Solved Infected Windows 7 infected with win64/patched.b.gen trojan (services.exe)

Remaining Part of OTL log

========== Files/Folders - Created Within 30 Days ==========

[2012/07/22 04:19:42 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Ramkishen\Desktop\OTL.exe
[2012/07/22 04:03:54 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/07/22 04:00:41 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/07/22 03:50:05 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/07/22 03:50:05 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/07/22 03:50:05 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/07/22 03:46:48 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/22 03:46:21 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/07/22 03:43:35 | 004,582,474 | R--- | C] (Swearware) -- C:\Users\Ramkishen\Desktop\ComboFix.exe
[2012/07/22 02:01:09 | 000,000,000 | ---D | C] -- C:\FRST
[2012/07/22 01:07:47 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\Desktop\Trojan
[2012/07/22 00:56:58 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Ramkishen\Desktop\dds.scr
[2012/07/21 23:56:05 | 001,437,781 | ---- | C] (Farbar) -- C:\Users\Ramkishen\Desktop\FRST64.exe
[2012/07/21 23:40:24 | 002,406,064 | ---- | C] (Trend Micro Inc.) -- C:\Users\Ramkishen\Desktop\HousecallLauncher64.exe
[2012/07/21 21:17:00 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
[2012/07/21 21:13:56 | 000,000,000 | ---D | C] -- C:\ProgramData\225932FD815043E2B091B697F875F002
[2012/07/21 21:10:09 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\Desktop\recovery-clockwork-2.5.1.2-galaxys
[2012/07/21 19:52:29 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\Desktop\Phone Backup
[2012/07/21 19:43:37 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\Desktop\GT_I9000_ZSJW4_ZSJW1_OZSJW4_Sbl
[2012/07/21 18:58:15 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\Desktop\Odin v1.82_and_512.pit_513.pit_803.pit_files
[2012/07/21 18:35:20 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\Desktop\Odin3 v1.85
[2012/07/21 18:00:25 | 000,123,520 | ---- | C] (ZTE Incorporated) -- C:\Windows\SysNative\drivers\ZTEusbser6k.sys
[2012/07/21 18:00:25 | 000,123,520 | ---- | C] (ZTE Incorporated) -- C:\Windows\SysNative\drivers\ZTEusbnmea.sys
[2012/07/21 18:00:25 | 000,123,520 | ---- | C] (ZTE Incorporated) -- C:\Windows\SysNative\drivers\ZTEusbmdm6k.sys
[2012/07/21 18:00:25 | 000,011,776 | ---- | C] (MBB Incorporated) -- C:\Windows\SysNative\drivers\massfilter.sys
[2012/07/21 18:00:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reliance 3G
[2012/07/21 17:59:54 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\SupportAppCB
[2012/07/21 17:59:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Reliance 3G
[2012/07/20 02:22:36 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\Desktop\com.sec.android.app.memo-20120710-220834
[2012/07/19 06:02:39 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\Desktop\clockworkmod
[2012/07/08 20:38:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Astro-Vision LifeSign Mini
[2012/07/08 20:38:01 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\AppData\Roaming\LifeSignMini
[2012/07/08 20:38:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LifeSignMini
[2012/07/05 05:55:54 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\AppData\Roaming\Malwarebytes
[2012/07/05 05:55:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/05 05:55:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/07/05 05:55:41 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/05 05:55:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/07/05 05:30:42 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Ramkishen\Desktop\mbam-setup-1.61.0.1400.exe
[2012/07/05 02:45:47 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\AppData\Local\{A4BAEAC2-2EC3-49D1-AF12-89E40E42895D}
[2012/07/05 02:45:28 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\AppData\Local\{BBEBDF4A-8FEF-4D6A-B0F2-C3E5CD2153DC}
[2012/07/05 02:45:06 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\AppData\Local\{E9290719-751C-4D8A-8F5C-8EB71508AF85}
[2012/07/02 02:37:13 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\Desktop\586643
[2012/06/29 01:05:54 | 000,000,000 | ---D | C] -- C:\Users\Ramkishen\AppData\Local\Macromedia
