View Full Version : Infected by trojan.
chelseafan
2011-12-09, 16:48
I was using the internet and suddenly i disconnected from the internet, the screen went white and froze. I rebooted and this popped up...
'There was a problem starting C:\Users\James\AppData\Local\Temp\0.768814013133.exe
The specified model could not be found.'
and then this popped up...
'OpenOffice.org3.3. Either another instance of openoffice.org is opening your personal settings or your personal settings are located.
Simultaneous access can lead to inconsistencies in your personal settings. Before continuing, you should ensure user ''closes open office.org host''
Do you really want to continue?'
Here's my logfile...
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by Paul at 14:03:06 on 2011-12-09
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.3959.1924 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Java\jre6\bin\javaw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\java.exe
C:\Users\James\Documents\Texter\texter.exe
C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = 127.0.0.1
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: FaceSmooch Toolbar: {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll
BHO: Updater For FaceSmooch Toolbar: {41069220-f72a-40ea-a8f3-bcd5e1fbc8f0} - C:\Program Files (x86)\facesmoochtb\auxi\facesmoochAu.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: FaceSmooch Toolbar: {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [AdobeBridge]
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [SansaDispatch] C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Paul\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MP3ROC~1.LNK - C:\Program Files (x86)\MP3 Rocket\MP3Rocket.exe
StartupFolder: C:\Users\Paul\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Texter.lnk - C:\Program Files (x86)\Texter\texter.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\OnlyWire.LNK - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\044525555475946494 : DhcpNameServer = 10.42.254.10 10.42.254.26
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\2456C6B696E6F5E4F5144435C4F5343313736433 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\35B4952353435333 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\3747164796F6E6F547F677562723 : DhcpNameServer = 50.23.239.24 208.67.222.222
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\64C6F6F62753D224 : DhcpNameServer = 10.0.1.1 203.144.207.49
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\75C414E4E45445 : DhcpNameServer = 172.16.0.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\E6F64747F577966696 : DhcpNameServer = 50.23.239.24 208.67.222.222
TCP: Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA} : NameServer = 8.8.8.8,208.67.220.220
TCP: Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA} : DhcpNameServer = 192.168.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: FaceSmooch Toolbar: {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll
BHO-X64: FaceSmooch Toolbar - No File
BHO-X64: Updater For FaceSmooch Toolbar: {41069220-f72a-40ea-a8f3-bcd5e1fbc8f0} - C:\Program Files (x86)\facesmoochtb\auxi\facesmoochAu.dll
BHO-X64: Updater For FaceSmooch Toolbar - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: FaceSmooch Toolbar: {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Paul\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-2-17 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-2-17 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [2010-6-29 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-2-1 2253688]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-09 12:28:24 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DE93D026-FF32-4BCF-8170-7EB83A8ED13E}\offreg.dll
2011-12-08 19:45:10 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DE93D026-FF32-4BCF-8170-7EB83A8ED13E}\mpengine.dll
2011-12-06 19:25:59 -------- d-----w- C:\Users\Paul\AppData\Local\{E3B6484C-CC8D-456B-AB9C-0E89D4A6E3B6}
2011-12-06 19:25:47 -------- d-----w- C:\Users\Paul\AppData\Local\{7FD2D6D9-9EF2-4759-9A5C-C942209B8236}
2011-11-29 14:12:50 -------- d-----w- C:\Users\Paul\AppData\Local\{3E43F9C9-58FB-4810-A1F5-E0D81AD74A10}
2011-11-29 14:12:39 -------- d-----w- C:\Users\Paul\AppData\Local\{F11BD7AC-FA3C-4B76-A58C-EE0A4119DE80}
2011-11-27 11:37:13 -------- d-----w- C:\Users\Paul\AppData\Local\{4C410295-EADF-499D-9D6F-CFD5CCA8EF8A}
2011-11-19 23:42:32 -------- d-----w- C:\Users\Paul\AppData\Local\{090930C6-A55A-4E56-8715-C825D788A9CF}
2011-11-19 23:42:19 -------- d-----w- C:\Users\Paul\AppData\Local\{0BD7DD2A-D698-4CE1-B0F7-7C3D630C1AF4}
2011-11-19 10:53:57 -------- d-----w- C:\Users\Paul\AppData\Local\{80D1E28B-63EE-4595-A64D-EA30695E31EF}
2011-11-19 10:53:45 -------- d-----w- C:\Users\Paul\AppData\Local\{F4967D60-9D78-460D-955D-75FCAFEED890}
2011-11-09 21:33:24 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 21:33:24 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 21:33:22 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-09 21:33:20 3144704 ----a-w- C:\Windows\System32\win32k.sys
.
