Solved Sirefef infection on laptop

IanMcK · Jun 16, 2012

Part 2 of OTL.txt:

========== Files/Folders - Created Within 30 Days ==========

[2012/06/17 00:39:51 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\R830-10C\Desktop\OTL.exe
[2012/06/17 00:37:57 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/06/16 18:52:40 | 000,000,000 | ---D | C] -- C:\windows\temp
[2012/06/16 18:35:17 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Local\VirtualStore
[2012/06/14 10:07:27 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\R830-10C\Desktop\dds.scr
[2012/06/13 13:07:24 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2012/06/13 13:07:24 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2012/06/13 13:07:24 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2012/06/13 13:07:18 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2012/06/13 13:05:37 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/06/13 13:02:27 | 004,559,503 | R--- | C] (Swearware) -- C:\Users\R830-10C\Desktop\ComboFix.exe
[2012/06/13 10:35:47 | 000,000,000 | R--D | C] -- C:\Users\R830-10C\Documents\Scanned Documents
[2012/06/13 10:35:46 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\Documents\Fax
[2012/06/12 22:34:41 | 000,000,000 | ---D | C] -- C:\FRST
[2012/06/12 17:07:04 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Roaming\Malwarebytes
[2012/06/12 17:05:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/12 17:05:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/06/12 17:05:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/06/12 12:22:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/06/12 00:18:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/06/12 00:18:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/06/07 20:04:56 | 000,000,000 | -HSD | C] -- C:\windows\SysNative\%APPDATA%
[2012/06/03 12:09:53 | 000,000,000 | R--D | C] -- C:\Users\R830-10C\Dropbox
[2012/06/03 12:07:58 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2012/06/03 12:06:36 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Roaming\Dropbox
[2012/05/30 13:06:49 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Local\Apple Computer
[2012/05/30 09:44:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WMP Tag Plus
[2012/05/30 05:29:23 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Roaming\Apple Computer
[2012/05/29 23:00:18 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\Documents\order_receipt_cd_final.php_files
[2012/05/29 16:50:48 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\Documents\Downloaded Radio
[2012/05/29 16:49:22 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Local\www.nerdoftheherd.com
[2012/05/29 16:49:19 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Roaming\www.nerdoftheherd.com
[2012/05/29 16:23:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FLV_Extract_v1.6.2
[2012/05/29 15:21:59 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Roaming\FLV Extract
[2012/05/29 14:59:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012/05/29 14:59:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime
[2012/05/29 14:59:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2012/05/29 14:58:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Apple
[2012/05/29 14:58:34 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Local\Apple
[2012/05/29 14:58:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Apple Software Update
[2012/05/29 14:58:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
[2012/05/29 14:36:57 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\Documents\Topsevenreviews
[2012/05/29 14:36:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Topsevenreviews
[2012/05/29 14:36:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Topsevenreviews
[2012/05/29 14:00:33 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Local\Applian
[2012/05/29 13:36:17 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\Documents\My Streaming Media
[2012/05/29 13:36:14 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Local\Jaksta_Technologies_Pty_L
[2012/05/29 13:35:08 | 000,033,888 | ---- | C] (Applian Technologies Inc.) -- C:\windows\SysNative\drivers\appliand.sys
[2012/05/29 13:35:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Applian Technologies
[2012/05/29 13:34:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Applian Technologies
[2012/05/29 13:34:44 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Roaming\Replay Media Catcher 4
[2012/05/29 13:34:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Applian
[2012/05/24 15:21:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\uTorrent
[2012/05/24 15:19:49 | 000,000,000 | ---D | C] -- C:\Users\R830-10C\AppData\Roaming\uTorrent
[2012/05/21 06:11:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2012/05/21 06:10:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2012/05/21 06:10:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/17 00:45:19 | 000,025,120 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/17 00:45:19 | 000,025,120 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/17 00:39:55 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\R830-10C\Desktop\OTL.exe