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/22 05:13:51 | 000,714,580 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/07/22 05:13:51 | 000,620,086 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/07/22 05:13:51 | 000,107,978 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/07/22 05:08:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/22 05:08:33 | 3180,220,416 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/22 04:51:08 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1930665232-349164325-645168838-1000UA.job
[2012/07/22 04:19:42 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Ramkishen\Desktop\OTL.exe
[2012/07/22 04:11:20 | 000,032,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/22 04:11:20 | 000,032,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/22 03:56:37 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/07/22 03:44:24 | 004,582,474 | R--- | M] (Swearware) -- C:\Users\Ramkishen\Desktop\ComboFix.exe
[2012/07/22 03:00:09 | 000,050,924 | ---- | M] () -- C:\Users\Ramkishen\Desktop\Untitled1.png
[2012/07/22 01:57:37 | 001,437,781 | ---- | M] (Farbar) -- C:\Users\Ramkishen\Desktop\FRST64.exe
[2012/07/22 01:12:44 | 000,110,872 | ---- | M] () -- C:\Users\Ramkishen\Desktop\Untitled.png
[2012/07/22 00:56:58 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Ramkishen\Desktop\dds.scr
[2012/07/22 00:56:34 | 000,667,872 | ---- | M] () -- C:\Users\Ramkishen\Desktop\UPDATED 5-step Viruses_Spyware_Malware Preliminary Removal Instructions - TechSpot Forums.mht
[2012/07/22 00:52:52 | 000,302,592 | ---- | M] () -- C:\Users\Ramkishen\Desktop\ufh3ih3c.exe
[2012/07/21 23:42:51 | 000,000,036 | ---- | M] () -- C:\Users\Ramkishen\AppData\Local\housecall.guid.cache
[2012/07/21 23:42:06 | 002,406,064 | ---- | M] (Trend Micro Inc.) -- C:\Users\Ramkishen\Desktop\HousecallLauncher64.exe
[2012/07/21 21:09:58 | 001,804,447 | ---- | M] () -- C:\Users\Ramkishen\Desktop\recovery-clockwork-2.5.1.2-galaxys.zip
[2012/07/21 19:50:01 | 001,596,930 | ---- | M] () -- C:\Users\Ramkishen\Desktop\xda-developers - View Single Post - [Firmwares]Official I9000_I9000M Firmwares collection [Latest_ XWJW8, DDJVB, XWJW7].mht
[2012/07/21 19:42:26 | 161,403,811 | ---- | M] () -- C:\Users\Ramkishen\Desktop\GT_I9000_ZSJW4_ZSJW1_OZSJW4_Sbl.7z
[2012/07/21 18:58:04 | 000,160,881 | ---- | M] () -- C:\Users\Ramkishen\Desktop\Odin v1.82_and_512.pit_513.pit_803.pit_files.7z
[2012/07/21 18:51:05 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1930665232-349164325-645168838-1000Core.job
[2012/07/21 18:34:51 | 005,487,403 | ---- | M] () -- C:\Users\Ramkishen\Desktop\Odin3 v1.85.rar
[2012/07/21 18:05:36 | 000,193,404 | ---- | M] () -- C:\Users\Ramkishen\Desktop\mts.xps
[2012/07/21 18:00:15 | 000,001,940 | ---- | M] () -- C:\Users\Public\Desktop\Reliance 3G.lnk
[2012/07/21 05:43:01 | 000,208,034 | ---- | M] () -- C:\Users\Ramkishen\Desktop\MTS.mht
[2012/07/21 04:07:46 | 517,780,083 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/07/19 04:56:08 | 000,444,684 | ---- | M] () -- C:\Users\Ramkishen\Desktop\cm-9-20120718-EXPERIMENTAL-galaxysmtd-stk.zip
[2012/07/19 03:36:35 | 000,197,521 | ---- | M] () -- C:\Users\Ramkishen\Desktop\DAD july bill.png
[2012/07/18 07:34:42 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/15 00:01:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForRamkishen.job
[2012/07/11 03:38:34 | 000,027,751 | ---- | M] () -- C:\Users\Ramkishen\Desktop\com.sec.android.app.memo-20120710-220834.tar.gz
[2012/07/11 03:33:56 | 000,950,058 | ---- | M] () -- C:\Users\Ramkishen\Desktop\FULL - DarkyROM v11.0 Black Edition [Android 4.0.4 ICS] _ DarkyROM.mht
[2012/07/11 02:21:37 | 000,719,839 | ---- | M] () -- C:\Users\Ramkishen\Desktop\IndianOfficer - [Toppers Interview] Arvind Menon (AIR 201_CSE 2011).mht
[2012/07/11 02:05:45 | 000,280,656 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/07/05 05:33:11 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Ramkishen\Desktop\mbam-setup-1.61.0.1400.exe
[2012/07/04 02:54:10 | 000,060,066 | ---- | M] () -- C:\Users\Ramkishen\Desktop\lol.xps
[2012/07/04 00:13:33 | 000,749,793 | ---- | M] () -- C:\Users\Ramkishen\Desktop\Mrunal.mht
[2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/02 21:02:48 | 000,048,543 | ---- | M] () -- C:\Users\Ramkishen\Desktop\pirate-1341262968465.jpeg