==================== Find3M ====================
.
2011-11-19 10:54:38 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-01 03:25:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-10-01 02:42:56 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 14:03:44.96 ===============
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
The fixes are specific to your problem and should only be used for the issues on this machine.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.
Having said that....Let's get going!! :thumbup:
----------
To start with do you have your system set up on a proxy by chance?
----------
Please download DeFogger (http://www.jpshortstuff.247fixes.com/Defogger.exe) to your desktop.
Right-click and Run as Administrator DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
If it needs to, DeFogger may ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.
----------
Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.
Right click and Run as Administrator the aswMBR icon to run it.
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Click the image to enlarge it
----------
In your next reply please let me know about the proxy settings and post the log created by aswMBR. :)
chelseafan
2011-12-12, 20:28
cheers jeff, here are the results
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-12 18:18:18
-----------------------------
18:18:18.539 OS Version: Windows x64 6.1.7601 Service Pack 1
18:18:18.539 Number of processors: 4 586 0x2502
18:18:18.540 ComputerName: PAUL-PC UserName: Paul
18:18:19.228 Initialize success
18:18:33.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:18:33.753 Disk 0 Vendor: WDC_WD5000BEVT-22A0RT0 01.01A01 Size: 476940MB BusType: 3
18:18:35.770 Disk 0 MBR read successfully
18:18:35.776 Disk 0 MBR scan
18:18:35.779 Disk 0 Windows 7 default MBR code
18:18:35.784 Service scanning
18:18:36.610 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
18:18:37.268 Modules scanning
18:18:37.274 Disk 0 trace - called modules:
18:18:37.326 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:18:37.332 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800527e060]
18:18:37.338 3 CLASSPNP.SYS[fffff8800197143f] -> nt!IofCallDriver -> [0xfffffa8004fe3580]
18:18:37.344 5 ACPI.sys[fffff88000f8a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004fd1060]
18:18:37.351 Scan finished successfully
18:18:49.769 Disk 0 MBR has been saved successfully to "C:\Users\Paul\Desktop\MBR.dat"
18:18:49.800 The log file has been saved successfully to "C:\Users\Paul\Desktop\aswMBR.txt"
Hi Chelseafan,
Do you know if your computer is set to run on a proxy? :)
chelseafan
2011-12-14, 01:38
I don't know what you mean, sorry.
Hi,
I don't know what you mean, sorry.If you don't know what I mean than you didn't do it. :bigthumb:
I will be back soon with the next set of instructions.
Hi chelseafan,
I am so sorry about the delay in response. :(
Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
--------------------------------------------------------------------
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.
chelseafan
2011-12-15, 22:20
I'm having a problem with combofix, when the computer restarts the combofix window opens and constantly flickers very fast, the only way to stop it is to open another window for it to stop for a few seconds so i can click exit.
