Solved Ya sirefef infection

james25182

Hi,

I also seem to have contracted a nasty infection of both W and Y. MSE keeps rebooting. I'm running Windows 7 Home Premium x64. I've run FRST64 and done a search for services.exe as per previous posts. Here's my output:

Scan result of Farbar Recovery Scan Tool Version: 04-07-2012 01
Ran by SYSTEM at 05-07-2012 09:54:48
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [InputDirector] "C:\Program Files (x86)\Input Director\InputDirector.exe" /hide [475136 2010-02-01] ()
HKLM-x32\...\Run: [Bing Bar] "C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe" [243544 2010-03-24] (Microsoft Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-26] (Apple Inc.)
HKLM-x32\...\Run: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-23] (CANON INC.)
HKU\James\...\Run: [DriverMax_RESTART] [x]
HKU\James\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1242448 2012-04-17] (Valve Corporation)
HKU\James\...\Run: [Memopal] C:\Program Files\Memopal\Memopal.exe [x]
HKU\James\...\Run: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe [x]
Tcpip\..\Interfaces\{37B856E9-8AD9-4525-81E9-53D6A694AFAA}: [NameServer]192.168.2.1
Startup: C:\Users\James\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Sam\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Sam\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe (No File)

==================== Services (Whitelisted) ======

3 IDVistaService; C:\Program Files (x86)\Input Director\IDVistaService.exe [13824 2009-02-07] ()
2 InputDirector; C:\Program Files (x86)\Input Director\IDWinService.exe [36864 2010-02-01] ()
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [32768 2010-04-28] (Google Inc)
3 dvdfab; C:\Windows\System32\Drivers\dvdfab.sys [79232 2011-08-15] (Fengtao Software Inc.)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-28] ()
3 NVENETFD; C:\Windows\System32\DRIVERS\nvm62x64.sys [408960 2009-06-10] (NVIDIA Corporation)
3 SaiH0461; C:\Windows\System32\Drivers\SaiH0461.sys [178432 2008-03-26] (Saitek)
3 SaiH0763; C:\Windows\System32\Drivers\SaiH0763.sys [178304 2008-02-15] (Saitek)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-05 09:54 - 2012-07-05 09:54 - 00000000 ____D C:\FRST
2012-07-05 00:37 - 2012-07-05 00:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.07089B0F65EEA6F1
2012-07-05 00:37 - 2012-07-05 00:37 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\elmqitxm.sys
2012-07-05 00:33 - 2012-07-05 00:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A5EBC26060A3C1A
2012-07-05 00:30 - 2012-07-05 00:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.FA525A543429CF4D
2012-07-05 00:09 - 2012-07-05 00:09 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-05 00:09 - 2012-07-05 00:09 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-04 05:58 - 2012-07-04 05:58 - 00000000 ____D C:\Windows\SysWOW64\directx
2012-07-04 05:58 - 2010-06-01 19:55 - 00527192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_7.dll
2012-07-04 05:58 - 2010-06-01 19:55 - 00518488 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_7.dll
2012-07-04 05:58 - 2010-06-01 19:55 - 00239960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_7.dll
2012-07-04 05:58 - 2010-06-01 19:55 - 00176984 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_7.dll
2012-07-04 05:58 - 2010-06-01 19:55 - 00077656 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_5.dll
2012-07-04 05:58 - 2010-06-01 19:55 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_5.dll
2012-07-04 05:58 - 2010-05-26 02:41 - 02526056 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_43.dll
2012-07-04 05:58 - 2010-05-26 02:41 - 02401112 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_43.dll
2012-07-04 05:58 - 2010-05-26 02:41 - 01907552 ____A (Microsoft Corporation) C:\Windows\System32\d3dcsx_43.dll
2012-07-04 05:58 - 2010-05-26 02:41 - 01868128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_43.dll
2012-07-04 05:58 - 2010-05-26 02:41 - 00511328 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_43.dll
2012-07-04 05:58 - 2010-05-26 02:41 - 00470880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_43.dll
2012-07-04 05:58 - 2010-05-26 02:41 - 00276832 ____A (Microsoft Corporation) C:\Windows\System32\d3dx11_43.dll
2012-07-04 05:58 - 2010-05-26 02:41 - 00248672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
2012-07-04 05:58 - 2010-02-04 01:01 - 00530776 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_6.dll
2012-07-04 05:58 - 2010-02-04 01:01 - 00528216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_6.dll
2012-07-04 05:58 - 2010-02-04 01:01 - 00238936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_6.dll
2012-07-04 05:58 - 2010-02-04 01:01 - 00176984 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_6.dll
2012-07-04 05:58 - 2010-02-04 01:01 - 00078680 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_4.dll
2012-07-04 05:58 - 2010-02-04 01:01 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_4.dll
2012-07-04 05:58 - 2010-02-04 01:01 - 00024920 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_7.dll
2012-07-04 05:58 - 2010-02-04 01:01 - 00022360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_7.dll
2012-07-04 05:58 - 2009-09-04 08:44 - 00517960 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_5.dll
2012-07-04 05:58 - 2009-09-04 08:44 - 00238936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_5.dll
2012-07-04 05:58 - 2009-09-04 08:44 - 00176968 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_5.dll
2012-07-04 05:58 - 2009-09-04 08:44 - 00073544 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_3.dll
2012-07-04 05:58 - 2009-09-04 08:29 - 05554512 ____A (Microsoft Corporation) C:\Windows\System32\d3dcsx_42.dll
2012-07-04 05:58 - 2009-09-04 08:29 - 05501792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_42.dll
2012-07-04 05:58 - 2009-09-04 08:29 - 02582888 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_42.dll
2012-07-04 05:58 - 2009-09-04 08:29 - 02475352 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_42.dll
2012-07-04 05:58 - 2009-09-04 08:29 - 01974616 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_42.dll
2012-07-04 05:58 - 2009-09-04 08:29 - 01892184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_42.dll
2012-07-04 05:58 - 2009-09-04 08:29 - 00285024 ____A (Microsoft Corporation) C:\Windows\System32\d3dx11_42.dll
2012-07-04 05:58 - 2009-09-04 08:29 - 00235344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_42.dll
2012-07-04 05:58 - 2008-10-27 01:04 - 00518480 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_3.dll
2012-07-04 05:58 - 2008-10-27 01:04 - 00514384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_3.dll
2012-07-04 05:58 - 2008-10-27 01:04 - 00235856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_3.dll
2012-07-04 05:58 - 2008-10-27 01:04 - 00175440 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_3.dll
2012-07-04 05:58 - 2008-10-27 01:04 - 00074576 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_2.dll
2012-07-04 05:58 - 2008-10-27 01:04 - 00070992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_2.dll
2012-07-04 05:58 - 2008-10-27 01:04 - 00025936 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_5.dll
2012-07-04 05:58 - 2008-10-27 01:04 - 00023376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_5.dll
2012-07-04 05:58 - 2008-07-31 01:41 - 00238088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_2.dll
2012-07-04 05:58 - 2008-07-31 01:41 - 00177672 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_2.dll
2012-07-04 05:58 - 2008-07-31 01:41 - 00072200 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_1.dll
2012-07-04 05:58 - 2008-07-31 01:41 - 00068616 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_1.dll
2012-07-04 05:58 - 2008-07-31 01:40 - 00513544 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_2.dll
2012-07-04 05:58 - 2008-07-31 01:40 - 00509448 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_2.dll
2012-06-29 06:52 - 2012-06-29 06:52 - 00000000 ___HD C:\Users\All Users\CanonIJScan
2012-06-29 03:25 - 2012-06-29 03:25 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-28 01:18 - 2012-06-29 06:51 - 00000000 ____D C:\Program Files (x86)\Canon
2012-06-28 01:18 - 2009-04-03 06:57 - 00106496 ____A (CANON INC.) C:\Windows\SysWOW64\CNC560U.dll
2012-06-28 01:18 - 2009-03-19 05:38 - 00303104 ____A (CANON INC.) C:\Windows\SysWOW64\CNC560L.dll
2012-06-28 01:18 - 2009-02-16 03:19 - 00012800 ____A C:\Windows\SysWOW64\CNC173ED.TBL
2012-06-28 01:18 - 2008-08-25 09:02 - 00015872 ____A (CANON INC.) C:\Windows\SysWOW64\CNHMCA.dll
2012-06-28 01:17 - 2012-06-28 01:17 - 00000000 ___HD C:\Program Files\CanonBJ
2012-06-28 01:17 - 2012-06-28 01:17 - 00000000 ____D C:\Windows\System32\STRING
2012-06-28 01:17 - 2012-06-28 01:17 - 00000000 ____D C:\Windows\System32\CHM
2012-06-28 01:17 - 2009-04-03 07:51 - 00353792 ____A (CANON INC.) C:\Windows\SysWOW64\CNMNPPM.DLL
2012-06-28 01:17 - 2009-04-03 07:51 - 00336896 ____A (CANON INC.) C:\Windows\System32\CNMN6PPM.DLL
2012-06-28 01:17 - 2009-04-03 07:51 - 00144384 ____A (CANON INC.) C:\Windows\System32\CNMN6UI.DLL
2012-06-21 02:42 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 02:42 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 02:42 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 02:42 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 02:42 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-21 02:42 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 02:42 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-21 02:42 - 2012-06-02 06:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 02:42 - 2012-06-02 06:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-15 03:46 - 2012-06-15 03:46 - 00000000 ____D C:\Program Files (x86)\Amazon
2012-06-11 07:27 - 2012-06-11 07:27 - 00000000 ____D C:\Program Files (x86)\MakeMKV
2012-06-11 07:09 - 2012-06-11 07:09 - 00000000 ____D C:\Program Files (x86)\AviSynth 2.5
2012-06-11 07:08 - 2011-01-03 01:07 - 00490496 ____A (www.madshi.net) C:\Windows\SysWOW64\madFlac.ax
2012-06-11 07:08 - 2009-04-28 05:44 - 00417792 ____A (Gabest) C:\Windows\SysWOW64\FLVSplitter.ax
2012-06-11 07:08 - 2009-03-26 12:33 - 00536652 ____A (ArcSoft Inc.) C:\Windows\SysWOW64\ASAudioHD.ax
2012-06-11 07:08 - 2008-11-28 06:36 - 00285184 ____A (ArcSoft Inc.) C:\Windows\SysWOW64\MagUIEngine.dll
2012-06-11 07:08 - 2008-11-28 06:36 - 00092672 ____A (ArcSoft Inc.) C:\Windows\SysWOW64\MagUIInter.dll
2012-06-11 07:08 - 2008-11-28 06:36 - 00055808 ____A (ArcSoft Inc.) C:\Windows\SysWOW64\MagPCMac.dll
2012-06-11 07:08 - 2008-11-28 06:36 - 00035328 ____A (ArcSoft Inc.) C:\Windows\SysWOW64\MagCore.dll
2012-06-11 07:08 - 2008-04-24 23:50 - 00917504 ____A C:\Windows\SysWOW64\dtsdecoderdll.dll
2012-06-11 07:08 - 2008-04-15 08:40 - 00106496 ____A (ArcSoft Inc.) C:\Windows\SysWOW64\checkactivate.dll
2012-06-11 07:08 - 2007-10-07 04:36 - 00258048 ____A C:\Windows\SysWOW64\libFLAC.dll
2012-06-11 07:08 - 2004-01-25 08:18 - 00070656 ____A (www.helixcommunity.org) C:\Windows\SysWOW64\yv12vfw.dll
2012-06-11 01:16 - 2012-06-11 01:16 - 00000000 ____D C:\Program Files (x86)\Foxit Software
2012-06-07 06:53 - 2012-06-07 06:53 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_androidusb_01009.Wdf
2012-06-06 01:04 - 2012-06-06 01:04 - 00000000 ____D C:\Program Files (x86)\DVDFab Passkey
2012-06-06 01:04 - 2011-08-15 05:51 - 00079232 ____A (Fengtao Software Inc.) C:\Windows\System32\Drivers\dvdfab.sys

============ 3 Months Modified Files ========================

2012-07-05 00:37 - 2012-07-05 00:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.07089B0F65EEA6F1
2012-07-05 00:37 - 2012-07-05 00:37 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\elmqitxm.sys
2012-07-05 00:35 - 2012-04-18 00:23 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
2012-07-05 00:35 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-05 00:35 - 2009-07-13 20:51 - 00031399 ____A C:\Windows\setupact.log
2012-07-05 00:33 - 2012-07-05 00:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A5EBC26060A3C1A
2012-07-05 00:30 - 2012-07-05 00:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.FA525A543429CF4D
2012-07-05 00:15 - 2012-04-17 05:05 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1848183946-4224764909-1401710521-1001UA.job
2012-07-05 00:14 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-05 00:14 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-05 00:13 - 2009-07-13 21:13 - 00781348 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-05 00:10 - 2012-04-17 02:27 - 01464648 ____A C:\Windows\WindowsUpdate.log
2012-07-05 00:09 - 2012-04-17 05:16 - 00786470 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-05 00:09 - 2012-04-17 05:16 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-04 23:59 - 2012-04-17 05:05 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1848183946-4224764909-1401710521-1001Core.job
2012-07-04 07:09 - 2012-04-17 07:25 - 00062908 ____A C:\Windows\DirectX.log
2012-06-29 03:22 - 2012-04-17 05:05 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-29 03:22 - 2012-04-17 05:05 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-07 06:53 - 2012-06-07 06:53 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_androidusb_01009.Wdf
2012-06-02 14:19 - 2012-06-21 02:42 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 02:42 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 02:42 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 02:42 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 02:42 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-21 02:42 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 02:42 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 06:19 - 2012-06-21 02:42 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 06:15 - 2012-06-21 02:42 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-22 06:59 - 2012-05-22 06:59 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-05-02 11:06 - 2009-07-13 20:45 - 00464768 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-02 11:01 - 2012-05-02 11:01 - 00000020 ____A C:\Windows\ìô»
2012-04-25 05:02 - 2012-04-17 05:28 - 00001184 ____A C:\Windows\PFRO.log
2012-04-18 00:40 - 2012-04-18 00:23 - 00008962 ____A C:\Windows\System32\lvcoinst.log
2012-04-18 00:36 - 2012-04-18 00:36 - 17790464 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 12282368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 10887168 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 09705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 03695416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
2012-04-18 00:36 - 2012-04-18 00:36 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2012-04-18 00:36 - 2012-04-18 00:36 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-04-18 00:36 - 2012-04-18 00:36 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-04-18 00:36 - 2012-04-18 00:36 - 02308096 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 02144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 01798656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 01792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 01493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-04-18 00:36 - 2012-04-18 00:36 - 01427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-04-18 00:36 - 2012-04-18 00:36 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 01345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 01127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 01103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00697344 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00603648 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00580608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00534528 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00452608 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00448512 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-04-18 00:36 - 2012-04-18 00:36 - 00434176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00403248 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00367104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-04-18 00:36 - 2012-04-18 00:36 - 00353792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00353584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00282112 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00267776 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00249344 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00227840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieaksie.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00223232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00222208 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00203776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00165888 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00163840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieakui.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00162304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00160256 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00160256 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00152064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00150528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00145920 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00135168 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00130560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieakeng.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00123392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00118784 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00114176 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00111616 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00101888 ____A (Microsoft Corporation) C:\Windows\SysWOW64\admparse.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00091648 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00089088 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00089088 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00086528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00082432 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00078848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00076800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2012-04-18 00:36 - 2012-04-18 00:36 - 00074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00074240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00066048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00063488 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2012-04-18 00:36 - 2012-04-18 00:36 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00054272 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00049664 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00035840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00031744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00023552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2012-04-18 00:36 - 2012-04-18 00:36 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00010752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-04-18 00:36 - 2012-04-18 00:36 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-04-18 00:36 - 2012-04-18 00:34 - 00003733 ____A C:\Windows\IE9_main.log
2012-04-17 11:20 - 2012-04-17 11:20 - 00008192 _RASH C:\BOOTSECT.BAK
2012-04-17 11:20 - 2009-07-13 21:38 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG
2012-04-17 11:20 - 2009-07-13 21:32 - 00028672 ____A C:\Windows\System32\config\BCD-Template
2012-04-17 05:19 - 2012-04-17 05:19 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_xusb21_01009.Wdf
2012-04-17 05:06 - 2012-04-17 05:06 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-04-17 05:06 - 2012-04-17 05:06 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-04-17 05:06 - 2012-04-17 05:06 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-04-17 05:06 - 2012-04-17 05:06 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-04-17 02:23 - 2009-07-13 21:01 - 00041962 ____A C:\Windows\SysWOW64\license.rtf
2012-04-17 02:23 - 2009-07-13 21:01 - 00041962 ____A C:\Windows\System32\license.rtf
2012-04-17 02:22 - 2012-04-17 02:22 - 00001313 ____A C:\Windows\TSSysprep.log
2012-04-17 02:22 - 2009-07-13 20:46 - 00001774 ____A C:\Windows\DtcInstall.log
2012-04-17 02:21 - 2012-04-17 02:21 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2012-04-17 01:31 - 2009-10-28 09:33 - 00000600 ____A C:\Users\James\AppData\Local\PUTTY.RND
2012-04-15 03:27 - 2012-04-15 03:27 - 00000959 ____A C:\Users\James\Desktop\join.me.lnk
2012-04-15 02:56 - 2011-01-18 08:24 - 00001012 ____A C:\Users\James\Desktop\Dropbox.lnk
2012-04-11 01:11 - 2012-04-11 01:11 - 00002227 ____A C:\Users\James\Desktop\RT 7 Lite (64-Bit).lnk
2012-04-10 11:31 - 2012-04-10 11:31 - 01075200 ____A C:\Windows\SysWOW64\ac3filter.acm


ZeroAccess:
C:\Windows\Installer\{973b70e0-5b87-2d8c-e45c-db0f685bd887}
C:\Windows\Installer\{973b70e0-5b87-2d8c-e45c-db0f685bd887}\@
C:\Windows\Installer\{973b70e0-5b87-2d8c-e45c-db0f685bd887}\L
C:\Windows\Installer\{973b70e0-5b87-2d8c-e45c-db0f685bd887}\n
C:\Windows\Installer\{973b70e0-5b87-2d8c-e45c-db0f685bd887}\U
C:\Windows\Installer\{973b70e0-5b87-2d8c-e45c-db0f685bd887}\U\00000001.@
C:\Windows\Installer\{973b70e0-5b87-2d8c-e45c-db0f685bd887}\U\800000cb.@

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4094.55 MB
Available physical RAM: 3517.86 MB
Total Pagefile: 4092.7 MB
Available Pagefile: 3509.4 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

2 Drive c: (Win7HP_SSD) (Fixed) (Total:223.57 GB) (Free:49.78 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive d: (Win7Ultimate) (Fixed) (Total:298.09 GB) (Free:55.91 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive e: (Data2) (Fixed) (Total:232.88 GB) (Free:139.22 GB) NTFS
7 Drive h: () (Removable) (Total:0.17 GB) (Free:0.17 GB) FAT32
12 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 223 GB 0 B
Disk 1 Online 298 GB 1024 KB
Disk 2 Online 232 GB 1024 KB
Disk 3 Online 491 MB 16 MB
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B
Disk 6 No Media 0 B 0 B
Disk 7 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 223 GB 1024 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Win7HP_SSD NTFS Partition 223 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Win7Ultimat NTFS Partition 298 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 31 KB

==================================================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E Data2 NTFS Partition 232 GB Healthy

==================================================================================

Partitions of Disk 3:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 179 MB 1024 KB
Partition 0 Primary 296 MB 180 MB

==================================================================================

Disk: 3
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT32 Removable 179 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-28 03:16

======================= End Of Log ==========================


Farbar Recovery Scan Tool Version: 04-07-2012 01
Ran by SYSTEM at 2012-07-05 10:00:48
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

Any help much appreciated!
 
Sorry - should have made clear - YA in post title stands for "Yet Another". It's not a new variant of SIREFEF!
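As an added example (not part of the thread, and not FRST's own code), the comparison behind FRST's "Bamital & volsnap Check" and the services.exe search above can be reproduced over the posted search output: group the copies by file name, treat the WinSxS component-store copies as the reference, and flag any live copy whose MD5 matches none of them. The sample input is the two search entries posted above; the regex, function names and the "metadata_matches" flag are my own assumptions about how to read that format.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: the two entries of the FRST 'Search: "services.exe"' block
# as posted in the thread above (the only source of these paths and hashes).
SAMPLE_SEARCH = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# Assumed layout of an FRST search entry: a path line followed by a detail line
#   [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_frst_search(text):
    """Return one dict per file found by an FRST 'Search:' run."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        detail = DETAIL_RE.match(lines[i + 1])
        # Only a drive-letter path directly followed by a detail line is an entry;
        # banner and blank lines are skipped.
        if detail and PATH_RE.match(line):
            entry = detail.groupdict()
            entry["path"] = line
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def find_hash_mismatches(entries):
    """Flag live copies whose MD5 matches none of the WinSxS copies of the same file.

    Several WinSxS versions of one binary are legitimate (servicing leaves old
    ones behind), so the live copy is suspicious only if it matches none of them.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)

    findings = []
    for group in by_name.values():
        refs = [e for e in group if "\\winsxs\\" in e["path"].lower()]
        if not refs:
            continue  # no component-store copy to compare against
        ref_md5s = {e["md5"] for e in refs}
        for e in group:
            if e in refs or e["md5"] in ref_md5s:
                continue
            findings.append({
                "path": e["path"],
                "md5": e["md5"],
                "reference_md5s": sorted(ref_md5s),
                # Size and both timestamps equal to a reference copy: the
                # replacement kept the original metadata, so only the hash
                # gives it away. That is exactly the case in the posted log.
                "metadata_matches": any(
                    e["size"] == r["size"]
                    and e["created"] == r["created"]
                    and e["modified"] == r["modified"]
                    for r in refs
                ),
            })
    return findings


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file on disk, for re-checking a flagged path after a fix."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for f in find_hash_mismatches(parse_frst_search(SAMPLE_SEARCH)):
        print(f"{f['path']}: {f['md5']} not in {f['reference_md5s']}"
              f" (metadata preserved: {f['metadata_matches']})")
```

On the posted log this reports only C:\Windows\System32\services.exe, with size and timestamps identical to the WinSxS copy, which is why a size or date comparison alone would not have caught it.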
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=================================================

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Next...

Restart normally.

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 

Attachments

  • fixlist.txt (807 bytes)
Many thanks, Broni. Everything seems to be working a lot better, thanks! Here's my Fixlog and Combofix:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-07-2012 01
Ran by SYSTEM at 2012-07-06 09:13:22 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
C:\Windows\System32\consrv.dll not found.
C:\Windows\System32\services.exe.07089B0F65EEA6F1 moved successfully.
C:\Windows\System32\Drivers\elmqitxm.sys not found.
C:\Windows\System32\services.exe.4A5EBC26060A3C1A moved successfully.
C:\Windows\System32\services.exe.FA525A543429CF4D moved successfully.
C:\Windows\Installer\{973b70e0-5b87-2d8c-e45c-db0f685bd887} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


ComboFix 12-07-06.01 - James 06/07/2012 9:21.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.4095.2852 [GMT 1:00]
Running from: c:\users\James\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
D:\install.exe
E:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
.
.
2012-07-06 08:06 . 2012-07-06 08:06 328704 ----a-w- c:\windows\system32\services.exe.EEDD893ADB7C16EC
2012-07-06 08:02 . 2012-07-06 08:02 328704 ----a-w- c:\windows\system32\services.exe.6BEF091AD0ECD24F
2012-07-06 07:58 . 2012-07-06 07:58 328704 ----a-w- c:\windows\system32\services.exe.1146FE0D1BCF2D40
2012-07-06 07:54 . 2012-07-06 07:54 328704 ----a-w- c:\windows\system32\services.exe.661C039DBE987523
2012-07-06 07:50 . 2012-07-06 07:50 328704 ----a-w- c:\windows\system32\services.exe.23F969068EFAA0E0
2012-07-06 07:47 . 2012-07-06 07:47 328704 ----a-w- c:\windows\system32\services.exe.A4089D21728A9F3A
2012-07-06 07:43 . 2012-07-06 07:43 328704 ----a-w- c:\windows\system32\services.exe.0495916AC1CDF356
2012-07-06 07:39 . 2012-07-06 07:39 328704 ----a-w- c:\windows\system32\services.exe.328F280BB52A2BDB
2012-07-06 07:35 . 2012-07-06 07:35 328704 ----a-w- c:\windows\system32\services.exe.5EA4E2BAD713D441
2012-07-06 07:31 . 2012-07-06 07:31 328704 ----a-w- c:\windows\system32\services.exe.1FAB37EC90022F0B
2012-07-06 07:27 . 2012-07-06 07:27 328704 ----a-w- c:\windows\system32\services.exe.BE25B9D0F438E00E
2012-07-06 07:23 . 2012-07-06 07:23 328704 ----a-w- c:\windows\system32\services.exe.B0A92687F6A55619
2012-07-06 07:19 . 2012-07-06 07:19 328704 ----a-w- c:\windows\system32\services.exe.6380A8BC9A33CFD3
2012-07-06 07:16 . 2012-07-06 07:16 328704 ----a-w- c:\windows\system32\services.exe.424BB3F01DB97C58
2012-07-06 07:12 . 2012-07-06 07:12 328704 ----a-w- c:\windows\system32\services.exe.0B2124E4BB09B477
2012-07-06 07:08 . 2012-07-06 07:08 328704 ----a-w- c:\windows\system32\services.exe.4C4138470B3FDD47
2012-07-06 07:04 . 2012-07-06 07:04 328704 ----a-w- c:\windows\system32\services.exe.03BB8BFDF631EC42
2012-07-06 07:00 . 2012-07-06 07:00 328704 ----a-w- c:\windows\system32\services.exe.97513600FA10A037
2012-07-06 06:56 . 2012-07-06 06:56 328704 ----a-w- c:\windows\system32\services.exe.D295727035653230
2012-07-06 06:52 . 2012-07-06 06:52 328704 ----a-w- c:\windows\system32\services.exe.2D81F81CA5B6A075
2012-07-06 06:48 . 2012-07-06 06:48 328704 ----a-w- c:\windows\system32\services.exe.4BA58709BD3E5513
2012-07-06 06:45 . 2012-07-06 06:45 328704 ----a-w- c:\windows\system32\services.exe.45DED8D4DBD10DFE
2012-07-06 06:41 . 2012-07-06 06:41 328704 ----a-w- c:\windows\system32\services.exe.3FBEE06026C9277B
2012-07-06 06:37 . 2012-07-06 06:37 328704 ----a-w- c:\windows\system32\services.exe.8F9C44252F2F7E17
2012-07-06 06:33 . 2012-07-06 06:33 328704 ----a-w- c:\windows\system32\services.exe.5028279C68718CA7
2012-07-06 06:29 . 2012-07-06 06:29 328704 ----a-w- c:\windows\system32\services.exe.B783A8152557B43E
2012-07-06 06:25 . 2012-07-06 06:25 328704 ----a-w- c:\windows\system32\services.exe.C405FB95B24CDDD6
2012-07-06 06:21 . 2012-07-06 06:21 328704 ----a-w- c:\windows\system32\services.exe.DFF6B6EA37924F91
2012-07-06 06:17 . 2012-07-06 06:17 328704 ----a-w- c:\windows\system32\services.exe.B5638BBBBF0A87E6
2012-07-06 06:14 . 2012-07-06 06:14 328704 ----a-w- c:\windows\system32\services.exe.D778C119AD779950
2012-07-06 06:10 . 2012-07-06 06:10 328704 ----a-w- c:\windows\system32\services.exe.BD01393C5F737ACF
2012-07-06 06:06 . 2012-07-06 06:06 328704 ----a-w- c:\windows\system32\services.exe.6617019668C12EB8
2012-07-06 06:02 . 2012-07-06 06:02 328704 ----a-w- c:\windows\system32\services.exe.007A9B6CC77882D4
2012-07-06 05:58 . 2012-07-06 05:58 328704 ----a-w- c:\windows\system32\services.exe.DFFC53EB18BEF429
2012-07-06 05:54 . 2012-07-06 05:54 328704 ----a-w- c:\windows\system32\services.exe.816B0E2940B0EBA6
2012-07-06 05:50 . 2012-07-06 05:50 328704 ----a-w- c:\windows\system32\services.exe.08A05D2DAC16B2B0
2012-07-06 05:46 . 2012-07-06 05:46 328704 ----a-w- c:\windows\system32\services.exe.92B8D026FEF54911
2012-07-06 05:42 . 2012-07-06 05:42 328704 ----a-w- c:\windows\system32\services.exe.A818E68E7BCB96CE
2012-07-06 05:38 . 2012-07-06 05:38 328704 ----a-w- c:\windows\system32\services.exe.CDB90D08CCEC762F
2012-07-06 05:35 . 2012-07-06 05:35 328704 ----a-w- c:\windows\system32\services.exe.F96CE7F1D30BB3F1
2012-07-06 05:31 . 2012-07-06 05:31 328704 ----a-w- c:\windows\system32\services.exe.C9C13596FFA4D37F
2012-07-06 05:27 . 2012-07-06 05:27 328704 ----a-w- c:\windows\system32\services.exe.8D4CF7537F67D098
2012-07-06 05:23 . 2012-07-06 05:23 328704 ----a-w- c:\windows\system32\services.exe.5E946830481839C4
2012-07-06 05:19 . 2012-07-06 05:19 328704 ----a-w- c:\windows\system32\services.exe.DDCE9360E767E050
2012-07-06 05:13 . 2012-07-06 05:13 328704 ----a-w- c:\windows\system32\services.exe.D30648DBA36AFD39
2012-07-06 05:09 . 2012-07-06 05:09 328704 ----a-w- c:\windows\system32\services.exe.EBE5C28166B15C89
2012-07-06 05:05 . 2012-07-06 05:05 328704 ----a-w- c:\windows\system32\services.exe.EDB7EB89DEAA6AAF
2012-07-06 05:01 . 2012-07-06 05:01 328704 ----a-w- c:\windows\system32\services.exe.9A6102C7EF023512
2012-07-06 04:57 . 2012-07-06 04:57 328704 ----a-w- c:\windows\system32\services.exe.888C2D59149F0114
2012-07-06 04:53 . 2012-07-06 04:53 328704 ----a-w- c:\windows\system32\services.exe.38AF0E324A4EB895
2012-07-06 04:49 . 2012-07-06 04:49 328704 ----a-w- c:\windows\system32\services.exe.F78907F8AE8384C1
2012-07-06 04:45 . 2012-07-06 04:45 328704 ----a-w- c:\windows\system32\services.exe.54361D525E2D5732
2012-07-06 04:41 . 2012-07-06 04:41 328704 ----a-w- c:\windows\system32\services.exe.F7CA5756730C8D5A
2012-07-06 04:37 . 2012-07-06 04:37 328704 ----a-w- c:\windows\system32\services.exe.333DFF38C8382D05
2012-07-06 04:34 . 2012-07-06 04:34 328704 ----a-w- c:\windows\system32\services.exe.2139F760DFECD905
2012-07-06 04:30 . 2012-07-06 04:30 328704 ----a-w- c:\windows\system32\services.exe.67F6E48453B3F633
2012-07-06 04:26 . 2012-07-06 04:26 328704 ----a-w- c:\windows\system32\services.exe.62F7DBEF6663CEAE
2012-07-06 04:22 . 2012-07-06 04:22 328704 ----a-w- c:\windows\system32\services.exe.8D9FFC1E3D144D84
2012-07-06 04:18 . 2012-07-06 04:18 328704 ----a-w- c:\windows\system32\services.exe.047466BD2BDF38A7
2012-07-06 04:14 . 2012-07-06 04:14 328704 ----a-w- c:\windows\system32\services.exe.CB8F18217E11C2C1
2012-07-06 04:10 . 2012-07-06 04:10 328704 ----a-w- c:\windows\system32\services.exe.F007422DA73A7F20
2012-07-06 04:06 . 2012-07-06 04:06 328704 ----a-w- c:\windows\system32\services.exe.AD8190AFA7EFA60B
2012-07-06 04:02 . 2012-07-06 04:02 328704 ----a-w- c:\windows\system32\services.exe.B12F13AD35C8D4CC
2012-07-06 03:58 . 2012-07-06 03:58 328704 ----a-w- c:\windows\system32\services.exe.B05134CA9351635B
2012-07-06 03:55 . 2012-07-06 03:55 328704 ----a-w- c:\windows\system32\services.exe.2CA6F49F9503F54C
2012-07-06 03:51 . 2012-07-06 03:51 328704 ----a-w- c:\windows\system32\services.exe.96FCFE7C2036CDF2
2012-07-06 03:47 . 2012-07-06 03:47 328704 ----a-w- c:\windows\system32\services.exe.D5ACF69D44D76FC6
2012-07-06 03:43 . 2012-07-06 03:43 328704 ----a-w- c:\windows\system32\services.exe.D89FEDB555E84817
2012-07-06 03:38 . 2012-07-06 03:38 328704 ----a-w- c:\windows\system32\services.exe.9135493AC38CD43F
2012-07-06 03:34 . 2012-07-06 03:34 328704 ----a-w- c:\windows\system32\services.exe.6F799B38FE77D6D7
2012-07-06 03:30 . 2012-07-06 03:30 328704 ----a-w- c:\windows\system32\services.exe.94DE8F8AD3CB539C
2012-07-06 03:26 . 2012-07-06 03:26 328704 ----a-w- c:\windows\system32\services.exe.EE5B4D94C60162ED
2012-07-06 03:22 . 2012-07-06 03:22 328704 ----a-w- c:\windows\system32\services.exe.3627AD7B70800AC3
2012-07-06 03:18 . 2012-07-06 03:18 328704 ----a-w- c:\windows\system32\services.exe.766CA529EE45C138
2012-07-06 03:14 . 2012-07-06 03:14 328704 ----a-w- c:\windows\system32\services.exe.D5E1A09A2A14C0BB
2012-07-06 03:10 . 2012-07-06 03:10 328704 ----a-w- c:\windows\system32\services.exe.E27E15CD7E6FAEA4
2012-07-06 03:06 . 2012-07-06 03:06 328704 ----a-w- c:\windows\system32\services.exe.5B24D92E6135ECA2
2012-07-06 03:03 . 2012-07-06 03:03 328704 ----a-w- c:\windows\system32\services.exe.DCE1BB5E78CE5A74
2012-07-06 02:59 . 2012-07-06 02:59 328704 ----a-w- c:\windows\system32\services.exe.1D6CD40C48AA6594
2012-07-06 02:55 . 2012-07-06 02:55 328704 ----a-w- c:\windows\system32\services.exe.7FEF5381B27D26A9
2012-07-06 02:51 . 2012-07-06 02:51 328704 ----a-w- c:\windows\system32\services.exe.188506709427C95A
2012-07-06 02:47 . 2012-07-06 02:47 328704 ----a-w- c:\windows\system32\services.exe.AE0ECEC93C2D7D19
2012-07-05 19:14 . 2012-07-05 19:14 328704 ----a-w- c:\windows\system32\services.exe.8E9B908C27A6A840
2012-07-05 17:54 . 2012-07-05 17:54 -------- d-----w- C:\FRST
2012-07-05 08:36 . 2012-07-06 08:40 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{01E5A6E6-9171-4E59-BF6E-41822B0E4768}\offreg.dll
2012-07-05 08:12 . 2012-02-09 13:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-07-05 08:12 . 2012-02-09 13:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{26E80972-518F-4456-BA8A-B030FC963B60}\gapaengine.dll
2012-07-05 08:12 . 2012-06-18 02:12 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{01E5A6E6-9171-4E59-BF6E-41822B0E4768}\mpengine.dll
2012-07-05 08:09 . 2012-07-05 08:09 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-07-05 08:09 . 2012-07-05 08:09 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-05 08:04 . 2012-07-05 08:04 -------- d-----w- c:\users\James\AppData\Local\ElevatedDiagnostics
2012-07-04 15:10 . 2012-07-04 15:10 -------- d-----w- c:\users\James\AppData\Roaming\bizarre creations
2012-07-04 14:31 . 2012-07-04 14:31 -------- d-----w- c:\users\James\AppData\Local\My Games
2012-06-29 14:52 . 2012-06-29 14:52 -------- d--h--w- c:\programdata\CanonIJScan
2012-06-29 14:51 . 2012-06-29 14:52 -------- d-----w- c:\users\James\AppData\Roaming\Canon
2012-06-29 11:25 . 2012-06-29 11:25 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-28 09:18 . 2012-06-29 14:51 -------- d-----w- c:\program files (x86)\Canon
2012-06-28 09:18 . 2009-04-03 14:57 106496 ----a-w- c:\windows\SysWow64\CNC560U.dll
2012-06-28 09:18 . 2009-03-19 13:38 303104 ----a-w- c:\windows\SysWow64\CNC560L.dll
2012-06-28 09:18 . 2008-08-25 17:02 15872 ----a-w- c:\windows\SysWow64\CNHMCA.dll
2012-06-28 09:17 . 2012-06-28 09:17 -------- d-----w- c:\windows\system32\STRING
2012-06-28 09:17 . 2012-06-28 09:17 -------- d-----w- c:\windows\system32\CHM
2012-06-28 09:17 . 2009-04-03 15:51 144384 ----a-w- c:\windows\system32\CNMN6UI.DLL
2012-06-28 09:17 . 2009-04-03 15:51 336896 ----a-w- c:\windows\system32\CNMN6PPM.DLL
2012-06-28 09:17 . 2009-04-03 15:51 353792 ----a-w- c:\windows\SysWow64\CNMNPPM.DLL
2012-06-28 09:17 . 2012-06-28 09:17 -------- d--h--w- c:\program files\CanonBJ
2012-06-21 10:42 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 10:42 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 10:42 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 10:42 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 10:42 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 10:42 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 10:42 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 10:42 . 2012-06-02 14:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 10:42 . 2012-06-02 14:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-19 15:28 . 2012-06-19 15:28 -------- d-----w- c:\users\James\AppData\Local\Macromedia
2012-06-15 11:47 . 2012-06-15 11:47 -------- d-----w- c:\users\James\AppData\Roaming\Amazon
2012-06-15 11:46 . 2012-06-15 11:46 -------- d-----w- c:\program files (x86)\Amazon
2012-06-11 15:27 . 2012-06-11 15:27 -------- d-----w- c:\users\James\.MakeMKV
2012-06-11 15:27 . 2012-06-11 15:27 -------- d-----w- c:\program files (x86)\MakeMKV
2012-06-11 15:13 . 2012-06-11 15:14 -------- d-----w- c:\users\James\AppData\Roaming\Media Player Classic
2012-06-11 15:09 . 2012-06-11 15:09 -------- d-----w- c:\program files (x86)\AviSynth 2.5
2012-06-11 15:08 . 2012-06-11 15:25 -------- d-----w- C:\Temp
2012-06-11 15:08 . 2009-03-26 20:33 536652 ----a-w- c:\windows\SysWow64\ASAudioHD.ax
2012-06-11 15:08 . 2008-11-28 14:36 55808 ----a-w- c:\windows\SysWow64\MagPCMac.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-29 11:22 . 2012-04-17 13:05 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-29 11:22 . 2012-04-17 13:05 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-02 19:00 . 2011-03-28 17:36 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-04-18 08:36 . 2012-04-18 08:36 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-04-18 08:36 . 2012-04-18 08:36 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-04-18 08:36 . 2012-04-18 08:36 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2012-04-18 08:36 . 2012-04-18 08:36 1798656 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-04-18 08:36 . 2012-04-18 08:36 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-04-18 08:36 . 2012-04-18 08:36 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-04-18 08:36 . 2012-04-18 08:36 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-04-18 08:36 . 2012-04-18 08:36 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-04-18 08:36 . 2012-04-18 08:36 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-04-18 08:36 . 2012-04-18 08:36 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-04-18 08:36 . 2012-04-18 08:36 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-04-18 08:36 . 2012-04-18 08:36 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-04-18 08:36 . 2012-04-18 08:36 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-04-18 08:36 . 2012-04-18 08:36 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-04-18 08:36 . 2012-04-18 08:36 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-04-18 08:36 . 2012-04-18 08:36 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-04-18 08:36 . 2012-04-18 08:36 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-04-18 08:36 . 2012-04-18 08:36 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-04-18 08:36 . 2012-04-18 08:36 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-04-18 08:36 . 2012-04-18 08:36 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-04-18 08:36 . 2012-04-18 08:36 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-04-18 08:36 . 2012-04-18 08:36 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-04-18 08:36 . 2012-04-18 08:36 222208 ----a-w- c:\windows\system32\msls31.dll
2012-04-18 08:36 . 2012-04-18 08:36 1390080 ----a-w- c:\windows\system32\wininet.dll
2012-04-18 08:36 . 2012-04-18 08:36 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-04-18 08:36 . 2012-04-18 08:36 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-04-18 08:36 . 2012-04-18 08:36 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-04-18 08:36 . 2012-04-18 08:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-18 08:36 . 2012-04-18 08:36 2308096 ----a-w- c:\windows\system32\jscript9.dll
2012-04-18 08:36 . 2012-04-18 08:36 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-04-18 08:36 . 2012-04-18 08:36 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-04-18 08:36 . 2012-04-18 08:36 12288 ----a-w- c:\windows\system32\mshta.exe
2012-04-18 08:36 . 2012-04-18 08:36 114176 ----a-w- c:\windows\system32\admparse.dll
2012-04-18 08:36 . 2012-04-18 08:36 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-04-18 08:36 . 2012-04-18 08:36 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-04-18 08:36 . 2012-04-18 08:36 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-04-18 08:36 . 2012-04-18 08:36 448512 ----a-w- c:\windows\system32\html.iec
2012-04-18 08:36 . 2012-04-18 08:36 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-04-18 08:36 . 2012-04-18 08:36 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2012-04-18 08:36 . 2012-04-18 08:36 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-04-18 08:36 . 2012-04-18 08:36 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-04-18 08:36 . 2012-04-18 08:36 160256 ----a-w- c:\windows\system32\wextract.exe
2012-04-17 13:06 . 2012-04-17 13:06 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-04-10 19:31 . 2012-04-10 19:31 1075200 ----a-w- c:\windows\SysWow64\ac3filter.acm
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-04-17 1242448]
"DVDFab Passkey"="c:\program files (x86)\DVDFab Passkey\DVDFabPasskey.exe" [2012-05-22 1392672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"InputDirector"="c:\program files (x86)\Input Director\InputDirector.exe" [2010-02-01 475136]
"Bing Bar"="c:\program files (x86)\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe" [2010-03-24 243544]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
.
c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\James\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-4-17 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 32768]
R3 IDVistaService;Input Director Vista Service;c:\program files (x86)\Input Director\IDVistaService.exe [2009-02-08 13824]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-19 113120]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-18 1255736]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 25088]
S2 InputDirector;Input Director Service;c:\program files (x86)\Input Director\IDWinService.exe [2010-02-01 36864]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [2011-08-15 79232]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2012-01-18 351136]
S3 LVUVC64;Logitech Webcam 500(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2012-01-18 4865568]
S3 SaiH0461;SaiH0461;c:\windows\system32\DRIVERS\SaiH0461.sys [2008-03-26 178432]
S3 SaiH0763;SaiH0763;c:\windows\system32\DRIVERS\SaiH0763.sys [2008-02-15 178304]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1848183946-4224764909-1401710521-1001Core.job
- c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-17 06:15]
.
2012-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1848183946-4224764909-1401710521-1001UA.job
- c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-17 06:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: Interfaces\{37B856E9-8AD9-4525-81E9-53D6A694AFAA}: NameServer = 192.168.2.1
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\78vu8i1c.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*k*v*gxyM\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*k*v*zyM\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*k*v*azyM\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*k*v*¤zyM\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Input Director\InputDirectorSessionHelper.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Common Files\Steam\SteamService.exe
.
**************************************************************************
.
Completion time: 2012-07-06 09:42:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-06 08:42
.
Pre-Run: 46,534,889,472 bytes free
Post-Run: 46,467,600,384 bytes free
.
- - End Of File - - DCD5BB2D12B5E2A518DD11D60E2ED354

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\services.exe.97513600FA10A037
c:\windows\system32\services.exe.03BB8BFDF631EC42
c:\windows\system32\services.exe.4C4138470B3FDD47
c:\windows\system32\services.exe.0B2124E4BB09B477
c:\windows\system32\services.exe.424BB3F01DB97C58
c:\windows\system32\services.exe.6380A8BC9A33CFD3
c:\windows\system32\services.exe.B0A92687F6A55619
c:\windows\system32\services.exe.BE25B9D0F438E00E
c:\windows\system32\services.exe.1FAB37EC90022F0B
c:\windows\system32\services.exe.5EA4E2BAD713D441
c:\windows\system32\services.exe.328F280BB52A2BDB
c:\windows\system32\services.exe.0495916AC1CDF356
c:\windows\system32\services.exe.A4089D21728A9F3A
c:\windows\system32\services.exe.23F969068EFAA0E0
c:\windows\system32\services.exe.661C039DBE987523
c:\windows\system32\services.exe.1146FE0D1BCF2D40
c:\windows\system32\services.exe.6BEF091AD0ECD24F
c:\windows\system32\services.exe.EEDD893ADB7C16EC
c:\windows\system32\services.exe.B783A8152557B43E
c:\windows\system32\services.exe.5028279C68718CA7
c:\windows\system32\services.exe.8F9C44252F2F7E17
c:\windows\system32\services.exe.3FBEE06026C9277B
c:\windows\system32\services.exe.45DED8D4DBD10DFE
c:\windows\system32\services.exe.4BA58709BD3E5513
c:\windows\system32\services.exe.2D81F81CA5B6A075
c:\windows\system32\services.exe.D295727035653230
c:\windows\system32\services.exe.F96CE7F1D30BB3F1
c:\windows\system32\services.exe.CDB90D08CCEC762F
c:\windows\system32\services.exe.A818E68E7BCB96CE
c:\windows\system32\services.exe.92B8D026FEF54911
c:\windows\system32\services.exe.08A05D2DAC16B2B0
c:\windows\system32\services.exe.816B0E2940B0EBA6
c:\windows\system32\services.exe.DFFC53EB18BEF429
c:\windows\system32\services.exe.007A9B6CC77882D4
c:\windows\system32\services.exe.6617019668C12EB8
c:\windows\system32\services.exe.BD01393C5F737ACF
c:\windows\system32\services.exe.D778C119AD779950
c:\windows\system32\services.exe.B5638BBBBF0A87E6
c:\windows\system32\services.exe.DFF6B6EA37924F91
c:\windows\system32\services.exe.C405FB95B24CDDD6
c:\windows\system32\services.exe.2139F760DFECD905
c:\windows\system32\services.exe.333DFF38C8382D05
c:\windows\system32\services.exe.F7CA5756730C8D5A
c:\windows\system32\services.exe.54361D525E2D5732
c:\windows\system32\services.exe.F78907F8AE8384C1
c:\windows\system32\services.exe.38AF0E324A4EB895
c:\windows\system32\services.exe.888C2D59149F0114
c:\windows\system32\services.exe.9A6102C7EF023512
c:\windows\system32\services.exe.EDB7EB89DEAA6AAF
c:\windows\system32\services.exe.EBE5C28166B15C89
c:\windows\system32\services.exe.D30648DBA36AFD39
c:\windows\system32\services.exe.DDCE9360E767E050
c:\windows\system32\services.exe.5E946830481839C4
c:\windows\system32\services.exe.8D4CF7537F67D098
c:\windows\system32\services.exe.C9C13596FFA4D37F
c:\windows\system32\services.exe.6F799B38FE77D6D7
c:\windows\system32\services.exe.9135493AC38CD43F
c:\windows\system32\services.exe.D89FEDB555E84817
c:\windows\system32\services.exe.D5ACF69D44D76FC6
c:\windows\system32\services.exe.96FCFE7C2036CDF2
c:\windows\system32\services.exe.2CA6F49F9503F54C
c:\windows\system32\services.exe.B05134CA9351635B
c:\windows\system32\services.exe.B12F13AD35C8D4CC
c:\windows\system32\services.exe.AD8190AFA7EFA60B
c:\windows\system32\services.exe.F007422DA73A7F20
c:\windows\system32\services.exe.CB8F18217E11C2C1
c:\windows\system32\services.exe.047466BD2BDF38A7
c:\windows\system32\services.exe.8D9FFC1E3D144D84
c:\windows\system32\services.exe.62F7DBEF6663CEAE
c:\windows\system32\services.exe.67F6E48453B3F633
c:\windows\system32\services.exe.8E9B908C27A6A840
c:\windows\system32\services.exe.AE0ECEC93C2D7D19
c:\windows\system32\services.exe.188506709427C95A
c:\windows\system32\services.exe.7FEF5381B27D26A9
c:\windows\system32\services.exe.1D6CD40C48AA6594
c:\windows\system32\services.exe.DCE1BB5E78CE5A74
c:\windows\system32\services.exe.5B24D92E6135ECA2
c:\windows\system32\services.exe.E27E15CD7E6FAEA4
c:\windows\system32\services.exe.D5E1A09A2A14C0BB
c:\windows\system32\services.exe.766CA529EE45C138
c:\windows\system32\services.exe.3627AD7B70800AC3
c:\windows\system32\services.exe.EE5B4D94C60162ED
c:\windows\system32\services.exe.94DE8F8AD3CB539C

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all antivirus and antimalware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
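As an added example (not code from this thread or from ComboFix), the Python script below reconciles a CFScript's File:: list against the FILE :: echo and the Other Deletions section of the ComboFix.txt it produced, so anything requested but not deleted is flagged before the machine is declared clean. The sample script and log embedded in it are constructed with made-up 16-hex suffixes; the services.exe.<16 hex> naming pattern it flags is taken from the file names in this thread.

```python
"""Reconcile a ComboFix run against the CFScript that drove it.

Added example for this thread, not ComboFix's own code: it reads the File::
block of a CFScript plus the FILE :: echo and Other Deletions section of the
resulting ComboFix.txt, and reports requested files that were not deleted.
"""
import re

# ComboFix banners look like "((((( Other Deletions )))))"; the second pattern is
# services.exe plus a 16-hex-digit suffix, the naming seen in this thread's logs.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
SERVICES_COPY_RE = re.compile(r"\\services\.exe\.[0-9a-f]{16}$", re.IGNORECASE)


def parse_cfscript_files(script_text):
    """Paths under the File:: directive, whitespace-stripped and lower-cased."""
    files, in_files = [], False
    for raw in script_text.splitlines():
        line = raw.strip()  # the thread's script indents a few lines by one space
        if not line:
            continue
        if line.endswith("::"):  # any directive: File::, ClearJavaCache::, ...
            in_files = line.lower() == "file::"
            continue
        if in_files:
            files.append(line.lower())
    return files


def parse_acknowledged(log_text):
    """Paths ComboFix echoes back under FILE :: (quoted, one per line)."""
    out, active = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.upper().replace(" ", "") == "FILE::":
            active = True
        elif active and len(line) > 1 and line[0] == line[-1] == '"':
            out.append(line[1:-1].lower())
        elif active:
            break  # the "." separator ends the echoed list
    return out


def parse_other_deletions(log_text):
    """Paths listed under Other Deletions, up to the next section banner."""
    out, active = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            active = "other deletions" in banner.group(1).lower()
        elif active and line and line != ".":
            out.append(line.lower())
    return out


def suspicious_services_copies(paths):
    """Keep paths named services.exe.<16 hex>; plain services.exe is not flagged."""
    return [p for p in paths if SERVICES_COPY_RE.search(p)]


def reconcile(script_text, log_text):
    """Compare what the script asked for with what ComboFix reports it did."""
    requested = parse_cfscript_files(script_text)
    acknowledged = set(parse_acknowledged(log_text))
    deleted = set(parse_other_deletions(log_text))
    return {
        "requested": len(requested),
        "not_acknowledged": sorted(p for p in requested if p not in acknowledged),
        "not_deleted": sorted(p for p in requested if p not in deleted),
        "deleted_unrequested": sorted(deleted - set(requested)),
    }


# Constructed sample in the layout of the thread's script and log; the
# 16-hex-digit suffixes are made up, not values from the thread.
SAMPLE_SCRIPT = r"""File::
c:\windows\system32\services.exe.0123456789ABCDEF
 c:\windows\system32\services.exe.FEDCBA9876543210
c:\windows\system32\services.exe.00000000DEADBEEF

ClearJavaCache::
"""

SAMPLE_LOG = r"""ComboFix 12-07-08.01 - (sample run) - x64
.
FILE ::
"c:\windows\system32\services.exe.0123456789ABCDEF"
"c:\windows\system32\services.exe.FEDCBA9876543210"
"c:\windows\system32\services.exe.00000000DEADBEEF"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\services.exe.0123456789ABCDEF
c:\windows\system32\services.exe.FEDCBA9876543210
.
((((((((((((((((((((((((( Files Created from 2012-06-09 to 2012-07-09 )))))))))))))))))))))))))))))))
2012-07-09 10:29 . 2012-07-09 10:29 -------- d-----w- c:\users\Default\AppData\Local\temp
"""
```

Run `reconcile(open("CFScript.txt").read(), open("ComboFix.txt").read())` on a real pair; a non-empty `not_deleted` list means the run should be repeated or the helper told which files survived.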
 
ComboFix updated to the latest version as part of this process. Log output:

ComboFix 12-07-08.01 - James 09/07/2012 11:10:06.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.4095.2989 [GMT 1:00]
Running from: c:\users\James\Desktop\ComboFix.exe
Command switches used :: c:\users\James\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\services.exe.007A9B6CC77882D4"
"c:\windows\system32\services.exe.03BB8BFDF631EC42"
"c:\windows\system32\services.exe.047466BD2BDF38A7"
"c:\windows\system32\services.exe.0495916AC1CDF356"
"c:\windows\system32\services.exe.08A05D2DAC16B2B0"
"c:\windows\system32\services.exe.0B2124E4BB09B477"
"c:\windows\system32\services.exe.1146FE0D1BCF2D40"
"c:\windows\system32\services.exe.188506709427C95A"
"c:\windows\system32\services.exe.1D6CD40C48AA6594"
"c:\windows\system32\services.exe.1FAB37EC90022F0B"
"c:\windows\system32\services.exe.2139F760DFECD905"
"c:\windows\system32\services.exe.23F969068EFAA0E0"
"c:\windows\system32\services.exe.2CA6F49F9503F54C"
"c:\windows\system32\services.exe.2D81F81CA5B6A075"
"c:\windows\system32\services.exe.328F280BB52A2BDB"
"c:\windows\system32\services.exe.333DFF38C8382D05"
"c:\windows\system32\services.exe.3627AD7B70800AC3"
"c:\windows\system32\services.exe.38AF0E324A4EB895"
"c:\windows\system32\services.exe.3FBEE06026C9277B"
"c:\windows\system32\services.exe.424BB3F01DB97C58"
"c:\windows\system32\services.exe.45DED8D4DBD10DFE"
"c:\windows\system32\services.exe.4BA58709BD3E5513"
"c:\windows\system32\services.exe.4C4138470B3FDD47"
"c:\windows\system32\services.exe.5028279C68718CA7"
"c:\windows\system32\services.exe.54361D525E2D5732"
"c:\windows\system32\services.exe.5B24D92E6135ECA2"
"c:\windows\system32\services.exe.5E946830481839C4"
"c:\windows\system32\services.exe.5EA4E2BAD713D441"
"c:\windows\system32\services.exe.62F7DBEF6663CEAE"
"c:\windows\system32\services.exe.6380A8BC9A33CFD3"
"c:\windows\system32\services.exe.6617019668C12EB8"
"c:\windows\system32\services.exe.661C039DBE987523"
"c:\windows\system32\services.exe.67F6E48453B3F633"
"c:\windows\system32\services.exe.6BEF091AD0ECD24F"
"c:\windows\system32\services.exe.6F799B38FE77D6D7"
"c:\windows\system32\services.exe.766CA529EE45C138"
"c:\windows\system32\services.exe.7FEF5381B27D26A9"
"c:\windows\system32\services.exe.816B0E2940B0EBA6"
"c:\windows\system32\services.exe.888C2D59149F0114"
"c:\windows\system32\services.exe.8D4CF7537F67D098"
"c:\windows\system32\services.exe.8D9FFC1E3D144D84"
"c:\windows\system32\services.exe.8E9B908C27A6A840"
"c:\windows\system32\services.exe.8F9C44252F2F7E17"
"c:\windows\system32\services.exe.9135493AC38CD43F"
"c:\windows\system32\services.exe.92B8D026FEF54911"
"c:\windows\system32\services.exe.94DE8F8AD3CB539C"
"c:\windows\system32\services.exe.96FCFE7C2036CDF2"
"c:\windows\system32\services.exe.97513600FA10A037"
"c:\windows\system32\services.exe.9A6102C7EF023512"
"c:\windows\system32\services.exe.A4089D21728A9F3A"
"c:\windows\system32\services.exe.A818E68E7BCB96CE"
"c:\windows\system32\services.exe.AD8190AFA7EFA60B"
"c:\windows\system32\services.exe.AE0ECEC93C2D7D19"
"c:\windows\system32\services.exe.B05134CA9351635B"
"c:\windows\system32\services.exe.B0A92687F6A55619"
"c:\windows\system32\services.exe.B12F13AD35C8D4CC"
"c:\windows\system32\services.exe.B5638BBBBF0A87E6"
"c:\windows\system32\services.exe.B783A8152557B43E"
"c:\windows\system32\services.exe.BD01393C5F737ACF"
"c:\windows\system32\services.exe.BE25B9D0F438E00E"
"c:\windows\system32\services.exe.C405FB95B24CDDD6"
"c:\windows\system32\services.exe.C9C13596FFA4D37F"
"c:\windows\system32\services.exe.CB8F18217E11C2C1"
"c:\windows\system32\services.exe.CDB90D08CCEC762F"
"c:\windows\system32\services.exe.D295727035653230"
"c:\windows\system32\services.exe.D30648DBA36AFD39"
"c:\windows\system32\services.exe.D5ACF69D44D76FC6"
"c:\windows\system32\services.exe.D5E1A09A2A14C0BB"
"c:\windows\system32\services.exe.D778C119AD779950"
"c:\windows\system32\services.exe.D89FEDB555E84817"
"c:\windows\system32\services.exe.DCE1BB5E78CE5A74"
"c:\windows\system32\services.exe.DDCE9360E767E050"
"c:\windows\system32\services.exe.DFF6B6EA37924F91"
"c:\windows\system32\services.exe.DFFC53EB18BEF429"
"c:\windows\system32\services.exe.E27E15CD7E6FAEA4"
"c:\windows\system32\services.exe.EBE5C28166B15C89"
"c:\windows\system32\services.exe.EDB7EB89DEAA6AAF"
"c:\windows\system32\services.exe.EE5B4D94C60162ED"
"c:\windows\system32\services.exe.EEDD893ADB7C16EC"
"c:\windows\system32\services.exe.F007422DA73A7F20"
"c:\windows\system32\services.exe.F78907F8AE8384C1"
"c:\windows\system32\services.exe.F7CA5756730C8D5A"
"c:\windows\system32\services.exe.F96CE7F1D30BB3F1"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\services.exe.007A9B6CC77882D4
c:\windows\system32\services.exe.03BB8BFDF631EC42
c:\windows\system32\services.exe.047466BD2BDF38A7
c:\windows\system32\services.exe.0495916AC1CDF356
c:\windows\system32\services.exe.08A05D2DAC16B2B0
c:\windows\system32\services.exe.0B2124E4BB09B477
c:\windows\system32\services.exe.1146FE0D1BCF2D40
c:\windows\system32\services.exe.188506709427C95A
c:\windows\system32\services.exe.1D6CD40C48AA6594
c:\windows\system32\services.exe.1FAB37EC90022F0B
c:\windows\system32\services.exe.2139F760DFECD905
c:\windows\system32\services.exe.23F969068EFAA0E0
c:\windows\system32\services.exe.2CA6F49F9503F54C
c:\windows\system32\services.exe.2D81F81CA5B6A075
c:\windows\system32\services.exe.328F280BB52A2BDB
c:\windows\system32\services.exe.333DFF38C8382D05
c:\windows\system32\services.exe.3627AD7B70800AC3
c:\windows\system32\services.exe.38AF0E324A4EB895
c:\windows\system32\services.exe.3FBEE06026C9277B
c:\windows\system32\services.exe.424BB3F01DB97C58
c:\windows\system32\services.exe.45DED8D4DBD10DFE
c:\windows\system32\services.exe.4BA58709BD3E5513
c:\windows\system32\services.exe.4C4138470B3FDD47
c:\windows\system32\services.exe.5028279C68718CA7
c:\windows\system32\services.exe.54361D525E2D5732
c:\windows\system32\services.exe.5B24D92E6135ECA2
c:\windows\system32\services.exe.5E946830481839C4
c:\windows\system32\services.exe.5EA4E2BAD713D441
c:\windows\system32\services.exe.62F7DBEF6663CEAE
c:\windows\system32\services.exe.6380A8BC9A33CFD3
c:\windows\system32\services.exe.6617019668C12EB8
c:\windows\system32\services.exe.661C039DBE987523
c:\windows\system32\services.exe.67F6E48453B3F633
c:\windows\system32\services.exe.6BEF091AD0ECD24F
c:\windows\system32\services.exe.6F799B38FE77D6D7
c:\windows\system32\services.exe.766CA529EE45C138
c:\windows\system32\services.exe.7FEF5381B27D26A9
c:\windows\system32\services.exe.816B0E2940B0EBA6
c:\windows\system32\services.exe.888C2D59149F0114
c:\windows\system32\services.exe.8D4CF7537F67D098
c:\windows\system32\services.exe.8D9FFC1E3D144D84
c:\windows\system32\services.exe.8E9B908C27A6A840
c:\windows\system32\services.exe.8F9C44252F2F7E17
c:\windows\system32\services.exe.9135493AC38CD43F
c:\windows\system32\services.exe.92B8D026FEF54911
c:\windows\system32\services.exe.94DE8F8AD3CB539C
c:\windows\system32\services.exe.96FCFE7C2036CDF2
c:\windows\system32\services.exe.97513600FA10A037
c:\windows\system32\services.exe.9A6102C7EF023512
c:\windows\system32\services.exe.A4089D21728A9F3A
c:\windows\system32\services.exe.A818E68E7BCB96CE
c:\windows\system32\services.exe.AD8190AFA7EFA60B
c:\windows\system32\services.exe.AE0ECEC93C2D7D19
c:\windows\system32\services.exe.B05134CA9351635B
c:\windows\system32\services.exe.B0A92687F6A55619
c:\windows\system32\services.exe.B12F13AD35C8D4CC
c:\windows\system32\services.exe.B5638BBBBF0A87E6
c:\windows\system32\services.exe.B783A8152557B43E
c:\windows\system32\services.exe.BD01393C5F737ACF
c:\windows\system32\services.exe.BE25B9D0F438E00E
c:\windows\system32\services.exe.C405FB95B24CDDD6
c:\windows\system32\services.exe.C9C13596FFA4D37F
c:\windows\system32\services.exe.CB8F18217E11C2C1
c:\windows\system32\services.exe.CDB90D08CCEC762F
c:\windows\system32\services.exe.D295727035653230
c:\windows\system32\services.exe.D30648DBA36AFD39
c:\windows\system32\services.exe.D5ACF69D44D76FC6
c:\windows\system32\services.exe.D5E1A09A2A14C0BB
c:\windows\system32\services.exe.D778C119AD779950
c:\windows\system32\services.exe.D89FEDB555E84817
c:\windows\system32\services.exe.DCE1BB5E78CE5A74
c:\windows\system32\services.exe.DDCE9360E767E050
c:\windows\system32\services.exe.DFF6B6EA37924F91
c:\windows\system32\services.exe.DFFC53EB18BEF429
c:\windows\system32\services.exe.E27E15CD7E6FAEA4
c:\windows\system32\services.exe.EBE5C28166B15C89
c:\windows\system32\services.exe.EDB7EB89DEAA6AAF
c:\windows\system32\services.exe.EE5B4D94C60162ED
c:\windows\system32\services.exe.EEDD893ADB7C16EC
c:\windows\system32\services.exe.F007422DA73A7F20
c:\windows\system32\services.exe.F78907F8AE8384C1
c:\windows\system32\services.exe.F7CA5756730C8D5A
c:\windows\system32\services.exe.F96CE7F1D30BB3F1
.
.
((((((((((((((((((((((((( Files Created from 2012-06-09 to 2012-07-09 )))))))))))))))))))))))))))))))
.
.
2012-07-09 10:29 . 2012-07-09 10:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-06 13:44 . 2012-06-18 02:12 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F0034A8F-F26C-454A-8488-0AAD82DE8EE4}\mpengine.dll
2012-07-05 17:54 . 2012-07-05 17:54 -------- d-----w- C:\FRST
2012-07-05 08:12 . 2012-02-09 13:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-07-05 08:12 . 2012-02-09 13:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{26E80972-518F-4456-BA8A-B030FC963B60}\gapaengine.dll
2012-07-05 08:09 . 2012-07-05 08:09 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-07-05 08:09 . 2012-07-05 08:09 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-05 08:04 . 2012-07-05 08:04 -------- d-----w- c:\users\James\AppData\Local\ElevatedDiagnostics
2012-07-04 15:10 . 2012-07-04 15:10 -------- d-----w- c:\users\James\AppData\Roaming\bizarre creations
2012-07-04 14:31 . 2012-07-04 14:31 -------- d-----w- c:\users\James\AppData\Local\My Games
2012-06-29 14:52 . 2012-06-29 14:52 -------- d--h--w- c:\programdata\CanonIJScan
2012-06-29 14:51 . 2012-06-29 14:52 -------- d-----w- c:\users\James\AppData\Roaming\Canon
2012-06-29 11:25 . 2012-06-29 11:25 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-28 09:18 . 2012-06-29 14:51 -------- d-----w- c:\program files (x86)\Canon
2012-06-28 09:18 . 2009-04-03 14:57 106496 ----a-w- c:\windows\SysWow64\CNC560U.dll
2012-06-28 09:18 . 2009-03-19 13:38 303104 ----a-w- c:\windows\SysWow64\CNC560L.dll
2012-06-28 09:18 . 2008-08-25 17:02 15872 ----a-w- c:\windows\SysWow64\CNHMCA.dll
2012-06-28 09:17 . 2012-06-28 09:17 -------- d-----w- c:\windows\system32\STRING
2012-06-28 09:17 . 2012-06-28 09:17 -------- d-----w- c:\windows\system32\CHM
2012-06-28 09:17 . 2009-04-03 15:51 144384 ----a-w- c:\windows\system32\CNMN6UI.DLL
2012-06-28 09:17 . 2009-04-03 15:51 336896 ----a-w- c:\windows\system32\CNMN6PPM.DLL
2012-06-28 09:17 . 2009-04-03 15:51 353792 ----a-w- c:\windows\SysWow64\CNMNPPM.DLL
2012-06-28 09:17 . 2012-06-28 09:17 -------- d--h--w- c:\program files\CanonBJ
2012-06-21 10:42 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 10:42 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 10:42 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 10:42 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 10:42 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 10:42 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 10:42 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 10:42 . 2012-06-02 14:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 10:42 . 2012-06-02 14:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-19 15:28 . 2012-06-19 15:28 -------- d-----w- c:\users\James\AppData\Local\Macromedia
2012-06-15 11:47 . 2012-06-15 11:47 -------- d-----w- c:\users\James\AppData\Roaming\Amazon
2012-06-15 11:46 . 2012-06-15 11:46 -------- d-----w- c:\program files (x86)\Amazon
2012-06-11 15:27 . 2012-06-11 15:27 -------- d-----w- c:\users\James\.MakeMKV
2012-06-11 15:27 . 2012-06-11 15:27 -------- d-----w- c:\program files (x86)\MakeMKV
2012-06-11 15:13 . 2012-06-11 15:14 -------- d-----w- c:\users\James\AppData\Roaming\Media Player Classic
2012-06-11 15:09 . 2012-06-11 15:09 -------- d-----w- c:\program files (x86)\AviSynth 2.5
2012-06-11 15:08 . 2012-06-11 15:25 -------- d-----w- C:\Temp
2012-06-11 15:08 . 2009-03-26 20:33 536652 ----a-w- c:\windows\SysWow64\ASAudioHD.ax
2012-06-11 15:08 . 2008-11-28 14:36 55808 ----a-w- c:\windows\SysWow64\MagPCMac.dll
2012-06-11 15:08 . 2008-11-28 14:36 92672 ----a-w- c:\windows\SysWow64\MagUIInter.dll
2012-06-11 15:08 . 2008-11-28 14:36 35328 ----a-w- c:\windows\SysWow64\MagCore.dll
2012-06-11 15:08 . 2008-11-28 14:36 285184 ----a-w- c:\windows\SysWow64\MagUIEngine.dll
2012-06-11 15:08 . 2008-04-25 07:50 917504 ----a-w- c:\windows\SysWow64\dtsdecoderdll.dll
2012-06-11 15:08 . 2008-04-15 16:40 106496 ----a-w- c:\windows\SysWow64\checkactivate.dll
2012-06-11 15:08 . 2011-01-03 09:07 490496 ----a-w- c:\windows\SysWow64\madFlac.ax
2012-06-11 15:08 . 2009-04-28 13:44 417792 ----a-w- c:\windows\SysWow64\FLVSplitter.ax
2012-06-11 15:08 . 2007-10-07 12:36 258048 ----a-w- c:\windows\SysWow64\libFLAC.dll
2012-06-11 15:08 . 2004-01-25 16:18 70656 ----a-w- c:\windows\SysWow64\yv12vfw.dll
2012-06-11 13:57 . 2012-06-11 13:57 -------- d-----w- c:\users\James\AppData\Roaming\dvdcss
2012-06-11 13:49 . 2012-06-11 13:49 -------- d-----w- c:\users\James\AppData\Roaming\Digiarty
2012-06-11 09:17 . 2012-06-11 09:17 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-11 09:17 . 2012-06-11 09:17 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-11 09:16 . 2012-06-11 09:16 -------- d-----w- c:\program files (x86)\Foxit Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-29 11:22 . 2012-04-17 13:05 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-29 11:22 . 2012-04-17 13:05 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-02 19:00 . 2011-03-28 17:36 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-04-18 08:36 . 2012-04-18 08:36 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-04-18 08:36 . 2012-04-18 08:36 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-04-18 08:36 . 2012-04-18 08:36 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2012-04-18 08:36 . 2012-04-18 08:36 1798656 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-04-18 08:36 . 2012-04-18 08:36 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-04-18 08:36 . 2012-04-18 08:36 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-04-18 08:36 . 2012-04-18 08:36 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-04-18 08:36 . 2012-04-18 08:36 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-04-18 08:36 . 2012-04-18 08:36 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-04-18 08:36 . 2012-04-18 08:36 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-04-18 08:36 . 2012-04-18 08:36 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-04-18 08:36 . 2012-04-18 08:36 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-04-18 08:36 . 2012-04-18 08:36 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-04-18 08:36 . 2012-04-18 08:36 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-04-18 08:36 . 2012-04-18 08:36 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-04-18 08:36 . 2012-04-18 08:36 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-04-18 08:36 . 2012-04-18 08:36 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-04-18 08:36 . 2012-04-18 08:36 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-04-18 08:36 . 2012-04-18 08:36 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-04-18 08:36 . 2012-04-18 08:36 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-04-18 08:36 . 2012-04-18 08:36 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-04-18 08:36 . 2012-04-18 08:36 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-04-18 08:36 . 2012-04-18 08:36 222208 ----a-w- c:\windows\system32\msls31.dll
2012-04-18 08:36 . 2012-04-18 08:36 1390080 ----a-w- c:\windows\system32\wininet.dll
2012-04-18 08:36 . 2012-04-18 08:36 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-04-18 08:36 . 2012-04-18 08:36 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-04-18 08:36 . 2012-04-18 08:36 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-04-18 08:36 . 2012-04-18 08:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-18 08:36 . 2012-04-18 08:36 2308096 ----a-w- c:\windows\system32\jscript9.dll
2012-04-18 08:36 . 2012-04-18 08:36 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-04-18 08:36 . 2012-04-18 08:36 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-04-18 08:36 . 2012-04-18 08:36 12288 ----a-w- c:\windows\system32\mshta.exe
2012-04-18 08:36 . 2012-04-18 08:36 114176 ----a-w- c:\windows\system32\admparse.dll
2012-04-18 08:36 . 2012-04-18 08:36 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-04-18 08:36 . 2012-04-18 08:36 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-04-18 08:36 . 2012-04-18 08:36 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-04-18 08:36 . 2012-04-18 08:36 448512 ----a-w- c:\windows\system32\html.iec
2012-04-18 08:36 . 2012-04-18 08:36 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-04-18 08:36 . 2012-04-18 08:36 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2012-04-18 08:36 . 2012-04-18 08:36 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-04-18 08:36 . 2012-04-18 08:36 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-04-18 08:36 . 2012-04-18 08:36 160256 ----a-w- c:\windows\system32\wextract.exe
2012-04-17 13:06 . 2012-04-17 13:06 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-04-10 19:31 . 2012-04-10 19:31 1075200 ----a-w- c:\windows\SysWow64\ac3filter.acm
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-06_08.40.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-17 11:52 . 2012-07-06 14:26 28640 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-07-06 14:26 39316 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:46 . 2012-07-06 08:43 78960 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-04-17 10:33 . 2012-07-06 14:26 5902 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1848183946-4224764909-1401710521-1001_UserData.bin
- 2012-07-06 08:39 . 2012-07-06 08:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-06 14:25 . 2012-07-06 14:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-06 08:39 . 2012-07-06 08:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-07-06 14:25 . 2012-07-06 14:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-17 16:25 . 2012-07-09 07:56 334782 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 02:36 . 2012-07-06 14:31 665764 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-07-06 08:21 665764 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-07-06 14:31 125400 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-07-06 08:21 125400 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-07-06 08:39 455624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-07-06 14:24 455624 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 02:34 . 2012-07-05 08:18 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2012-07-09 08:16 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2012-04-17 13:27 . 2012-07-06 14:24 27058540 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1848183946-4224764909-1401710521-1001-8192.dat
- 2012-04-17 13:27 . 2012-07-06 08:39 27058540 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1848183946-4224764909-1401710521-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-04-17 1242448]
"DVDFab Passkey"="c:\program files (x86)\DVDFab Passkey\DVDFabPasskey.exe" [2012-05-22 1392672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"InputDirector"="c:\program files (x86)\Input Director\InputDirector.exe" [2010-02-01 475136]
"Bing Bar"="c:\program files (x86)\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe" [2010-03-24 243544]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
.
c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\James\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-4-17 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 InputDirector;Input Director Service;c:\program files (x86)\Input Director\IDWinService.exe [2010-02-01 36864]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 32768]
R3 IDVistaService;Input Director Vista Service;c:\program files (x86)\Input Director\IDVistaService.exe [2009-02-08 13824]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-19 113120]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-18 1255736]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [2011-08-15 79232]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2012-01-18 351136]
S3 LVUVC64;Logitech Webcam 500(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2012-01-18 4865568]
S3 SaiH0461;SaiH0461;c:\windows\system32\DRIVERS\SaiH0461.sys [2008-03-26 178432]
S3 SaiH0763;SaiH0763;c:\windows\system32\DRIVERS\SaiH0763.sys [2008-02-15 178304]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 25088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1848183946-4224764909-1401710521-1001Core.job
- c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-17 06:15]
.
2012-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1848183946-4224764909-1401710521-1001UA.job
- c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-17 06:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\James\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: Interfaces\{37B856E9-8AD9-4525-81E9-53D6A694AFAA}: NameServer = 192.168.2.1
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\78vu8i1c.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*k*v*gxyM\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*k*v*zyM\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*k*v*azyM\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*k*v*¤zyM\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-09 11:31:42
ComboFix-quarantined-files.txt 2012-07-09 10:31
ComboFix2.txt 2012-07-06 08:42
.
Pre-Run: 50,806,136,832 bytes free
Post-Run: 50,753,241,088 bytes free
.
- - End Of File - - F1E22C0AA74ECF8B3218650221DC2CCA
 
Please do NOT wrap any log in "code".

Any current issues?

=====================================

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

===============================================

Download OTL to your Desktop.
Alternate download: http://www.smartestcomputing.us.com/files/file/5-otl/

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
No other issues - computer seems to be running normally.

MBAM results:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.09.08

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
James :: 3XS [administrator]

09/07/2012 16:45:07
mbam-log-2012-07-09 (16-45-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209460
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
OTL.txt:

OTL logfile created on: 09/07/2012 16:55:52 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\James\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 65.00% Memory free
8.00 Gb Paging File | 7.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 223.57 Gb Total Space | 47.32 Gb Free Space | 21.16% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 161.66 Gb Free Space | 69.41% Space Free | Partition Type: NTFS
Drive E: | 298.09 Gb Total Space | 55.10 Gb Free Space | 18.48% Space Free | Partition Type: NTFS
Drive G: | 178.29 Mb Total Space | 176.88 Mb Free Space | 99.21% Space Free | Partition Type: FAT32

Computer Name: 3XS | User Name: James | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/19 16:26:57 | 000,529,232 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe
PRC - [2012/05/24 19:39:22 | 027,112,840 | ---- | M] (Dropbox, Inc.) -- C:\Users\James\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012/05/22 08:56:34 | 001,392,672 | ---- | M] (Fengtao Software Inc.) -- C:\Program Files (x86)\DVDFab Passkey\DVDFabPasskey.exe
PRC - [2012/04/17 14:23:15 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
PRC - [2012/02/29 13:26:46 | 000,382,272 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2012/02/27 00:15:42 | 000,055,144 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2012/01/18 06:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
PRC - [2010/11/18 05:53:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\James\Desktop\OTL.exe
PRC - [2010/08/23 09:11:28 | 000,206,240 | ---- | M] (CANON INC.) -- C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
PRC - [2010/03/24 16:26:02 | 000,243,544 | ---- | M] (Microsoft Corp.) -- C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
PRC - [2010/02/01 10:38:24 | 000,139,264 | ---- | M] () -- C:\Program Files (x86)\Input Director\InputDirectorSessionHelper.exe
PRC - [2010/02/01 10:38:04 | 000,475,136 | ---- | M] () -- C:\Program Files (x86)\Input Director\InputDirector.exe
PRC - [2010/02/01 10:37:54 | 000,036,864 | ---- | M] () -- C:\Program Files (x86)\Input Director\IDWinService.exe
PRC - [2009/02/23 19:43:12 | 000,576,000 | ---- | M] (MagicISO, Inc.) -- C:\Program Files (x86)\MagicDisc\MagicDisc.exe
PRC - [2009/02/08 04:15:36 | 000,013,824 | ---- | M] () -- C:\Program Files (x86)\Input Director\IDVistaService.exe


========== Modules (SafeList) ==========

MOD - [2010/11/18 05:53:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\James\Desktop\OTL.exe
MOD - [2010/08/21 06:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/06/19 16:27:46 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/06/19 16:26:57 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/02/29 13:26:46 | 000,382,272 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2012/02/27 00:15:42 | 000,055,144 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2012/01/18 06:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/01 10:37:54 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Input Director\IDWinService.exe -- (InputDirector)
SRV - [2009/06/10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/02/08 04:15:36 | 000,013,824 | ---- | M] () [On_Demand | Running] -- C:\Program Files (x86)\Input Director\IDVistaService.exe -- (IDVistaService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/02/15 11:01:50 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/01/18 06:44:36 | 004,865,568 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lvuvc64.sys -- (LVUVC64) Logitech Webcam 500(UVC)
DRV:64bit: - [2012/01/18 06:44:28 | 000,351,136 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lvrs64.sys -- (LVRS64)
DRV:64bit: - [2011/08/15 14:51:40 | 000,079,232 | ---- | M] (Fengtao Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dvdfab.sys -- (dvdfab)
DRV:64bit: - [2010/04/29 06:55:42 | 000,032,768 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\androidusb.sys -- (androidusb)
DRV:64bit: - [2009/08/13 22:10:18 | 000,073,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009/07/14 02:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/14 02:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 02:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 01:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2009/07/14 01:35:37 | 000,025,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WSDScan.sys -- (WSDScan)
DRV:64bit: - [2009/06/10 21:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 21:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/02/24 18:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mcdbus.sys -- (mcdbus)
DRV:64bit: - [2008/03/26 10:45:52 | 000,178,432 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SaiH0461.sys -- (SaiH0461)
DRV:64bit: - [2008/02/15 17:50:02 | 000,178,304 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SaiH0763.sys -- (SaiH0763)
DRV:64bit: - [2005/03/29 01:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2009/02/24 18:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\mcdbus.sys -- (mcdbus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1848183946-4224764909-1401710521-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKU\S-1-5-21-1848183946-4224764909-1401710521-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 00 AB 6D B7 78 3D CD 01 [binary data]
IE - HKU\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://news.bbc.co.uk/"

FF - HKLM\software\mozilla\Firefox\Extensions\\msntoolbar@msn.com: C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\Firefox [2012/04/25 14:16:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2012/04/25 14:16:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/06/19 16:27:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/05/03 09:23:01 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Mozilla\Extensions
[2012/07/05 09:02:22 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\78vu8i1c.default\extensions
[2012/05/11 09:58:16 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\78vu8i1c.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2012/05/03 20:10:52 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\78vu8i1c.default\extensions\support@lastpass.com
[2012/06/06 10:06:16 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/06/19 16:27:46 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
[2012/05/14 10:16:20 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml
[2012/05/14 10:16:20 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/07/09 11:29:54 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Bing Bar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (@C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll,-100) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\npwinext.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Bing Bar] C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe (Microsoft Corp.)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [InputDirector] C:\Program Files (x86)\Input Director\InputDirector.exe ()
O4 - HKU\S-1-5-21-1848183946-4224764909-1401710521-1001..\Run: [DVDFab Passkey] C:\Program Files (x86)\DVDFab Passkey\DVDFabPasskey.exe (Fengtao Software Inc.)
O4 - HKU\S-1-5-21-1848183946-4224764909-1401710521-1001..\Run: [Steam] C:\Program Files (x86)\Steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\James\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1848183946-4224764909-1401710521-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1848183946-4224764909-1401710521-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} https://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab (first direct internet banking plus digital safe)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/07/09 16:52:05 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/07/09 16:44:20 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\Malwarebytes
[2012/07/09 16:44:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/07/09 16:44:06 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/09 16:44:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/07/09 11:31:43 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/07/06 09:20:23 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/07/06 09:20:23 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/07/06 09:20:23 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/07/06 09:20:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/06 09:20:12 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/07/06 09:17:04 | 004,573,972 | R--- | C] (Swearware) -- C:\Users\James\Desktop\ComboFix.exe
[2012/07/05 18:54:36 | 000,000,000 | ---D | C] -- C:\FRST
[2012/07/05 09:09:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/07/05 09:09:03 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/07/05 09:04:40 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\ElevatedDiagnostics
[2012/07/04 16:10:34 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\bizarre creations
[2012/07/04 15:31:20 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\My Games
[2012/07/04 14:58:06 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\directx
[2012/06/29 15:52:27 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonIJScan
[2012/06/29 15:51:43 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\Canon
[2012/06/29 12:25:28 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
[2012/06/28 10:18:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Canon
[2012/06/28 10:17:43 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\STRING
[2012/06/28 10:17:43 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\CHM
[2012/06/28 10:17:23 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2012/06/19 16:28:18 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\Macromedia
[2012/06/15 14:10:04 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\{FEC3D0E2-AAA4-4820-9B75-ADBD2A4C0090}
[2012/06/15 14:10:04 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\{EC3539C7-6714-46BE-8EFB-4A1371C2285A}
[2012/06/15 12:47:11 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\Amazon
[2012/06/15 12:46:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Amazon
[2012/06/11 16:27:43 | 000,000,000 | ---D | C] -- C:\Users\James\.MakeMKV
[2012/06/11 16:27:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MakeMKV
[2012/06/11 16:13:59 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\Media Player Classic
[2012/06/11 16:09:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AviSynth 2.5
[2012/06/11 16:08:05 | 000,536,652 | ---- | C] (ArcSoft Inc.) -- C:\Windows\SysWow64\ASAudioHD.ax
[2012/06/11 16:08:05 | 000,285,184 | ---- | C] (ArcSoft Inc.) -- C:\Windows\SysWow64\MagUIEngine.dll
[2012/06/11 16:08:05 | 000,106,496 | ---- | C] (ArcSoft Inc.) -- C:\Windows\SysWow64\checkactivate.dll
[2012/06/11 16:08:05 | 000,092,672 | ---- | C] (ArcSoft Inc.) -- C:\Windows\SysWow64\MagUIInter.dll
[2012/06/11 16:08:05 | 000,055,808 | ---- | C] (ArcSoft Inc.) -- C:\Windows\SysWow64\MagPCMac.dll
[2012/06/11 16:08:05 | 000,035,328 | ---- | C] (ArcSoft Inc.) -- C:\Windows\SysWow64\MagCore.dll
[2012/06/11 16:08:05 | 000,000,000 | ---D | C] -- C:\Temp
[2012/06/11 16:08:04 | 000,490,496 | ---- | C] (www.madshi.net) -- C:\Windows\SysWow64\madFlac.ax
[2012/06/11 16:08:04 | 000,417,792 | ---- | C] (Gabest) -- C:\Windows\SysWow64\FLVSplitter.ax
[2012/06/11 16:08:04 | 000,070,656 | ---- | C] (www.helixcommunity.org) -- C:\Windows\SysWow64\yv12vfw.dll
[2012/06/11 14:57:51 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\dvdcss
[2012/06/11 14:49:46 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Roaming\Digiarty
[2012/06/11 10:16:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Foxit Software
[2011/12/07 23:32:24 | 000,216,064 | ---- | C] ( ) -- C:\Windows\SysWow64\lagarith.dll

========== Files - Modified Within 30 Days ==========

[2012/07/09 16:51:59 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\drivers\lvuvc.hs
[2012/07/09 16:51:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/09 16:51:47 | 3220,086,784 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/09 16:15:00 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1848183946-4224764909-1401710521-1001UA.job
[2012/07/09 11:29:54 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/07/09 11:08:30 | 004,573,972 | R--- | M] (Swearware) -- C:\Users\James\Desktop\ComboFix.exe
[2012/07/09 11:08:00 | 000,000,600 | ---- | M] () -- C:\Users\James\AppData\Local\PUTTY.RND
[2012/07/09 09:08:18 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1848183946-4224764909-1401710521-1001Core.job
[2012/07/06 15:32:26 | 000,013,632 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/06 15:32:26 | 000,013,632 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/06 15:31:21 | 000,781,348 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/07/06 15:31:21 | 000,665,764 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/07/06 15:31:21 | 000,125,400 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/07/05 09:34:51 | 000,001,056 | ---- | M] () -- C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2012/07/05 09:34:32 | 000,001,024 | ---- | M] () -- C:\Users\James\Desktop\Dropbox.lnk
[2012/07/05 09:09:39 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/07/05 09:09:07 | 000,786,470 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/07/02 14:16:42 | 000,002,408 | ---- | M] () -- C:\Users\James\Desktop\Google Chrome.lnk
[2012/06/28 10:18:08 | 000,002,023 | ---- | M] () -- C:\Users\Public\Desktop\Canon IJ Network Tool.lnk
[2012/06/11 16:27:36 | 000,001,005 | ---- | M] () -- C:\Users\James\Desktop\MakeMKV.lnk
[2012/06/11 10:16:50 | 000,001,064 | ---- | M] () -- C:\Users\Public\Desktop\Foxit Reader.lnk

========== Files Created - No Company Name ==========

[2012/07/06 09:20:23 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/07/06 09:20:23 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/07/06 09:20:23 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/07/06 09:20:23 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/07/06 09:20:23 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/06/28 10:18:08 | 000,002,023 | ---- | C] () -- C:\Users\Public\Desktop\Canon IJ Network Tool.lnk
[2012/06/28 10:18:05 | 000,012,800 | ---- | C] () -- C:\Windows\SysWow64\CNC173ED.TBL
[2012/06/11 16:27:36 | 000,001,005 | ---- | C] () -- C:\Users\James\Desktop\MakeMKV.lnk
[2012/06/11 16:08:05 | 000,917,504 | ---- | C] () -- C:\Windows\SysWow64\dtsdecoderdll.dll
[2012/06/11 16:08:04 | 000,258,048 | ---- | C] () -- C:\Windows\SysWow64\libFLAC.dll
[2012/04/23 16:09:40 | 000,000,600 | ---- | C] () -- C:\Users\James\AppData\Local\PUTTY.RND
[2012/04/17 14:16:56 | 000,786,470 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/03/22 22:01:32 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2012/03/15 10:40:28 | 004,826,112 | ---- | C] () -- C:\Windows\SysWow64\x264vfw.dll
[2012/01/18 06:44:00 | 010,920,984 | ---- | C] () -- C:\Windows\SysWow64\LogiDPP.dll
[2012/01/18 06:44:00 | 000,336,408 | ---- | C] () -- C:\Windows\SysWow64\DevManagerCore.dll
[2012/01/09 23:45:18 | 000,178,688 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 22:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2007/02/05 20:05:26 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
[2007/01/26 01:04:12 | 000,138,752 | ---- | C] () -- C:\Windows\SysWow64\mase32.dll
[2007/01/26 01:04:12 | 000,027,648 | ---- | C] () -- C:\Windows\SysWow64\ma32.dll

========== LOP Check ==========

[2012/06/15 12:47:11 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Amazon
[2012/04/25 13:06:31 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\avidemux
[2012/07/04 16:10:34 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\bizarre creations
[2012/06/29 15:52:27 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Canon
[2012/06/11 14:49:53 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Digiarty
[2012/07/09 16:52:23 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Dropbox
[2012/06/11 10:16:57 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Foxit Software
[2012/07/02 10:41:27 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\HandBrake
[2012/05/11 11:17:23 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Kalypso Media
[2012/04/17 19:09:57 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\LibreOffice
[2012/06/22 15:18:01 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\MediaMonkey
[2012/05/28 11:00:00 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\mkvtoolnix
[2012/04/17 14:19:26 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\TeraCopy
[2012/06/28 15:28:21 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Tropico 4
[2012/04/25 14:17:33 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\Win7codecs
[2012/07/06 17:02:20 | 000,000,000 | ---D | M] -- C:\Users\James\AppData\Roaming\XBMC
[2009/07/14 06:08:49 | 000,026,902 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
 
Extras.txt


OTL Extras logfile created on: 09/07/2012 16:55:52 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\James\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 65.00% Memory free
8.00 Gb Paging File | 7.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 223.57 Gb Total Space | 47.32 Gb Free Space | 21.16% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 161.66 Gb Free Space | 69.41% Space Free | Partition Type: NTFS
Drive E: | 298.09 Gb Total Space | 55.10 Gb Free Space | 18.48% Space Free | Partition Type: NTFS
Drive G: | 178.29 Mb Total Space | 176.88 Mb Free Space | 99.21% Space Free | Partition Type: FAT32

Computer Name: 3XS | User Name: James | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1848183946-4224764909-1401710521-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\PROGRA~2\MEDIAM~1\MEDIAM~2.EXE" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\PROGRA~2\MEDIAM~1\MEDIAM~2.EXE" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\PROGRA~2\MEDIAM~1\MEDIAM~2.EXE" /ADD "%1" (Ventis Media Inc.)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\PROGRA~2\MEDIAM~1\MEDIAM~2.EXE" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\PROGRA~2\MEDIAM~1\MEDIAM~2.EXE" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\PROGRA~2\MEDIAM~1\MEDIAM~2.EXE" /ADD "%1" (Ventis Media Inc.)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{027E5FAB-1476-4C59-AAB4-32EF28520399}" = Windows Live Language Selector
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP560_series" = Canon MP560 series MP Drivers
"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)
"{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}" = Paint.NET v3.5.10
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 296.10
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 296.10
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 296.10
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller Driver 296.10
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.12.0213
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B8AD779A-82DA-4365-A7D0-AD3DCFC55CFF}" = Apple Mobile Device Support
"{CF8FFD12-602B-422D-AF1D-511B411E7632}" = iTunes
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"TeraCopy_is1" = TeraCopy 2.27

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{09D72100-CAC9-42BF-AD52-47F784C92DB6}" = LibreOffice 3.5
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{27E3028E-06C8-4C09-8C3E-07F7F508304E}" = Foxit Reader
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{47FA2C44-D148-4DBC-AF60-B91934AA4842}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5E4B86E5-CD0E-4D3D-BE21-45A30326850A}" = Microsoft Search Enhancement Pack
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C0CAA7A-3272-4991-A808-2C7559DE3409}" = Win7codecs
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{91140000-0019-0000-0000-0000000FF1CE}" = Microsoft Office Publisher 2010
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{B95B1BA9-F887-4B3C-8D3A-CCD4C4675120}" = Microsoft Default Manager
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}" = NVIDIA PhysX
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E21DA178-9FB0-4F91-B79C-5A6DDEEBFB8D}" = Bing Bar Platform
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FEB15887-0932-4D2D-BB85-6AC03FBF1AA8}" = Pinnacle VideoSpin
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"AviSynth" = AviSynth 2.5
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"DVDFab Passkey 8_is1" = DVDFab Passkey 8.0.6.4 (22/05/2012)
"Everything" = Everything 1.2.1.371
"HandBrake" = HandBrake 0.9.6
"ImgBurn" = ImgBurn
"Input Director" = Input Director v1.2.2
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"MakeMKV" = MakeMKV v1.7.4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"MediaMonkey_is1" = MediaMonkey 4.0
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Office14.PUBLISHERR" = Microsoft Publisher 2010
"Picasa 3" = Picasa 3
"PuTTY_is1" = PuTTY version 0.62
"Revo Uninstaller" = Revo Uninstaller 1.93
"SolveigMM AVI Trimmer 2.0.1203.13" = SolveigMM AVI Trimmer
"Steam App 2100" = Dark Messiah Might and Magic Single Player
"Steam App 57690" = Tropico 4
"VLC media player" = VLC media player 2.0.1
"WinLiveSuite" = Windows Live Essentials
"x264vfw" = x264vfw - H.264/MPEG-4 AVC codec (remove only)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1848183946-4224764909-1401710521-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome
"XBMC" = XBMC

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 04/07/2012 12:25:06 | Computer Name = 3XS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 10218

Error - 04/07/2012 12:25:06 | Computer Name = 3XS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 10218

Error - 04/07/2012 12:25:07 | Computer Name = 3XS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 04/07/2012 12:25:07 | Computer Name = 3XS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 11232

Error - 04/07/2012 12:25:07 | Computer Name = 3XS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 11232

Error - 05/07/2012 04:05:15 | Computer Name = 3XS | Source = Application Error | ID = 1000
Description = Faulting application name: Setup.exe_Microsoft Security Client, version:
2.1.1116.0, time stamp: 0x4df92492 Faulting module name: Setup.exe, version: 2.1.1116.0,
time stamp: 0x4df92492 Exception code: 0xc000041d Fault offset: 0x0000000000086337
Faulting process id: 0x1318 Faulting application start time: 0x01cd5a84e7474150
Faulting application path: C:\Users\James\AppData\Local\Temp\{0EF8F2E1-0AD2-41FE-A19A-55511C048FC4}\Setup.exe
Faulting module path: C:\Users\James\AppData\Local\Temp\{0EF8F2E1-0AD2-41FE-A19A-55511C048FC4}\Setup.exe
Report Id: 26730990-c678-11e1-9f7d-001a924eabca

Error - 05/07/2012 04:05:30 | Computer Name = 3XS | Source = Application Error | ID = 1000
Description = Faulting application name: msseces.exe, version: 2.1.1116.0, time
stamp: 0x4df9245c Faulting module name: msseces.exe, version: 2.1.1116.0, time stamp:
0x4df9245c Exception code: 0xc0000005 Fault offset: 0x0000000000069e8c Faulting process
id: 0x858 Faulting application start time: 0x01cd5a8455ea74c0 Faulting application
path: C:\Program Files\Microsoft Security Client\msseces.exe Faulting module path:
C:\Program Files\Microsoft Security Client\msseces.exe Report Id: 2fb63130-c678-11e1-9f7d-001a924eabca

Error - 06/07/2012 04:18:21 | Computer Name = 3XS | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 13.0.1.4548 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: ecc Start
Time: 01cd5b4f92d2b980 Termination Time: 50 Application Path: C:\Program Files (x86)\Mozilla
Firefox\firefox.exe Report Id: 1fb9d451-c743-11e1-b3d9-001a924eabca

Error - 06/07/2012 05:03:24 | Computer Name = 3XS | Source = SideBySide | ID = 16842811
Description = Activation context generation failed for "c:\program files (x86)\microsoft\search
enhancement pack\search helper\sepsearchhelperie.dll".Error in manifest or policy
file "c:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll"
on line 2. Invalid Xml syntax.

Error - 09/07/2012 11:44:41 | Computer Name = 3XS | Source = Application Error | ID = 1000
Description = Faulting application name: firefox.exe, version: 13.0.1.4548, time
stamp: 0x4fda6075 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005 Fault offset: 0x2a1cfbf8 Faulting process id: 0x6a8 Faulting application
start time: 0x01cd5dccec6e6208 Faulting application path: C:\Program Files (x86)\Mozilla
Firefox\firefox.exe Faulting module path: unknown Report Id: febb7a28-c9dc-11e1-9c40-001a924eabca

[ System Events ]
Error - 09/07/2012 04:06:54 | Computer Name = 3XS | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.129.1034.0 Update Source: %%859 Update Stage:
%%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error
code: 0x80240022 Error description: The program can't check for definition updates.


Error - 09/07/2012 06:09:41 | Computer Name = 3XS | Source = Service Control Manager | ID = 7034
Description = The Input Director Service service terminated unexpectedly. It has
done this 1 time(s).

Error - 09/07/2012 06:09:41 | Computer Name = 3XS | Source = Service Control Manager | ID = 7034
Description = The Input Director Vista Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 09/07/2012 06:24:30 | Computer Name = 3XS | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 09/07/2012 06:29:22 | Computer Name = 3XS | Source = Application Popup | ID = 1060
Description = \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility
with this system. Please contact your software vendor for a compatible version
of the driver.

Error - 09/07/2012 06:29:22 | Computer Name = 3XS | Source = Application Popup | ID = 1060
Description = \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility
with this system. Please contact your software vendor for a compatible version
of the driver.

Error - 09/07/2012 06:29:56 | Computer Name = 3XS | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 09/07/2012 06:32:58 | Computer Name = 3XS | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.129.1034.0 Update Source: %%859 Update Stage:
%%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error
code: 0x80240022 Error description: The program can't check for definition updates.


Error - 09/07/2012 06:32:58 | Computer Name = 3XS | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.129.1034.0 Update Source: %%859 Update Stage:
%%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error
code: 0x80240022 Error description: The program can't check for definition updates.


Error - 09/07/2012 11:53:05 | Computer Name = 3XS | Source = DCOM | ID = 10016
Description =


< End of report >
 
OTL logs are clean :)

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart the computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
Results of screen317's Security Check version 0.99.24
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java(TM) 6 Update 31
Adobe Flash Player 11.3.300.262
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
``````````End of Log````````````


Farbar Service Scanner Version: 08-07-2012
Ran by James (administrator) on 09-07-2012 at 17:07:54
Running from "C:\Users\James\Desktop"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-04-18 09:16] - [2011-12-28 04:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-14 01:09] - [2009-07-14 02:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-14 00:36] - [2009-07-14 02:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan deleted - quarantined
C:\Users\James\Documents\Downloads\SuperOneClickv2.3.3-ShortFuse.zip multiple threats deleted - quarantined
C:\Users\James\Documents\play\Superoneclick\Exploits\psneuter Android/Exploit.Lotoor.AK trojan cleaned by deleting - quarantined
C:\Users\James\Documents\play\Superoneclick\Exploits\zergRush Android/Exploit.Lotoor.AN trojan cleaned by deleting - quarantined
 
1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

============================================

We have a corrupted registry key affecting Windows updates.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Double click on bits.reg file and confirm the prompt.
Restart computer.
Post new FSS log.
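As an added example (not part of the thread and not FSS's own code), a read-only PowerShell script that re-checks from the registry the two things the FSS log above flagged, the unreadable Start value of BITS and the Windows Defender DisableAntiSpyware policy, so the state can be compared before and after applying bits.reg. It assumes the Windows 7 defaults FSS reports (Start=2 for both services, qmgr.dll and MpSvc.dll as the service DLLs) and is run from an elevated prompt.

```powershell
# Added example, not from the thread and not FSS's own code. Read-only: it only
# reports, it changes nothing. Assumes Windows 7 defaults as FSS describes them.

$StartNames = @{ 2 = 'Automatic'; 3 = 'Manual (Demand)'; 4 = 'Disabled' }

function Test-ServiceConfig {
    param(
        [string]$Name,
        [int]$ExpectedStart,   # 2 = Automatic, 3 = Manual; Win7 default is 2 for both services here
        [string]$ExpectedDll   # file name the service's ServiceDll should point at
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return @("$Name : service key is missing") }
    $svc = Get-ItemProperty -Path $key
    $findings = @()

    # Start is the value FSS could not read in the first log ("The value does not exist").
    if ($null -eq $svc.Start) {
        $findings += 'Start value does not exist'
    } elseif ([int]$svc.Start -ne $ExpectedStart) {
        $actual = $StartNames[[int]$svc.Start]
        if (-not $actual) { $actual = $svc.Start }
        $findings += "start type is $actual, expected $($StartNames[$ExpectedStart])"
    }

    # Both services are hosted by svchost.exe on Windows 7; another host binary is a red flag.
    $image = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
    if ($image -notmatch '(?i)\\system32\\svchost\.exe') {
        $findings += "ImagePath is unexpected: $image"
    }

    # ServiceDll lives under the Parameters subkey; check its name and that the file exists.
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    $dll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
    if (-not $dll) {
        $findings += 'ServiceDll value does not exist'
    } elseif ((Split-Path -Leaf $dll) -ine $ExpectedDll) {
        $findings += "ServiceDll points at $dll, expected $ExpectedDll"
    } elseif (-not (Test-Path -LiteralPath $dll)) {
        $findings += "ServiceDll file is missing on disk: $dll"
    }

    if ($findings.Count -eq 0) { return @("$Name : OK") }
    return $findings | ForEach-Object { "$Name : $_" }
}

function Test-DefenderPolicy {
    # The FSS log shows DisableAntiSpyware=1. Microsoft Security Essentials sets this when it
    # installs (it replaces Windows Defender), so on an MSE machine it is expected; on a
    # machine without MSE it would need explaining.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $v = (Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($v -eq 1) { return 'DisableAntiSpyware=1 : Windows Defender is disabled by policy' }
    return 'DisableAntiSpyware : not set'
}

Test-ServiceConfig -Name 'BITS'      -ExpectedStart 2 -ExpectedDll 'qmgr.dll'
Test-ServiceConfig -Name 'WinDefend' -ExpectedStart 2 -ExpectedDll 'MpSvc.dll'
Test-DefenderPolicy
```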
 
I ran FSS again at the end of the instructions above and posted the resultant log here. I hope this is correct.

Farbar Service Scanner Version: 08-07-2012
Ran by James (administrator) on 11-07-2012 at 09:10:39
Running from "C:\Users\James\Desktop"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-04-18 09:16] - [2011-12-28 04:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-14 01:09] - [2009-07-14 02:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-14 00:36] - [2009-07-14 02:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
 
52 installed correctly and three failed to install - a security update for C++ (KB2538243), an XML update (KB973688) and a security update for XML (KB954430). The error code was 643.
 
Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: James
->Temp folder emptied: 75033077 bytes
->Temporary Internet Files folder emptied: 10993169 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 790614608 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 63250 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1269188 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 493817 bytes

Total Files Cleaned = 838.00 mb


[EMPTYFLASH]

User: Default
->Flash cache emptied: 0 bytes

User: James
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Error: Unable to interpret <[emptyjava]> in the current context!
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.17.3 log created on 07132012_112835

Files\Folders moved on Reboot...
C:\Users\James\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
 
Many thanks Broni. Really appreciate the effort you put into this - saved me doing a full reinstall and all the pain associated with that.

James