[2012/07/02 02:28:28 | 000,029,568 | ---- | M] () -- C:\Users\Ramkishen\Desktop\586643.zip
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/22 03:50:05 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/07/22 03:50:05 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/07/22 03:50:05 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/07/22 03:50:05 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/07/22 03:50:05 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/07/22 03:00:08 | 000,050,924 | ---- | C] () -- C:\Users\Ramkishen\Desktop\Untitled1.png
[2012/07/22 01:12:44 | 000,110,872 | ---- | C] () -- C:\Users\Ramkishen\Desktop\Untitled.png
[2012/07/22 00:56:32 | 000,667,872 | ---- | C] () -- C:\Users\Ramkishen\Desktop\UPDATED 5-step Viruses_Spyware_Malware Preliminary Removal Instructions - TechSpot Forums.mht
[2012/07/22 00:52:52 | 000,302,592 | ---- | C] () -- C:\Users\Ramkishen\Desktop\ufh3ih3c.exe
[2012/07/21 23:42:51 | 000,000,036 | ---- | C] () -- C:\Users\Ramkishen\AppData\Local\housecall.guid.cache
[2012/07/21 21:09:40 | 001,804,447 | ---- | C] () -- C:\Users\Ramkishen\Desktop\recovery-clockwork-2.5.1.2-galaxys.zip
[2012/07/21 19:50:01 | 001,596,930 | ---- | C] () -- C:\Users\Ramkishen\Desktop\xda-developers - View Single Post - [Firmwares]Official I9000_I9000M Firmwares collection [Latest_ XWJW8, DDJVB, XWJW7].mht
[2012/07/21 19:00:21 | 161,403,811 | ---- | C] () -- C:\Users\Ramkishen\Desktop\GT_I9000_ZSJW4_ZSJW1_OZSJW4_Sbl.7z
[2012/07/21 18:58:04 | 000,160,881 | ---- | C] () -- C:\Users\Ramkishen\Desktop\Odin v1.82_and_512.pit_513.pit_803.pit_files.7z
[2012/07/21 18:33:59 | 005,487,403 | ---- | C] () -- C:\Users\Ramkishen\Desktop\Odin3 v1.85.rar
[2012/07/21 18:05:35 | 000,193,404 | ---- | C] () -- C:\Users\Ramkishen\Desktop\mts.xps
[2012/07/21 18:00:15 | 000,001,940 | ---- | C] () -- C:\Users\Public\Desktop\Reliance 3G.lnk
[2012/07/21 05:43:01 | 000,208,034 | ---- | C] () -- C:\Users\Ramkishen\Desktop\MTS.mht
[2012/07/20 02:22:30 | 000,027,751 | ---- | C] () -- C:\Users\Ramkishen\Desktop\com.sec.android.app.memo-20120710-220834.tar.gz
[2012/07/19 04:55:49 | 000,444,684 | ---- | C] () -- C:\Users\Ramkishen\Desktop\cm-9-20120718-EXPERIMENTAL-galaxysmtd-stk.zip
[2012/07/19 04:11:23 | 000,048,543 | ---- | C] () -- C:\Users\Ramkishen\Desktop\pirate-1341262968465.jpeg
[2012/07/19 03:36:35 | 000,197,521 | ---- | C] () -- C:\Users\Ramkishen\Desktop\DAD july bill.png
[2012/07/11 03:33:55 | 000,950,058 | ---- | C] () -- C:\Users\Ramkishen\Desktop\FULL - DarkyROM v11.0 Black Edition [Android 4.0.4 ICS] _ DarkyROM.mht
[2012/07/11 02:21:37 | 000,719,839 | ---- | C] () -- C:\Users\Ramkishen\Desktop\IndianOfficer - [Toppers Interview] Arvind Menon (AIR 201_CSE 2011).mht
[2012/07/05 05:55:44 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/04 02:54:09 | 000,060,066 | ---- | C] () -- C:\Users\Ramkishen\Desktop\lol.xps
[2012/07/04 00:13:33 | 000,749,793 | ---- | C] () -- C:\Users\Ramkishen\Desktop\Mrunal.mht
[2012/07/02 02:28:28 | 000,029,568 | ---- | C] () -- C:\Users\Ramkishen\Desktop\586643.zip
[2012/05/26 04:03:00 | 000,000,041 | ---- | C] () -- C:\Users\Ramkishen\ziprecovery.ini
[2012/01/14 03:12:46 | 000,722,802 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/09/30 22:42:20 | 000,053,760 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011/08/09 08:30:02 | 000,216,000 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
[2011/08/09 08:23:26 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2011/08/09 07:58:38 | 013,903,872 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll
[2011/08/05 11:57:16 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/08/05 11:54:35 | 000,014,051 | ---- | C] () -- C:\Windows\SysWow64\RaCoInst.dat
[2011/08/05 11:50:56 | 000,003,155 | ---- | C] () -- C:\Windows\SysWow64\atipblup.dat
[2011/08/05 11:49:44 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
[2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/03/25 22:16:08 | 000,963,116 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
[2011/03/17 13:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/02/23 05:10:34 | 000,007,736 | ---- | C] () -- C:\Windows\hpDSTRES.DLL
[2010/12/17 07:56:22 | 000,066,856 | ---- | C] () -- C:\Windows\SysWow64\SynTPEnhPS.dll