Hi chelseafan,
Ok...lets use something else for now. :)
-------
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
chelseafan
2011-12-15, 23:05
OTL logfile created on: 12/15/2011 9:00:22 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\James\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
3.87 Gb Total Physical Memory | 2.74 Gb Available Physical Memory | 70.79% Memory free
7.73 Gb Paging File | 6.42 Gb Available in Paging File | 83.01% Paging File free
Paging file location(s): ?:\pagefile.sys
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.56 Gb Total Space | 8.58 Gb Free Space | 8.79% Space Free | Partition Type: NTFS
Drive D: | 97.66 Gb Total Space | 41.39 Gb Free Space | 42.38% Space Free | Partition Type: NTFS
Drive E: | 270.44 Gb Total Space | 108.46 Gb Free Space | 40.11% Space Free | Partition Type: NTFS
Drive F: | 452.34 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 100.00 Mb Total Space | 70.07 Mb Free Space | 70.07% Space Free | Partition Type: NTFS
Computer Name: PAUL-PC | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Users\James\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Java\jre6\bin\javaw.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\SysWOW64\java.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe ()
PRC - C:\Users\James\My Documents\Texter\texter.exe ()
========== Modules (No Company Name) ==========
MOD - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe ()
MOD - C:\Users\James\My Documents\Texter\texter.exe ()
========== Win32 Services (SafeList) ==========
SRV:[b]64bit: - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (SUPERAntiSpyware.com)
SRV:64bit: - (NisSrv) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (TeamViewer6) -- C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Crypkey License) -- C:\Windows\SysWow64\Crypserv.exe (CrypKey (Canada) Ltd.)
========== Driver Services (SafeList) ==========
DRV:64bit: - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SeratoUsb) -- C:\Windows\SysNative\drivers\SeratoUsb.sys (Cristalink Ltd)
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (dtsoftbus01) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (cpuz135) -- C:\Windows\SysNative\drivers\cpuz135_x64.sys (CPUID)
DRV:64bit: - (taphss) -- C:\Windows\SysNative\drivers\taphss.sys (AnchorFree Inc)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (k57nd60a) Broadcom NetLink (TM) -- C:\Windows\SysNative\drivers\k57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (RTHDMIAzAudService) -- C:\Windows\SysNative\drivers\RtHDMIVX.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (RimUsb) -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys (Research In Motion Limited)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
DRV - (NetworkX) -- C:\Windows\system32\ckldrv.sys ()
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 18 A0 14 D3 06 3F CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
========== FireFox ==========
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: savedpasswords@adamfranco.com:1.2.3
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6.5
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.7
FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.5
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: add-to-searchbox@maltekraus.de:2.0
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:4.0.0
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.72.0
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.7.2
FF - prefs.js..extensions.enabledItems: pbupload@photobucket.com:1.3.1
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@qq.com/npqscall,version=1.0.0: %commonprogramfiles%\tencent\NPQSCALL\npqscall.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files (x86)\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/10/10 20:56:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/10/16 09:58:30 | 000,000,000 | ---D | M]
[2011/02/01 15:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Extensions
[2011/11/27 11:37:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions
[2011/11/27 11:37:12 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2011/11/27 11:37:14 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/02/01 15:16:02 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2011/03/19 10:54:31 | 000,000,000 | ---D | M] (Add to Search Bar) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\add-to-searchbox@maltekraus.de
[2011/11/27 11:37:10 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\foxmarks@kei.com
[2011/09/13 12:04:11 | 000,000,000 | ---D | M] (Awesome screenshot: Capture and Annotate) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack
[2011/05/17 22:31:45 | 000,000,000 | ---D | M] (Saved Passwords Button) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\savedpasswords@adamfranco.com