[2012/06/17 00:37:45 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/06/17 00:37:40 | 2071,531,519 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/17 00:35:00 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2012/06/17 00:17:48 | 000,730,554 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2012/06/17 00:17:48 | 000,631,004 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2012/06/17 00:17:48 | 000,111,798 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2012/06/16 18:47:52 | 000,000,027 | ---- | M] () -- C:\windows\SysNative\drivers\etc\hosts
[2012/06/16 18:37:38 | 004,559,503 | R--- | M] (Swearware) -- C:\Users\R830-10C\Desktop\ComboFix.exe
[2012/06/13 06:43:40 | 000,002,050 | ---- | M] () -- C:\Users\R830-10C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
[2012/06/12 17:01:44 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\R830-10C\Desktop\dds.scr
[2012/06/12 00:19:06 | 000,001,945 | ---- | M] () -- C:\windows\epplauncher.mif
[2012/06/12 00:18:45 | 000,736,096 | ---- | M] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2012/06/12 00:14:38 | 000,067,584 | --S- | M] () -- C:\windows\bootstat(23).dat
[2012/06/11 16:38:05 | 000,000,134 | ---- | M] () -- C:\Users\R830-10C\Desktop\Microsoft Fix it.url
[2012/06/07 20:14:02 | 000,001,316 | ---- | M] () -- C:\Users\Public\Desktop\Replay Media Catcher 4.lnk
[2012/06/03 12:09:53 | 000,001,059 | ---- | M] () -- C:\Users\R830-10C\Desktop\Dropbox.lnk
[2012/05/29 23:00:19 | 000,007,145 | ---- | M] () -- C:\Users\R830-10C\Documents\order_receipt_cd_final.php.htm
[2012/05/29 16:24:01 | 000,001,487 | ---- | M] () -- C:\Users\R830-10C\Desktop\FLVExtract.lnk
[2012/05/29 14:59:27 | 000,001,856 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/05/29 14:36:55 | 000,001,430 | ---- | M] () -- C:\Users\R830-10C\Desktop\Free FLV to Audio Converter.lnk
[2012/05/24 15:21:07 | 000,000,982 | ---- | M] () -- C:\Users\R830-10C\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2012/05/24 15:21:07 | 000,000,958 | ---- | M] () -- C:\Users\Public\Desktop\µTorrent.lnk
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/13 13:07:24 | 000,256,000 | ---- | C] () -- C:\windows\PEV.exe
[2012/06/13 13:07:24 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe
[2012/06/13 13:07:24 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2012/06/13 13:07:24 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2012/06/13 13:07:24 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2012/06/12 00:18:47 | 000,001,926 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/06/11 16:38:05 | 000,000,134 | ---- | C] () -- C:\Users\R830-10C\Desktop\Microsoft Fix it.url
[2012/06/03 12:09:53 | 000,001,059 | ---- | C] () -- C:\Users\R830-10C\Desktop\Dropbox.lnk
[2012/05/29 23:00:18 | 000,007,145 | ---- | C] () -- C:\Users\R830-10C\Documents\order_receipt_cd_final.php.htm
[2012/05/29 16:24:01 | 000,001,487 | ---- | C] () -- C:\Users\R830-10C\Desktop\FLVExtract.lnk
[2012/05/29 14:59:27 | 000,001,856 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/05/29 14:58:33 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2012/05/29 14:36:55 | 000,001,430 | ---- | C] () -- C:\Users\R830-10C\Desktop\Free FLV to Audio Converter.lnk
[2012/05/29 13:35:06 | 000,001,316 | ---- | C] () -- C:\Users\Public\Desktop\Replay Media Catcher 4.lnk
[2012/05/24 15:21:07 | 000,000,982 | ---- | C] () -- C:\Users\R830-10C\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2012/05/24 15:21:07 | 000,000,958 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2012/03/12 13:19:05 | 000,010,240 | ---- | C] () -- C:\windows\SysWow64\drivers\mdvrmng.sys
[2012/03/10 01:40:54 | 000,819,200 | ---- | C] () -- C:\windows\SysWow64\xvidcore.dll
[2012/03/10 01:40:54 | 000,180,224 | ---- | C] () -- C:\windows\SysWow64\xvidvfw.dll
[2012/03/10 01:09:42 | 000,003,417 | ---- | C] () -- C:\windows\SysWow64\SpoonUninstall-dBpoweramp Shorten Codec.dat
[2012/03/10 01:09:08 | 000,003,297 | ---- | C] () -- C:\windows\SysWow64\SpoonUninstall-dBpoweramp m4a Codec.dat
[2012/03/10 01:08:30 | 000,003,018 | ---- | C] () -- C:\windows\SysWow64\SpoonUninstall-dBpoweramp WavPack Codec.dat
[2012/03/10 01:07:55 | 000,003,149 | ---- | C] () -- C:\windows\SysWow64\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
[2012/03/10 01:07:22 | 000,017,755 | ---- | C] () -- C:\windows\SysWow64\SpoonUninstall-dBpoweramp Music Converter.dat
[2012/03/10 01:07:21 | 000,653,176 | ---- | C] () -- C:\windows\SysWow64\SpoonUninstall.exe
[2012/03/10 00:35:59 | 000,736,096 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2011/07/15 21:01:00 | 000,000,000 | ---- | C] () -- C:\windows\NDSTray.INI
[2011/04/05 04:07:00 | 000,145,804 | ---- | C] () -- C:\windows\SysWow64\igcompkrng600.bin
[2011/04/05 04:06:58 | 000,963,116 | ---- | C] () -- C:\windows\SysWow64\igkrng600.bin
[2011/04/05 04:06:58 | 000,216,876 | ---- | C] () -- C:\windows\SysWow64\igfcg600m.bin
[2011/02/04 03:56:58 | 000,066,856 | ---- | C] () -- C:\windows\SysWow64\SynTPEnhPS.dll