========== LOP Check ==========

[2012/03/06 23:44:37 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\ZTEEVDO
[2012/03/06 23:44:37 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\ZTEEVDO
[2012/02/20 23:17:05 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\AnvSoft
[2012/06/02 22:47:04 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\Big Fish Games
[2012/03/01 09:11:41 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\DiskAid
[2012/03/01 21:13:48 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\ESET
[2012/01/01 23:40:37 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\Flood Light Games
[2012/02/07 03:31:38 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\funkitron
[2011/12/30 14:11:44 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\IDT
[2012/07/08 21:05:33 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\LifeSignMini
[2012/03/25 20:48:31 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\ooVoo Details
[2012/01/03 00:54:21 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\Opera
[2012/04/09 01:37:55 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\PlayFirst
[2012/07/09 01:56:16 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\SoftGrid Client
[2011/12/30 07:30:18 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\Synaptics
[2012/01/14 03:13:12 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\TP
[2012/07/16 00:13:16 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\uTorrent
[2012/01/22 01:50:32 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\VitySoft
[2012/01/07 20:19:33 | 000,000,000 | ---D | M] -- C:\Users\Ramkishen\AppData\Roaming\ZTEEVDO
[2012/06/30 21:05:12 | 000,032,608 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 150 bytes -> C:\ProgramData\Temp:70B9C530
@Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:661DFA1C

< End of report >
 
This is OTL Extras logfile
created on: 7/22/2012 5:09:45 AM - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Ramkishen\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: India | Language: ENN | Date Format: dd-MM-yyyy

3.95 Gb Total Physical Memory | 2.58 Gb Available Physical Memory | 65.29% Memory free
7.90 Gb Paging File | 6.37 Gb Available in Paging File | 80.70% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 582.17 Gb Total Space | 173.07 Gb Free Space | 29.73% Space Free | Partition Type: NTFS
Drive D: | 13.70 Gb Total Space | 1.53 Gb Free Space | 11.18% Space Free | Partition Type: NTFS

Computer Name: RAMKISHEN-HP | User Name: Ramkishen | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = Opera.HTML] -- C:\Program Files (x86)\Opera\Opera.exe (Opera Software)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = Opera.HTML] -- C:\Program Files (x86)\Opera\Opera.exe (Opera Software)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1" (Opera Software)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
"{BE6959BF-62D7-47E4-929B-776AA84FAE4F}" = lport=2987 | protocol=6 | dir=in | app=c:\program files (x86)\connectify\connectify.exe |
"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EF39053C-09D5-4891-8244-ADE79297FF54}" = protocol=17 | dir=in | app=c:\program files (x86)\pandora.tv\panservice\pandoraservice.exe |
"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{FDE5C216-8823-4301-85BC-AFB3037FF67F}" = protocol=6 | dir=in | app=c:\program files (x86)\pandora.tv\panservice\pandoraservice.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0128D231-B23B-409C-A531-39D8D8774BA1}" = HP 3D DriveGuard
"{054EF02F-95D8-48F4-9EEB-2F9CE3072ED8}" = AuthenTec TrueAPI
"{1876545F-47B1-80A7-2F98-D175DA98A392}" = ccc-utility64
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{26A24AE4-039D-4CA4-87B4-2F86416024FF}" = Java(TM) 6 Update 24 (64-bit)
"{2856A1C2-70C5-4EC3-AFF7-E5B51E5530A2}" = HP Client Services
"{3BF3599D-7F28-C60B-1C5D-82BFD4E5EF33}" = AMD Catalyst Install Manager
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{5586CBEA-C071-4616-B809-6E11815D2190}" = ESET Smart Security
"{5E11C972-1E76-45FE-8F92-14E0D1140B1B}" = iTunes
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{75104836-CAC7-444E-A39E-3F54151942F5}" = Apple Mobile Device Support
"{7C54D017-21BB-43AE-9746-33E78AF4A425}" = Validity WBF DDK
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{CC4D56B7-6F18-470B-8734-ABCD75BCF4F1}" = HP Auto
"{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"1DF1F719-D43A-46E8-950F-65A8D96C678A.MBT_is1" = Ralink Motorola BC8 Bluetooth 3.0+HS Adapter
"Connectify" = Connectify
"IPMSG for Win32" = IP Messenger for Win
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WinRAR archiver" = WinRAR 4.10 (64-bit)
"ZTEWireless-101_is1" = MBlaze UI

