Solved Zeroaccess, Sirefef and Windows 7 reboot loop

Praankster

Posts: 23   +0
OS: Windows 7 Ultimate 32

Hello and thanks in advance for any help!

I have the same problem as many others - I appear to have the Zeroaccess virus, variants of Win32/Sirefef and following the reinstall of MSE a system that reboots every couple of minutes even in safe mode (although it takes a little longer). I tried a few tools before a friend recommended this forum - then I ran farbar in System Recovery Option (files below).

The full story if it is useful...

It all started after getting redirects using the Chrome web browser, and then I couldn't access sites such as Microsoft and Sophos. MSE detected a virus but disappeared before I could read what it was. On the next boot I could not get the MSE service to start, and the firewall was down, both giving error messages.

I tried Rogue Killer which identified Zeroaccess in desktop.ini and in services.exe that it could not fix. MBAM also found Zeroaccess. I also lost my network connection - Rogue Killer reported a problem with DNS.

The Microsoft website recommended using their Safety Scanner and MSE. Safety scanner detected Win32/Sirefef.R in services.exe.
I reinstalled MSE. Sirefef.R was detected as above and 'disinfected', Win32/Sirefef.AH was 'removed'. On reboot Win32/Sirefef.AB was detected, and since then I get a 'Windows has encountered a critical error' after a couple of minutes and the system reboots.

I managed to run TDSSKiller, which found and quarantined 5 objects (log file attached). This did not appear to make any difference to the situation. I then tried Kaspersky Rescue Disk 10 which found no problems. At that point I was contemplating a reinstall, until a friend recommended this site.

I've run farbar (files below) in System Recovery Options using the Windows installation disc.

When I clicked 'Repair your computer' there was an automatic scan for problems, which suggested a repair and reported the following:

--------------------------

Repair details:
The following startup option will be repaired:
Name: Windows Boot Manager
Identifier: {9DEA862C-5CDD-4E70-ACC1-F32B344D4795}

Name: Windows Recovery Environment (recovered)
Path: Recovery\375044d2-f9d9-11df-945b-a8cfbde69105\Winre.wim
Windows Device: Partition=C: (1907627 MB)

A copy of the current boot configuration data will be saved as: C:\Boot\BCD.Backup.0001

--------------------------

I did not repair and reboot, but instead cancelled (fearing more damage) and then ran the farbar scan and a search generating the logs - frst.txt and search.txt ...


FRST.TXT

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 08-08-2012 00:06:23
Running from F:\
Windows 7 Ultimate Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet003

========================== Registry (Whitelisted) =============

HKLM\...\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" [17408 2010-07-04] ()
HKLM\...\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r [1733120 2010-01-17] (VIA)
HKLM\...\Run: [VIAAUD] C:\Program Files\VIA\VIAudioi\VDeck\VIAAUD.exe [x]
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [1043968 2010-11-16] (Check Point Software Technologies LTD)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\praAnkster\...\Run: [Google Update] "C:\Users\praAnkster\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-11-26] (Google Inc.)
HKU\praAnkster\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)

================================ Services (Whitelisted) ==================

2 ERDAS-Net License Server; C:\Program Files\ERDAS\Shared\licensing\bin\ntx86\lmgrd.exe [1423440 2009-11-11] (Macrovision Corporation)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 vsmon; C:\Windows\System32\ZoneLabs\vsmon.exe -service [2435592 2010-11-16] (Check Point Software Technologies LTD)
3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [x]
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 AEILAB; C:\Windows\System32\DRIVERS\AEILAB.SYS [24299 2000-09-05] (USB2LAN Provider)
3 Afc; C:\Windows\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.)
1 archlp; C:\Windows\System32\drivers\archlp.sys [96384 2008-08-12] ()
3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2009-07-13] (Microsoft Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
2 Nsynas32; C:\Windows\System32\Drivers\Nsynas32.sys [17784 2001-04-09] (Syncrosoft Hard- und Software GmbH)
1 RapportCerberus_34302; \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [228208 2011-12-15] ()
3 RapportIaso; \??\c:\programdata\trusteer\rapport\store\exts\rapportms\39624\rapportiaso.sys [21520 2012-05-28] (Trusteer Ltd.)
0 RapportKELL; C:\Windows\System32\Drivers\RapportKELL.sys [65752 2012-07-07] (Trusteer Ltd.)
3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1119232 2010-01-11] (VIA Technologies, Inc.)
1 Vsdatant; C:\Windows\System32\DRIVERS\vsdatant.sys [461400 2010-05-15] (Check Point Software Technologies LTD)
3 FXDrv32; \??\D:\FXDrv32.sys [x]
1 RapportEI; \??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [x]
1 RapportPG; \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 TrueSight; \??\c:\windows\system32\drivers\TrueSight.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-06 19:36 - 2012-08-06 19:50 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
2012-08-06 16:16 - 2012-08-06 16:16 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-08-06 06:58 - 2012-08-06 06:58 - 00000186 ____A C:\Users\praAnkster\Desktop\New shortcut.lnk
2012-08-06 06:54 - 2012-08-06 06:54 - 00023288 ____A C:\Users\praAnkster\Desktop\FRST.txt
2012-08-03 06:17 - 2012-08-06 06:53 - 00002843 ____A C:\Users\praAnkster\Desktop\FRST_.txt
2012-08-02 14:17 - 2012-08-06 06:54 - 00000000 ____D C:\FRST
2012-08-02 14:17 - 2012-08-02 14:17 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\oyzqmrff.sys
2012-08-02 12:20 - 2012-08-02 12:20 - 00892822 ____A (Farbar) C:\Users\praAnkster\Desktop\FRST.exe
2012-08-02 09:10 - 2012-08-02 09:10 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\orniwxlf.sys
2012-08-02 07:49 - 2012-08-02 07:49 - 00002057 ____A C:\Users\praAnkster\Desktop\RKreport[20].txt
2012-08-02 07:24 - 2012-08-02 07:24 - 00002052 ____A C:\Users\praAnkster\Desktop\RKreport[19].txt
2012-08-02 07:24 - 2012-08-02 07:24 - 00002019 ____A C:\Users\praAnkster\Desktop\RKreport[18].txt
2012-08-02 06:52 - 2012-08-02 06:52 - 00002176 ____A C:\Users\praAnkster\Desktop\RKreport[17].txt
2012-08-02 06:51 - 2012-08-02 06:51 - 00002143 ____A C:\Users\praAnkster\Desktop\RKreport[16].txt
2012-08-02 06:26 - 2012-08-02 06:26 - 00000000 ____D C:\Windows\System32\MpEngineStore
2012-08-02 05:02 - 2012-08-02 05:02 - 00002136 ____A C:\Users\praAnkster\Desktop\RKreport[15].txt
2012-08-02 05:01 - 2012-08-02 05:01 - 00002103 ____A C:\Users\praAnkster\Desktop\RKreport[14].txt
2012-08-02 04:57 - 2012-08-02 04:57 - 00001936 ____A C:\Users\praAnkster\Desktop\RKreport[13].txt
2012-08-02 04:56 - 2012-08-02 04:56 - 00001903 ____A C:\Users\praAnkster\Desktop\RKreport[12].txt
2012-08-02 03:08 - 2012-08-02 03:08 - 00001898 ____A C:\Users\praAnkster\Desktop\RKreport[11].txt
2012-08-02 03:07 - 2012-08-02 03:07 - 00001863 ____A C:\Users\praAnkster\Desktop\RKreport[10].txt
2012-08-01 14:49 - 2012-08-01 14:49 - 00001857 ____A C:\Users\praAnkster\Desktop\RKreport[9].txt
2012-08-01 14:48 - 2012-08-01 14:48 - 00001825 ____A C:\Users\praAnkster\Desktop\RKreport[8].txt
2012-08-01 11:45 - 2012-08-01 11:45 - 00001807 ____A C:\Users\praAnkster\Desktop\RKreport[7].txt
2012-08-01 11:45 - 2012-08-01 11:45 - 00000615 ____A C:\Users\praAnkster\Desktop\RKreport[6].txt
2012-08-01 11:44 - 2012-08-01 11:44 - 00001769 ____A C:\Users\praAnkster\Desktop\RKreport[5].txt
2012-08-01 11:09 - 2012-08-01 11:09 - 00001751 ____A C:\Users\praAnkster\Desktop\RKreport[4].txt
2012-08-01 11:09 - 2012-08-01 11:09 - 00000855 ____A C:\Users\praAnkster\Desktop\RKreport[3].txt
2012-08-01 11:08 - 2012-08-01 11:08 - 00001999 ____A C:\Users\praAnkster\Desktop\RKreport[2].txt
2012-08-01 11:05 - 2012-08-01 11:05 - 00139856 ____A C:\Windows\Minidump\080112-23150-01.dmp
2012-08-01 11:03 - 2012-08-01 11:03 - 00002002 ____A C:\Users\praAnkster\Desktop\RKreport[1].txt
2012-08-01 10:58 - 2012-08-01 10:59 - 00144072 ____A C:\Windows\Minidump\080112-23821-01.dmp
2012-08-01 07:44 - 2012-08-01 07:44 - 00002567 ____A C:\Users\praAnkster\Desktop\RKreport[10]_2.txt
2012-08-01 03:57 - 2012-08-01 03:57 - 00002002 ____A C:\Users\praAnkster\Desktop\RKreport[7]_2.txt
2012-08-01 03:56 - 2012-08-01 03:56 - 00001952 ____A C:\Users\praAnkster\Desktop\RKreport[6]_2.txt
2012-07-31 16:37 - 2012-07-31 16:37 - 00002106 ____A C:\Users\praAnkster\Desktop\RKreport[4]_2.txt
2012-07-31 16:36 - 2012-07-31 16:36 - 00002038 ____A C:\Users\praAnkster\Desktop\RKreport[3]_2.txt
2012-07-31 14:59 - 2012-07-31 14:59 - 00002070 ____A C:\Users\praAnkster\Desktop\RKreport[2]_2.txt
2012-07-31 14:58 - 2012-07-31 14:58 - 00002002 ____A C:\Users\praAnkster\Desktop\RKreport[1]_2.txt
2012-07-31 14:54 - 2012-07-31 14:54 - 00000053 ____A C:\Users\praAnkster\AppData\Roaming\mbam.context.scan
2012-07-31 14:49 - 2012-07-31 14:49 - 00420800 ___AH C:\Windows\System32\Drivers\vsconfig.xml
2012-07-31 14:49 - 2012-07-31 14:49 - 00000000 ____D C:\Windows\System32\ZoneLabs
2012-07-31 14:49 - 2010-11-16 08:45 - 01238528 ____A (Check Point Software Technologies LTD) C:\Windows\System32\zpeng25.dll
2012-07-31 14:49 - 2010-11-16 08:45 - 00302592 ____A (Check Point Software Technologies LTD) C:\Windows\System32\vspubapi.dll
2012-07-31 14:49 - 2010-11-16 08:45 - 00112128 ____A (Check Point Software Technologies LTD) C:\Windows\System32\vsdata.dll
2012-07-31 14:49 - 2010-11-16 08:45 - 00110080 ____A (Check Point Software Technologies LTD) C:\Windows\System32\vsxml.dll
2012-07-31 14:49 - 2010-11-16 08:45 - 00108032 ____A (Check Point Software Technologies LTD) C:\Windows\System32\vsmonapi.dll
2012-07-31 14:49 - 2010-11-16 08:45 - 00104448 ____A (Check Point Software Technologies LTD) C:\Windows\System32\zlcommdb.dll
2012-07-31 14:49 - 2010-11-16 08:45 - 00069120 ____A (Check Point Software Technologies LTD) C:\Windows\System32\zlcomm.dll
2012-07-31 14:49 - 2010-11-16 08:45 - 00058368 ____A (Check Point Software Technologies LTD) C:\Windows\System32\vsregexp.dll
2012-07-31 14:49 - 2010-11-16 08:45 - 00043008 ____A (Check Point Software Technologies LTD) C:\Windows\System32\vswmi.dll
2012-07-31 14:49 - 2010-05-15 07:30 - 00461400 ____A (Check Point Software Technologies LTD) C:\Windows\System32\Drivers\vsdatant.sys
2012-07-31 14:48 - 2012-07-31 14:48 - 00000000 ____D C:\Program Files\Zone Labs
2012-07-31 14:48 - 2010-11-16 08:45 - 00715264 ____A (Check Point Software Technologies LTD) C:\Windows\System32\vsutil.dll
2012-07-31 14:48 - 2010-11-16 08:45 - 00228864 ____A (Check Point Software Technologies LTD) C:\Windows\System32\vsinit.dll
2012-07-31 11:54 - 2012-08-01 08:31 - 00000000 ____D C:\Users\praAnkster\Desktop\RK reports
2012-07-31 07:30 - 2012-07-31 07:30 - 00144072 ____A C:\Windows\Minidump\073112-25630-01.dmp
2012-07-31 07:26 - 2012-07-31 07:26 - 00000000 ____D C:\Users\All Users\ZA_PreservedFiles
2012-07-30 13:49 - 2012-07-30 13:50 - 00144072 ____A C:\Windows\Minidump\073012-23946-01.dmp
2012-07-30 12:57 - 2012-08-02 07:49 - 00000000 ____D C:\Users\praAnkster\Desktop\RK_Quarantine
2012-07-30 12:56 - 2012-07-30 12:56 - 01552384 ____A C:\Users\praAnkster\Desktop\RogueKiller.exe
2012-07-30 11:37 - 2012-07-30 11:37 - 00000000 ____D C:\Users\All Users\CheckPoint
2012-07-30 11:03 - 2012-07-30 11:03 - 00144072 ____A C:\Windows\Minidump\073012-33852-01.dmp
2012-07-30 09:10 - 2012-07-30 09:11 - 00144072 ____A C:\Windows\Minidump\073012-24632-01.dmp
2012-07-30 08:49 - 2012-07-30 08:49 - 00000000 ____D C:\Users\praAnkster\AppData\Roaming\Malwarebytes
2012-07-30 08:48 - 2012-07-30 11:08 - 00001176 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-30 08:48 - 2012-07-30 08:59 - 00000000 ____D C:\Program Files\DESTROY Malwarebytes' Anti-Malware
2012-07-30 08:48 - 2012-07-30 08:48 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-30 08:48 - 2012-07-03 04:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-30 08:36 - 2012-07-30 08:36 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-30 08:29 - 2012-07-30 08:29 - 00144072 ____A C:\Windows\Minidump\073012-36629-01.dmp
2012-07-30 08:23 - 2012-07-30 08:23 - 00000000 ____D C:\Users\praAnkster\AppData\Local\{E3DE8E83-DA62-11E1-8270-B8AC6F996F26}
2012-07-30 08:22 - 2012-07-30 08:22 - 00000012 ____A C:\Windows\srun.log
2012-07-30 08:01 - 2012-08-01 10:56 - 00738286 ____A C:\Users\praAnkster\AppData\Local\hfwiudnu.log
2012-07-30 08:01 - 2012-07-30 08:01 - 00135507 ____A C:\Users\praAnkster\AppData\Local\tardhnsx.log
2012-07-30 08:01 - 2012-07-30 08:01 - 00003247 ____A C:\Users\praAnkster\AppData\Local\xoksmwpv.log
2012-07-30 08:01 - 2012-07-30 08:01 - 00002865 ____A C:\Users\praAnkster\AppData\Local\rhbguoor.log
2012-07-30 08:00 - 2012-07-30 08:00 - 00004048 ____A C:\Users\praAnkster\AppData\Local\kxuagrty.log
2012-07-30 08:00 - 2012-07-30 08:00 - 00000000 ____A C:\Users\praAnkster\AppData\Local\hwlonyvp.log
2012-07-30 08:00 - 2012-07-30 08:00 - 00000000 ____A C:\Users\praAnkster\AppData\Local\brdepvjb.log
2012-07-30 07:58 - 2012-08-01 14:43 - 00000000 ____D C:\Users\praAnkster\AppData\Local\vfvwxwct
2012-07-30 07:58 - 2012-08-01 10:57 - 00000024 ____A C:\Users\praAnkster\AppData\Local\foafbyde.log
2012-07-30 07:58 - 2012-07-30 08:00 - 00440304 ____A C:\Users\praAnkster\AppData\Local\gfhpwvke.log
2012-07-30 07:58 - 2012-07-30 07:58 - 00000064 ____A C:\Users\All Users\spiaynhf.log
2012-07-27 07:27 - 2012-07-27 07:27 - 03028656 ____A (TeamViewer) C:\Users\praAnkster\Downloads\TeamViewerQS_en.exe
2012-07-27 07:15 - 2012-07-27 08:00 - 00000000 ____D C:\Users\praAnkster\AppData\Roaming\TeamViewer
2012-07-27 07:13 - 2012-07-27 07:13 - 03610576 ____A (TeamViewer GmbH) C:\Users\praAnkster\Downloads\TeamViewer_Setup_en.exe
2012-07-23 09:22 - 2012-07-23 09:23 - 00000000 ____D C:\CV
2012-07-21 10:08 - 2012-07-21 10:08 - 00000000 ____D C:\New folder
2012-07-19 14:56 - 2012-07-19 14:56 - 00001028 ____A C:\Users\Public\Desktop\VLC media player.lnk
2012-07-19 14:53 - 2012-07-19 14:53 - 04411280 ____A C:\Users\praAnkster\Downloads\fallen.ogg
2012-07-19 12:29 - 2012-07-24 03:28 - 00000000 ____D C:\TV and Radio
2012-07-17 04:11 - 2012-07-17 04:11 - 00132428 ____A C:\Users\praAnkster\Desktop\important.jpg-large
2012-07-14 09:12 - 2012-07-14 09:12 - 02456064 ____A C:\Users\praAnkster\Documents\Radiance MET Office - Matricardi_TC_2012.ppt
2012-07-13 14:04 - 2012-07-23 07:25 - 00000000 ____D C:\Users\praAnkster\Documents\Olympic cycling road race and sailing
2012-07-12 12:45 - 2012-07-22 06:23 - 00000000 ____D C:\Users\praAnkster\Documents\Invoices


============ 3 Months Modified Files ========================

2012-08-07 09:31 - 2012-08-07 09:31 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\znwtofdo.sys
2012-08-07 09:31 - 2010-11-28 07:59 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-07 09:30 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-07 09:29 - 2009-07-13 20:39 - 00378509 ____A C:\Windows\setupact.log
2012-08-06 06:58 - 2012-08-06 06:58 - 00000186 ____A C:\Users\praAnkster\Desktop\New shortcut.lnk
2012-08-06 06:54 - 2012-08-06 06:54 - 00023288 ____A C:\Users\praAnkster\Desktop\FRST.txt
2012-08-06 06:53 - 2012-08-03 06:17 - 00002843 ____A C:\Users\praAnkster\Desktop\FRST_.txt
2012-08-06 06:48 - 2010-11-28 07:59 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-03 06:38 - 2010-11-26 12:00 - 00733518 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-02 14:17 - 2012-08-02 14:17 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\oyzqmrff.sys
2012-08-02 12:20 - 2012-08-02 12:20 - 00892822 ____A (Farbar) C:\Users\praAnkster\Desktop\FRST.exe
2012-08-02 09:10 - 2012-08-02 09:10 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\orniwxlf.sys
2012-08-02 07:49 - 2012-08-02 07:49 - 00002057 ____A C:\Users\praAnkster\Desktop\RKreport[20].txt
2012-08-02 07:37 - 2012-04-10 07:11 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-02 07:37 - 2010-11-26 12:49 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3402657652-3708558674-1240141188-1000UA.job
2012-08-02 07:26 - 2011-02-06 05:50 - 00020386 ____A C:\Windows\PFRO.log
2012-08-02 07:24 - 2012-08-02 07:24 - 00002052 ____A C:\Users\praAnkster\Desktop\RKreport[19].txt
2012-08-02 07:24 - 2012-08-02 07:24 - 00002019 ____A C:\Users\praAnkster\Desktop\RKreport[18].txt
2012-08-02 06:56 - 2011-04-05 03:52 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-02 06:52 - 2012-08-02 06:52 - 00002176 ____A C:\Users\praAnkster\Desktop\RKreport[17].txt
2012-08-02 06:51 - 2012-08-02 06:51 - 00002143 ____A C:\Users\praAnkster\Desktop\RKreport[16].txt
2012-08-02 06:36 - 2009-07-13 20:34 - 00014192 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-02 06:36 - 2009-07-13 20:34 - 00014192 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-02 05:02 - 2012-08-02 05:02 - 00002136 ____A C:\Users\praAnkster\Desktop\RKreport[15].txt
2012-08-02 05:01 - 2012-08-02 05:01 - 00002103 ____A C:\Users\praAnkster\Desktop\RKreport[14].txt
2012-08-02 04:57 - 2012-08-02 04:57 - 00001936 ____A C:\Users\praAnkster\Desktop\RKreport[13].txt
2012-08-02 04:56 - 2012-08-02 04:56 - 00001903 ____A C:\Users\praAnkster\Desktop\RKreport[12].txt
2012-08-02 03:08 - 2012-08-02 03:08 - 00001898 ____A C:\Users\praAnkster\Desktop\RKreport[11].txt
2012-08-02 03:07 - 2012-08-02 03:07 - 00001863 ____A C:\Users\praAnkster\Desktop\RKreport[10].txt
2012-08-01 14:49 - 2012-08-01 14:49 - 00001857 ____A C:\Users\praAnkster\Desktop\RKreport[9].txt
2012-08-01 14:48 - 2012-08-01 14:48 - 00001825 ____A C:\Users\praAnkster\Desktop\RKreport[8].txt
2012-08-01 11:45 - 2012-08-01 11:45 - 00001807 ____A C:\Users\praAnkster\Desktop\RKreport[7].txt
2012-08-01 11:45 - 2012-08-01 11:45 - 00000615 ____A C:\Users\praAnkster\Desktop\RKreport[6].txt
2012-08-01 11:44 - 2012-08-01 11:44 - 00001769 ____A C:\Users\praAnkster\Desktop\RKreport[5].txt
2012-08-01 11:09 - 2012-08-01 11:09 - 00001751 ____A C:\Users\praAnkster\Desktop\RKreport[4].txt
2012-08-01 11:09 - 2012-08-01 11:09 - 00000855 ____A C:\Users\praAnkster\Desktop\RKreport[3].txt
2012-08-01 11:08 - 2012-08-01 11:08 - 00001999 ____A C:\Users\praAnkster\Desktop\RKreport[2].txt
2012-08-01 11:05 - 2012-08-01 11:05 - 00139856 ____A C:\Windows\Minidump\080112-23150-01.dmp
2012-08-01 11:05 - 2011-04-25 11:37 - 232493646 ____A C:\Windows\MEMORY.DMP
2012-08-01 11:03 - 2012-08-01 11:03 - 00002002 ____A C:\Users\praAnkster\Desktop\RKreport[1].txt
2012-08-01 10:59 - 2012-08-01 10:58 - 00144072 ____A C:\Windows\Minidump\080112-23821-01.dmp
2012-08-01 10:57 - 2012-07-30 07:58 - 00000024 ____A C:\Users\praAnkster\AppData\Local\foafbyde.log
2012-08-01 10:56 - 2012-07-30 08:01 - 00738286 ____A C:\Users\praAnkster\AppData\Local\hfwiudnu.log
2012-08-01 07:44 - 2012-08-01 07:44 - 00002567 ____A C:\Users\praAnkster\Desktop\RKreport[10]_2.txt
2012-08-01 03:57 - 2012-08-01 03:57 - 00002002 ____A C:\Users\praAnkster\Desktop\RKreport[7]_2.txt
2012-08-01 03:56 - 2012-08-01 03:56 - 00001952 ____A C:\Users\praAnkster\Desktop\RKreport[6]_2.txt
2012-07-31 16:37 - 2012-07-31 16:37 - 00002106 ____A C:\Users\praAnkster\Desktop\RKreport[4]_2.txt
2012-07-31 16:36 - 2012-07-31 16:36 - 00002038 ____A C:\Users\praAnkster\Desktop\RKreport[3]_2.txt
2012-07-31 14:59 - 2012-07-31 14:59 - 00002070 ____A C:\Users\praAnkster\Desktop\RKreport[2]_2.txt
2012-07-31 14:58 - 2012-07-31 14:58 - 00002002 ____A C:\Users\praAnkster\Desktop\RKreport[1]_2.txt
2012-07-31 14:54 - 2012-07-31 14:54 - 00000053 ____A C:\Users\praAnkster\AppData\Roaming\mbam.context.scan
2012-07-31 14:49 - 2012-07-31 14:49 - 00420800 ___AH C:\Windows\System32\Drivers\vsconfig.xml
2012-07-31 14:49 - 2010-11-26 11:52 - 01166814 ____A C:\Windows\WindowsUpdate.log
2012-07-31 07:30 - 2012-07-31 07:30 - 00144072 ____A C:\Windows\Minidump\073112-25630-01.dmp
2012-07-30 13:50 - 2012-07-30 13:49 - 00144072 ____A C:\Windows\Minidump\073012-23946-01.dmp
2012-07-30 12:56 - 2012-07-30 12:56 - 01552384 ____A C:\Users\praAnkster\Desktop\RogueKiller.exe
2012-07-30 11:08 - 2012-07-30 08:48 - 00001176 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-30 11:03 - 2012-07-30 11:03 - 00144072 ____A C:\Windows\Minidump\073012-33852-01.dmp
2012-07-30 09:11 - 2012-07-30 09:10 - 00144072 ____A C:\Windows\Minidump\073012-24632-01.dmp
2012-07-30 08:29 - 2012-07-30 08:29 - 00144072 ____A C:\Windows\Minidump\073012-36629-01.dmp
2012-07-30 08:22 - 2012-07-30 08:22 - 00000012 ____A C:\Windows\srun.log
2012-07-30 08:01 - 2012-07-30 08:01 - 00135507 ____A C:\Users\praAnkster\AppData\Local\tardhnsx.log
2012-07-30 08:01 - 2012-07-30 08:01 - 00003247 ____A C:\Users\praAnkster\AppData\Local\xoksmwpv.log
2012-07-30 08:01 - 2012-07-30 08:01 - 00002865 ____A C:\Users\praAnkster\AppData\Local\rhbguoor.log
2012-07-30 08:00 - 2012-07-30 08:00 - 00004048 ____A C:\Users\praAnkster\AppData\Local\kxuagrty.log
2012-07-30 08:00 - 2012-07-30 08:00 - 00000000 ____A C:\Users\praAnkster\AppData\Local\hwlonyvp.log
2012-07-30 08:00 - 2012-07-30 08:00 - 00000000 ____A C:\Users\praAnkster\AppData\Local\brdepvjb.log
2012-07-30 08:00 - 2012-07-30 07:58 - 00440304 ____A C:\Users\praAnkster\AppData\Local\gfhpwvke.log
2012-07-30 07:58 - 2012-07-30 07:58 - 00000064 ____A C:\Users\All Users\spiaynhf.log
2012-07-29 14:24 - 2010-11-26 12:49 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3402657652-3708558674-1240141188-1000Core.job
2012-07-27 07:27 - 2012-07-27 07:27 - 03028656 ____A (TeamViewer) C:\Users\praAnkster\Downloads\TeamViewerQS_en.exe
2012-07-27 07:13 - 2012-07-27 07:13 - 03610576 ____A (TeamViewer GmbH) C:\Users\praAnkster\Downloads\TeamViewer_Setup_en.exe
2012-07-27 01:34 - 2012-04-10 07:11 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-27 01:34 - 2011-06-17 12:33 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-25 05:02 - 2011-01-10 04:39 - 00001524 ____A C:\Users\praAnkster\Desktop\stuff.txt
2012-07-19 14:56 - 2012-07-19 14:56 - 00001028 ____A C:\Users\Public\Desktop\VLC media player.lnk
2012-07-19 14:53 - 2012-07-19 14:53 - 04411280 ____A C:\Users\praAnkster\Downloads\fallen.ogg
2012-07-17 04:11 - 2012-07-17 04:11 - 00132428 ____A C:\Users\praAnkster\Desktop\important.jpg-large
2012-07-16 02:25 - 2011-02-27 10:41 - 00000000 ____A C:\Windows\System32\synsopos.soj
2012-07-14 09:59 - 2010-12-18 16:27 - 00007602 ____A C:\Users\praAnkster\AppData\Local\Resmon.ResmonCfg
2012-07-14 09:12 - 2012-07-14 09:12 - 02456064 ____A C:\Users\praAnkster\Documents\Radiance MET Office - Matricardi_TC_2012.ppt
2012-07-07 22:19 - 2012-07-07 22:19 - 00065752 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys
2012-07-07 05:59 - 2012-07-07 05:37 - 1796533693 ____A C:\Users\praAnkster\Downloads\Wimbledon_2012_30_06_2012_b01ks80t_1341108740.wmv
2012-07-07 04:34 - 2012-07-07 04:34 - 00000228 ____A C:\Users\praAnkster\.swfinfo
2012-07-06 16:25 - 2012-07-06 16:25 - 08288706 ____A C:\Users\praAnkster\Downloads\ipdl.exe
2012-07-06 16:11 - 2012-07-06 16:11 - 06761918 ____A C:\Users\praAnkster\Downloads\get_iplayer_setup_latest.exe
2012-07-03 09:21 - 2012-07-03 09:21 - 00004096 ___AH C:\Users\praAnkster\AppData\Local\keyfile3.drm
2012-07-03 04:46 - 2012-07-30 08:48 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-02 18:13 - 2010-11-26 13:00 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-07 08:08 - 2012-06-07 08:08 - 01383424 ____A C:\Users\praAnkster\Downloads\eggsurvey2007.xls
2012-06-02 14:19 - 2012-06-21 04:31 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 04:31 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 04:31 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 04:30 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 04:30 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-21 04:31 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-21 04:30 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 06:19 - 2012-06-21 04:30 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 06:12 - 2012-06-21 04:30 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-30 07:36 - 2012-05-30 07:36 - 04886564 ____A C:\Users\praAnkster\Downloads\Pictures from St. Kitts.zip
2012-05-28 12:15 - 2012-05-28 12:15 - 00972893 ____A C:\Users\praAnkster\Downloads\spoty honda (3).zip
2012-05-28 12:14 - 2012-05-28 12:14 - 00000000 ____A C:\Users\praAnkster\Downloads\spoty honda (2).zip.crdownload
2012-05-28 12:14 - 2012-05-28 12:14 - 00000000 ____A C:\Users\praAnkster\Downloads\spoty honda (1).zip.crdownload
2012-05-28 12:13 - 2012-05-28 12:13 - 00972893 ____A C:\Users\praAnkster\Downloads\spoty honda.zip
2012-05-26 13:15 - 2009-07-13 20:53 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-21 11:15 - 2012-05-21 11:15 - 00615072 ____A C:\Users\praAnkster\Downloads\car.zip
2012-05-20 15:34 - 2012-05-20 15:34 - 00012922 ____A C:\Users\praAnkster\Downloads\Final_HDTV_X264-SuperS-((www.Demonoid.me)).torrent
2012-05-14 14:03 - 2012-05-14 14:03 - 00001563 ____A C:\Windows\System32\Frequency-of-precipitation-and-temperature-extremes-over-France-in-an-anthropogenic-scenario-Model-results-and-statistical-correction-according-to-observed-values_2007_Global-and-Planetary-Change.lnk


ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3839.18 MB
Available physical RAM: 3297.98 MB
Total Pagefile: 3837.46 MB
Available Pagefile: 3308.11 MB
Total Virtual: 2047.88 MB
Available Virtual: 1979.21 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:1862.92 GB) (Free:1737.11 GB) NTFS
2 Drive e: () (Removable) (Total:14.92 GB) (Free:12.42 GB) NTFS
3 Drive f: () (Removable) (Total:0.98 GB) (Free:0.07 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 1863 GB 0 B
Disk 1 Online 14 GB 0 B
Disk 2 Online 1003 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 1862 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 1862 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 22 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E NTFS Removable 14 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1002 MB 16 KB

==================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT Removable 1002 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-28 05:19

======================= End Of Log ==========================



SEARCH.TXT


Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-08 00:08:24
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===




THANKS IN ADVANCE FOR ANY HELP!!! Matt
 

Attachments

  • TDSSKiller.2.7.48.0_07.08.2012_01.14.52_log.txt (122.5 KB)
  • Search.txt (591 bytes)
  • FRST.txt (29 KB)
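The Search.txt above is the evidence the helper acts on: the WinSxS copy and the System32 copy of services.exe have identical timestamps, identical size (259072 bytes), the same version-info company name, and different MD5s. Timestamps and size are trivial for a file infector to preserve, so the hash is the only field that counts. As an added example (not part of the post and not FRST's own code), here is a small Python parser for that FRST Search output that flags a System32 file whose hash differs from its WinSxS counterpart; the parsing rules and the constructed sample text are assumptions based only on the lines shown in the thread.

```python
"""Flag System32 binaries whose MD5 differs from their WinSxS copy, using FRST
"Search:" output.  Added example for the thread above; not FRST's own code.
The line format handled here is assumed from the two entries shown in Search.txt."""
import re
from collections import defaultdict

# Constructed sample: the two services.exe hits from the Search.txt in the thread.
SAMPLE_SEARCH_OUTPUT = """\
Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-08 00:08:24
Running from F:\\

================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\\Windows\\System32\\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# One FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_frst_search(text):
    """Return a list of dicts with keys path, created, modified, size, attrs, company, md5.

    A hit is a path line immediately followed by its detail line; header and footer
    lines reset the pending path so stray detail lines are never attached to them."""
    entries = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            entry = m.groupdict()
            entry["path"] = pending_path
            entry["size"] = int(entry["size"])      # "0259072" -> 259072
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
            pending_path = None
        elif PATH_RE.match(line):
            pending_path = line
        else:
            pending_path = None
    return entries


def find_hash_mismatches(entries):
    """Group hits by file name and report each live System32 copy whose MD5 differs
    from a WinSxS copy of the same name.  same_size records whether the size still
    matched, which is the trap a timestamp/size-only comparison falls into."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)

    findings = []
    for name, items in by_name.items():
        sxs = [e for e in items if "\\winsxs\\" in e["path"].lower()]
        live = [e for e in items
                if "\\system32\\" in e["path"].lower() and "\\winsxs\\" not in e["path"].lower()]
        for l in live:
            for s in sxs:
                if l["md5"] != s["md5"]:
                    findings.append({
                        "name": name,
                        "live": l,
                        "sxs": s,
                        "same_size": l["size"] == s["size"],
                        "same_timestamps": (l["created"], l["modified"]) == (s["created"], s["modified"]),
                    })
    return findings


if __name__ == "__main__":
    for f in find_hash_mismatches(parse_frst_search(SAMPLE_SEARCH_OUTPUT)):
        print(f"{f['name']}: {f['live']['path']} md5={f['live']['md5']} "
              f"differs from WinSxS md5={f['sxs']['md5']} "
              f"(same size: {f['same_size']}, same timestamps: {f['same_timestamps']})")
```

Two caveats a practitioner should keep in mind. The WinSxS copy is the one the thread's later FRST fix copies back over System32, but a hash match against WinSxS is not proof of a clean file: code running as SYSTEM can alter both copies, so where possible compare against a known-good catalogue hash or a clean install medium. And the "(Microsoft Corporation)" field comes from the file's version resource, which a patched binary keeps, so it carries no integrity information on its own.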
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Next...

Restart normally.

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 

Attachments

  • fixlist.txt (1.6 KB)
Many thanks for the swift and helpful response Broni!

I have run the FRST fix as instructed, here is the fixlog...



Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-08 05:26:25 Run:1
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet003\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
C:\Windows\System32\Drivers\oyzqmrff.sys moved successfully.
C:\Windows\System32\Drivers\orniwxlf.sys moved successfully.
C:\Users\praAnkster\AppData\Local\hfwiudnu.log moved successfully.
C:\Users\praAnkster\AppData\Local\tardhnsx.log moved successfully.
C:\Users\praAnkster\AppData\Local\xoksmwpv.log moved successfully.
C:\Users\praAnkster\AppData\Local\rhbguoor.log moved successfully.
C:\Users\praAnkster\AppData\Local\kxuagrty.log moved successfully.
C:\Users\praAnkster\AppData\Local\hwlonyvp.log moved successfully.
C:\Users\praAnkster\AppData\Local\brdepvjb.log moved successfully.
C:\Users\praAnkster\AppData\Local\vfvwxwct moved successfully.
C:\Users\praAnkster\AppData\Local\foafbyde.log moved successfully.
C:\Users\praAnkster\AppData\Local\gfhpwvke.log moved successfully.
C:\Users\All Users\spiaynhf.log moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====



After running the FRST fix, I restarted normally as instructed. The PC did not have the critical error and reboot itself. :)

However, I do not APPEAR to have any internet connection; the network connection indicates that it is alive, but if I request a page in the browser the network indicates 'not connected' and the request fails. I did get the network up again for a short time when changing adapter settings from DHCP to fixed settings (or vice versa), but then, as before, it goes down. However, it looks from the modem that there is some activity.

This means I can't download Combofix directly to the desktop as per your instructions!

Should I transfer via a USB or CDROM?

Many thanks
 

Attachments

  • Fixlog.txt (1.5 KB)
Thanks Broni - I didn't want to jump the gun...I'll run Combofix now and let you know the results.
(and USB Immunizer is now installed).
 
Well that was a long and winding road! :) I ran ComboFix and the "C:\ComboFix.txt" is below. Things seem to be working much better, I have internet access and MSE seems happy and has updated. I had some issues along the way...

I turned off firewalls, anti-malware etc. before running Combofix, and had an issue where I couldn't get into the Windows 7 firewall settings (although I don't think it was on), and got the message:
"Update your settings
Windows firewall is not using the recommended settings to protect your computer."
When trying to access settings I got:
"Windows firewall cannot change some of your settings. Error code: 0x80070424"

I ran ComboFix, the machine automatically rebooted and then on restart ComboFix began generating a log file. Upon reboot ZoneAlarm automatically restarted - could this affect the result of ComboFix?
ComboFix finished generating the log file "C:\ComboFix.txt".

The next bit of information might be useful for others using ComboFix...

When I tried to open explorer from the taskbar to find the log file I got an error:
"C:\Windows\explorer.exe
Illegal operation attempted on a registry key that has been marked for deletion"
(Bear in mind that explorer from taskbar had been acting slightly strangely since the reboot loop issue began).
I got the same error when I tried to open or move "C:\ComboFix.txt".

I also had no network connection, so rebooted again as suggested in your directions.

After the reboot network connections came up and I no longer received the "Illegal operation" errors. I could also happily access "C:\ComboFix.txt". I could access the internet with Chrome with no obvious issues, able to access sites I could not before such as ZoneAlarm and MSE (which both updated).

After ZA updated, when launching Chrome, ZoneAlarm detected suspicious behaviour, reporting:
"Google Chrome is trying to launch rundll32.exe"


Thanks for the help, Matt


"C:\ComboFix.txt"

ComboFix 12-08-07.05 - praAnkster 08/08/2012 17:51:43.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.3071.2218 [GMT 1:00]
Running from: c:\users\praAnkster\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))
.
.
2012-08-08 16:56 . 2012-08-08 16:56    --------    d-----w-    c:\users\Default\AppData\Local\temp
2012-08-08 16:34 . 2012-08-08 16:58    56200    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C0417563-7314-4884-A5E2-BA91AFAE76C7}\offreg.dll
2012-08-07 03:36 . 2012-08-07 03:50    --------    d---a-w-    C:\Kaspersky Rescue Disk 10.0
2012-08-07 00:16 . 2012-08-07 00:16    --------    d-----w-    C:\TDSSKiller_Quarantine
2012-08-02 22:17 . 2012-08-06 14:54    --------    d-----w-    C:\FRST
2012-08-02 21:56 . 2012-08-02 21:56    29904    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C0417563-7314-4884-A5E2-BA91AFAE76C7}\MpKsl1129c67b.sys
2012-08-02 17:10 . 2012-08-02 17:10    29904    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C0417563-7314-4884-A5E2-BA91AFAE76C7}\MpKslfb4d4ae0.sys
2012-08-02 16:14 . 2012-08-02 16:14    29904    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C0417563-7314-4884-A5E2-BA91AFAE76C7}\MpKsldb2a530f.sys
2012-08-02 15:34 . 2012-08-02 15:34    29904    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C0417563-7314-4884-A5E2-BA91AFAE76C7}\MpKsl35dc80ae.sys
2012-08-02 14:54 . 2012-06-29 08:44    6891424    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C0417563-7314-4884-A5E2-BA91AFAE76C7}\mpengine.dll
2012-08-02 14:26 . 2012-08-02 14:26    --------    d-----w-    c:\windows\system32\MpEngineStore
2012-07-31 22:49 . 2010-11-16 16:45    69120    ----a-w-    c:\windows\system32\zlcomm.dll
2012-07-31 22:49 . 2010-11-16 16:45    104448    ----a-w-    c:\windows\system32\zlcommdb.dll
2012-07-31 22:49 . 2010-11-16 16:45    1238528    ----a-w-    c:\windows\system32\zpeng25.dll
2012-07-31 22:49 . 2010-05-15 15:30    461400    ----a-w-    c:\windows\system32\drivers\vsdatant.sys
2012-07-31 22:49 . 2012-07-31 22:49    --------    d-----w-    c:\windows\system32\ZoneLabs
2012-07-31 22:48 . 2012-07-31 22:48    --------    d-----w-    c:\program files\Zone Labs
2012-07-31 22:48 . 2012-08-08 16:58    --------    d-----w-    c:\windows\Internet Logs
2012-07-31 15:26 . 2012-07-31 15:26    --------    d-----w-    c:\programdata\ZA_PreservedFiles
2012-07-30 22:44 . 2012-08-01 16:37    --------    d-----w-    c:\users\praAnkster\AppData\Local\Diagnostics
2012-07-30 19:37 . 2012-07-30 19:37    --------    d-----w-    c:\programdata\CheckPoint
2012-07-30 16:49 . 2012-07-30 16:49    --------    d-----w-    c:\users\praAnkster\AppData\Roaming\Malwarebytes
2012-07-30 16:48 . 2012-07-30 16:59    --------    d-----w-    c:\program files\DESTROY Malwarebytes' Anti-Malware
2012-07-30 16:48 . 2012-07-30 16:48    --------    d-----w-    c:\programdata\Malwarebytes
2012-07-30 16:48 . 2012-07-03 12:46    22344    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-07-30 16:36 . 2012-07-30 16:36    --------    d-sh--w-    c:\windows\system32\%APPDATA%
2012-07-30 16:23 . 2012-07-30 16:23    --------    d-----w-    c:\users\praAnkster\AppData\Local\{E3DE8E83-DA62-11E1-8270-B8AC6F996F26}
2012-07-27 15:15 . 2012-07-27 15:15    --------    d-----w-    c:\users\praAnkster\temp
2012-07-27 15:15 . 2012-07-27 16:00    --------    d-----w-    c:\users\praAnkster\AppData\Roaming\TeamViewer
2012-07-23 17:22 . 2012-07-23 17:23    --------    d-----w-    C:\CV
2012-07-21 18:08 . 2012-07-21 18:08    --------    d-----w-    C:\New folder
2012-07-19 20:29 . 2012-07-24 11:28    --------    d-----w-    C:\TV and Radio
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-27 09:34 . 2012-04-10 15:11    426184    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2012-07-27 09:34 . 2011-06-17 20:33    70344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-08 06:19 . 2012-07-08 06:19    65752    ----a-w-    c:\windows\system32\drivers\RapportKELL.sys
2012-06-29 08:44 . 2012-03-15 13:06    6891424    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-02 22:19 . 2012-06-21 12:31    53784    ----a-w-    c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 12:31    45080    ----a-w-    c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 12:30    35864    ----a-w-    c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 12:30    577048    ----a-w-    c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 12:31    1933848    ----a-w-    c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 12:31    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 12:31    88576    ----a-w-    c:\windows\system32\wudriver.dll
2012-06-02 14:19 . 2012-06-21 12:30    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2012-06-02 14:12 . 2012-06-21 12:30    33792    ----a-w-    c:\windows\system32\wuapp.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2010-01-18 1733120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [x]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [x]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 AEILAB;AEI USB To Fast Ethernet Adapter;c:\windows\system32\DRIVERS\AEILAB.SYS [x]
R3 FXDrv32;FXDrv32;D:\FXDrv32.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\39624\rapportiaso.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [x]
S1 RapportCerberus_34302;RapportCerberus_34302;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 ERDAS-Net License Server;ERDAS-Net License Server;c:\program files\ERDAS\Shared\licensing\bin\ntx86\lmgrd.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 09:34]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-28 15:59]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-28 15:59]
.
2012-07-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3402657652-3708558674-1240141188-1000Core.job
- c:\users\praAnkster\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 20:49]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3402657652-3708558674-1240141188-1000UA.job
- c:\users\praAnkster\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 20:49]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.87.64.7 212.87.64.10
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-VIAAUD - c:\program files\VIA\VIAudioi\VDeck\VIAAUD.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-08-08 18:02:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-08 17:02
.
Pre-Run: 1,867,486,793,728 bytes free
Post-Run: 1,868,182,474,752 bytes free
.
- - End Of File - - 4D8BF8E44148EEEF620B5F97419973E2
 

Attachments

  • ComboFix.txt (10.7 KB)
That's fine.

We'll look into firewall settings.

**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

Combofix log looks good :)

===============================

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer IF MBAM asks you to do so.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

================================

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Apologies ...
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
... I actually read that and forgot by the time the problem began occurring, I'm an *****!
Glad combofix is good! Running the other scans now...
 
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.08.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
praAnkster :: PRAANKSTER-PC [administrator]

08/08/2012 22:03:06
mbam-log-2012-08-08 (22-03-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201979
Time elapsed: 7 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
The first OTL file...(I noticed that on the list of programs at the end there are a couple I don't recognise).


OTL logfile created on: 08/08/2012 22:25:25 - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\praAnkster\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.09 Gb Available Physical Memory | 69.82% Memory free
6.00 Gb Paging File | 4.99 Gb Available in Paging File | 83.21% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 1862.92 Gb Total Space | 1739.73 Gb Free Space | 93.39% Space Free | Partition Type: NTFS
Drive F: | 1002.72 Mb Total Space | 171.28 Mb Free Space | 17.08% Space Free | Partition Type: FAT

Computer Name: PRAANKSTER-PC | User Name: praAnkster | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/08 22:23:53 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\praAnkster\Desktop\OTL.exe
PRC - [2012/07/30 12:31:04 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2012/07/30 11:59:48 | 000,073,392 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2012/07/14 14:59:32 | 000,497,320 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2012/07/14 14:59:08 | 000,738,984 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/01/03 14:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/06/24 05:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2010/11/20 13:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 13:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 13:16:54 | 000,100,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe
PRC - [2010/07/04 20:51:26 | 000,017,408 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2010/01/18 01:24:08 | 001,733,120 | R--- | M] (VIA) -- C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
PRC - [2009/11/11 16:47:34 | 001,423,440 | ---- | M] (Macrovision Corporation) -- C:\Program Files\ERDAS\Shared\licensing\bin\ntx86\lmgrd.exe


========== Modules (No Company Name) ==========

MOD - [2010/07/04 22:32:36 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll
MOD - [2010/07/04 20:51:26 | 000,017,408 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
MOD - [2009/11/03 04:11:50 | 047,628,288 | R--- | M] () -- C:\Program Files\VIA\VIAudioi\VDeck\skin.dll
MOD - [2009/06/22 00:26:00 | 000,305,664 | ---- | M] () -- C:\Program Files\TeraCopy\TeraCopyExt.dll
MOD - [2009/05/07 09:53:18 | 000,106,496 | R--- | M] () -- C:\Program Files\VIA\VIAudioi\VDeck\Dts2ApoApi.dll
MOD - [2009/05/07 09:50:46 | 000,073,728 | R--- | M] () -- C:\Program Files\VIA\VIAudioi\VDeck\QsApoApi.dll
MOD - [2008/02/14 06:57:00 | 000,094,208 | R--- | M] () -- C:\Program Files\VIA\VIAudioi\VDeck\VMicApi.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2012/07/30 12:31:04 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2012/07/27 10:34:15 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/14 14:59:32 | 000,497,320 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/01/03 14:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010/11/27 01:03:30 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/11/11 16:47:34 | 001,423,440 | ---- | M] (Macrovision Corporation) [Auto | Running] -- C:\Program Files\ERDAS\Shared\licensing\bin\ntx86\lmgrd.exe -- (ERDAS-Net License Server)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - File not found [Kernel | On_Demand | Unknown] -- c:\windows\system32\drivers\TrueSight.sys -- (TrueSight)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\synth3dvsc.sys -- (Synth3dVsc)
DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\FXDrv32.sys -- (FXDrv32)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\PRAANK~1\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/08/08 21:59:03 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{25FD2A96-A5DA-455B-AC3F-D3C4966C80E9}\MpKsld6dd56e3.sys -- (MpKsld6dd56e3)
DRV - [2012/07/14 14:59:44 | 000,027,056 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2012/07/08 07:19:18 | 000,065,752 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2012/05/28 21:45:27 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- c:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys -- (RapportIaso)
DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/12/15 17:43:00 | 000,228,208 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys -- (RapportCerberus_34302)
DRV - [2011/05/07 17:51:28 | 000,455,256 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\Windows\System32\drivers\vsdatant.sys -- (Vsdatant)
DRV - [2010/11/20 13:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 13:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 13:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 11:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 10:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 10:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 10:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/01/11 11:02:44 | 001,119,232 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2009/07/13 23:09:17 | 004,194,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/08/12 18:06:12 | 000,096,384 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ArcHlp.sys -- (archlp)
DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\afc.sys -- (Afc)
DRV - [2001/04/09 13:03:00 | 000,017,784 | ---- | M] (Syncrosoft Hard- und Software GmbH) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NSynas32.sys -- (Nsynas32)
DRV - [2000/09/05 14:10:00 | 000,024,299 | ---- | M] (USB2LAN Provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AEILAB.SYS -- (AEILAB)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3402657652-3708558674-1240141188-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
IE - HKU\S-1-5-21-3402657652-3708558674-1240141188-1000\..\SearchScopes,DefaultScope = {7BC09B10-8B78-4154-BEED-26455DB088F5}
IE - HKU\S-1-5-21-3402657652-3708558674-1240141188-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3402657652-3708558674-1240141188-1000\..\SearchScopes\{7BC09B10-8B78-4154-BEED-26455DB088F5}: "URL" = http://www.google.com/search?q={sea...rce}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-3402657652-3708558674-1240141188-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\praAnkster\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\praAnkster\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/08/08 19:47:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/06/12 14:13:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/06/02 09:18:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\praAnkster\AppData\Roaming\Mozilla\Extensions
[2011/06/02 09:18:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\praAnkster\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/08/08 18:36:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/05/14 00:23:39 | 000,000,000 | ---D | M] (Lightning) -- C:\USERS\PRAANKSTER\APPDATA\ROAMING\THUNDERBIRD\PROFILES\RSXLQDA2.DEFAULT\EXTENSIONS\{E2FDA1A4-762B-4020-B5AD-A41DF1933103}
[2012/05/14 00:29:26 | 000,000,000 | ---D | M] (Exchange 2007/2010 Calendar and Tasks Provider) -- C:\USERS\PRAANKSTER\APPDATA\ROAMING\THUNDERBIRD\PROFILES\RSXLQDA2.DEFAULT\EXTENSIONS\EXCHANGECALENDAR@EXTENSIONS.1ST-SETUP.NL
[2012/05/13 22:06:43 | 000,564,732 | ---- | M] () (No name found) -- C:\USERS\PRAANKSTER\APPDATA\ROAMING\THUNDERBIRD\PROFILES\RSXLQDA2.DEFAULT\EXTENSIONS\TBTESTPILOT@LABS.MOZILLA.COM.XPI

========== Chrome ==========

CHR - homepage: http://www/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\praAnkster\AppData\Local\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\praAnkster\AppData\Local\Google\Chrome\Application\20.0.1132.57\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\praAnkster\AppData\Local\Google\Chrome\Application\20.0.1132.57\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\praAnkster\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - Extension: YouTube = C:\Users\praAnkster\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\praAnkster\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: History Calendar Button = C:\Users\praAnkster\AppData\Local\Google\Chrome\User Data\Default\Extensions\jndhhfkgkmpbnepfodnmmigomenknlcg\1.11.0_0\
CHR - Extension: Gmail = C:\Users\praAnkster\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/08/08 17:58:40 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Zonealarm Helper Object) - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.6.7.4\bh\zonealarm.dll (Montera Technologeis LTD)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.6.7.4\zonealarmTlbr.dll (Montera Technologeis LTD)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3402657652-3708558674-1240141188-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3402657652-3708558674-1240141188-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3402657652-3708558674-1240141188-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.87.64.7 212.87.64.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BE8B6DE9-38A0-4D0F-97D1-078EE110B7FF}: DhcpNameServer = 212.87.64.7 212.87.64.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D8A5C7D7-C03C-400A-880D-0DABC2B54A54}: DhcpNameServer = 212.87.64.7 212.87.64.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FB180F5E-8965-4A50-B318-C4C022DD0083}: DhcpNameServer = 212.87.64.7 212.87.64.10
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/08 22:23:57 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\praAnkster\Desktop\OTL.exe
[2012/08/08 19:47:59 | 000,000,000 | ---D | C] -- C:\Windows\Internet Logs
[2012/08/08 19:47:23 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\Documents\ForceField Shared Files
[2012/08/08 19:47:23 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\AppData\Roaming\CheckPoint
[2012/08/08 19:47:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Check Point
[2012/08/08 18:37:01 | 000,000,000 | ---D | C] -- C:\Program Files\Check Point Software Technologies LTD
[2012/08/08 18:36:57 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/08/08 18:36:41 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2012/08/08 18:02:07 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/08/08 17:56:48 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/08/08 17:49:28 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/08/08 17:49:28 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/08/08 17:49:28 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/08/08 17:49:22 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/08/08 17:49:07 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/08/08 05:11:07 | 004,729,922 | R--- | C] (Swearware) -- C:\Users\praAnkster\Desktop\ComboFix.exe
[2012/08/07 04:36:19 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2012/08/07 01:16:22 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/08/02 23:17:09 | 000,000,000 | ---D | C] -- C:\FRST
[2012/08/02 21:20:14 | 000,892,822 | ---- | C] (Farbar) -- C:\Users\praAnkster\Desktop\FRST.exe
[2012/08/02 15:26:58 | 000,000,000 | ---D | C] -- C:\Windows\System32\MpEngineStore
[2012/08/01 17:29:22 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\Desktop\MUSIC
[2012/08/01 17:27:23 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\Desktop\Cranfield DESKTOP
[2012/07/31 20:54:54 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\Desktop\RK reports
[2012/07/31 16:26:22 | 000,000,000 | ---D | C] -- C:\ProgramData\ZA_PreservedFiles
[2012/07/30 23:44:20 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\AppData\Local\Diagnostics
[2012/07/30 21:57:16 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\Desktop\RK_Quarantine
[2012/07/30 20:37:40 | 000,000,000 | ---D | C] -- C:\ProgramData\CheckPoint
[2012/07/30 17:49:23 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\AppData\Roaming\Malwarebytes
[2012/07/30 17:48:39 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/07/30 17:48:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/07/30 17:48:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DESTROY Malwarebytes' Anti-Malware
[2012/07/30 17:48:39 | 000,000,000 | ---D | C] -- C:\Program Files\DESTROY Malwarebytes' Anti-Malware
[2012/07/30 17:36:13 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/07/30 17:23:30 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\AppData\Local\{E3DE8E83-DA62-11E1-8270-B8AC6F996F26}
[2012/07/27 16:15:01 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\temp
[2012/07/27 16:15:00 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\AppData\Roaming\TeamViewer
[2012/07/23 18:22:38 | 000,000,000 | ---D | C] -- C:\CV
[2012/07/21 19:08:57 | 000,000,000 | ---D | C] -- C:\New folder
[2012/07/19 23:56:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2012/07/19 21:29:36 | 000,000,000 | ---D | C] -- C:\TV and Radio
[2012/07/13 23:04:31 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\Documents\Olympic cycling road race and sailing
[2012/07/12 21:45:49 | 000,000,000 | ---D | C] -- C:\Users\praAnkster\Documents\Invoices
[1 C:\Users\praAnkster\Desktop\*.tmp files -> C:\Users\praAnkster\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/08/08 22:23:53 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\praAnkster\Desktop\OTL.exe
[2012/08/08 22:19:55 | 000,633,028 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/08/08 22:19:55 | 000,112,052 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/08/08 22:06:20 | 000,014,192 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/08 22:06:20 | 000,014,192 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/08 21:59:15 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/08/08 21:58:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/08 21:58:45 | 2415,271,936 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/08 20:34:00 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3402657652-3708558674-1240141188-1000UA.job
[2012/08/08 20:34:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/08/08 19:48:44 | 000,415,933 | ---- | M] () -- C:\Windows\System32\drivers\vsconfig.xml
[2012/08/08 19:47:04 | 000,000,732 | ---- | M] () -- C:\Users\Public\Desktop\ZoneAlarm Security.lnk
[2012/08/08 19:44:11 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/08/08 18:37:02 | 000,000,125 | ---- | M] () -- C:\user.js
[2012/08/08 17:58:40 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/08/08 05:09:58 | 004,729,922 | R--- | M] (Swearware) -- C:\Users\praAnkster\Desktop\ComboFix.exe
[2012/08/06 15:58:53 | 000,000,186 | ---- | M] () -- C:\Users\praAnkster\Desktop\New shortcut.lnk
[2012/08/02 21:20:14 | 000,892,822 | ---- | M] (Farbar) -- C:\Users\praAnkster\Desktop\FRST.exe
[2012/08/02 15:56:55 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/08/01 20:05:36 | 232,493,646 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/07/31 23:54:31 | 000,000,053 | ---- | M] () -- C:\Users\praAnkster\AppData\Roaming\mbam.context.scan
[2012/07/30 21:56:14 | 001,552,384 | ---- | M] () -- C:\Users\praAnkster\Desktop\RogueKiller.exe
[2012/07/30 20:08:59 | 000,001,176 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/30 18:06:16 | 000,125,308 | ---- | M] () -- C:\Users\praAnkster\Desktop\destroy mbam 1st quick scan results.png
[2012/07/29 23:24:51 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3402657652-3708558674-1240141188-1000Core.job
[2012/07/24 14:11:43 | 000,038,231 | ---- | M] () -- C:\Users\praAnkster\Desktop\italia.jpg
[2012/07/19 23:56:41 | 000,001,028 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2012/07/17 13:11:38 | 000,132,428 | ---- | M] () -- C:\Users\praAnkster\Desktop\important.jpg-large
[2012/07/16 11:25:57 | 000,000,000 | ---- | M] () -- C:\Windows\System32\synsopos.soj
[2012/07/14 18:59:58 | 000,007,602 | ---- | M] () -- C:\Users\praAnkster\AppData\Local\Resmon.ResmonCfg
[1 C:\Users\praAnkster\Desktop\*.tmp files -> C:\Users\praAnkster\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/08/08 19:47:27 | 000,415,933 | ---- | C] () -- C:\Windows\System32\drivers\vsconfig.xml
[2012/08/08 19:47:04 | 000,000,732 | ---- | C] () -- C:\Users\Public\Desktop\ZoneAlarm Security.lnk
[2012/08/08 18:37:02 | 000,000,125 | ---- | C] () -- C:\user.js
[2012/08/08 17:49:28 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/08/08 17:49:28 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/08/08 17:49:28 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/08/08 17:49:28 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/08/08 17:49:28 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/08/06 15:58:53 | 000,000,186 | ---- | C] () -- C:\Users\praAnkster\Desktop\New shortcut.lnk
[2012/08/02 15:54:23 | 000,001,915 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/07/31 23:54:31 | 000,000,053 | ---- | C] () -- C:\Users\praAnkster\AppData\Roaming\mbam.context.scan
[2012/07/30 21:56:13 | 001,552,384 | ---- | C] () -- C:\Users\praAnkster\Desktop\RogueKiller.exe
[2012/07/30 18:06:16 | 000,125,308 | ---- | C] () -- C:\Users\praAnkster\Desktop\destroy mbam 1st quick scan results.png
[2012/07/30 17:48:39 | 000,001,176 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/24 14:11:50 | 000,038,231 | ---- | C] () -- C:\Users\praAnkster\Desktop\italia.jpg
[2012/07/19 23:56:41 | 000,001,028 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2012/07/17 13:11:38 | 000,132,428 | ---- | C] () -- C:\Users\praAnkster\Desktop\important.jpg-large
[2012/07/07 13:34:29 | 000,000,228 | ---- | C] () -- C:\Users\praAnkster\.swfinfo
[2012/07/03 18:21:59 | 000,004,096 | -H-- | C] () -- C:\Users\praAnkster\AppData\Local\keyfile3.drm
[2012/04/01 01:44:31 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2012/04/01 01:42:53 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/11/02 21:29:58 | 000,096,384 | ---- | C] () -- C:\Windows\System32\drivers\ArcHlp.sys
[2011/07/26 09:58:38 | 000,000,000 | ---- | C] () -- C:\Users\praAnkster\AppData\Local\{1B73ED50-68E1-493D-B008-743D6B49F39E}
[2011/07/05 13:46:44 | 000,003,625 | ---- | C] () -- C:\Users\praAnkster\.ganttproject
[2011/06/02 09:18:47 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/05/15 14:02:04 | 000,000,000 | ---- | C] () -- C:\Users\praAnkster\AppData\Local\{45C302F0-1490-43B3-81A1-0F9B2638895F}
[2011/04/04 17:33:53 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2011/02/27 19:50:04 | 000,002,464 | ---- | C] () -- C:\Program Files\Absynth 1.3 prefs.ini
[2011/02/27 19:49:28 | 016,371,712 | ---- | C] () -- C:\Windows\System32\AbsynthIAC.dll
[2011/02/27 05:06:48 | 000,000,024 | ---- | C] () -- C:\Windows\System32\synsopos.ini
[2011/02/27 04:55:19 | 000,000,128 | ---- | C] () -- C:\Windows\Rb20upd.dat
[2011/02/27 04:54:11 | 000,129,024 | ---- | C] () -- C:\Windows\UNWISE.EXE
[2010/12/19 18:35:08 | 000,000,506 | ---- | C] () -- C:\Windows\Tuareg2.ini
[2010/12/19 01:27:56 | 000,007,602 | ---- | C] () -- C:\Users\praAnkster\AppData\Local\Resmon.ResmonCfg
[2010/11/29 23:53:08 | 000,002,927 | ---- | C] () -- C:\Users\praAnkster\New_Model.gmd
[2010/11/26 20:51:22 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010/11/26 20:51:22 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat

========== LOP Check ==========

[2011/04/28 22:24:17 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\Trusteer
[2011/04/28 22:24:17 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\Trusteer
[2011/11/23 19:21:52 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\avidemux
[2012/08/08 19:47:23 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\CheckPoint
[2011/10/26 15:18:36 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\ESRI
[2011/07/09 01:38:42 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\GetRightToGo
[2011/07/09 01:41:18 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\IrfanView
[2011/05/11 23:41:25 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\REAPER
[2011/10/25 11:51:53 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\Safe Software
[2011/02/27 19:41:28 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\Steinberg
[2012/07/27 17:00:41 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\TeamViewer
[2012/08/08 18:27:08 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\TeraCopy
[2011/06/02 09:18:47 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\Thunderbird
[2010/12/28 19:26:20 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\Trusteer
[2012/05/21 01:47:18 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\uTorrent
[2011/01/22 17:35:30 | 000,000,000 | ---D | M] -- C:\Users\praAnkster\AppData\Roaming\wxAstroCapture
[2012/08/08 17:58:22 | 000,032,608 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
 
OTL Extras logfile created on: 08/08/2012 22:25:25 - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\praAnkster\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.09 Gb Available Physical Memory | 69.82% Memory free
6.00 Gb Paging File | 4.99 Gb Available in Paging File | 83.21% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 1862.92 Gb Total Space | 1739.73 Gb Free Space | 93.39% Space Free | Partition Type: NTFS
Drive F: | 1002.72 Mb Total Space | 171.28 Mb Free Space | 17.08% Space Free | Partition Type: FAT

Computer Name: PRAANKSTER-PC | User Name: praAnkster | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3402657652-3708558674-1240141188-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0D87F300-4FF0-4E32-961C-DB8532CAF446}" = ERDAS IMAGINE 2010
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{237AC5EF-4585-4343-B8DB-02A328861AF3}" = LPS 2010
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{28EBD8EA-6050-431C-8258-23B268E9DB53}" = ZoneAlarm Firewall
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F44B5AE-82A6-4A8A-A3E3-E24D489728E3}" = Microsoft SQL Server 2008 Native Client
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{64665955-E1A1-4A8B-BFFA-673A95318909}" = ArcGIS Desktop 10
"{64F574FE-D3D2-437A-9F4A-B274AA0A503E}" = ERDAS-Net Licensing 2010
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91FE96F0-B37C-4E95-8F1B-A5B86A9178B5}_is1" = wxAstroCapture 1.8-1
"{93E4DD5D-6937-4292-98FE-A567A5A51448}" = ZoneAlarm Security
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A94E95FB-0E38-4E36-B5B7-0A2C3528ED34}" = Data Interoperability Extension
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{B24839E5-A70C-48AD-B4D9-B9FB46B4B038}_is1" = Hydrogen 0.9.6 preview release for windows
"{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}" = Skype™ 5.3
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"AP Tuner 3.06" = AP Tuner 3.06
"ArcGIS Desktop 10" = ArcGIS Desktop 10
"ArcGIS Desktop 10 SP3" = ArcGIS Desktop 10 Service Pack 3
"ASIO4ALL" = ASIO4ALL
"Avidemux 2.5" = Avidemux 2.5 (32-bit)
"Cubase SX" = Steinberg Cubase SX
"Data Interoperability Extension" = Data Interoperability Extension
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"GanttProject" = GanttProject
"get_iplayer" = get_iplayer 4.5
"HammerHead Rhythm Station" = HammerHead Rhythm Station
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Memory_is1" = Memory 1.0
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Thunderbird 12.0.1 (x86 en-GB)" = Mozilla Thunderbird 12.0.1 (x86 en-GB)
"Native Instruments Battery v1.0" = Native Instruments Battery v1.0
"PitchPerfect" = PitchPerfect Musical Instrument Tuner
"Rainlendar2" = Rainlendar2 (remove only)
"Rapport_msi" = Rapport
"REAPER" = REAPER
"SopCast" = SopCast 3.3.2
"SSL LMC-1" = SSL LMC-1 v1.0
"SSL X-ISM" = SSL X-ISM v1.1
"SSL X-ORCISM" = SSL X-ORCISM v1.1
"Steinberg Magneto VST v1.5" = Steinberg Magneto VST v1.5
"TeraCopy_is1" = TeraCopy 2.12
"Unlocker" = Unlocker 1.9.0
"uTorrent" = µTorrent
"VLC media player" = VLC media player 2.0.2
"WinRAR archiver" = WinRAR archiver
"ZoneAlarm Free Firewall" = ZoneAlarm Free Firewall
"ZoneAlarm LTD Toolbar" = ZoneAlarm LTD Toolbar
"ZoneAlarm Security Toolbar" = ZoneAlarm Security Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3402657652-3708558674-1240141188-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 08/08/2012 13:22:06 | Computer Name = praAnkster-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 08/08/2012 13:22:06 | Computer Name = praAnkster-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 08/08/2012 13:22:06 | Computer Name = praAnkster-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 08/08/2012 13:24:56 | Computer Name = praAnkster-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 08/08/2012 13:32:55 | Computer Name = praAnkster-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 08/08/2012 13:32:58 | Computer Name = praAnkster-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 08/08/2012 13:36:41 | Computer Name = praAnkster-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 08/08/2012 13:36:53 | Computer Name = praAnkster-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 08/08/2012 14:47:19 | Computer Name = praAnkster-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 08/08/2012 14:47:35 | Computer Name = praAnkster-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

[ OSession Events ]
Error - 18/09/2011 20:33:55 | Computer Name = praAnkster-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 50866
seconds with 12180 seconds of active time. This session ended with a crash.

Error - 21/09/2011 20:10:39 | Computer Name = praAnkster-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 51999
seconds with 8280 seconds of active time. This session ended with a crash.

Error - 31/07/2012 18:50:11 | Computer Name = praAnkster-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 10185
seconds with 300 seconds of active time. This session ended with a crash.

Error - 31/07/2012 21:51:55 | Computer Name = praAnkster-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 10307
seconds with 60 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 08/08/2012 13:20:20 | Computer Name = praAnkster-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
archlp cdrom

Error - 08/08/2012 13:22:01 | Computer Name = praAnkster-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.131.973.0 Update Source: %%859 Update Stage:
%%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
code: 0x80240022 Error description: The program can't check for definition updates.


Error - 08/08/2012 13:22:01 | Computer Name = praAnkster-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.131.973.0 Update Source: %%859 Update Stage:
%%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803
User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
code: 0x80240022 Error description: The program can't check for definition updates.


Error - 08/08/2012 14:35:15 | Computer Name = praAnkster-PC | Source = Application Popup | ID = 875
Description = Driver archlp.sys has been blocked from loading.

Error - 08/08/2012 14:35:46 | Computer Name = praAnkster-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
archlp cdrom

Error - 08/08/2012 14:47:50 | Computer Name = praAnkster-PC | Source = Service Control Manager | ID = 7030
Description = The TrueVector Internet Monitor service is marked as an interactive
service. However, the system is configured to not allow interactive services.
This service may not function properly.

Error - 08/08/2012 14:50:56 | Computer Name = praAnkster-PC | Source = Application Popup | ID = 875
Description = Driver archlp.sys has been blocked from loading.

Error - 08/08/2012 14:51:36 | Computer Name = praAnkster-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
archlp cdrom

Error - 08/08/2012 16:58:44 | Computer Name = praAnkster-PC | Source = Application Popup | ID = 875
Description = Driver archlp.sys has been blocked from loading.

Error - 08/08/2012 16:59:17 | Computer Name = praAnkster-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
archlp cdrom


< End of report >
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2012/08/02 23:17:09 | 000,000,000 | ---D | C] -- C:\FRST
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=====================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
All processes killed
========== OTL ==========
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\FRST\Quarantine\vfvwxwct folder moved successfully.
Folder move failed. C:\FRST\Quarantine scheduled to be moved on reboot.
C:\FRST\Logs folder moved successfully.
C:\FRST\Hives folder moved successfully.
C:\FRST folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: praAnkster
->Temp folder emptied: 2333801 bytes
->Temporary Internet Files folder emptied: 27778656 bytes
->Java cache emptied: 3806083 bytes
->Google Chrome cache emptied: 479227658 bytes
->Flash cache emptied: 523 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8077539 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 497.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: praAnkster
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: praAnkster
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.56.0 log created on 08092012_012118

Files\Folders moved on Reboot...
File\Folder C:\FRST\Quarantine not found!
C:\Users\praAnkster\AppData\Local\Temp\~DFE1CE0B65E729D3A8.TMP moved successfully.
File\Folder C:\Windows\temp\TMP0000000109E68346487364DA not found!
File\Folder C:\Windows\temp\ZLT060d7.TMP not found!

PendingFileRenameOperations files...
File C:\FRST\Quarantine not found!
File C:\Users\praAnkster\AppData\Local\Temp\~DFE1CE0B65E729D3A8.TMP not found!
File C:\Windows\temp\TMP0000000109E68346487364DA not found!
File C:\Windows\temp\ZLT060d7.TMP not found!

Registry entries deleted on Reboot...
 
Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Eusing Free Registry Cleaner
Java(TM) 6 Update 31
Java version out of Date!
Adobe Reader X (10.1.3)
Mozilla Thunderbird 12.0.1 Thunderbird out of Date!
Google Chrome 20.0.1132.47
Google Chrome 20.0.1132.57
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
CheckPoint ZoneAlarm vsmon.exe
CheckPoint ZoneAlarm zatray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 
Farbar Service Scanner Version: 06-08-2012
Ran by praAnkster (administrator) on 09-08-2012 at 01:52:07
Running from "C:\Users\praAnkster\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Destination is offline
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
 
And finally the ESET report:

C:\_OTL\MovedFiles\08092012_012118\C_\FRST\Quarantine\services.exe	Win32/Sirefef.FC trojan


Thanks for the help thus far, I await your reply...:)
 
1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

======================================

We have one corrupted registry key affecting Windows updates.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Double click on bits.reg file and confirm the prompt.
Restart computer.
Post new FSS log.
 
Sorry this is taking forever...I've just completed the Java Update and removal as outlined above, and will have to do the registry key in the morning.

There were a couple of issues with step 1, outlined here in case it's important...

I followed the link in Step 1. I was prompted to "Verify Java version". I was then prompted to install Java 7.5 and this seemed to complete. I went to check for the Java Quick Starter service as per Step 1 note 2, could not see Java in Control Panel, and looked under Programs. At that point the system hung. I restarted, then went back into Control Panel > Programs > Java, and the Java Quick Starter box was greyed out. Still no Java symbol in the Control Panel. I rechecked that link to verify the version, and it reported that Java was not installed. There was a link to a Java test which also failed. I rebooted and had the same situation.
So I tried a manual reinstall (the installer detected an installation), during this Windows reported being low on memory.
The install seemed to successfully complete and I verified with the web link. I successfully ran JavaRa.

I'll let you know how the reg key edit pans out...

Many thanks
Matt
 
Back again!

I updated the registry as per your instructions above, and then FSS...



Farbar Service Scanner Version: 06-08-2012
Ran by praAnkster (administrator) on 09-08-2012 at 18:29:56
Running from "C:\Users\praAnkster\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Destination is offline
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
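The FSS log above reports, for each security service, whether its start type matches the default and whether its ImagePath and ServiceDll are intact, and it flags the two policy values that disable the firewall and Windows Defender. The script below is an added example for this thread, not FSS's own code and not part of the helper's instructions: it performs the same checks on a live Windows 7 or later machine from an elevated PowerShell prompt. The registry paths and value names for the two policies are taken from the log above; the default start types for wuauserv, BITS and MpsSvc are assumptions, and the script does not replicate FSS's "MD5 is legit" comparison, which needs a table of known-good hashes.

```powershell
# Added example (not FSS's code, not the thread's instructions): reproduce the
# service and policy checks shown in the FSS log on a live system.
# Run from an elevated PowerShell prompt.

# Expected default start types (2 = Auto, 3 = Demand/Manual, 4 = Disabled).
# WinDefend = Auto is stated in the FSS log; the other three are assumptions
# for Windows 7 and should be confirmed against a known-good machine.
$ExpectedStart = @{
    'WinDefend' = 2   # Windows Defender (default stated in the FSS output)
    'wuauserv'  = 2   # Windows Update (assumed default)
    'BITS'      = 2   # Background Intelligent Transfer Service (assumed default)
    'MpsSvc'    = 2   # Windows Firewall (assumed default)
}

# Policy values that FSS flags; paths, names and bad values are from the log.
$DisablingPolicies = @(
    @{ Label = 'Firewall disabled';
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile';
       Name  = 'EnableFirewall'; BadValue = 0 },
    @{ Label = 'Windows Defender disabled';
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';
       Name  = 'DisableAntiSpyware'; BadValue = 1 }
)

function Get-StartTypeName([int]$Value) {
    switch ($Value) { 2 { 'Auto' } 3 { 'Demand' } 4 { 'Disabled' } default { "$Value" } }
}

# Returns finding strings for one service; no output means it looks fine.
function Test-ServiceConfig([string]$Name, [int]$Expected) {
    $findings = @()
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return @("${Name}: service registry key is missing")
    }
    $svc = Get-ItemProperty -Path $key
    if ([int]$svc.Start -ne $Expected) {
        $findings += "${Name}: start type is $(Get-StartTypeName $svc.Start), default is $(Get-StartTypeName $Expected)"
    }
    # ImagePath is usually '%SystemRoot%\system32\svchost.exe -k <group>';
    # keep only the executable, expand variables, and confirm it exists.
    $imagePath = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
    if ($imagePath -match '^"?([^"]+?\.exe)') { $exe = $Matches[1] } else { $exe = $imagePath }
    if (-not (Test-Path $exe)) {
        $findings += "${Name}: ImagePath points to missing file '$exe'"
    }
    # svchost-hosted services keep their real code in Parameters\ServiceDll.
    $paramKey = Join-Path $key 'Parameters'
    if (Test-Path $paramKey) {
        $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables([string]$dll)
            if (-not (Test-Path $dll)) {
                $findings += "${Name}: ServiceDll points to missing file '$dll'"
            }
        }
    }
    return $findings
}

# Returns a finding string when the policy value is set to its disabling value.
function Test-DisablingPolicy($Policy) {
    if (-not (Test-Path $Policy.Path)) { return $null }
    $value = (Get-ItemProperty -Path $Policy.Path -ErrorAction SilentlyContinue).($Policy.Name)
    if ($null -ne $value -and [int]$value -eq $Policy.BadValue) {
        return "$($Policy.Label): $($Policy.Path)\$($Policy.Name) = $value"
    }
    return $null
}

$report = @()
foreach ($name in $ExpectedStart.Keys) {
    $report += @(Test-ServiceConfig -Name $name -Expected $ExpectedStart[$name])
}
foreach ($policy in $DisablingPolicies) {
    $finding = Test-DisablingPolicy $policy
    if ($finding) { $report += $finding }
}

if ($report.Count -eq 0) {
    'No service or policy deviations found.'
} else {
    $report | ForEach-Object { "FINDING: $_" }
}
```

On the log above this would report the WinDefend start type (Demand instead of Auto), the EnableFirewall=0 policy and the DisableAntiSpyware=1 policy, and nothing for the service binaries, which FSS shows as present. Repeating the run after a fix such as the bits.reg import is a quick way to confirm the registry change took effect before posting a new FSS log.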
 
Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
Back