roman
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.53.1 log created on 07172012_065052
    Files\Folders moved on Reboot...
    C:\Users\Larry Roman\AppData\Local\Temp\Low\REG9388.tmp moved successfully.
    C:\Users\Larry Roman\AppData\Local\Temp\Low\REGAFD1.tmp moved successfully.
    C:\Users\Larry Roman\AppData\Local\Temp\Low\REGE80F.tmp moved successfully.
    C:\Users\Larry Roman\AppData\Local\Temp\Low\REGF9.tmp moved successfully.
    C:\Users\Larry Roman\AppData\Local\Temp\Low\REGFCE4.tmp moved successfully.
    C:\Users\Larry Roman\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF05BEFC9F5088310A.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF591F76CCE4A776EE.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF5A485D02CD21D517.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF72F12E139324372A.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DF93CA5E51B4D8836B.TMP not found!
    File\Folder C:\Users\Larry Roman\AppData\Local\Temp\~DFA73997EAFADFAF7A.TMP not found!
    C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YIEKHA37\billboard[1].htm moved successfully.
    C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YIEKHA37\billboard[2].htm moved successfully.
    File\Folder C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PFPVO8UY\gopro[1].htm not found!
    C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PFPVO8UY\win64-sirefef-victim[1].htm moved successfully.
    C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
    C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
    C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.
    File\Folder C:\Windows\temp\TMP000000019958B19212A0549A not found!
    PendingFileRenameOperations files...
    File C:\Users\Larry Roman\AppData\Local\Temp\Low\REG9388.tmp not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\Low\REGAFD1.tmp not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\Low\REGE80F.tmp not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\Low\REGF9.tmp not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\Low\REGFCE4.tmp not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF05BEFC9F5088310A.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF591F76CCE4A776EE.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF5A485D02CD21D517.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF72F12E139324372A.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DF93CA5E51B4D8836B.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Temp\~DFA73997EAFADFAF7A.TMP not found!
    File C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YIEKHA37\billboard[1].htm not found!
    File C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YIEKHA37\billboard[2].htm not found!
    File C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PFPVO8UY\gopro[1].htm not found!
    File C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PFPVO8UY\win64-sirefef-victim[1].htm not found!
    File C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat not found!
    File C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT not found!
    File C:\Users\Larry Roman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat not found!
    File C:\Windows\temp\TMP000000019958B19212A0549A not found!
    Registry entries deleted on Reboot...
     
  22. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    Way to go!!
    Good luck and stay safe :)
     
  23. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    Computer is still running great! Thank you so much for your help. I ran OTL as requested above. I thought I posted the log here, but apparently not, as I don't see it today. Can I re-run OTL and post the log?
     
  24. lroman3

    lroman3 TS Enthusiast Topic Starter Posts: 143

    Never mind, I see it now along with your reply. Funny, they were not present when previously checked. Either way, thanks again for the help.
     
  25. Broni

    Broni Malware Annihilator Posts: 47,594   +267

    You're very welcome
     