========== LOP Check ==========

[2012/03/12 13:19:38 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\Birdstep Technology
[2012/03/13 14:23:27 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\dBpoweramp
[2012/06/14 06:26:37 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\Dropbox
[2012/05/29 15:22:05 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\FLV Extract
[2012/06/13 13:12:10 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\Free Download Manager
[2012/05/16 16:36:52 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\Leadertech
[2012/06/09 14:53:14 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\Mp3tag
[2012/05/29 13:36:17 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\Replay Media Catcher 4
[2012/06/16 08:34:47 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\SoftGrid Client
[2012/04/05 12:28:31 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\Toshiba
[2012/03/11 20:07:27 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\TOSHIBA Online Product Information
[2012/03/10 11:41:12 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\TP
[2012/06/11 15:28:59 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\uTorrent
[2011/10/06 17:07:10 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\WinBatch
[2012/05/29 16:49:19 | 000,000,000 | ---D | M] -- C:\Users\R830-10C\AppData\Roaming\www.nerdoftheherd.com
[2012/05/30 09:59:41 | 000,024,018 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2010/11/21 04:23:51 | 000,383,786 | RHS- | M] () -- C:\bootmgr
[2011/05/09 09:19:03 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2012/06/16 18:52:39 | 000,030,169 | ---- | M] () -- C:\ComboFix.txt
[2012/03/12 13:19:23 | 000,005,054 | ---- | M] () -- C:\debug.txt
[2012/06/17 00:37:40 | 2071,531,519 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/17 00:37:44 | 4193,701,887 | -HS- | M] () -- C:\pagefile.sys
[2008/07/08 23:52:19 | 000,022,528 | ---- | M] () -- C:\Wedding Order Of Service.doc

< %systemroot%\Fonts\*.com >
[2009/07/14 06:32:31 | 000,026,040 | ---- | M] () -- C:\windows\Fonts\GlobalMonospace.CompositeFont
[2009/07/14 06:32:31 | 000,026,489 | ---- | M] () -- C:\windows\Fonts\GlobalSansSerif.CompositeFont
[2009/07/14 06:32:31 | 000,029,779 | ---- | M] () -- C:\windows\Fonts\GlobalSerif.CompositeFont
[2009/07/14 06:32:31 | 000,043,318 | ---- | M] () -- C:\windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/06/10 21:49:50 | 000,000,065 | ---- | M] () -- C:\windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2010/11/10 01:28:46 | 000,301,936 | ---- | M] (Microsoft Corporation) -- C:\windows\WLXPGSS.SCR
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2009/07/14 05:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2012/03/09 17:57:57 | 000,000,221 | -HS- | M] () -- C:\Users\R830-10C\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2012/06/16 18:37:38 | 004,559,503 | R--- | M] (Swearware) -- C:\Users\R830-10C\Desktop\ComboFix.exe
[2012/06/17 00:39:55 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\R830-10C\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\tasks\*.* >
[2012/06/17 00:35:00 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2012/06/17 00:37:51 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2012/05/30 09:59:41 | 000,024,018 | ---- | M] () -- C:\windows\tasks\SCHEDLGU.TXT

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >
[2011/12/11 20:16:30 | 000,000,922 | ---- | M] () -- C:\windows\AppPatch\Custom\{00a8ce68-cb2e-4652-aecd-c05c0d9d53a7}.sdb
[2008/12/12 10:40:24 | 000,001,036 | R--- | M] () -- C:\windows\AppPatch\Custom\{22950922-8438-4c84-80d5-a17e6c2a5717}.sdb

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2009/06/10 22:20:04 | 000,000,802 | ---- | M] () -- C:\windows\ADDINS\FXSEXT.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2011/07/15 20:38:59 | 000,008,192 | ---- | M] () -- C:\windows\SECURITY\Database\edb.chk
[2011/07/15 20:38:59 | 001,048,576 | ---- | M] () -- C:\windows\SECURITY\Database\edb.log
[2011/07/15 20:24:28 | 001,048,576 | ---- | M] () -- C:\windows\SECURITY\Database\edbres00001.jrs
[2011/07/15 20:24:28 | 001,048,576 | ---- | M] () -- C:\windows\SECURITY\Database\edbres00002.jrs
[2011/07/15 20:38:59 | 001,056,768 | ---- | M] () -- C:\windows\SECURITY\Database\tmp.edb

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2012/03/10 04:59:41 | 000,000,402 | -HS- | M] () -- C:\Users\R830-10C\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /I " " /c >

< dir /b "%systemroot%\*.exe" | find /I " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\LastSuccessTime /rs >

========== Alternate Data Streams ==========

@Alternate Data Stream - 181 bytes -> C:\ProgramData\TEMP:3B71D0B4

< End of report >

IanMcK · Jun 16, 2012

Extras.txt:

OTL Extras logfile created on: 6/17/2012 12:43:21 AM - Run 1
OTL by OldTimer - Version 3.2.49.0 Folder = C:\Users\R830-10C\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

7.91 Gb Total Physical Memory | 6.47 Gb Available Physical Memory | 81.85% Memory free
15.81 Gb Paging File | 14.18 Gb Available in Paging File | 89.66% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 282.45 Gb Total Space | 240.59 Gb Free Space | 85.18% Space Free | Partition Type: NTFS