[2011/11/27 11:37:11 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\support@lastpass.com
[2011/03/19 11:03:06 | 000,002,454 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\google-image-search.xml
[2011/03/23 22:45:21 | 000,001,097 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\mrtzcmp3--3.xml
[2011/03/19 10:59:26 | 000,001,060 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\the-internet-movie-database-imdb.xml
[2010/11/07 07:14:56 | 000,001,597 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\the-pirate-bay.xml
[2010/05/27 14:39:22 | 000,002,057 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\youtube-video-search.xml
[2011/07/22 18:02:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/06/29 08:42:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/04 20:25:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/02/24 18:30:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/07/22 18:02:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/06/12 04:20:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\{02450954-CDD9-410F-B1DA-DB804E18C671}.XPI
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\{DDC359D1-844A-42A7-9AA1-88A850A938A8}.XPI
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\PBUPLOAD@PHOTOBUCKET.COM.XPI
[2011/10/10 20:56:04 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011/10/10 20:56:02 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2010/10/29 19:12:14 | 000,002,185 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\facesmoochtb.xml
========== Chrome ==========
CHR - default_search_provider: The Internet Movie Database (IMDb) (Enabled)
CHR - default_search_provider: search_url = http://www.imdb.com/find?s=all&q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.200.2 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U20 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.14_0\
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.16_0\
CHR - Extension: Readable by Evernote = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\halondangdgpjbcemokdmjlpjmndpljd\1.3313.163.470_0\
CHR - Extension: Readable by Evernote = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\halondangdgpjbcemokdmjlpjmndpljd\1.3313.163.470_1\
O1 HOSTS File: ([2011/12/15 19:24:19 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll File not found
O2 - BHO: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O2 - BHO: (Updater For FaceSmooch Toolbar) - {41069220-f72a-40ea-a8f3-bcd5e1fbc8f0} - C:\Program Files (x86)\facesmoochtb\auxi\facesmoochAu.dll File not found
O3 - HKLM\..\Toolbar: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [combofix] C:\ComboFix\CF17639.3XE (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [SansaDispatch] C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [combofix] C:\ComboFix\CF17639.3XE (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MP3 Rocket (Minimized).lnk = File not found
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Texter.lnk = C:\Program Files (x86)\Texter\texter.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O1364bit: - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: NameServer = 8.8.8.8,208.67.220.220
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/12/15 20:15:06 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/12/15 20:15:06 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\temp
[2011/12/15 19:58:18 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/12/15 19:13:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/15 19:13:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/15 19:13:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/15 19:13:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/15 19:13:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/14 21:12:49 | 000,702,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2011/12/14 21:12:49 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2011/12/14 21:12:49 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2011/12/14 21:12:48 | 000,134,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2011/12/14 21:12:48 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2011/12/14 21:12:48 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2011/12/14 21:12:48 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2011/12/14 20:36:11 | 000,723,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2011/12/14 20:36:10 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2011/12/14 20:11:40 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2011/12/12 18:21:06 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{48145C7F-EE2A-4542-8DE2-EB933E2C2562}
[2011/12/06 19:25:59 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{E3B6484C-CC8D-456B-AB9C-0E89D4A6E3B6}
