Solved Sirefef.Y virus - computer restarts after 1 min

Petey1411

Help! I am new to the site. I have been researching this Sirefef.Y Virus for 3 days and have been unable to remove it myself. When I boot the computer, whether it is a normal boot, Safemode or Safemode w/ Networking, I still get the same popup. MSE will scan when I start and I receive a notification that everything is okay. It eventually scans again and detects the virus. I receive a prompt saying that Windows will shutdown after 1 minute. Even if I don't log in to a User Account, the computer will still restart after a couple of minutes of sitting at the log-in screen.

I have read several other Sirefef.Y removals here on the site and it seems as if each resolution was strictly for the user who was having the issue. I know the rules, and I'm ready to do what needs to be done in order to get my computer fixed.

If I have violated some rule of posting threads, I apologize. I am new to the site.

Thanks to anyone who can help!!
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

================================================

What Windows version is it?
 
For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
Scan result of Farbar Recovery Scan Tool Version: 19-06-2012
Ran by SYSTEM at 19-06-2012 23:42:37
Running from F:\
Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2009-11-18] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] [x]
HKU\Nikki\...\Run: [HPADVISOR] [x]
HKU\Nikki\...\Run: [Google Update] "C:\Users\Nikki\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-09] (Google Inc.)
HKU\shelly\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [4910912 2011-08-01] (DT Soft Ltd)
HKU\shelly\...\Run: [Google Update] "C:\Users\shelly\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-02-25] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ======

2 atashost; "C:\Windows\SysWOW64\atashost.exe" [20376 2009-03-06] (WebEx Communications, Inc.)
3 GameConsoleService; "C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe" [246520 2010-09-30] (WildTangent, Inc.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 AMD_RAIDXpert; "C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe" -s [x]
2 LightScribeService; "C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe" [x]

========================== Drivers (Whitelisted) =============

3 amdkmdag; C:\Windows\System32\DRIVERS\atipmdag.sys [6366720 2010-02-03] (ATI Technologies Inc.)
3 Dot4Print; C:\Windows\System32\DRIVERS\Dot4Prt.sys [19968 2008-01-20] (Microsoft Corporation)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [270912 2012-02-15] (DT Soft Ltd)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
3 Ps2; C:\Windows\System32\Drivers\Ps2.sys [21504 2006-09-07] ()
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-19 23:42 - 2012-06-19 23:42 - 00000000 ____D C:\FRST
2012-06-18 21:46 - 2012-06-18 21:46 - 00000910 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-18 21:46 - 2012-06-18 21:46 - 00000910 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-18 21:46 - 2012-06-18 21:46 - 00000000 ____D C:\Users\shelly\Application Data\Malwarebytes
2012-06-18 21:46 - 2012-06-18 21:46 - 00000000 ____D C:\Users\shelly\AppData\Roaming\Malwarebytes
2012-06-18 21:45 - 2012-06-18 21:46 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-18 21:45 - 2012-06-18 21:45 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-18 21:45 - 2012-06-18 21:45 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-06-18 21:45 - 2012-04-04 12:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-18 21:41 - 2012-06-18 21:35 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\shelly\Desktop\mbam-setup-1.61.0.1400.exe
2012-06-17 21:32 - 2012-06-17 21:32 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-17 21:31 - 2012-06-17 21:32 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-17 21:31 - 2012-06-17 21:31 - 00724536 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-17 21:31 - 2012-06-17 21:31 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-17 21:28 - 2010-04-06 00:34 - 00345984 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-06-13 00:18 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-13 00:18 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-13 00:18 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-13 00:18 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-13 00:18 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-13 00:18 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-13 00:18 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-13 00:18 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-13 00:18 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-13 00:18 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-13 00:18 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-13 00:18 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-13 00:18 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-13 00:18 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 00:18 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-13 00:18 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-13 00:18 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-13 00:18 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-13 00:18 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-13 00:18 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-13 00:18 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-13 00:18 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-13 00:18 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-13 00:18 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-13 00:18 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-13 00:18 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-13 00:18 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-13 00:18 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-12 21:03 - 2012-05-15 12:15 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-12 21:03 - 2012-05-01 06:29 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-12 21:03 - 2012-04-23 08:25 - 01267200 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-12 21:03 - 2012-04-23 08:25 - 00174592 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-12 21:03 - 2012-04-23 08:25 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-12 21:03 - 2012-04-23 08:00 - 00984064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-12 21:03 - 2012-04-23 08:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-12 21:03 - 2012-04-23 08:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-08 23:01 - 2012-06-08 23:01 - 00016507 ____A C:\Users\shelly\My Documents\November.xlsx
2012-06-08 23:01 - 2012-06-08 23:01 - 00016507 ____A C:\Users\shelly\Documents\November.xlsx
2012-06-05 21:24 - 2011-09-04 12:34 - 00296742 ____A C:\Users\shelly\Desktop\su-2.3.6.3-efgh-signed.zip
2012-06-05 20:59 - 2012-06-05 20:59 - 00000000 ____D C:\Users\shelly\Desktop\PC36IMG_HBOOT_6.17
2012-06-05 20:57 - 2012-06-05 21:01 - 226254951 ____A C:\Users\shelly\Desktop\PC36IMG.zip
2012-06-05 20:57 - 2012-06-05 20:57 - 00214642 ____A C:\Users\shelly\Desktop\PC36IMG2.zip
2012-05-31 23:31 - 2012-05-31 23:31 - 00016502 ____A C:\Users\shelly\My Documents\October.xlsx
2012-05-31 23:31 - 2012-05-31 23:31 - 00016502 ____A C:\Users\shelly\Documents\October.xlsx
2012-05-31 22:43 - 2012-05-31 22:43 - 00016438 ____A C:\Users\shelly\My Documents\September.xlsx
2012-05-31 22:43 - 2012-05-31 22:43 - 00016438 ____A C:\Users\shelly\Documents\September.xlsx
2012-05-23 07:37 - 2012-05-23 07:37 - 01227135 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Ch07.pdf
2012-05-22 11:13 - 2012-05-22 11:13 - 01563506 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Unit06.pdf
2012-05-22 11:01 - 2012-05-22 11:01 - 00003962 ____A C:\Users\Nikki\Downloads\dog plastic surgery.rtf
2012-05-22 11:01 - 2012-05-22 11:01 - 00003962 ____A C:\Users\Nikki\Downloads\dog plastic surgery (1).rtf
2012-05-20 00:01 - 2012-05-20 00:02 - 00000000 ____D C:\179ca23c62359843c509e413d44dd549

============ 3 Months Modified Files and Folders =============

2012-06-19 23:42 - 2012-06-19 23:42 - 00000000 ____D C:\FRST
2012-06-19 19:53 - 2010-11-16 13:08 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-06-19 19:52 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-19 19:52 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-19 19:52 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-18 21:51 - 2012-02-25 19:59 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1000UA.job
2012-06-18 21:46 - 2012-06-18 21:46 - 00000910 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-18 21:46 - 2012-06-18 21:46 - 00000910 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-18 21:46 - 2012-06-18 21:46 - 00000000 ____D C:\Users\shelly\Application Data\Malwarebytes
2012-06-18 21:46 - 2012-06-18 21:46 - 00000000 ____D C:\Users\shelly\AppData\Roaming\Malwarebytes
2012-06-18 21:46 - 2012-06-18 21:45 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-18 21:45 - 2012-06-18 21:45 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-18 21:45 - 2012-06-18 21:45 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-06-18 21:35 - 2012-06-18 21:41 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\shelly\Desktop\mbam-setup-1.61.0.1400.exe
2012-06-18 21:34 - 2006-11-02 07:42 - 00032552 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-18 20:54 - 2010-11-14 16:04 - 01230997 ____A C:\Windows\WindowsUpdate.log
2012-06-18 20:54 - 2006-11-02 04:46 - 00710000 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-18 20:48 - 2012-02-16 22:22 - 00000000 __SHD C:\Users\shelly\Local Settings\Application Data\{3288cc8b-e7e0-c51b-daae-6c778c53edff}
2012-06-18 20:48 - 2012-02-16 22:22 - 00000000 __SHD C:\Users\shelly\AppData\Local\{3288cc8b-e7e0-c51b-daae-6c778c53edff}
2012-06-18 20:45 - 2012-02-16 22:22 - 00000000 __SHD C:\Users\shelly\Local Settings\{3288cc8b-e7e0-c51b-daae-6c778c53edff}
2012-06-18 19:56 - 2012-04-09 06:51 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1001UA.job
2012-06-17 21:41 - 2012-04-08 12:43 - 00000000 ____D C:\Users\shelly\Application Data\vlc
2012-06-17 21:41 - 2012-04-08 12:43 - 00000000 ____D C:\Users\shelly\AppData\Roaming\vlc
2012-06-17 21:33 - 2010-11-14 16:22 - 00000000 ____D C:\Program Files (x86)\Microsoft Works
2012-06-17 21:32 - 2012-06-17 21:32 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-17 21:32 - 2012-06-17 21:31 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-17 21:31 - 2012-06-17 21:31 - 00724536 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-17 21:31 - 2012-06-17 21:31 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-17 18:24 - 2012-04-09 06:51 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1001Core.job
2012-06-16 22:51 - 2012-02-25 19:59 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1000Core.job
2012-06-16 16:14 - 2012-04-09 06:52 - 00002044 ____A C:\Users\Nikki\Desktop\Google Chrome.lnk
2012-06-15 06:44 - 2010-12-24 09:45 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-06-13 00:55 - 2006-11-02 05:33 - 00000000 ____D C:\Windows\rescache
2012-06-13 00:39 - 2006-11-02 07:21 - 00371112 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 00:38 - 2008-12-08 18:39 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-06-13 00:38 - 2008-01-20 19:26 - 00232770 ____A C:\Windows\PFRO.log
2012-06-13 00:20 - 2012-04-12 07:54 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-13 00:20 - 2012-04-12 07:54 - 00000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2012-06-13 00:10 - 2006-11-02 04:35 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-11 17:54 - 2012-02-25 20:08 - 00002049 ____A C:\Users\shelly\Desktop\Google Chrome.lnk
2012-06-10 13:52 - 2012-05-15 17:07 - 00000000 ____D C:\Users\Nikki\My Documents\ENG 130
2012-06-10 13:52 - 2012-05-15 17:07 - 00000000 ____D C:\Users\Nikki\Documents\ENG 130
2012-06-08 23:01 - 2012-06-08 23:01 - 00016507 ____A C:\Users\shelly\My Documents\November.xlsx
2012-06-08 23:01 - 2012-06-08 23:01 - 00016507 ____A C:\Users\shelly\Documents\November.xlsx
2012-06-05 21:01 - 2012-06-05 20:57 - 226254951 ____A C:\Users\shelly\Desktop\PC36IMG.zip
2012-06-05 20:59 - 2012-06-05 20:59 - 00000000 ____D C:\Users\shelly\Desktop\PC36IMG_HBOOT_6.17
2012-06-05 20:57 - 2012-06-05 20:57 - 00214642 ____A C:\Users\shelly\Desktop\PC36IMG2.zip
2012-05-31 23:31 - 2012-05-31 23:31 - 00016502 ____A C:\Users\shelly\My Documents\October.xlsx
2012-05-31 23:31 - 2012-05-31 23:31 - 00016502 ____A C:\Users\shelly\Documents\October.xlsx
2012-05-31 22:43 - 2012-05-31 22:43 - 00016438 ____A C:\Users\shelly\My Documents\September.xlsx
2012-05-31 22:43 - 2012-05-31 22:43 - 00016438 ____A C:\Users\shelly\Documents\September.xlsx
2012-05-29 21:22 - 2012-05-16 23:26 - 00016237 ____A C:\Users\shelly\My Documents\Family monthly budget1.xlsx
2012-05-29 21:22 - 2012-05-16 23:26 - 00016237 ____A C:\Users\shelly\Documents\Family monthly budget1.xlsx
2012-05-28 20:54 - 2010-12-04 19:55 - 00000000 ____D C:\Users\shelly\Local Settings\Microsoft Games
2012-05-28 20:54 - 2010-12-04 19:55 - 00000000 ____D C:\Users\shelly\Local Settings\Application Data\Microsoft Games
2012-05-28 20:54 - 2010-12-04 19:55 - 00000000 ____D C:\Users\shelly\AppData\Local\Microsoft Games
2012-05-23 07:37 - 2012-05-23 07:37 - 01227135 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Ch07.pdf
2012-05-22 11:13 - 2012-05-22 11:13 - 01563506 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Unit06.pdf
2012-05-22 11:04 - 2012-04-12 07:55 - 00000000 ____D C:\Users\Nikki\Local Settings\Microsoft Help
2012-05-22 11:04 - 2012-04-12 07:55 - 00000000 ____D C:\Users\Nikki\Local Settings\Application Data\Microsoft Help
2012-05-22 11:04 - 2012-04-12 07:55 - 00000000 ____D C:\Users\Nikki\AppData\Local\Microsoft Help
2012-05-22 11:01 - 2012-05-22 11:01 - 00003962 ____A C:\Users\Nikki\Downloads\dog plastic surgery.rtf
2012-05-22 11:01 - 2012-05-22 11:01 - 00003962 ____A C:\Users\Nikki\Downloads\dog plastic surgery (1).rtf
2012-05-20 00:02 - 2012-05-20 00:01 - 00000000 ____D C:\179ca23c62359843c509e413d44dd549
2012-05-19 16:30 - 2012-02-15 21:08 - 00000000 ____D C:\Users\shelly\My Documents\Cubase Projects
2012-05-19 16:30 - 2012-02-15 21:08 - 00000000 ____D C:\Users\shelly\Documents\Cubase Projects
2012-05-17 18:47 - 2012-06-13 00:18 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-13 00:18 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-13 00:18 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-13 00:18 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-13 00:18 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-13 00:18 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 17:58 - 2012-06-13 00:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 17:56 - 2012-06-13 00:18 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 17:55 - 2012-06-13 00:18 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 17:55 - 2012-06-13 00:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 17:54 - 2012-06-13 00:18 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 17:51 - 2012-06-13 00:18 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 17:51 - 2012-06-13 00:18 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 17:47 - 2012-06-13 00:18 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 15:11 - 2012-06-13 00:18 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 14:48 - 2012-06-13 00:18 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 14:45 - 2012-06-13 00:18 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 14:36 - 2012-06-13 00:18 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 14:35 - 2012-06-13 00:18 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 14:35 - 2012-06-13 00:18 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 14:33 - 2012-06-13 00:18 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 14:31 - 2012-06-13 00:18 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 14:29 - 2012-06-13 00:18 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 14:29 - 2012-06-13 00:18 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 14:27 - 2012-06-13 00:18 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 14:25 - 2012-06-13 00:18 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 14:24 - 2012-06-13 00:18 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 14:20 - 2012-06-13 00:18 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-15 12:15 - 2012-06-12 21:03 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-14 10:24 - 2012-05-14 10:23 - 00000000 ____D C:\Users\Nikki\Application Data\BitTorrent
2012-05-14 10:24 - 2012-05-14 10:23 - 00000000 ____D C:\Users\Nikki\AppData\Roaming\BitTorrent
2012-05-14 10:23 - 2012-04-25 08:20 - 00000000 ____D C:\Users\Nikki\Application Data\vlc
2012-05-14 10:23 - 2012-04-25 08:20 - 00000000 ____D C:\Users\Nikki\AppData\Roaming\vlc
2012-05-14 10:08 - 2012-05-14 10:08 - 00768307 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Ch23.pdf
2012-05-14 09:57 - 2012-05-14 09:57 - 01014872 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Ch21.pdf
2012-05-14 09:27 - 2012-05-14 09:27 - 01261819 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Ch12.pdf
2012-05-14 09:12 - 2012-05-14 09:12 - 00895796 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Ch04.pdf
2012-05-14 08:52 - 2012-05-14 08:52 - 01100234 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Ch03.pdf
2012-05-14 08:43 - 2012-05-14 08:43 - 01015151 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Ch02.pdf
2012-05-14 08:22 - 2012-05-14 08:22 - 01550542 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_Ch01.pdf
2012-05-14 08:21 - 2012-05-14 08:21 - 00475336 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_BM (1).pdf
2012-05-14 07:56 - 2012-05-14 07:56 - 00475336 ____A C:\Users\Nikki\Downloads\A_Writers_Workshop_3e_BM.pdf
2012-05-12 23:09 - 2012-02-20 00:29 - 00000000 ____D C:\Users\shelly\Application Data\BitTorrent
2012-05-12 23:09 - 2012-02-20 00:29 - 00000000 ____D C:\Users\shelly\AppData\Roaming\BitTorrent
2012-05-11 00:37 - 2006-11-02 07:07 - 00000000 ____D C:\Windows\SysWOW64\XPSViewer
2012-05-11 00:37 - 2006-11-02 07:07 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-11 00:19 - 2012-05-11 00:19 - 00000000 ____D C:\79954928bb63774209eb
2012-05-09 20:06 - 2012-05-08 08:45 - 00000000 ___HD C:\Program Files (x86)\InstallJammer Registry
2012-05-09 16:16 - 2012-05-09 16:16 - 00059556 ____A C:\Users\Nikki\Downloads\Professional+Competence.pptx
2012-05-09 16:16 - 2012-04-12 06:49 - 00000000 ____D C:\Users\Nikki\My Documents\gen 200
2012-05-09 16:16 - 2012-04-12 06:49 - 00000000 ____D C:\Users\Nikki\Documents\gen 200
2012-05-08 09:53 - 2012-05-08 09:53 - 02355076 ____A C:\Users\Nikki\Downloads\RiverpointWriterSetup (4).zip
2012-05-08 08:57 - 2012-05-08 08:57 - 00000000 ____D C:\Users\Nikki\Downloads\RiverpointWriterSetup (3)
2012-05-08 08:56 - 2012-05-08 08:56 - 02355076 ____A C:\Users\Nikki\Downloads\RiverpointWriterSetup (3).zip
2012-05-08 08:47 - 2012-05-08 08:47 - 02355076 ____A C:\Users\Nikki\Downloads\RiverpointWriterSetup (2).zip
2012-05-08 08:44 - 2012-05-08 08:44 - 02355076 ____A C:\Users\Nikki\Downloads\RiverpointWriterSetup (1).zip
2012-05-06 23:11 - 2012-05-06 13:36 - 00000000 ____D C:\Users\shelly\Downloads\Iron.Man.REPACK.1080p.BluRay.x264-1920
2012-05-06 15:59 - 2012-02-15 20:42 - 00017920 ____A C:\Users\shelly\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-06 15:59 - 2012-02-15 20:42 - 00017920 ____A C:\Users\shelly\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-06 15:59 - 2012-02-15 20:42 - 00017920 ____A C:\Users\shelly\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-06 15:39 - 2012-05-06 15:12 - 00000000 ____D C:\Users\shelly\Downloads\Madagascar[2005]DvDrip-aXXo
2012-05-06 14:23 - 2012-05-06 14:22 - 00000000 ____D C:\Users\shelly\Downloads\Iron Man[2008]DvDrip[Eng]-FXG
2012-05-03 08:11 - 2012-05-03 08:11 - 02355076 ____A C:\Users\Nikki\Downloads\RiverpointWriterSetup.zip
2012-05-03 08:03 - 2012-05-03 08:03 - 00001503 ____A C:\Users\Nikki\Downloads\ethical.rtf
2012-05-03 01:11 - 2012-05-03 01:11 - 00000000 ____D C:\Users\Nikki\Application Data\HpUpdate
2012-05-03 01:11 - 2012-05-03 01:11 - 00000000 ____D C:\Users\Nikki\AppData\Roaming\HpUpdate
2012-05-01 06:29 - 2012-06-12 21:03 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 08:28 - 2012-04-26 08:28 - 00362888 ____A C:\Users\Nikki\Downloads\Plagiarism Review at the CWE _ Transcript.pdf
2012-04-25 08:06 - 2012-04-25 08:06 - 00017185 ____A C:\Users\Nikki\Desktop\Annotatedbibliography.pdf
2012-04-25 08:04 - 2012-04-25 08:03 - 00000000 ____D C:\Users\Nikki\Local Settings\Application Data\Adobe
2012-04-25 08:04 - 2012-04-25 08:03 - 00000000 ____D C:\Users\Nikki\Local Settings\Adobe
2012-04-25 08:04 - 2012-04-25 08:03 - 00000000 ____D C:\Users\Nikki\AppData\Local\Adobe
2012-04-25 08:03 - 2012-04-09 06:51 - 00000000 ____D C:\Users\Nikki\Application Data\Adobe
2012-04-25 08:03 - 2012-04-09 06:51 - 00000000 ____D C:\Users\Nikki\AppData\Roaming\Adobe
2012-04-23 08:25 - 2012-06-12 21:03 - 01267200 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 08:25 - 2012-06-12 21:03 - 00174592 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 08:25 - 2012-06-12 21:03 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 08:00 - 2012-06-12 21:03 - 00984064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 08:00 - 2012-06-12 21:03 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 08:00 - 2012-06-12 21:03 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-17 22:00 - 2012-04-14 09:08 - 05778018 ____A C:\Users\shelly\Desktop\Girl Like You.mp3
2012-04-16 15:32 - 2012-04-09 06:50 - 00097400 ____A C:\Users\Nikki\Local Settings\GDIPFONTCACHEV1.DAT
2012-04-16 15:32 - 2012-04-09 06:50 - 00097400 ____A C:\Users\Nikki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-04-16 15:32 - 2012-04-09 06:50 - 00097400 ____A C:\Users\Nikki\AppData\Local\GDIPFONTCACHEV1.DAT
2012-04-15 06:29 - 2012-04-15 06:29 - 02151199 ____A C:\Users\shelly\My Documents\Untitled (6).wma
2012-04-15 06:29 - 2012-04-15 06:29 - 02151199 ____A C:\Users\shelly\Documents\Untitled (6).wma
2012-04-15 06:26 - 2012-04-15 06:26 - 00085799 ____A C:\Users\shelly\My Documents\Untitled (2).wma
2012-04-15 06:26 - 2012-04-15 06:26 - 00085799 ____A C:\Users\shelly\Documents\Untitled (2).wma
2012-04-15 06:19 - 2012-04-15 06:19 - 00880529 ____A C:\Users\shelly\My Documents\Untitled (5).wma
2012-04-15 06:19 - 2012-04-15 06:19 - 00880529 ____A C:\Users\shelly\Documents\Untitled (5).wma
2012-04-15 06:18 - 2012-04-15 06:18 - 00736849 ____A C:\Users\shelly\My Documents\Untitled (3).wma
2012-04-15 06:18 - 2012-04-15 06:18 - 00736849 ____A C:\Users\shelly\Documents\Untitled (3).wma
2012-04-15 06:16 - 2012-04-15 06:16 - 00790729 ____A C:\Users\shelly\My Documents\Untitled.wma
2012-04-15 06:16 - 2012-04-15 06:16 - 00790729 ____A C:\Users\shelly\Documents\Untitled.wma
2012-04-14 09:13 - 2012-04-14 09:13 - 03021520 ____A C:\Users\shelly\Downloads\Bella's lullaby.mp3
2012-04-14 08:11 - 2012-04-14 08:11 - 00867059 ____A C:\Users\shelly\My Documents\Untitled (4).wma
2012-04-14 08:11 - 2012-04-14 08:11 - 00867059 ____A C:\Users\shelly\Documents\Untitled (4).wma
2012-04-13 00:13 - 2012-04-13 00:13 - 00466106 ____A C:\Windows\dd_vcredistMSI4977.txt
2012-04-13 00:13 - 2012-04-13 00:13 - 00063742 ____A C:\Windows\dd_vcredistUI4977.txt
2012-04-13 00:13 - 2012-04-13 00:12 - 00464098 ____A C:\Windows\dd_vcredistMSI48F8.txt
2012-04-13 00:13 - 2012-04-13 00:12 - 00063790 ____A C:\Windows\dd_vcredistUI48F8.txt
2012-04-13 00:12 - 2006-11-02 05:33 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2012-04-13 00:05 - 2012-04-13 00:05 - 00000000 ____D C:\Users\Default\Local Settings\Microsoft Help
2012-04-13 00:05 - 2012-04-13 00:05 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\Microsoft Help
2012-04-13 00:05 - 2012-04-13 00:05 - 00000000 ____D C:\Users\Default\AppData\Local\Microsoft Help
2012-04-13 00:05 - 2012-04-13 00:05 - 00000000 ____D C:\Users\Default User\Local Settings\Microsoft Help
2012-04-13 00:05 - 2012-04-13 00:05 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\Microsoft Help
2012-04-13 00:05 - 2012-04-13 00:05 - 00000000 ____D C:\Users\Default User\AppData\Local\Microsoft Help
2012-04-12 18:25 - 2010-11-14 16:26 - 00097400 ____A C:\Users\shelly\Local Settings\GDIPFONTCACHEV1.DAT
2012-04-12 18:25 - 2010-11-14 16:26 - 00097400 ____A C:\Users\shelly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-04-12 18:25 - 2010-11-14 16:26 - 00097400 ____A C:\Users\shelly\AppData\Local\GDIPFONTCACHEV1.DAT
2012-04-12 08:00 - 2012-04-12 08:00 - 00000000 ____D C:\Windows\PCHEALTH
2012-04-12 08:00 - 2010-11-14 16:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2012-04-12 07:56 - 2012-04-12 07:56 - 00000000 ____D C:\Program Files\Microsoft Office
2012-04-12 07:55 - 2012-04-12 07:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2012-04-12 07:55 - 2006-11-02 07:07 - 00000000 ____D C:\Windows\ShellNew
2012-04-12 07:54 - 2012-04-12 07:54 - 00000000 __RHD C:\MSOCache
2012-04-12 07:40 - 2012-04-12 07:27 - 65110016 ____A (Microsoft Corporation) C:\Users\Nikki\Downloads\Unconfirmed 16940.crdownload
2012-04-12 07:05 - 2012-04-12 06:52 - 987942848 ____A (Microsoft Corporation) C:\Users\Nikki\Downloads\X17-75058.exe
2012-04-12 06:49 - 2012-04-12 06:49 - 00000000 ____D C:\Users\Nikki\Application Data\WinRAR
2012-04-12 06:49 - 2012-04-12 06:49 - 00000000 ____D C:\Users\Nikki\AppData\Roaming\WinRAR
2012-04-09 06:52 - 2012-04-09 06:51 - 00000000 ____D C:\Users\Nikki\Local Settings\Google
2012-04-09 06:52 - 2012-04-09 06:51 - 00000000 ____D C:\Users\Nikki\Local Settings\Application Data\Google
2012-04-09 06:52 - 2012-04-09 06:51 - 00000000 ____D C:\Users\Nikki\AppData\Local\Google
2012-04-09 06:51 - 2012-04-09 06:51 - 00000000 ____D C:\Users\Nikki\Application Data\Macromedia
2012-04-09 06:51 - 2012-04-09 06:51 - 00000000 ____D C:\Users\Nikki\AppData\Roaming\Macromedia
2012-04-09 06:50 - 2012-04-09 06:50 - 00000020 ___SH C:\Users\Nikki\ntuser.ini
2012-04-09 06:50 - 2012-04-09 06:50 - 00000000 ____D C:\Users\Nikki\Local Settings\VirtualStore
2012-04-09 06:50 - 2012-04-09 06:50 - 00000000 ____D C:\Users\Nikki\Local Settings\Application Data\VirtualStore
2012-04-09 06:50 - 2012-04-09 06:50 - 00000000 ____D C:\Users\Nikki\AppData\Local\VirtualStore
2012-04-09 06:50 - 2012-04-09 06:50 - 00000000 ____D C:\users\Nikki
2012-04-08 20:59 - 2012-04-08 19:21 - 00000000 ____D C:\Users\shelly\Downloads\CHILD'S PLAY 3 [1991-Eng-DVDrip]-haSak
2012-04-08 20:23 - 2012-04-08 18:08 - 00000000 ____D C:\Users\shelly\Downloads\A.Bug's.Life.1998.720p.BluRay.DTS.x264-ESiR
2012-04-08 08:15 - 2012-04-08 08:15 - 00000863 ____A C:\Users\Public\Desktop\VLC media player.lnk
2012-04-08 08:15 - 2012-04-08 08:15 - 00000863 ____A C:\Users\All Users\Desktop\VLC media player.lnk
2012-04-08 08:14 - 2012-04-08 08:14 - 00000000 ____D C:\Program Files (x86)\VideoLAN
2012-04-08 06:56 - 2012-04-08 05:50 - 00000000 ____D C:\Users\shelly\Downloads\CHILD'S PLAY 2 [1990-Eng-DVDrip]-haSak
2012-04-04 12:56 - 2012-06-18 21:45 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-03 00:22 - 2012-05-10 09:06 - 04699520 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-02 22:38 - 2012-04-01 21:42 - 10567098 ____A C:\Users\shelly\Desktop\allroundaproductions+newsingforthemomentfreedl.mp3
2012-04-02 21:28 - 2012-04-01 21:41 - 09606837 ____A C:\Users\shelly\Desktop\allroundaproductions+newbeneathgreyskiesfreedl.mp3
2012-04-01 21:42 - 2012-04-01 21:42 - 09530643 ____A C:\Users\shelly\Desktop\allroundaproductions+newdifferentstoryfreedl.mp3
2012-04-01 17:19 - 2012-04-01 17:18 - 00000000 ____D C:\Users\shelly\Downloads\Weeds.Season.7
2012-03-30 04:45 - 2012-05-10 09:09 - 01422720 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-29 21:20 - 2010-12-13 21:47 - 00000000 ____D C:\Users\shelly\Application Data\HpUpdate
2012-03-29 21:20 - 2010-12-13 21:47 - 00000000 ____D C:\Users\shelly\AppData\Roaming\HpUpdate
2012-03-29 06:22 - 2012-05-10 09:09 - 00040448 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys

ZeroAccess:
C:\Windows\Installer\{3288cc8b-e7e0-c51b-daae-6c778c53edff}
C:\Windows\Installer\{3288cc8b-e7e0-c51b-daae-6c778c53edff}\@
C:\Windows\Installer\{3288cc8b-e7e0-c51b-daae-6c778c53edff}\L
C:\Windows\Installer\{3288cc8b-e7e0-c51b-daae-6c778c53edff}\n
C:\Windows\Installer\{3288cc8b-e7e0-c51b-daae-6c778c53edff}\U

ZeroAccess:
C:\Users\shelly\AppData\Local\{3288cc8b-e7e0-c51b-daae-6c778c53edff}
C:\Users\shelly\AppData\Local\{3288cc8b-e7e0-c51b-daae-6c778c53edff}\@
C:\Users\shelly\AppData\Local\{3288cc8b-e7e0-c51b-daae-6c778c53edff}\L
C:\Users\shelly\AppData\Local\{3288cc8b-e7e0-c51b-daae-6c778c53edff}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 18%
Total physical RAM: 3831.2 MB
Available physical RAM: 3129.34 MB
Total Pagefile: 3480.7 MB
Available Pagefile: 3106 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:284.61 GB) (Free:143.85 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:13.41 GB) (Free:1.83 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (USB20FD) (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 1024 KB
Disk 1 Online 3824 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 285 GB 32 KB
Partition 2 Primary 13 GB 285 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C HP NTFS Partition 285 GB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D FACTORY_IMA NTFS Partition 13 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3823 MB 572 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F USB20FD FAT32 Removable 3823 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-18 21:02

======================= End Of Log ==========================
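The two "ZeroAccess:" blocks in this log show the layout the rootkit leaves on disk: a braced-GUID folder under C:\Windows\Installer and another under the user's AppData\Local, each holding an "@" entry plus "L" and "U" (and "n" in the Installer copy). As an added, defender-side example that is not FRST's code and not anything the helper posted, the Python script below walks a directory tree and flags GUID-named folders with that layout. It runs against a small tree it builds itself in a temp directory; which of "@", "n", "L" and "U" are files and which are folders in that constructed tree is an assumption, since the log does not say, and the check does not depend on it.

```python
import os
import re
import tempfile
from typing import Dict, List

# Folder-name pattern: a braced GUID, as in {3288cc8b-e7e0-c51b-daae-6c778c53edff}.
GUID_DIR_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
# Entries the FRST log lists inside those folders: "@", "L", "U", and "n" in the Installer copy.
MARKERS = {"@", "L", "U", "n"}


def find_zeroaccess_dirs(root: str) -> List[Dict[str, object]]:
    """Return GUID-named directories whose children match the layout seen in the log."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not GUID_DIR_RE.match(os.path.basename(dirpath)):
            continue
        present = MARKERS & (set(dirnames) | set(filenames))
        # A legitimate Windows Installer {GUID} cache folder holds icons and
        # similar files, not a bare "@" entry next to L/U/n entries.
        if "@" in present and len(present) >= 2:
            hits.append({"path": dirpath, "markers": sorted(present)})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree() -> str:
    """Constructed stand-in for the two infected locations plus one benign folder.

    Assumption (not stated in the log): "@" and "n" are files, "L" and "U" are folders.
    """
    root = tempfile.mkdtemp(prefix="za_demo_")
    guid = "{3288cc8b-e7e0-c51b-daae-6c778c53edff}"  # GUID from the posted log
    layouts = (
        (os.path.join("Windows", "Installer", guid), ("@", "n"), ("L", "U")),
        (os.path.join("Users", "shelly", "AppData", "Local", guid), ("@",), ("L", "U")),
    )
    for rel, files, subdirs in layouts:
        base = os.path.join(root, rel)
        os.makedirs(base)
        for f in files:
            open(os.path.join(base, f), "wb").close()
        for d in subdirs:
            os.makedirs(os.path.join(base, d))
    # Benign Installer cache folder with a constructed GUID: must not be flagged.
    benign = os.path.join(root, "Windows", "Installer", "{0f7b2e4a-1111-2222-3333-444455556666}")
    os.makedirs(benign)
    open(os.path.join(benign, "icon.ico"), "wb").close()
    return root


if __name__ == "__main__":
    for hit in find_zeroaccess_dirs(build_sample_tree()):
        print(hit["path"], hit["markers"])
```

Run it as-is to see the two constructed folders reported; to scan a real volume, call find_zeroaccess_dirs on the drive root from an offline boot, as the helper has the user do with FRST.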
 
In Vista or Windows 7: Boot to System Recovery Options and run FRST.
In Windows XP: Please boot to UBCD and run FRST.
Type the following in the edit box after "Search:".

services.exe

Click the Search button and post the log (Search.txt) it makes in your reply.
 
If I still have FRST open from when I ran the first log, do I need to reboot before getting the Search.txt log? Or can I go ahead and search for services.exe and post the log?
 
Farbar Recovery Scan Tool Version: 19-06-2012
Ran by SYSTEM at 2012-06-20 00:16:38
Running from F:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2010-11-16 13:08] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2010-11-16 13:08] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
C:\Windows\SysWOW64\services.exe
[2010-11-16 13:08] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe
[2010-11-16 13:08] - [2012-06-19 19:53] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229
====== End Of Search ======
 
This will be my last post for tonight - bed time :)

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Next...

Try to boot normally.

If successful...

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 19-06-2012
Ran by SYSTEM at 2012-06-20 23:21:47 Run:1
Running from F:\
==============================================
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
C:\Windows\System32\consrv.dll not found.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run\\HPADVISOR Value deleted successfully.
HKEY_USERS\Nikki\Software\Microsoft\Windows\CurrentVersion\Run\\HPADVISOR Value deleted successfully.
C:\Windows\Installer\{3288cc8b-e7e0-c51b-daae-6c778c53edff} moved successfully.
C:\Users\shelly\AppData\Local\{3288cc8b-e7e0-c51b-daae-6c778c53edff} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
 
ComboFix 12-06-20.02 - shelly 06/20/2012 23:42:33.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3831.2095 [GMT -5:00]
Running from: c:\users\shelly\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\SearchToolbar.dll
c:\program files (x86)\UNWISE.EXE
c:\users\shelly\AppData\Roaming\PriceGong
c:\users\shelly\AppData\Roaming\PriceGong\Data\1.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\a.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\b.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\c.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\d.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\e.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\f.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\g.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\h.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\I.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\J.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\k.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\l.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\m.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\mru.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\n.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\o.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\p.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\q.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\r.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\s.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\t.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\u.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\v.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\w.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\x.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\y.xml
c:\users\shelly\AppData\Roaming\PriceGong\Data\z.xml
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2012-05-21 to 2012-06-21 )))))))))))))))))))))))))))))))
.
.
2012-06-21 05:03 . 2012-06-21 05:03 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F493BA10-F171-42C6-AB37-4A4F0A668825}\offreg.dll
2012-06-21 05:01 . 2012-06-21 05:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-21 05:01 . 2012-06-21 05:04 -------- d-----w- c:\users\shelly\AppData\Local\temp
2012-06-21 05:01 . 2012-06-21 05:01 -------- d-----w- c:\users\Nikki\AppData\Local\temp
2012-06-20 07:42 . 2012-06-20 07:43 -------- d-----w- C:\FRST
2012-06-19 05:46 . 2012-06-19 05:46 -------- d-----w- c:\users\shelly\AppData\Roaming\Malwarebytes
2012-06-19 05:45 . 2012-06-19 05:45 -------- d-----w- c:\programdata\Malwarebytes
2012-06-19 05:45 . 2012-04-04 20:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-19 05:45 . 2012-06-19 05:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-18 05:36 . 2012-06-18 05:35 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{391523ED-B0E9-4987-B90C-8275F7FC80D5}\gapaengine.dll
2012-06-18 05:36 . 2012-05-08 15:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F493BA10-F171-42C6-AB37-4A4F0A668825}\mpengine.dll
2012-06-18 05:31 . 2012-06-18 05:31 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-06-18 05:31 . 2012-06-18 05:32 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-18 05:28 . 2010-04-06 08:34 345984 ----a-w- c:\windows\system32\drivers\netio.sys
2012-06-13 05:03 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 05:03 . 2012-05-15 20:15 2767360 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 05:03 . 2012-04-23 16:25 1267200 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 05:03 . 2012-04-23 16:25 174592 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 05:03 . 2012-04-23 16:25 132096 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 05:03 . 2012-04-23 16:00 984064 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-13 05:03 . 2012-04-23 16:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-13 05:03 . 2012-04-23 16:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-08 07:30 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F282D44-69DB-447D-A3D1-32196B7F95F6}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-03 08:22 . 2012-05-10 17:06 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 12:45 . 2012-05-10 17:09 1422720 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-29 14:22 . 2012-05-10 17:09 40448 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files (x86)\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\BitTorrentBar\prxtbBitT.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files (x86)\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-19 54576]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1000Core.job
- c:\users\shelly\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-26 03:59]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1000UA.job
- c:\users\shelly\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-26 03:59]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1001Core.job
- c:\users\Nikki\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-09 14:51]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1001UA.job
- c:\users\Nikki\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-09 14:51]
.
2010-12-14 c:\windows\Tasks\HPCeeScheduleForshelly.job
- c:\program files (x86)\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-12-09 19:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{b9b97401-98e1-4942-930d-c36652dab7f2} - (no file)
WebBrowser-{B9B97401-98E1-4942-930D-C36652DAB7F2} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
AddRemove-sp44626 - c:\hp\Softpaq\sp44626\sp44626.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\atashost.exe
c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
.
**************************************************************************
.
Completion time: 2012-06-21 00:15:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-21 05:15
.
Pre-Run: 154,259,935,232 bytes free
Post-Run: 154,267,967,488 bytes free
.
- - End Of File - - EAEC70CC9D5D92199FD75780CBA04F83
 
Looks good.

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\tasks\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /I " " /c
dir /b "%systemroot%\*.exe" | find /I " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL logfile created on: 6/21/2012 9:32:06 PM - Run 1
OTL by OldTimer - Version 3.2.51.0 Folder = C:\Users\shelly\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.74 Gb Total Physical Memory | 2.10 Gb Available Physical Memory | 56.23% Memory free
7.66 Gb Paging File | 5.94 Gb Available in Paging File | 77.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 284.61 Gb Total Space | 143.34 Gb Free Space | 50.36% Space Free | Partition Type: NTFS
Drive D: | 13.41 Gb Total Space | 1.83 Gb Free Space | 13.69% Space Free | Partition Type: NTFS

Computer Name: SHELLY-PC | User Name: shelly | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/21 21:29:48 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\shelly\Desktop\OTL.exe
PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/02 02:33:30 | 004,910,912 | ---- | M] (DT Soft Ltd) -- C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
PRC - [2010/11/14 19:47:47 | 000,233,936 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
PRC - [2009/03/06 15:59:12 | 000,020,376 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\SysWOW64\atashost.exe
PRC - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2007/04/18 10:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2010/02/03 05:17:12 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/03/18 16:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/03/06 15:59:12 | 000,020,376 | ---- | M] (WebEx Communications, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\atashost.exe -- (atashost)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/04/04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/02/29 08:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/15 22:56:13 | 000,270,912 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2010/02/03 05:55:20 | 006,366,720 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2010/02/03 05:55:20 | 006,366,720 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\atipmdag.sys -- (amdkmdag)
DRV:64bit: - [2010/02/03 04:24:00 | 000,186,880 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2009/05/24 08:36:52 | 000,626,176 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\netr7364.sys -- (netr7364)
DRV:64bit: - [2009/05/09 04:14:20 | 000,015,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\NuidFltr.sys -- (NuidFltr)
DRV:64bit: - [2008/10/09 19:04:04 | 000,225,296 | ---- | M] (Advanced Micro Devices, Inc) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\ahcix64s.sys -- (ahcix64s)
DRV:64bit: - [2008/08/06 11:26:08 | 000,174,592 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2008/05/28 20:54:18 | 000,026,168 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\usbfilter.sys -- (usbfilter)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {61779C73-4B7B-4E2A-9BB7-CF28FCE5BD7D}
IE:64bit: - HKLM\..\SearchScopes\{61779C73-4B7B-4E2A-9BB7-CF28FCE5BD7D}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
IE:64bit: - HKLM\..\SearchScopes\{A3B673D8-615A-462A-8161-F1606C194F87}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cndt
IE - HKLM\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{61779C73-4B7B-4E2A-9BB7-CF28FCE5BD7D}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPDTDF
IE - HKLM\..\SearchScopes\{A3B673D8-615A-462A-8161-F1606C194F87}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2438727


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\..\SearchScopes,DefaultScope = {36377DD7-B3EB-42f5-986F-680BAF59BA9D}
IE - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\..\SearchScopes\{36377DD7-B3EB-42f5-986F-680BAF59BA9D}: "URL" = http://start.iplay.com/searchresults.aspx?o=chrome&q={searchTerms}
IE - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\..\SearchScopes\{61779C73-4B7B-4E2A-9BB7-CF28FCE5BD7D}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
IE - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\..\SearchScopes\{A3B673D8-615A-462A-8161-F1606C194F87}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@plugin.couponnetwork.com/Coupon Print Activator;version=4.5: C:\Users\shelly\AppData\Roaming\E-centives\NPcolPM460.dll (Invenda)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\shelly\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\shelly\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/12/14 00:47:34 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/12/14 00:47:34 | 000,000,000 | ---D | M]

[2012/02/20 03:33:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\shelly\AppData\Roaming\mozilla\Firefox\extensions
[2012/02/20 03:33:10 | 000,000,000 | ---D | M] (BitTorrentBar Community Toolbar) -- C:\Users\shelly\AppData\Roaming\mozilla\Firefox\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\shelly\AppData\Local\Google\Chrome\Application\19.0.1084.56\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\shelly\AppData\Local\Google\Chrome\Application\19.0.1084.56\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\shelly\AppData\Local\Google\Chrome\Application\19.0.1084.56\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\shelly\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U22 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll
CHR - plugin: Google Update (Enabled) = C:\Users\shelly\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Coupon Activator Netscape Plugin v. 4.5.0.0 (Enabled) = C:\Users\shelly\AppData\Roaming\E-centives\NPcolPM460.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Users\shelly\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\shelly\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Users\shelly\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/06/21 00:03:58 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O3 - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\..\Toolbar\WebBrowser: (BitTorrentBar Toolbar) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html File not found
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{54B7543B-F3A6-4E10-99FA-A93B81555AC9}: DhcpNameServer = 192.168.2.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D676556F-AE30-481D-986F-C3803D3C05F3}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files (x86)\Common Files\Microsoft Shared\Information Retrieval\msitss.dll File not found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (GTGina.dll) - File not found
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img11.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img11.jpg
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)


Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - C:\Windows\SysWow64\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/06/21 21:29:37 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\shelly\Desktop\OTL.exe
[2012/06/21 00:15:08 | 000,000,000 | ---D | C] -- C:\Users\shelly\AppData\Local\temp
[2012/06/21 00:04:03 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012/06/20 23:36:53 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/06/20 23:36:53 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/06/20 23:36:53 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/06/20 23:35:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/06/20 23:31:13 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/06/20 23:29:42 | 004,563,905 | R--- | C] (Swearware) -- C:\Users\shelly\Desktop\ComboFix.exe
[2012/06/20 02:42:30 | 000,000,000 | ---D | C] -- C:\FRST
[2012/06/19 00:46:13 | 000,000,000 | ---D | C] -- C:\Users\shelly\AppData\Roaming\Malwarebytes
[2012/06/19 00:45:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/19 00:45:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/06/19 00:45:48 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/06/19 00:45:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/06/19 00:41:47 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\shelly\Desktop\mbam-setup-1.61.0.1400.exe
[2012/06/18 00:31:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/06/18 00:31:10 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/06/05 23:59:44 | 000,000,000 | ---D | C] -- C:\Users\shelly\Desktop\PC36IMG_HBOOT_6.17

========== Files - Modified Within 30 Days ==========

[2012/06/21 21:35:16 | 000,710,000 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/06/21 21:35:16 | 000,608,452 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/06/21 21:35:16 | 000,106,056 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/06/21 21:29:48 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\shelly\Desktop\OTL.exe
[2012/06/21 21:27:51 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/21 21:27:51 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/21 21:27:39 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/21 01:56:00 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1001UA.job
[2012/06/21 01:51:01 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1000Core.job
[2012/06/21 01:51:00 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1000UA.job
[2012/06/21 00:03:58 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/06/20 23:29:46 | 004,563,905 | R--- | M] (Swearware) -- C:\Users\shelly\Desktop\ComboFix.exe
[2012/06/19 00:46:01 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/19 00:35:38 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\shelly\Desktop\mbam-setup-1.61.0.1400.exe
[2012/06/18 00:32:27 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/06/18 00:31:42 | 000,724,536 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/06/17 21:24:35 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1001Core.job
[2012/06/13 03:39:24 | 000,371,112 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/06/11 20:54:10 | 000,002,049 | ---- | M] () -- C:\Users\shelly\Desktop\Google Chrome.lnk
[2012/06/11 20:54:10 | 000,002,011 | ---- | M] () -- C:\Users\shelly\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/06/06 00:01:13 | 226,254,951 | ---- | M] () -- C:\Users\shelly\Desktop\PC36IMG.zip
[2012/06/05 23:57:46 | 000,214,642 | ---- | M] () -- C:\Users\shelly\Desktop\PC36IMG2.zip

========== Files Created - No Company Name ==========

[2012/06/20 23:36:53 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/06/20 23:36:53 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/06/20 23:36:53 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/06/20 23:36:53 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/06/20 23:36:53 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/06/19 00:46:01 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/18 00:32:27 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012/06/18 00:32:00 | 000,001,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/06/18 00:31:42 | 000,724,536 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/06/06 00:24:02 | 000,296,742 | ---- | C] () -- C:\Users\shelly\Desktop\su-2.3.6.3-efgh-signed.zip
[2012/06/05 23:57:46 | 226,254,951 | ---- | C] () -- C:\Users\shelly\Desktop\PC36IMG.zip
[2012/06/05 23:57:46 | 000,214,642 | ---- | C] () -- C:\Users\shelly\Desktop\PC36IMG2.zip
[2012/02/15 23:42:14 | 000,017,920 | ---- | C] () -- C:\Users\shelly\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/14 00:41:13 | 000,168,617 | ---- | C] () -- C:\Windows\hphins33.dat
[2010/12/06 22:38:20 | 000,006,836 | ---- | C] () -- C:\Users\shelly\AppData\Local\d3d9caps.dat
[2010/12/05 21:19:12 | 008,892,928 | ---- | C] () -- C:\ProgramData\atscie.msi
[2010/11/16 16:08:38 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2010/11/16 16:08:15 | 000,107,612 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
[2010/11/16 16:07:54 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2010/06/30 03:12:16 | 000,013,312 | ---- | C] () -- C:\Windows\LPRES.DLL

========== LOP Check ==========

[2012/05/14 13:24:02 | 000,000,000 | ---D | M] -- C:\Users\Nikki\AppData\Roaming\BitTorrent
[2012/05/13 02:09:28 | 000,000,000 | ---D | M] -- C:\Users\shelly\AppData\Roaming\BitTorrent
[2012/02/15 23:06:28 | 000,000,000 | ---D | M] -- C:\Users\shelly\AppData\Roaming\DAEMON Tools Lite
[2010/12/14 17:37:11 | 000,000,000 | ---D | M] -- C:\Users\shelly\AppData\Roaming\E-centives
[2012/02/16 00:07:00 | 000,000,000 | ---D | M] -- C:\Users\shelly\AppData\Roaming\Steinberg
[2012/02/19 01:57:53 | 000,000,000 | ---D | M] -- C:\Users\shelly\AppData\Roaming\VST3 Presets
[2010/12/12 23:58:33 | 000,000,000 | ---D | M] -- C:\Users\shelly\AppData\Roaming\WildTangent
[2010/11/15 19:48:51 | 000,000,000 | ---D | M] -- C:\Users\shelly\AppData\Roaming\WinBatch
[2012/06/21 01:58:29 | 000,032,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2008/12/08 20:17:54 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2012/06/21 00:15:06 | 000,014,688 | ---- | M] () -- C:\ComboFix.txt
[2010/12/14 17:39:10 | 000,000,375 | ---- | M] () -- C:\FINIS_IT.TXT
[2010/11/28 21:03:23 | 000,000,000 | ---- | M] () -- C:\install.rdf
[2005/09/23 03:39:38 | 000,894,976 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
[2012/06/21 21:27:34 | 036,913,151 | -HS- | M] () -- C:\pagefile.sys
[2010/12/14 00:48:01 | 000,000,682 | ---- | M] () -- C:\updatedatfix.log

< %systemroot%\Fonts\*.com >
[2006/11/02 10:06:41 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 10:06:41 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 10:06:41 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2010/11/26 14:58:09 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 16:35:48 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008/01/20 22:21:59 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2012/02/18 01:28:06 | 000,000,286 | -HS- | M] () -- C:\Users\shelly\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2012/06/20 23:29:46 | 004,563,905 | R--- | M] (Swearware) -- C:\Users\shelly\Desktop\ComboFix.exe
[2012/06/19 00:35:38 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\shelly\Desktop\mbam-setup-1.61.0.1400.exe
[2012/06/21 21:29:48 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\shelly\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\tasks\*.* >
[2012/06/21 01:51:01 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1000Core.job
[2012/06/21 01:51:00 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1000UA.job
[2012/06/17 21:24:35 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1001Core.job
[2012/06/21 01:56:00 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1240105264-1919951416-3980006800-1001UA.job
[2010/12/14 17:49:03 | 000,000,338 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForshelly.job
[2012/06/21 21:27:45 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2012/06/21 01:58:29 | 000,032,552 | ---- | M] () -- C:\Windows\tasks\SCHEDLGU.TXT

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2010/11/14 19:27:56 | 000,000,402 | -HS- | M] () -- C:\Users\shelly\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2010/12/05 21:19:12 | 008,892,928 | ---- | M] () -- C:\ProgramData\atscie.msi
[2012/02/15 21:52:25 | 000,002,269 | ---- | M] () -- C:\ProgramData\hpzinstall.log

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /I " " /c >

< dir /b "%systemroot%\*.exe" | find /I " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\LastSuccessTime /rs >

< >
< End of report >
 
OTL Extras logfile created on: 6/21/2012 9:32:06 PM - Run 1
OTL by OldTimer - Version 3.2.51.0 Folder = C:\Users\shelly\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.74 Gb Total Physical Memory | 2.10 Gb Available Physical Memory | 56.23% Memory free
7.66 Gb Paging File | 5.94 Gb Available in Paging File | 77.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 284.61 Gb Total Space | 143.34 Gb Free Space | 50.36% Space Free | Partition Type: NTFS
Drive D: | 13.41 Gb Total Space | 1.83 Gb Free Space | 13.69% Space Free | Partition Type: NTFS

Computer Name: SHELLY-PC | User Name: shelly | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]
"VistaSp2" = 50 A5 FD 0B A7 8D CB 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{318AD65D-4A2D-108F-CC1A-F57F5CD3A0D5}" = ATI Catalyst Install Manager
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{4FFA2088-8317-3B14-93CD-4C699DB37843}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{6A5F0AF2-0C80-4933-B78E-7BAA275903A1}" = ccc-utility64
"{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{96178C0A-BAF9-4E49-A2A5-CDE76722105B}" = HP Deskjet D1600 Printer Driver Software 14.0 Rel. 6
"{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{BE930E38-7BB3-45B6-85B2-5251F374F844}" = 64 Bit HP CIO Components Installer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2F7994F-661E-46D1-A1DF-67F2887AAA7E}" = HP MediaSmart SmartMenu
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"HP Imaging Device Functions" = HP Imaging Device Functions 14.0
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 14.0
"HPExtendedCapabilities" = HP Customer Participation Program 14.0
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"PC-Doctor for Windows" = Hardware Diagnostic Tools

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03BF5CB1-B72E-4CA6-A278-F65680F05420}" = HP Picasso Media Center Add-In
"{04462E0D-D4EC-7274-71E6-BE09242BE7C6}" = Catalyst Control Center Localization Russian
"{0EB37B0C-312B-3730-D5A8-03DEF93D8F88}" = CCC Help French
"{0FDEC602-1C69-B08C-C351-689B9E0395BC}" = CCC Help German
"{11BE5E20-76C9-DCAF-ECEA-BC7B04C82920}" = Catalyst Control Center Localization Spanish
"{1458BB78-1DC5-4BC0-B9A3-2B644F5A8105}" = DeviceDiscovery
"{150B6201-E9E6-4DFB-960E-CCBD53FBDDED}" = HPProductAssistant
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{19506BDB-4EA7-491F-E8AB-E97109FDB296}" = muvee Reveal
"{1A2A3DE7-9FEB-8328-0C54-517B05606341}" = Catalyst Control Center Localization Finnish
"{1BF9C714-2DA7-53FA-B2A0-06B494A91360}" = Catalyst Control Center Localization Norwegian
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{259F8154-8D39-8346-5B1D-7A2175686D27}" = Catalyst Control Center Localization Thai
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 22
"{292F0F52-B62D-4E71-921B-89A682402201}" = Toolbox
"{2ED95A60-5AE1-7F13-FC1E-11FD9DD05E82}" = CCC Help Dutch
"{2FB9EA69-51D4-4913-9AD5-762C034DE811}" = Status
"{3127BE74-0D37-3CFE-93F5-1A5AC0FA4E3F}" = CCC Help Portuguese
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{343A1706-26A4-45EA-88CF-37CA172B0F27}" = D1600
"{38058455-8C21-4C2F-B2F6-14ED166039CB}" = HP Total Care Setup
"{3C85A64F-67A3-DB7F-952A-CF28AA180BFF}" = Catalyst Control Center Graphics Previews Vista
"{3FB81D45-08CF-22A0-F167-38E246CF2641}" = Catalyst Control Center Localization Turkish
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}" = HP Advisor
"{413E908B-9634-3CA4-0820-955741413401}" = Catalyst Control Center Localization French
"{41D3C3F4-99A5-D45E-DFC6-3076CDAD63AC}" = Catalyst Control Center Localization Chinese Traditional
"{46C20FC4-3932-0B64-0CDF-6FC3590B72DD}" = Catalyst Control Center Localization Swedish
"{490BF87E-1F75-4453-BF55-9F540543A3CA}" = Steinberg Drum Loop Expansion 01
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A19D6AC-ADE0-4A07-80FF-9C9812C45557}" = Steinberg Cubase 5
"{4D454CF8-12FD-464D-B57B-B46FE27B78BB}" = Steinberg LoopMash Content
"{4FAB5122-775E-4418-B8D9-E2873BC93570}" = Microsoft Live Search Toolbar
"{508D42C6-1CB1-6E14-3C04-B51F2988AC24}" = CCC Help Chinese Traditional
"{515CB78F-31E8-A196-FBA2-C54BEB58D4A1}" = ccc-core-static
"{532B917B-8235-4FA5-BE36-643A8BB053A5}" = Steinberg REVerence Content 01
"{54DFCA39-7269-8FAD-699C-EB42DC337601}" = Catalyst Control Center Localization Dutch
"{5BD0CB24-11AF-4BA8-A198-38D25257C656}" = LightScribe Template Labeler
"{5DCF0E4B-F8EA-4229-A0BD-5CA6D4AFB749}" = SolutionCenter
"{5FFDF42B-96BC-5845-2D39-4F5021092336}" = Catalyst Control Center Localization Hungarian
"{62819EFD-659D-D507-013E-0541FFDF71C7}" = Skins
"{64B9E2F5-558E-4C56-B419-A1679518F6E7}" = HP Customer Experience Enhancements
"{64C61623-E9E9-AD76-4E3D-632ABDB3D3B7}" = Catalyst Control Center Localization Chinese Standard
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{6820EA16-B5AD-4221-E0F6-22C52BC4F4BD}" = CCC Help Italian
"{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
"{6CF622FF-B0C8-5CE5-4CF7-E1790A50BCE9}" = Catalyst Control Center Localization Korean
"{6D161FB9-98B8-399B-1029-D6EFE4F7250F}" = Catalyst Control Center InstallProxy
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{74DC0593-6BC6-4001-AD5F-D810AFB68D86}" = HP Update
"{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}" = WebEx Support Manager for Internet Explorer
"{814B6CB8-9268-C19C-8297-2ECF7F02EBE8}" = Catalyst Control Center Localization Portuguese
"{865D9ED1-EAC2-436D-AFA7-0B750EB5AAAB}" = Steinberg HALionOne Studio Drum Set
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B76B8E9-F773-4B75-A08C-120079EB765E}" = RAIDXpert
"{8EE94FD8-5F52-4463-A340-185D16328158}" = WebReg
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0409-1000-0000000FF1CE}_Office14.SingleImage_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0116-0409-1000-0000000FF1CE}_Office14.SingleImage_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95E75AEE-CC70-62FC-317E-CD6CBBF2AF2B}" = Catalyst Control Center Graphics Full New
"{97ABD26A-3249-46CB-B2E2-F66E64B2E480}" = HP Demo
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D8A4CBF-236E-8BFA-C56A-2FA3BDBA6647}" = Catalyst Control Center Localization German
"{9E67B8B9-23A7-BA38-27CA-1BD20387EBB5}" = Catalyst Control Center Graphics Light
"{9F2EEB98-2578-E655-32EC-48991FC65149}" = CCC Help Russian
"{A0640EC2-B97E-4FC1-AD14-227C9E386BB4}" = HP Recovery Manager RSS
"{A068D32D-D140-40CE-9E8D-2F7563066A6D}" = Catalyst Control Center - Branding
"{A3AB35FA-943E-4799-99DC-46EFD59E998F}" = AMD USB Audio Driver Filter
"{A516050E-4461-DA8B-98BE-E5804F50452A}" = CCC Help English
"{A5885BCC-94DD-F74D-32E6-C72C72CFAEE2}" = Catalyst Control Center Core Implementation
"{A7A34EC1-ADC1-B523-5B27-0A4A927E4F68}" = CCC Help Japanese
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.0
"{AC776273-B538-D23E-5636-9862787B134A}" = CCC Help Polish
"{AC997F93-0757-4ED4-A701-F40C2D654D09}" = Steinberg HALionOne GM Drum Set
"{B2A30878-64C6-7145-BA60-5B3E6FC594F9}" = Catalyst Control Center Localization Czech
"{B2AE9662-A748-DEBB-D252-8758F02AA9BC}" = CCC Help Czech
"{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B41F7D8C-115E-CA45-F80A-1BFF49CD3EC7}" = CCC Help Thai
"{B4742B42-C7DD-0E0B-11B2-D00EF50E9F1E}" = CCC Help Finnish
"{B8461E91-76C3-2EC2-2277-AB565F39AB73}" = Catalyst Control Center Localization Japanese
"{B8628316-6B40-4315-F3F6-C40DA20476AD}" = CCC Help Danish
"{B9468C91-0ACB-A5FA-9BB6-D5705741875B}" = Catalyst Control Center Localization Danish
"{BB3447F6-9553-4AA9-960E-0DB5310C5779}" = GPBaseService2
"{BD86F1AC-B594-46E4-85DC-1258AC9E2232}" = Steinberg Groove Agent ONE Content
"{C0928BDC-D926-EADB-9F49-3DA217886AE8}" = Catalyst Control Center Graphics Full Existing
"{C2B9AA2E-FEA1-307C-1D51-98A5BA67BBA6}" = CCC Help Greek
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C9B2F671-870B-43A0-8B9D-7DB30CEBD87E}" = DJ_SF_06_D1600_SW_Min
"{CA07FCFD-2BD4-93DC-C96C-E710254ADF0F}" = Catalyst Control Center Localization Italian
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CD31E63D-47FD-491C-8117-CF201D0AFAB5}" = TrayApp
"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library
"{CF7077C9-D94E-BA7F-26FD-303EB48A58C7}" = CCC Help Norwegian
"{D23CBFDA-C46B-4920-BA70-FC7878A3F05A}" = Steinberg HALionOne Studio Set
"{D32CB7FD-DCB6-2211-21D4-A7ABA3704CC7}" = CCC Help Korean
"{D360FA88-17C8-4F14-B67F-13AAF9607B12}" = MarketResearch
"{D6F47BAC-5757-665D-3CDD-BC490B9E0534}" = CCC Help Spanish
"{D82CDA0D-C182-42C8-8FF2-5649C98D6003}" = Steinberg HALionOne Pro Set
"{DA9DAC64-C947-47BA-B411-8A1959B177CF}" = LightScribe System Software 1.14.25.1
"{DBE17B8C-3B2B-6480-C3A1-BFA72FB7A5BD}" = CCC Help Chinese Standard
"{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"{DE788E95-F906-45F1-025A-EF2BC39A76FB}" = Catalyst Control Center Localization Greek
"{DFBD51BC-0132-7D56-CBC0-057A13B25116}" = CCC Help Swedish
"{E1D0F3DF-08CE-8051-3027-F40D3B012E8A}" = CCC Help Turkish
"{E22AD5D3-EB60-4A8F-835C-6C10E369DCE2}" = Steinberg HALionOne Expression Set
"{E70E7159-93B1-470D-9FBD-D8E9EF34B538}" = Steinberg HALionOne
"{F057965A-D974-4C64-ADB1-4381CD4B8956}" = Steinberg HALionOne GM Set
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2C19F3A-9A6A-AF80-E136-88F056AECCFE}" = Catalyst Control Center Localization Polish
"{F3AFD063-8BAD-485E-B641-E7F5A2C5AE71}" = Steinberg HALionOne Additional Content Set 01
"{F855C3AE-992D-4B84-A09D-07103CDCDAC2}" = Compact Wireless-G USB Adapter
"{FA0FF682-CC70-4C57-93CD-E276F3E7537E}" = BufferChm
"{FC188F5E-27F7-7BA6-3433-6ABAE6AF7B28}" = CCC Help Hungarian
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ASIO4ALL" = ASIO4ALL
"BitTorrent" = BitTorrent
"BitTorrentBar Toolbar" = BitTorrentBar Toolbar
"DAEMON Tools Lite" = DAEMON Tools Lite
"HP Photo Creations" = HP Photo Creations
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{8B76B8E9-F773-4B75-A08C-120079EB765E}" = RAIDXpert
"InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Office14.SingleImage" = Microsoft Office Home and Student 2010
"sp44626" = sp44626
"VLC media player" = VLC media player 2.0.1
"WildTangent hp Master Uninstall" = My HP Games
"WinRAR archiver" = WinRAR 4.01 (32-bit)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1240105264-1919951416-3980006800-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 6/18/2012 11:37:55 PM | Computer Name = shelly-PC | Source = WinMgmt | ID = 10
Description =

Error - 6/18/2012 11:41:25 PM | Computer Name = shelly-PC | Source = WinMgmt | ID = 10
Description =

Error - 6/18/2012 11:44:46 PM | Computer Name = shelly-PC | Source = WinMgmt | ID = 10
Description =

Error - 6/18/2012 11:47:36 PM | Computer Name = shelly-PC | Source = EventSystem | ID = 4609
Description =

Error - 6/18/2012 11:48:00 PM | Computer Name = shelly-PC | Source = WinMgmt | ID = 10
Description =

Error - 6/18/2012 11:48:59 PM | Computer Name = shelly-PC | Source = Microsoft-Windows-CAPI2 | ID = 131584
Description =

Error - 6/18/2012 11:52:24 PM | Computer Name = shelly-PC | Source = WinMgmt | ID = 10
Description =

Error - 6/18/2012 11:55:44 PM | Computer Name = shelly-PC | Source = WinMgmt | ID = 10
Description =

Error - 6/18/2012 11:59:02 PM | Computer Name = shelly-PC | Source = WinMgmt | ID = 10
Description =

Error - 6/19/2012 12:02:29 AM | Computer Name = shelly-PC | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 12/26/2010 7:20:46 PM | Computer Name = shelly-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/26/2010 8:16:18 PM | Computer Name = shelly-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 1/2/2012 5:22:35 PM | Computer Name = shelly-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 9:24:29 PM on 12/26/2010 was unexpected.

Error - 1/2/2012 5:23:46 PM | Computer Name = shelly-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 1/2/2012 5:27:25 PM | Computer Name = shelly-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 2/15/2012 10:29:27 PM | Computer Name = shelly-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 1:29:46 PM on 1/2/2012 was unexpected.

Error - 2/15/2012 10:30:50 PM | Computer Name = shelly-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 2/15/2012 11:22:13 PM | Computer Name = shelly-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 2/16/2012 12:29:23 AM | Computer Name = shelly-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 2/16/2012 1:17:10 AM | Computer Name = shelly-PC | Source = DCOM | ID = 10010
Description =


< End of report >
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
    O3 - HKU\S-1-5-21-1240105264-1919951416-3980006800-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O8:64bit: - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html File not found
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html File not found
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

==========================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If ESET doesn't find any threats, it won't produce a log.
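The O2/O3/O16 lines in the OTL script above are all of one kind: an Internet Explorer extension point (Browser Helper Object, per-user toolbar entry, downloaded ActiveX control) that still points at a CLSID with no class registration left behind it, which OTL prints as "No CLSID value found" or "Reg Error". The PowerShell below is an added, read-only example written for this thread, not part of OTL or of the original post: it walks the same three extension points and flags entries whose CLSID does not resolve, or whose InprocServer32 DLL is missing, so the same orphan check can be repeated after a fix. It assumes it runs as the affected user, so HKCU stands in for the HKU\<SID> hive the O3 lines address; the key paths are the standard IE/Code Store locations, not taken from the log.

```powershell
# Added example (not from the thread or from OTL): report orphaned IE extension entries.
# Read-only: it reports, it does not delete anything.

function Resolve-Clsid {
    param([string]$Clsid, [string]$Source)
    # 64-bit, 32-bit (Wow6432Node) and per-user class registrations, checked in that order.
    $classKeys = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid",
        "HKCU:\Software\Classes\CLSID\$Clsid"
    )
    $found = $classKeys | Where-Object { Test-Path $_ } | Select-Object -First 1
    $dll = $null
    if ($found -and (Test-Path "$found\InprocServer32")) {
        $dll = (Get-ItemProperty -Path "$found\InprocServer32").'(default)'
    }
    $status = 'OK'
    if (-not $found) {
        $status = 'ORPHAN: no CLSID registration'
    } elseif ($dll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        if (-not (Test-Path $expanded)) { $status = 'BROKEN: DLL missing' }
    }
    [pscustomobject]@{ Source = $Source; CLSID = $Clsid; Status = $status; Dll = $dll }
}

$results     = @()
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# O2 - Browser Helper Objects: subkeys named by CLSID, in both registry views on x64.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $results += Resolve-Clsid $sub.PSChildName $key
    }
}

# O3 - per-user IE toolbar entries: registry *values* named by CLSID (HKCU here, HKU\<SID> in OTL).
$tbKey = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
if (Test-Path $tbKey) {
    foreach ($name in (Get-Item $tbKey).GetValueNames()) {
        if ($name -match $guidPattern) { $results += Resolve-Clsid $name $tbKey }
    }
}

# O16 / DPF - downloaded ActiveX controls: Distribution Units subkeys named by CLSID.
$duKey = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
if (Test-Path $duKey) {
    foreach ($sub in Get-ChildItem $duKey) {
        if ($sub.PSChildName -match $guidPattern) { $results += Resolve-Clsid $sub.PSChildName $duKey }
    }
}

$results | Sort-Object Status, Source | Format-Table -AutoSize
```

An ORPHAN entry is harmless by itself (the DLL it referred to is already gone), but it is also exactly what a half-removed toolbar or adware component leaves behind, so it is worth clearing as the OTL script does; a BROKEN entry, where the class is registered but its DLL is missing, is the case to look at more closely before deleting.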
 
This is the OTL log created after choosing Run Fix

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\S-1-5-21-1240105264-1919951416-3980006800-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{30F9B915-B755-4826-820B-08FBA6BD249D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ not found.
Registry value HKEY_USERS\S-1-5-21-1240105264-1919951416-3980006800-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google Sidewiki...\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google Sidewiki...\ not found.
Starting removal of ActiveX control {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
C:\ProgramData\webex\ieatgpc.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AppData
->Temp folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Nikki
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 142674146 bytes
->Google Chrome cache emptied: 510566013 bytes
->Flash cache emptied: 26126 bytes

User: Public
->Temp folder emptied: 0 bytes

User: shelly
->Temp folder emptied: 654328 bytes
->Temporary Internet Files folder emptied: 203414603 bytes
->Java cache emptied: 59616 bytes
->Google Chrome cache emptied: 127104784 bytes
->Flash cache emptied: 2895704 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 797070 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33109 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 200385776 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,134.00 mb


[EMPTYJAVA]

User: All Users

User: AppData

User: Default

User: Default User

User: Nikki

User: Public

User: shelly
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: AppData

User: Default

User: Default User

User: Nikki
->Flash cache emptied: 0 bytes

User: Public

User: shelly
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.51.0 log created on 06212012_222625
Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\TMP0000004207566194F376A7C1 not found!
Registry entries deleted on Reboot...
 
Results of screen317's Security Check version 0.99.24
Windows Vista x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Java(TM) 6 Update 22
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player ( 10.1.102.64) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Spybot Teatimer.exe is disabled!
Microsoft Security Essentials msseces.exe
``````````End of Log````````````
 
Farbar Service Scanner Version: 19-06-2012 01
Ran by shelly (administrator) on 21-06-2012 at 23:18:23
Running from "C:\Users\shelly\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\nsisvc.dll
[2008-01-20 21:49] - [2008-01-20 21:49] - 0024576 ____A (Microsoft Corporation) ACB62BAA1C319B17752553DF3026EEEB
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2010-11-16 16:07] - [2009-04-11 02:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7
C:\Windows\System32\drivers\afd.sys
[2012-02-17 01:16] - [2012-01-03 09:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-10 12:09] - [2012-03-30 07:45] - 1422720 ____A (Microsoft Corporation) AC8D5728E6AD6A7C4819D9A67008337A
C:\Windows\System32\dnsrslvr.dll
[2012-02-17 03:58] - [2011-03-02 11:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0
C:\Windows\System32\mpssvc.dll
[2010-11-16 16:08] - [2009-04-11 02:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C
C:\Windows\System32\bfe.dll
[2010-11-16 16:07] - [2009-04-11 02:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2008-01-20 21:47] - [2008-01-20 21:47] - 0128000 ____A (Microsoft Corporation) 4FF71B076A7760FE75EA5AE2D0EE0018
C:\Windows\System32\vssvc.exe
[2010-11-16 16:08] - [2009-04-11 02:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1
C:\Windows\System32\wscsvc.dll
[2010-11-16 16:07] - [2009-04-11 02:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A
C:\Windows\System32\wbem\WMIsvc.dll
[2010-11-16 16:08] - [2009-04-11 02:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02
C:\Windows\System32\wuaueng.dll
[2010-11-14 19:13] - [2009-08-06 21:24] - 2424024 ____A (Microsoft Corporation) FB3796754FE00F0BDC87A36F164A5F4D
C:\Windows\System32\qmgr.dll
[2010-11-16 16:08] - [2009-04-11 02:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C
C:\Windows\System32\es.dll
[2010-11-16 16:08] - [2009-04-11 02:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF
C:\Windows\System32\cryptsvc.dll
[2012-06-13 00:03] - [2012-04-23 11:25] - 0174592 ____A (Microsoft Corporation) 62740B9D2A137E8CED41A9E4239A7A31
C:\Program Files\Windows Defender\MpSvc.dll
[2008-01-20 21:47] - [2008-01-20 21:47] - 0383544 ____A (Microsoft Corporation) 7D2A43E8FDF725A1133F6C6056A72CDC
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-16 16:08] - [2009-04-11 02:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF

**** End of log ****
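The two Windows Defender findings in the FSS log above (WinDefend set to Demand instead of Auto, and DisableAntiSpyware = 1) are the state Microsoft Security Essentials leaves behind when it is installed on Vista or 7, since MSE turns Windows Defender off by design, so alongside the MSE process in the Security Check log they are expected rather than evidence of tampering. The PowerShell below is an added, read-only example written for this thread, not part of FSS or of the original post: it re-reads the same service start type, policy flag and service binaries FSS checks (hashing them with MD5 the way FSS prints them), so the state can be re-verified after cleaning. The second policy path is the Group Policy location, an assumption not taken from the log.

```powershell
# Added example (not from the thread or from FSS): re-check the Windows Defender items
# that Farbar Service Scanner reports. Read-only; run from an elevated prompt.

function Get-ServiceBinaryInfo {
    param([string]$Path)
    # ImagePath may be quoted and may carry arguments ("svchost.exe -k secsvcs"); keep the binary only.
    if ($Path -match '^\s*"?([^"]+?\.(exe|dll))"?') { $Path = $Matches[1] }
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path $full)) {
        return [pscustomobject]@{ Path = $full; Exists = $false; Version = $null; MD5 = $null }
    }
    $item = Get-Item $full
    [pscustomobject]@{
        Path    = $full
        Exists  = $true
        Version = $item.VersionInfo.FileVersion
        # MD5 is what FSS prints, so this can be compared against a known-good copy.
        MD5     = (Get-FileHash -Path $full -Algorithm MD5).Hash
    }
}

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
if (-not (Test-Path $svcKey)) { throw 'WinDefend service key not found' }
$svc    = Get-ItemProperty -Path $svcKey
$params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue

# Start values: 2 = Auto, 3 = Demand (manual), 4 = Disabled. FSS reports Auto as the default.
$startNames = @{ 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }
$startName  = $startNames[[int]$svc.Start]
if (-not $startName) { $startName = "Unknown($($svc.Start))" }
$note = if ($startName -ne 'Auto') { '  <-- differs from default Auto' } else { '' }
"WinDefend start type: $startName$note"

# The flag FSS showed set to 1, plus the Group Policy location for the same setting.
foreach ($polKey in 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
                    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender') {
    $p = Get-ItemProperty -Path $polKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($p) { "$polKey : DisableAntiSpyware = $($p.DisableAntiSpyware)" }
    else    { "$polKey : DisableAntiSpyware not set" }
}

# Service host and ServiceDll, the two binaries FSS reports as "OK" or not.
"ImagePath : $($svc.ImagePath)"
Get-ServiceBinaryInfo -Path $svc.ImagePath | Format-List
if ($params -and $params.ServiceDll) {
    "ServiceDll: $($params.ServiceDll)"
    Get-ServiceBinaryInfo -Path $params.ServiceDll | Format-List
}
```

Compare the MD5 values against the ones FSS printed for the same files before the fix: a changed hash on a file Windows Update did not touch is the thing to follow up, while the start type and policy flag above should simply be read together with whichever antivirus is installed.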
 