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{07AF6797-0CF6-FFBB-FDE3-CC51D3B5F342}" = Catalyst Control Center Graphics Previews Common
"{07FA4960-B038-49EB-891B-9F95930AA544}" = HP Customer Experience Enhancements
"{08523528-BA2F-43BB-87E3-252C081872B9}" = Catalyst Control Center - Branding
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{120F4744-38ED-FB1E-F313-A7A7E419A71E}" = CCC Help Chinese Traditional
"{135AAD7D-FB4A-800C-E7F2-58D02B936C38}" = Catalyst Control Center Localization All
"{178EA4CE-9622-76B4-308F-73FEC150DBB4}" = CCC Help Norwegian
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1AE85A98-397D-B62B-0D21-3F7DC93F4F3A}" = CCC Help Swedish
"{1C34B2AF-0D61-1784-8BC8-219F969BEFD6}" = PX Profile Update
"{1E03DB52-D5CB-4338-A338-E526DD4D4DB1}" = Bing Bar
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{210A03F5-B2ED-4947-B27E-516F50CBB292}" = HP Setup
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java(TM) 6 Update 30
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App" = Update Installer for WildTangent Games App
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{339F5A1B-8DB7-E4F8-0A07-EF35B60EBE53}" = CCC Help Portuguese
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Windows 7
"{3C5AB11A-2DDB-49E6-9FC0-CFD88A7DDFE4}" = HP Documentation
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{3F15E203-BC3E-3597-84CD-EDF99546C917}" = Google Talk Plugin
"{412308A1-73B4-A26B-57A8-BE827ADA9BF9}" = Catalyst Control Center Profiles Mobile
"{434D0FA0-1558-4D8E-AC3D-BD1000008200}" = DiRT 3
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A6937DA-DABE-31C9-C433-D67C640B7BED}" = CCC Help Italian
"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace
"{52594AFD-2797-356A-CC6F-57047524F1E1}" = CCC Help Japanese
"{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5C7F3D35-9018-A839-3B9C-E50B517B9458}" = CCC Help Hungarian
"{5CA75999-3DDE-7B58-3394-38A4E82D8466}" = Catalyst Control Center InstallProxy
"{60CD8628-DDD9-B498-A368-D01A4793CCFA}" = CCC Help Dutch
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6866ADAD-71F1-D306-B979-6371D8C4411A}" = CCC Help German
"{6F340107-F9AA-47C6-B54C-C3A19F11553F}" = Hewlett-Packard ACLM.NET v1.1.2.0
"{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}" = HP Support Assistant
"{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-hp" = WildTangent Games App (HP Games)
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76D0E682-0183-E295-FA4C-DA6763669CCA}" = CCC Help English
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{795AADBF-58C2-42D0-B779-E730702A247E}" = HP Connection Manager
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{872B1C80-38EC-4A31-A25C-980820593900}" = HP Power Manager
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DB85CDE-EC37-A333-05B1-23846D03F08D}" = CCC Help Russian
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8F6285DB-2536-7EDE-23D2-CA10E2D6399C}" = CCC Help French
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309B0}" = Ralink RT5390 802.11b/g/n WiFi Adapter
"{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B9B8EE4-2EDB-41C2-AF2E-63E75D37CDDF}" = HP On Screen Display
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{A9E5EDA7-2E6C-49E7-924B-A32B89C24A04}" = Reliance 3G
"{AA16FAFC-CCD3-899B-2860-A709BDE31CDC}" = CCC Help Korean
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-FFFF-7B44-AA0000000001}" = Adobe Reader X (10.1.1) MUI
"{AE856388-AFAD-4753-81DF-D96B19D0A17C}" = HP Setup Manager
"{B357B619-36C5-7C1E-063B-92677609CB14}" = CCC Help Danish
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BCFAA37D-A6DB-43BF-A351-43F183E52D07}" = HP SimplePass 2011
"{BD1A34C9-4764-4F79-AE1F-112F8C89D3D4}" = Energy Star Digital Logo
"{BDEB2CF5-C1C5-BCC8-DF29-1EE4CF389F9D}" = CCC Help Turkish
"{C1594429-8296-4652-BF54-9DBE4932A44C}" = Realtek PCIE Card Reader
"{C5D8263A-4D81-8979-91DE-B10120642FC5}" = Catalyst Control Center
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CDAC27E7-CCAB-44E2-BDEA-18A51ABEC743}_is1" = Astro-Vision LifeSign Mini version 1.0.5.0
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CEEE5B98-96F1-2F1E-0627-853C5F98DE41}" = CCC Help Finnish
"{CF48FF43-B417-637C-C804-0F285FD7ED05}" = CCC Help Spanish
"{CF6A05D4-E715-BCF4-9ED2-A3307E386D28}" = CCC Help Czech
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D2FCA41E-AC01-4DCD-B3A7-DC9E32363065}}_is1" = Rapture3D 2.4.8 Game
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DB2C5E6A-CFDD-D6FD-480E-692EBEC17BFC}" = CCC Help Greek
"{DBCD5E64-7379-4648-9444-8A6558DCB614}" = Recovery Manager
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E59E0B3D-F840-5910-DF8C-73CFA82613C2}" = CCC Help Polish
"{E635F3DC-E92B-6E68-A2E7-BF77298E8584}" = PX Profile Update
"{E77268D6-5E7F-6DE1-34AC-A1A276710C21}" = CCC Help Chinese Standard
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EB58480C-0721-483C-B354-9D35A147999F}" = HP Quick Launch
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.9
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Display Audio Driver
"{F2508213-9989-4E85-A078-72BE483917EF}" = Microsoft Games for Windows - LIVE Redistributable
"{F5C7356C-463C-75BC-E4E0-324E4516EB73}" = CCC Help Thai
"{F761359C-9CED-45AE-9A51-9D6605CD55C4}" = Evernote v. 4.2.2
"{F8070C51-4B1D-430C-8BCF-19696368366F}" = HP Software Framework
"{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}" = ooVoo
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"4F6D5E84-5826-4394-9F40-3A9A19165651_is1" = Pandora Service
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Any Video Converter Professional_is1" = Any Video Converter Professional 3.3.2
"Batman. Arkham City_is1" = Batman. Arkham City version 1.0
"DiskAid_is1" = DiskAid 5.09
"Fraps" = Fraps
"GFWL_{434D0FA0-1558-4D8E-AC3D-BD1000008200}" = DiRT 3
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"kmpmediatoolbar" = KMP Media Toolbar
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Mozilla Firefox 11.0 (x86 en-US)" = Mozilla Firefox 11.0 (x86 en-US)
"Office14.Click2Run" = Microsoft Office Click-to-Run 2010
"OpenAL" = OpenAL
"Opera 12.00.1467" = Opera 12.00
"PowerISO" = PowerISO
"SpeedFan" = SpeedFan (remove only)
"The KMPlayer" = The KMPlayer (remove only)
"uTorrent" = µTorrent
"VLC media player" = VLC media player 2.0.1
"WildTangent hp Master Uninstall" = HP Games
"WinLiveSuite" = Windows Live Essentials
"WT087328" = Blackhawk Striker 2
"WT087330" = Bounce Symphony
"WT087335" = Build-a-lot 2
"WT087343" = Dora's World Adventure
"WT087393" = Mah Jong Medley
"WT087394" = Penguins!
"WT087395" = Poker Superstars III
"WT087396" = Polar Bowler
"WT087397" = Polar Golfer
"WT087536" = Diner Dash 2 Restaurant Rescue
"WT089307" = Virtual Villagers 4 - The Tree of Life
"WT089308" = Blasterball 3
"WT089328" = Farm Frenzy
"WT089359" = Cake Mania
"WT089362" = Agatha Christie - Peril at End House
"WT089453" = Bejeweled 2 Deluxe
"WT089454" = Chuzzle Deluxe
"WT089455" = Zuma Deluxe
"WT089457" = Slingo Supreme
"WT089458" = Plants vs. Zombies - Game of the Year
"WT089470" = FATE - The Traitor Soul
"WT089484" = Namco All-Stars PAC-MAN
"WT089496" = Mystery P.I. - Stolen in San Francisco
"WT089498" = Bejeweled 3
"WT089504" = Final Drive Nitro