[2011/12/06 19:25:47 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{7FD2D6D9-9EF2-4759-9A5C-C942209B8236}
[2011/11/29 14:12:50 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{3E43F9C9-58FB-4810-A1F5-E0D81AD74A10}
[2011/11/29 14:12:39 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F11BD7AC-FA3C-4B76-A58C-EE0A4119DE80}
[2011/11/27 11:37:13 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{4C410295-EADF-499D-9D6F-CFD5CCA8EF8A}
[2011/11/19 23:42:32 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{090930C6-A55A-4E56-8715-C825D788A9CF}
[2011/11/19 23:42:19 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{0BD7DD2A-D698-4CE1-B0F7-7C3D630C1AF4}
[2011/11/19 10:53:57 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{80D1E28B-63EE-4595-A64D-EA30695E31EF}
[2011/11/19 10:53:45 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F4967D60-9D78-460D-955D-75FCAFEED890}
========== Files - Modified Within 30 Days ==========
[2011/12/15 20:33:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/15 20:23:33 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/15 20:23:33 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/15 20:20:42 | 000,782,638 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/12/15 20:20:42 | 000,667,092 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/12/15 20:20:42 | 000,126,696 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/12/15 20:16:24 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/15 20:15:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/15 20:15:50 | 3113,295,872 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/15 19:24:19 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/12/15 03:21:04 | 004,853,768 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/12/12 18:19:55 | 000,000,512 | ---- | M] () -- C:\Users\Paul\Documents\MBR.dat
[2011/12/12 18:18:49 | 000,000,512 | ---- | M] () -- C:\Users\Paul\Desktop\MBR.dat
[2011/12/12 18:17:38 | 000,000,168 | ---- | M] () -- C:\Users\Paul\defogger_reenable
[2011/12/10 14:59:13 | 000,000,971 | ---- | M] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/12/10 14:59:13 | 000,000,947 | ---- | M] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/12/09 14:40:30 | 000,003,974 | ---- | M] () -- C:\Users\Paul\Desktop\Attach.zip
[2011/11/19 10:54:38 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
========== Files Created - No Company Name ==========
[2011/12/15 19:13:09 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/15 19:13:09 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/15 19:13:09 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/15 19:13:09 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/15 19:13:09 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/12 18:19:55 | 000,000,512 | ---- | C] () -- C:\Users\Paul\Documents\MBR.dat
[2011/12/12 18:18:49 | 000,000,512 | ---- | C] () -- C:\Users\Paul\Desktop\MBR.dat
[2011/12/12 18:17:37 | 000,000,168 | ---- | C] () -- C:\Users\Paul\defogger_reenable
[2011/12/10 14:59:13 | 000,000,947 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/12/09 14:40:30 | 000,003,974 | ---- | C] () -- C:\Users\Paul\Desktop\Attach.zip
[2011/07/07 19:29:03 | 000,001,456 | ---- | C] () -- C:\Users\Paul\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/07/07 13:32:18 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe GIF Format CS5 Prefs
[2011/06/19 14:01:15 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe BMP Format CS5 Prefs
[2011/05/13 14:38:36 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2011/04/20 07:22:21 | 000,189,248 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/04/20 07:22:19 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/04/09 16:22:55 | 000,000,077 | ---- | C] () -- C:\Windows\Crypkey.ini
[2011/04/09 16:22:49 | 000,031,846 | ---- | C] () -- C:\Windows\SysWow64\Ckldrv.sys
[2011/04/09 16:22:49 | 000,027,648 | R--- | C] () -- C:\Windows\Setup_ck.exe
[2011/04/09 16:22:49 | 000,018,432 | ---- | C] () -- C:\Windows\Setup_ck.dll
[2011/04/09 16:22:49 | 000,011,776 | ---- | C] () -- C:\Windows\Ckrfresh.exe
[2011/02/17 20:36:52 | 000,000,268 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2011/02/10 06:32:14 | 000,018,760 | ---- | C] () -- C:\Windows\SysWow64\QQVistaHelper.dll
[2011/02/09 16:37:18 | 000,002,384 | ---- | C] () -- C:\Windows\SysWow64\LOWERP.ini
[2011/02/09 16:37:18 | 000,001,248 | ---- | C] () -- C:\Windows\SysWow64\LPOff.ini
[2011/02/09 06:55:45 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\cd.dat
[2011/02/02 20:39:43 | 000,000,600 | ---- | C] () -- C:\Users\Paul\AppData\Local\PUTTY.RND
[2011/02/02 15:23:37 | 000,010,752 | ---- | C] () -- C:\Windows\SysWow64\BASSMOD.dll
[2011/02/01 16:12:20 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/02/01 16:00:37 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2011/02/01 15:36:03 | 000,002,137 | ---- | C] () -- C:\Windows\SysWow64\atipblup.dat