Computer Name: R830-10C-TOSH | User Name: R830-10C | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-4274466072-2097155775-4171246916-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [tralih] -- "C:\Program Files (x86)\Trader's Little Helper\tralih.exe" /0 "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [tralih] -- "C:\Program Files (x86)\Trader's Little Helper\tralih.exe" /0 "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"TCP Query User{F5C85EBB-B664-4DD3-87CB-1CB14758DE9A}C:\users\r830-10c\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\r830-10c\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{D1A881A9-78B2-4CBF-B2ED-28E7650BC077}C:\users\r830-10c\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\r830-10c\appdata\roaming\dropbox\bin\dropbox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00a8ce68-cb2e-4652-aecd-c05c0d9d53a7}.sdb" = Windows Media Player 64-bit Plug-in Fix
"{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"{1685AE50-97ED-485B-80F6-145071EE14B0}" = Windows Live Remote Service Resources
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{22950922-8438-4c84-80d5-a17e6c2a5717}.sdb" = Adobe Audition 3 Vista Compatibility
"{24811C12-F4A9-4D0F-8494-A7B8FE46123C}" = TOSHIBA ReelTime
"{2C1A6191-9804-4FDC-AB01-6F9183C91A13}" = Windows Live Remote Client Resources
"{43DBC64B-3DD1-47E2-8788-D3C3B110C574}" = TOSHIBA Bulletin Board
"{4C2E49C0-9276-4324-841D-774CCCE5DB48}" = Windows Live Remote Client Resources
"{57F2BD1C-14A3-4785-8E48-2075B96EB2DF}" = Windows Live Remote Service Resources
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{65486209-5C54-439C-8383-8AC9BBE25932}" = Atheros Bluetooth Filter Driver Package
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{6FF9A012-0254-41E9-81E2-F538C4B53611}" = TOSHIBA eco Utility
"{7AEC844D-448A-455E-A34E-E1032196BBCD}" = Windows Live Remote Service Resources
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{850B8072-2EA7-4EDC-B930-7FE569495E76}" = Windows Live Remote Client Resources
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
"{94A90C69-71C1-470A-88F5-AA47ECC96B40}" = TOSHIBA HDD Protection
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client
"{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}" = TOSHIBA PC Health Monitor
"{A060182D-CDBE-4AD6-B9B4-860B435D6CBD}" = Windows Live Remote Client Resources
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
"{F6CB2C5F-B2C1-4DF1-BF44-39D0DC06FE6F}" = Windows Live Remote Service Resources
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"PROSet" = Intel(R) Network Connections Drivers
"Recuva" = Recuva
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00884F14-05BD-4D8E-90E5-1ABF78948CA4}" = Windows Live Mesh
"{0125DB4D-98A0-4DBF-B68A-23BF08FFA6A3}" = Windows Live Messenger
"{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"{08C8666B-C502-4AB3-B4CB-D74AC42D14FE}" = Nero BackItUp 10 Help (CHM)
"{09B7C7EB-3140-4B5E-842F-9C79A7137139}" = Windows Live Mesh ActiveX-kontroll for eksterne tilkoblinger
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0C975FCC-A06E-4CB6-8F54-A9B52CF37781}" = Windows Liven sähköposti
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0FF68F26-416C-4954-ACA5-6AD5F9DE99C1}" = Nero Multimedia Suite 10 Essentials
"{10186F1A-6A14-43DF-A404-F0105D09BB07}" = Windows Live Mail
"{110668B7-54C6-47C9-BAC4-1CE77F156AF5}" = Windows Live Mesh
"{11417707-1F72-4279-95A3-01E0B898BBF5}" = Windows Live Mesh
"{133D9D67-D475-4407-AC3C-D558087B2453}" = Windows Live Movie Maker
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1A72337E-D126-4BAF-AC89-E6122DB71866}" = Windows Liven valokuvavalikoima
"{1E03DB52-D5CB-4338-A338-E526DD4D4DB1}" = Bing Bar
"{1E63ACB5-D45E-4856-8FC9-78F4B0D7BB80}" = TOSHIBA Security Assist
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}" = Nero MediaHub 10
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{220C7F8C-929D-4F71-9DC7-F7A6823B38E4}" = Windows Live UX Platform Language Pack
"{2290A680-4083-410A-ADCC-7092C67FC052}" = TOSHIBA Online Product Information
"{237CCB62-8454-43E3-B158-3ACD0134852E}" = High-Definition Video Playback
"{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10
"{24DF33E0-F924-4D0D-9B96-11F28F0D602D}" = Windows Live UX Platform Language Pack
"{25CD4B12-8CC5-433E-B723-C9CB41FA8C5A}" = Windows Live Writer
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{28B9D2D8-4304-483F-AD71-51890A063A74}" = Windows Live Photo Common
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2C303EE0-A595-3543-A71A-931C7AC40EDE}" = Microsoft Primary Interoperability Assemblies 2005
"{2E50E321-4747-4EB5-9ECB-BBC6C3AC0F31}" = Windows Live Writer Resources