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/15/2012 8:15:36 PM | Computer Name = Ramkishen-HP | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1164017

Error - 7/16/2012 6:20:22 PM | Computer Name = Ramkishen-HP | Source = WinMgmt | ID = 10
Description =

Error - 7/16/2012 6:30:29 PM | Computer Name = Ramkishen-HP | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed: There are currently no active network connections. Background
Intelligent Transfer Service (BITS) will try again when an adapter is connected.


Error - 7/17/2012 2:54:18 PM | Computer Name = Ramkishen-HP | Source = WinMgmt | ID = 10
Description =

Error - 7/17/2012 3:04:23 PM | Computer Name = Ramkishen-HP | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed: There are currently no active network connections. Background
Intelligent Transfer Service (BITS) will try again when an adapter is connected.


Error - 7/18/2012 5:24:07 PM | Computer Name = Ramkishen-HP | Source = WinMgmt | ID = 10
Description =

Error - 7/18/2012 5:26:27 PM | Computer Name = Ramkishen-HP | Source = PandoraService.exe | ID = 0
Description =

Error - 7/18/2012 5:27:34 PM | Computer Name = Ramkishen-HP | Source = Application Hang | ID = 1002
Description = The program mbam.exe version 1.62.0.87 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 150c Start Time:
01cd652bc1d9e692 Termination Time: 7 Application Path: C:\Program Files (x86)\Malwarebytes'
Anti-Malware\mbam.exe Report Id: 62469365-d11f-11e1-a885-b6949572f597

Error - 7/18/2012 6:20:13 PM | Computer Name = Ramkishen-HP | Source = Application Hang | ID = 1002
Description = The program mbam.exe version 1.62.0.87 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 4dc Start Time:
01cd6533514a6c65 Termination Time: 8 Application Path: C:\Program Files (x86)\Malwarebytes'
Anti-Malware\mbam.exe Report Id: a8dae89c-d126-11e1-a885-b6949572f597

Error - 7/18/2012 6:32:13 PM | Computer Name = Ramkishen-HP | Source = CVHSVC | ID = 100
Description = Information only. Error: There are currently no active network connections.
Background Intelligent Transfer Service (BITS) will try again when an adapter is
connected. ErrorCode: 14007(0x36b7).