[2011/02/01 15:35:40 | 000,002,137 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/02/01 15:11:20 | 000,768,550 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/07/14 05:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 02:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 02:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 00:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 21:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/10/07 08:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 08:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2005/10/14 09:56:50 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2005/10/14 09:56:50 | 000,921,600 | ---- | C] () -- C:\Windows\SysWow64\VorbisEnc.dll
[2005/10/14 09:56:50 | 000,778,240 | ---- | C] () -- C:\Windows\SysWow64\DivXsm.exe
[2005/10/14 09:56:50 | 000,761,856 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2005/10/14 09:56:50 | 000,344,064 | ---- | C] () -- C:\Windows\SysWow64\xvid.dll
[2005/10/14 09:56:50 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\OggDS.dll
[2005/10/14 09:56:50 | 000,188,416 | ---- | C] () -- C:\Windows\SysWow64\vorbis.dll
[2005/10/14 09:56:50 | 000,155,136 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2005/10/14 09:56:50 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\ogg.dll
========== LOP Check ==========
[2011/07/29 19:36:32 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\ADVIZOR Solutions, Inc
[2011/08/18 12:20:13 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Audacity
[2011/07/22 14:59:04 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Blueberry
[2011/06/21 17:55:08 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\CBS Interactive
[2011/07/19 23:50:52 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/02/04 20:01:12 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\com.userlytics.studio.62F3C6489AAEBB5EA6D06458DD51566F7BEEA00A.1
[2011/04/20 06:29:36 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\DAEMON Tools Lite
[2011/04/24 07:23:37 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Easy Macro Recorder
[2011/04/02 12:28:44 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\GetRightToGo
[2011/02/02 15:24:26 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\GlobalSCAPE
[2011/04/03 10:42:16 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\HDRsoft
[2011/06/10 06:15:09 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Leadertech
[2011/03/31 23:03:29 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\LogSys
[2011/08/11 00:06:48 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
[2011/06/20 20:37:25 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\MP3Rocket
[2011/04/29 10:20:17 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\My Games
[2011/07/03 18:53:16 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Notepad++
[2011/02/02 18:20:27 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\OpenOffice.org
[2011/04/20 07:22:16 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\PunkBuster
[2011/07/11 00:22:45 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Research In Motion
[2011/08/18 17:50:03 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\SanDisk
[2011/07/13 09:04:49 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Sick Marketing
[2011/04/02 20:47:52 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\TeamViewer
[2011/02/10 06:34:57 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Tencent
[2011/05/11 17:54:06 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\TS3Client
[2011/09/05 23:14:03 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\TweetAdder3
[2011/12/10 14:59:14 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\uTorrent
[2011/02/01 15:34:53 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Windows Live Writer
[2011/03/20 13:25:01 | 000,000,000 | -HSD | M] -- C:\Users\Paul\AppData\Roaming\wyUpdate AU
[2011/11/10 12:29:02 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
< End of report >
OTL Extras logfile created on: 12/15/2011 9:00:22 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\James\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
3.87 Gb Total Physical Memory | 2.74 Gb Available Physical Memory | 70.79% Memory free
7.73 Gb Paging File | 6.42 Gb Available in Paging File | 83.01% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.56 Gb Total Space | 8.58 Gb Free Space | 8.79% Space Free | Partition Type: NTFS
Drive D: | 97.66 Gb Total Space | 41.39 Gb Free Space | 42.38% Space Free | Partition Type: NTFS
Drive E: | 270.44 Gb Total Space | 108.46 Gb Free Space | 40.11% Space Free | Partition Type: NTFS