"{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App" = Update Installer for WildTangent Games App
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{33643918-7957-4839-92C7-EA96CB621A98}" = Nero Express 10 Help (CHM)
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{376D59B1-42D9-4FA2-B6CC-E346B6BE14F5}" = ActiveX-kontroll för fjärranslutningar för Windows Live Mesh
"{38C52F7D-A6CB-4CE7-A189-8AABE8774D8A}" = TOSHIBA ConfigFree
"{39BDD209-5704-480C-9F4A-B69D0370DDBB}" = Windows Live Messenger
"{39F95B0B-A0B7-4FA7-BB6C-197DA2546468}" = Windows Live Mesh
"{3C349576-B3B4-6708-F73C-DC2932065357}" = BBC iPlayer Desktop
"{3D047C6C-19EE-46E3-C14B-9FA84260DF9B}" = Photo Service - powered by myphotobook
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{429DF1A0-3610-4E9E-8ACE-3C8AC1BA8FCA}" = Windows Live Photo Gallery
"{461F6F0D-7173-4902-9604-AB1A29108AF2}" = TOSHIBA Places Icon Utility
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A04DB63-8F81-4EF4-9D09-61A2057EF419}" = Windows Live Essentials
"{4CF6F287-5121-483C-A5A2-07BDE19D8B4E}" = Windows Live Meshin etäyhteyksien ActiveX-komponentti
"{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM)
"{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}" = Adobe Audition 3.0
"{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"{555868C6-49FB-484F-BB43-8980651A1B00}" = Nero BurnRights 10 Help (CHM)
"{57220148-3B2B-412A-A2E0-82B9DF423696}" = Windows Live Mesh ActiveX-objekt til fjernforbindelser
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5BA99779-6E12-49EF-BE49-F35B1EDB4DF9}" = TOSHIBA Wireless LAN Indicator
"{5C2F5C1B-9732-4F81-8FBF-6711627DC508}" = Windows Live Fotogalleri
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{654F7484-88C5-46DC-AB32-C66BCB0E2102}" = TOSHIBA Sleep Utility
"{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update
"{66049135-9659-4AAD-9169-9CCA269EBB3E}" = Nero InfoTool 10 Help (CHM)
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{68AB6930-5BFF-4FF6-923B-516A91984FE6}" = Nero BackItUp 10
"{69CAC24D-B1DC-4B97-A1BE-FE21843108FE}" = Windows Live Writer Resources
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA VIDEO PLAYER
"{6CB76C9D-80C2-4CB3-A4CD-D96B239E3F94}" = TOSHIBA Resolution+ Plug-in for Windows Media Player
"{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10
"{6EF2BE2C-3121-48B7-B7A6-C56046B3A588}" = Windows Live Movie Maker
"{6F3C8901-EBD3-470D-87F8-AC210F6E5E02}" = TOSHIBA Web Camera Application
"{70550193-1C22-445C-8FA4-564E155DB1A7}" = Nero Express 10
"{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-toshiba" = WildTangent Games App (Toshiba Games)
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{734104DE-C2BF-412F-BB97-FCCE1EC94229}" = Windows Live Writer Resources
"{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TOSHIBA Recovery Media Creator Reminder
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7ADFA72D-2A9F-4DEC-80A5-2FAA27E23F0F}" = Windows Live Photo Common
"{7F6021AE-E688-4D03-843A-C2260482BA0D}" = Windows Live Messenger
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{80C3019B-3BA4-4674-AC90-A0B402593BA5}_is1" = WMP Tag Plus version 2.0
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8
"{827D3E4A-0186-48B7-9801-7D1E9DD40C07}" = Windows Live Essentials
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{885F1BCD-C344-4758-85BD-09640CF449A5}" = Windows Live Photo Gallery
"{8909CFA8-97BF-4077-AC0F-6925243FFE08}" = Windows Liven asennustyökalu
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8CF5D47D-27B7-49D6-A14F-10550B92749D}" = Windows Live UX Platform Language Pack
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
"{90FF4432-21B7-4AF6-BA6E-FB8C1FED9173}" = Toshiba Manuals
"{924B4D82-1B97-48EB-8F1E-55C4353C22DB}" = Windows Live Mail
"{92E25238-61A3-4ACD-A407-3C480EEF47A7}" = Nero RescueAgent 10 Help (CHM)
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{943CFD7D-5336-47AF-9418-E02473A5A517}" = Nero BurnRights 10
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A74F16FA-1D5B-405B-8D8D-1BC6F9DAED8B}" = Amazon.co.uk
"{A899DA1F-D626-401C-8651-F2921E3B4CB3}" = 3Connect
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AC76BA86-7AD7-FFFF-7B44-AA0000000001}" = Adobe Reader X (10.1.3) MUI
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator
"{C2A276E3-154E-44DC-AAF1-FFDD7FD30E35}" = TOSHIBA Assist
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C7A4F26F-F9B0-41B2-8659-99181108CDE3}" = TOSHIBA Media Controller
"{CCF62642-ECB1-4D2B-80C0-3FD3286AEAED}" = TOSHIBA Sync Utility
"{CD442136-9115-4236-9C14-278F6A9DCB3F}" = Windows Live Movie Maker
"{CD7CB1E6-267A-408F-877D-B532AD2C882E}" = Windows Live Photo Common