[ Hewlett-Packard Events ]
Error - 6/27/2012 3:30:49 PM | Computer Name = Ramkishen-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 6/27/2012 3:31:39 PM | Computer Name = Ramkishen-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 6/27/2012 3:32:29 PM | Computer Name = Ramkishen-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 6/27/2012 3:34:59 PM | Computer Name = Ramkishen-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 6/30/2012 11:45:53 AM | Computer Name = Ramkishen-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 7/3/2012 11:01:46 AM | Computer Name = Ramkishen-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 7/7/2012 10:57:54 AM | Computer Name = Ramkishen-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 7/10/2012 4:46:26 PM | Computer Name = Ramkishen-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 7/18/2012 5:34:45 PM | Computer Name = Ramkishen-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 7/19/2012 4:43:20 PM | Computer Name = Ramkishen-HP | Source = HPSF.exe | ID = 4000
Description =

[ HP Connection Manager Events ]
Error - 4/15/2012 10:07:42 AM | Computer Name = Ramkishen-HP | Source = hpCMSrv | ID = 5
Description = 2012/04/15 19:37:42.368|00001104|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 4/19/2012 8:23:30 PM | Computer Name = Ramkishen-HP | Source = hpMobile | ID = 5
Description = 2012-04-20 05:53:30.669|00001B88|Error |[HP.Mobile]NamedPipe::SendStringToServer{bool(string)}|Timeout
sending to server

Error - 4/21/2012 5:58:57 AM | Computer Name = Ramkishen-HP | Source = hpCMSrv | ID = 5
Description = 2012/04/21 15:28:57.338|00001200|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 4/21/2012 5:59:06 AM | Computer Name = Ramkishen-HP | Source = hpCMSrv | ID = 5
Description = 2012/04/21 15:29:06.495|00001200|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 4/21/2012 10:14:23 AM | Computer Name = Ramkishen-HP | Source = hpCMSrv | ID = 5
Description = 2012/04/21 19:44:23.784|00001B10|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 4/22/2012 8:49:11 AM | Computer Name = Ramkishen-HP | Source = hpMobile | ID = 5
Description = 2012-04-22 18:19:11.608|00001AE8|Error |[HP.Mobile]Wlan::a{void()}|The
data is invalid. (Exception from HRESULT: 0x8007000D)

Error - 4/22/2012 10:28:15 AM | Computer Name = Ramkishen-HP | Source = hpCMSrv | ID = 5
Description = 2012/04/22 19:58:15.236|000012E0|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 4/27/2012 6:18:24 AM | Computer Name = Ramkishen-HP | Source = hpCMSrv | ID = 5
Description = 2012/04/27 15:48:24.980|000003B8|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 4/27/2012 6:16:48 PM | Computer Name = Ramkishen-HP | Source = hpCMSrv | ID = 5
Description = 2012/04/28 03:46:48.264|00001528|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

Error - 4/27/2012 6:16:49 PM | Computer Name = Ramkishen-HP | Source = hpCMSrv | ID = 5
Description = 2012/04/28 03:46:49.451|00001528|Error |CWLAN::SignalStrengthChanged|Fire_SignalStrengthChanged
failed [hr:0x800706BA]

[ System Events ]
Error - 3/12/2012 8:28:29 AM | Computer Name = Ramkishen-HP | Source = Service Control Manager | ID = 7031
Description = The System Event Notification Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
120000 milliseconds: Restart the service.

Error - 3/12/2012 8:28:29 AM | Computer Name = Ramkishen-HP | Source = Service Control Manager | ID = 7031
Description = The Shell Hardware Detection service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 3/12/2012 8:28:29 AM | Computer Name = Ramkishen-HP | Source = Service Control Manager | ID = 7031
Description = The Themes service terminated unexpectedly. It has done this 1 time(s).
The following corrective action will be taken in 60000 milliseconds: Restart the
service.

Error - 3/12/2012 8:28:29 AM | Computer Name = Ramkishen-HP | Source = Service Control Manager | ID = 7031
Description = The Windows Management Instrumentation service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
120000 milliseconds: Restart the service.