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}" = Adobe Audition 3.0.1 Patch
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CF671BFE-6BA3-44E7-98C1-500D9C51D947}" = Windows Live Photo Gallery
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D1725D54-279A-41C5-A73D-23C1785DB920}_is1" = AoA DVD Ripper
"{D31169F2-CD71-4337-B783-3E53F29F4CAD}" = Windows Live Mail
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DA29F644-2420-4448-8128-1331BE588999}" = Windows Live Writer
"{DB1208F4-B2FE-44E9-BFE6-8824DBD7891B}" = Windows Live Movie Maker
"{DCAB6BA7-6533-44BF-9235-E5BF33B7431C}" = Windows Live Writer
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E337E787-CF61-4B7B-B84F-509202A54023}" = Nero RescueAgent 10
"{E5DD4723-FE0B-436E-A815-DC23CF902A0B}" = Windows Live UX Platform Language Pack
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{E8524B28-3BBB-4763-AC83-0E83FE31C350}" = Windows Live Writer
"{E9D98402-21AB-4E9F-BF6B-47AF36EF7E97}" = Windows Live Writer Resources
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial
"{F082CB11-4794-4259-99A1-D91BA762AD15}" = TOSHIBA TEMPRO
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
"{F0F9505B-3ACF-4158-9311-D0285136AA00}" = Windows Live Essentials
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F26FDF57-483E-42C8-A9C9-EEE1EDB256E0}" = TOSHIBA Media Controller Plug-in
"{F412B4AF-388C-4FF5-9B2F-33DB1C536953}" = Nero InfoTool 10
"{F467862A-D9CA-47ED-8D81-B4B3C9399272}" = Nero MediaHub 10 Help (CHM)
"{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic
"{F6117F9C-ADB5-4590-9BE4-12C7BEC28702}" = Nero StartSmart 10 Help (CHM)
"{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}" = Nero StartSmart 10
"{F694D1F7-1F12-4550-9B7A-C871273ABAD5}" = Windows Live Messenger
"{FDE58148-57E7-43BF-879A-29CCE818C078}" = eBay
"{FE041B02-234C-4AAA-9511-80DF6482A458}" = RICOH Media Driver v2.13.17.01
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe AIR" = Adobe AIR
"Adobe Audition 3.0" = Adobe Audition 3.0
"Advanced X Video Converter_is1" = Advanced X Video Converter
"BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1" = BBC iPlayer Desktop
"CD Wave Editor_is1" = CD Wave Editor 1.98
"dBpoweramp m4a Codec" = dBpoweramp m4a Codec
"dBpoweramp Monkeys Audio Codec" = dBpoweramp Monkeys Audio Codec
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"dBpoweramp Shorten Codec" = dBpoweramp Shorten Codec
"dBpoweramp WavPack Codec" = dBpoweramp WavPack Codec
"ESET Online Scanner" = ESET Online Scanner v3
"eu.myphotobook.001F9DF2D0BAABEB11F42CCEE43224607B61109C.1" = Photo Service - powered by myphotobook
"Free Download Manager_is1" = Free Download Manager 3.8
"Free FLV to Audio Converter_is1" = Free FLV to Audio Converter
"InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"InstallShield_{24811C12-F4A9-4D0F-8494-A7B8FE46123C}" = TOSHIBA ReelTime
"InstallShield_{43DBC64B-3DD1-47E2-8788-D3C3B110C574}" = TOSHIBA Bulletin Board
"InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"InstallShield_{6F3C8901-EBD3-470D-87F8-AC210F6E5E02}" = TOSHIBA Web Camera Application
"InstallShield_{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TOSHIBA Recovery Media Creator Reminder
"InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
"Mozilla Firefox 13.0 (x86 en-GB)" = Mozilla Firefox 13.0 (x86 en-GB)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Mp3tag" = Mp3tag v2.49b
"Office14.Click2Run" = Microsoft Office Click-to-Run 2010
"Replay Media Catcher 4" = Replay Media Catcher 4 (4.4.3)
"TradersLittleHelper_is1" = Trader's Little Helper 2.7.0
"uTorrent" = µTorrent
"WildTangent toshiba Master Uninstall" = WildTangent Games
"WinLiveSuite" = Windows Live Essentials
"WTA-2058196c-98f6-47e8-8e49-7b9db79b4382" = Bejeweled 2 Deluxe
"WTA-25e652e7-ce4b-45b9-afb6-937ec7d4a770" = Penguins!
"WTA-36d4befc-f503-44de-bea3-1d827d955008" = Slingo Deluxe
"WTA-5e2223f0-8e11-4484-a0fb-d9e741aa2376" = FATE
"WTA-6809f5ba-7ad8-4258-9dca-c5b0be41d2fa" = Zuma Deluxe
"WTA-76c624b9-ecac-4676-b703-016afdc31fb0" = Polar Bowler
"WTA-7989028d-3591-4ad5-94fa-3e5ed00591ee" = Plants vs. Zombies - Game of the Year
"WTA-7c0e9af9-d86c-4af4-bc20-2e03fdfbc451" = Final Drive: Nitro
"WTA-93b69783-0a69-4dcf-af37-99ccfe3404c3" = Insaniquarium Deluxe
"WTA-a4780e93-64bb-4cfb-bd1a-2f8db42c3a85" = Wedding Dash 2 - Rings Around the World
"WTA-adea9a12-a7d7-4e42-95cc-dd64328f08ff" = Chicken Invaders 3 - Revenge of the Yolk
"WTA-b139436b-f88a-473a-98bf-2668fc5ba606" = Bejeweled 3
"WTA-d253692e-1bc0-49fe-93b8-c5ed5728f6be" = Diner Dash 2 Restaurant Rescue
"WTA-f9aaf03e-f2ce-4f9b-9926-ef0450411346" = Chuzzle Deluxe
"Xvid_is1" = Xvid 1.2.2 final uninstall
"ZTE_1.2059.0.8" = ZTE_1.2059.0.8

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4274466072-2097155775-4171246916-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 5/30/2012 12:30:38 AM | Computer Name = R830-10C-TOSH | Source = WinMgmt | ID = 10
Description =

Error - 5/30/2012 2:10:44 AM | Computer Name = R830-10C-TOSH | Source = Application Hang | ID = 1002
Description = The program Audition.exe version 3.0.8347.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 142c Start
Time: 01cd3e2549284fc0 Termination Time: 8 Application Path: C:\Program Files (x86)\Adobe\Adobe
Audition 3.0\Audition.exe Report Id: 273f4897-aa1e-11e1-b54b-e89d87adc928

Error - 5/30/2012 3:08:21 AM | Computer Name = R830-10C-TOSH | Source = Microsoft-Windows-Defrag | ID = 257
Description =

Error - 5/30/2012 4:18:18 AM | Computer Name = R830-10C-TOSH | Source = Microsoft-Windows-Defrag | ID = 257
Description =

Error - 5/30/2012 4:29:17 AM | Computer Name = R830-10C-TOSH | Source = WinMgmt | ID = 10
Description =

Error - 5/30/2012 5:00:58 AM | Computer Name = R830-10C-TOSH | Source = WinMgmt | ID = 10
Description =

Error - 5/30/2012 5:09:43 AM | Computer Name = R830-10C-TOSH | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed: There are currently no active network connections. Background
Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error - 5/30/2012 12:09:47 PM | Computer Name = R830-10C-TOSH | Source = Application Hang | ID = 1002
Description = The program Wilog.exe version 2.8.34.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Action Center control panel. Process ID: 810 Start Time:
01cd3e57b0614dc9 Termination Time: 11 Application Path: C:\Program Files (x86)\3
Mobile Broadband\3Connect\Wilog.exe Report Id: dbd38782-aa71-11e1-b6f0-e89d87adc928

Error - 6/1/2012 12:50:37 AM | Computer Name = R830-10C-TOSH | Source = WinMgmt | ID = 10
Description =

Error - 6/1/2012 12:59:11 AM | Computer Name = R830-10C-TOSH | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed: There are currently no active network connections. Background
Intelligent Transfer Service (BITS) will try again when an adapter is connected.

[ System Events ]
Error - 6/16/2012 1:34:49 PM | Computer Name = R830-10C-TOSH | Source = Service Control Manager | ID = 7000
Description = The Mobile IP Route Manager service failed to start due to the following
error: %%1275

Error - 6/16/2012 1:35:22 PM | Computer Name = R830-10C-TOSH | Source = Service Control Manager | ID = 7034
Description = The SeaPort service terminated unexpectedly. It has done this 1 time(s).

Error - 6/16/2012 1:44:01 PM | Computer Name = R830-10C-TOSH | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 6/16/2012 1:45:27 PM | Computer Name = R830-10C-TOSH | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.127.1977.0 Update Source: %%859 Update Stage:
%%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8403.0 Error
code: 0x8024402c Error description: An unexpected problem occurred while checking
for updates. For information on installing or troubleshooting updates, see Help
and Support.

Error - 6/16/2012 1:46:27 PM | Computer Name = R830-10C-TOSH | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 6/16/2012 1:47:10 PM | Computer Name = R830-10C-TOSH | Source = Service Control Manager | ID = 7023
Description = The Windows Defender service terminated with the following error:
%%126

Error - 6/16/2012 1:47:14 PM | Computer Name = R830-10C-TOSH | Source = Application Popup | ID = 1060
Description = \??\C:\windows\SysWow64\drivers\mdvrmng.sys has been blocked from
loading due to incompatibility with this system. Please contact your software vendor
for a compatible version of the driver.