Error - 3/12/2012 8:29:29 AM | Computer Name = Ramkishen-HP | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Server service, but this action
failed with the following error: %%1056

Error - 3/12/2012 8:30:29 AM | Computer Name = Ramkishen-HP | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Multimedia Class Scheduler
service, but this action failed with the following error: %%1056

Error - 3/12/2012 8:30:29 AM | Computer Name = Ramkishen-HP | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the IKE and AuthIP IPsec Keying
Modules service, but this action failed with the following error: %%1056

Error - 3/12/2012 8:30:29 AM | Computer Name = Ramkishen-HP | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the User Profile Service service,
but this action failed with the following error: %%1056

Error - 3/12/2012 8:30:29 AM | Computer Name = Ramkishen-HP | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 3/17/2012 4:52:13 PM | Computer Name = Ramkishen-HP | Source = Service Control Manager | ID = 7034
Description = The PandoraService service terminated unexpectedly. It has done this
1 time(s).


< End of report >
 
:)

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O3 - HKU\S-1-5-21-1930665232-349164325-645168838-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    [2012/07/22 02:01:09 | 000,000,000 | ---D | C] -- C:\FRST
    @Alternate Data Stream - 150 bytes -> C:\ProgramData\Temp:70B9C530
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:661DFA1C
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

======================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run F-Secure Online Scanner

  • Disable your Antivirus program.
  • Checkmark I have read and accepted the license terms.
  • Click on Run Check button.
  • Quick scan (recommended) option will come pre-checked. Don't change it.
  • Click on Start button.
  • When the scan is done, in Step 3: Clean the files, leave all settings as they are.
  • Click Next button.
  • Click Full report... button.
  • Copy report's content and paste it into your next reply.
 
As you guided, OTL
Under the Custom Scans/Fixes log
All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1930665232-349164325-645168838-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
C:\FRST\Quarantine\{15ed997a-015b-a3dd-c9ad-79cff7e943cd}\{15ed997a-015b-a3dd-c9ad-79cff7e943cd}\U folder moved successfully.
C:\FRST\Quarantine\{15ed997a-015b-a3dd-c9ad-79cff7e943cd}\{15ed997a-015b-a3dd-c9ad-79cff7e943cd}\L folder moved successfully.
C:\FRST\Quarantine\{15ed997a-015b-a3dd-c9ad-79cff7e943cd}\{15ed997a-015b-a3dd-c9ad-79cff7e943cd} folder moved successfully.
C:\FRST\Quarantine\{15ed997a-015b-a3dd-c9ad-79cff7e943cd}\U folder moved successfully.
C:\FRST\Quarantine\{15ed997a-015b-a3dd-c9ad-79cff7e943cd}\L folder moved successfully.
C:\FRST\Quarantine\{15ed997a-015b-a3dd-c9ad-79cff7e943cd} folder moved successfully.
C:\FRST\Quarantine folder moved successfully.
C:\FRST\Logs folder moved successfully.
C:\FRST\Hives folder moved successfully.
C:\FRST folder moved successfully.
ADS C:\ProgramData\Temp:70B9C530 deleted successfully.
ADS C:\ProgramData\Temp:661DFA1C deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Ramkishen
->Temp folder emptied: 26581288 bytes
->Temporary Internet Files folder emptied: 52300313 bytes
->Java cache emptied: 416131 bytes
->FireFox cache emptied: 64469488 bytes
->Opera cache emptied: 64504416 bytes
->Flash cache emptied: 60388 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7025 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 45684226 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 242.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: Ramkishen
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: Ramkishen
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.53.1 log created on 07222012_193126

Files\Folders moved on Reboot...
C:\Users\Ramkishen\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Ramkishen\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...

  • The Security Check log
  • Results of screen317's Security Check version 0.99.24
    Windows 7 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    [size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Spybot - Search & Destroy
    Java(TM) 6 Update 30
    Out of date Java installed!
    Adobe Flash Player 11.3.300.265
    Adobe Reader X (10.1.1)
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````
  • Farbar Service Scanner (FSS) log

Farbar Service Scanner Version: 19-07-2012
Ran by Ramkishen (administrator) on 22-07-2012 at 19:39:26
Running from "C:\Users\Ramkishen\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

  • F-Secure Online Scanner Report
Scanning Report

Sunday, July 22, 2012 20:32:19 - 20:34:59

Computer name: RAMKISHEN-HP
Scanning type: Quick scan
Target: System

No malware found

Statistics
Scanned:

Files: 6457

System: 6457

Not scanned: 0
Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Options
Scanning engines:

 
:)

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

===========================================

We have one corrupted registry key affecting Windows updates.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Double click on bits.reg file and confirm the prompt.
Restart computer.
Post new FSS log.
 
Here is the FSS log after installing the latest Java and using bits.reg

Farbar Service Scanner Version: 19-07-2012
Ran by Ramkishen (administrator) on 22-07-2012 at 22:25:50
Running from "C:\Users\Ramkishen\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
 
Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs left over on your computer, you can go ahead and delete them now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing or updating ANY program, make sure you always select the "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
Hey, sorry Broni, I deleted the final OTL log by mistake while manually deleting the remaining software that was left over after the OTL cleanup and reboot :( ....
but thanks a million Broni :):) for solving the problem, and my computer is doing perfectly with your help.... Thanks again :D:D:D
 