Error - 6/16/2012 1:47:14 PM | Computer Name = R830-10C-TOSH | Source = Service Control Manager | ID = 7000
Description = The Mobile IP Route Manager service failed to start due to the following
error: %%1275

Error - 6/16/2012 7:37:48 PM | Computer Name = R830-10C-TOSH | Source = Application Popup | ID = 1060
Description = \??\C:\windows\SysWow64\drivers\mdvrmng.sys has been blocked from
loading due to incompatibility with this system. Please contact your software vendor
for a compatible version of the driver.

Error - 6/16/2012 7:37:48 PM | Computer Name = R830-10C-TOSH | Source = Service Control Manager | ID = 7000
Description = The Mobile IP Route Manager service failed to start due to the following
error: %%1275

< End of report >

Broni · Jun 16, 2012

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:

:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
@Alternate Data Stream - 181 bytes -> C:\ProgramData\TEMP:3B71D0B4

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
You will get a log that shows the results of the fix. Please post it.

=========================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.

Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Do NOT post JavaRa log.

=======================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.

Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

3. Download Temp File Cleaner (TFC)

Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

4. Please run a free online scan with the ESET Online Scanner

Disable your antivirus program
Tick the box next to YES, I accept the Terms of Use
Click Start
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click on List of found threats
Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
NOTE. If Eset won't find any threats, it won't produce any log.

IanMcK · Jun 16, 2012

OTL log below. Running other tasks now.

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
ADS C:\ProgramData\TEMP:3B71D0B4 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: R830-10C
->Temp folder emptied: 1141 bytes
->Temporary Internet Files folder emptied: 134935135 bytes
->Java cache emptied: 47345 bytes
->FireFox cache emptied: 57624914 bytes
->Flash cache emptied: 176927 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13700 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 110766572 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 290.00 mb

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: R830-10C
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: R830-10C
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.49.0 log created on 06172012_011801

Files\Folders moved on Reboot...
C:\Users\R830-10C\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

IanMcK · Jun 16, 2012

Java updated but still claiming out of date?? Here are the next logs:

Security Check:

Results of screen317's Security Check version 0.99.24
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
JavaFX 2.1.1
Java(TM) 6 Update 20
Java(TM) 7 Update 5
Out of date Java installed!
Adobe Reader X (10.1.3)
Mozilla Firefox (x86 en-GB..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
TOSHIBA TOSHIBA Online Product Information TOPI.exe
``````````End of Log````````````

FSS log:

Farbar Service Scanner Version: 09-06-2012
Ran by R830-10C (administrator) on 17-06-2012 at 01:35:57
Running from "C:\Users\R830-10C\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

Broni · Jun 16, 2012

Did you run JavaRa?

IanMcK · Jun 16, 2012

Yes. Just run it again and it tells me that it has removed C:\Program Files (x86)\Java\jre6 but it is still there. It also fails to write a log file.

Broni · Jun 16, 2012

That's fine.

Go ahead with Eset.

IanMcK · Jun 17, 2012

ESET results:

C:\FRST\Quarantine\{1c09dfac-831f-9bb6-02a2-a70c71aea57a}\U\80000000.@ Win64/Sirefef.AE trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{1c09dfac-831f-9bb6-02a2-a70c71aea57a}\U\800000cb.@ Win64/Sirefef.AH trojan cleaned by deleting - quarantined

Broni · Jun 17, 2012

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

Double-click OTL.exe to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

IanMcK · Jun 17, 2012

System restore reset. Log below. Proceening with rest of instructions.

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: R830-10C
->Temp folder emptied: 197098 bytes
->Temporary Internet Files folder emptied: 3579640 bytes
->Java cache emptied: 136794 bytes
->FireFox cache emptied: 290234457 bytes
->Flash cache emptied: 981 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2336 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 281.00 mb

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: R830-10C
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: R830-10C
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.49.0 log created on 06172012_154824

Files\Folders moved on Reboot...
C:\Users\R830-10C\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

Broni · Jun 17, 2012

13. Please, let me know, how your computer is doing.

IanMcK · Jun 17, 2012

Everything downloaded, installed and scanned. Laptop seems back to normal. Sincere thanks for your help and I'll try not to let it happen again.

Broni · Jun 17, 2012

Yes!!

Good luck and stay safe

Solved Sirefef infection on laptop

IanMcK

Posts: 23 +0

IanMcK

Posts: 23 +0

Broni

Posts: 56,041 +516

IanMcK

Posts: 23 +0

IanMcK

Posts: 23 +0

Broni

Posts: 56,041 +516

IanMcK

Posts: 23 +0

Broni

Posts: 56,041 +516

IanMcK

Posts: 23 +0

Broni

Posts: 56,041 +516

IanMcK

Posts: 23 +0

Broni

Posts: 56,041 +516

IanMcK

Posts: 23 +0

Broni

Posts: 56,041 +516

Similar threads

Latest posts