Drive F: | 452.34 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 100.00 Mb Total Space | 70.07 Mb Free Space | 70.07% Space Free | Partition Type: NTFS
Computer Name: PAUL-PC | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl[@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\SysWow64\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\SysWow64\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\SysWow64\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\SysWow64\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
========== Firewall Settings ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
========== HKEY_LOCAL_MACHINE Uninstall List ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{180C8888-50F1-426B-A9DC-AB83A1989C65}" = Windows Live Language Selector
"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
"{1E9FC118-651D-4934-97BE-E53CAE5C7D45}" = Microsoft_VC80_MFCLOC_x86_x64
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{42738DB0-FC3E-4672-A99B-9372F5696E30}" = Microsoft Security Client
"{4569AD91-47F4-4D9E-8FC9-717EC32D7AE1}" = Microsoft_VC80_CRT_x86_x64
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{80A620C1-B22C-4781-A351-B14B8A37BFE3}" = Image Resizer Powertoy Clone for Windows (64 bit)
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8338783A-0968-3B85-AFC7-BAAE0A63DC50}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
"{8557397C-A42D-486F-97B3-A2CBC2372593}" = Microsoft_VC90_ATL_x86_x64
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{925D058B-564A-443A-B4B2-7E90C6432E55}" = Microsoft_VC80_ATL_x86_x64
"{92A3CA0D-55CD-4C5D-BA95-5C2600C20F26}" = Microsoft_VC90_CRT_x86_x64
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9EA64B79-30A1-F52E-D801-B07CF05FFFAF}" = ccc-utility64
"{A472B9E4-0AFF-4F7B-B25D-F64F8E928AAB}" = Microsoft_VC90_MFC_x86_x64
"{A84DB02B-9C2B-4272-9D2D-A80E00A56513}" = Broadcom Gigabit NetLink Controller
"{C8C1BAD5-54E6-4146-AD07-3A8AD36569C3}" = Microsoft_VC80_MFC_x86_x64
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D8DACA27-C2D9-9E8E-A8A5-A10E0C670D01}" = ATI Catalyst Install Manager
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CCleaner" = CCleaner
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.57.1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"PhotomatixPro4.0x64_is1" = Photomatix Pro version 4.0
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"WinRAR archiver" = WinRAR 4.00 beta 5 (64-bit)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{016095EE-5BB3-791C-A558-06412FF78691}" = CCC Help Russian
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{10F4A085-EA81-594B-C0B8-ADF013D26B8E}" = CCC Help Turkish
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{14EC371D-145C-9AC3-B3A8-EA90C6B0325E}" = PX Profile Update
"{15FEDA5F-141C-4127-8D7E-B962D1742728}" = Adobe Photoshop CS5
"{1942E836-414C-4414-672B-93FCC8CC18AB}" = CCC Help Danish
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java(TM) 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 26
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{284AE43C-30E4-B57E-A234-05496D05AB68}" = Catalyst Control Center Graphics Previews Vista
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{32354BAB-8BAE-7189-6E3F-922D47292D3D}" = CCC Help Czech
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3CA54984-A14B-42FE-9FF1-7EA90151D725}" = Tencent QQ
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace
"{4E242AB2-86A7-4231-82A9-1E4226D23CA8}" = Catalyst Control Center - Branding
"{5449FB4F-1802-4D5B-A6D8-087DB1142147}" = Realtek HDMI Audio Driver for ATI
"{5735A865-CD31-5788-DA38-AAB06EAED9F4}" = CCC Help Hungarian
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5901E428-EC91-71EE-BA56-9417E40BE182}" = ccc-core-static
"{5F33C9B4-DDCD-4061-874E-E471310AEAAE}" = Scratch Live 2.3.0 (23065)
"{60AA5155-39C7-14AA-FB4B-489B1C8DE9A1}" = CCC Help Chinese Traditional
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{72449E65-4852-2FD9-F603-D77E39DD3CF6}" = CCC Help Finnish
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72AF10B4-52A5-4E94-BBA4-2413264D43DD}" = Tweet Adder 3
"{7703542C-3842-C5EE-2452-B006F441A162}" = CCC Help Polish
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7F529418-344D-3792-F7B6-04EB805F5931}" = CCC Help English
"{82AF3E91-57E1-4754-84D0-40A46E2479AB}" = OpenOffice.org 3.3
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89135274-728D-EFAB-472C-A1691369B21D}" = Market Samurai
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-00D1-0409-0000-0000000FF1CE}" = Microsoft Office Access database engine 2007 (English)
"{91F29ED6-6C82-F83D-BF8D-3E67D18E7249}" = Catalyst Control Center Localization All
"{91F34319-08DE-457a-99C0-0BCDFAC145B9}" = CuteFTP 8 Professional
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{990EEE1A-4D64-16AF-A944-AD97AE080D26}" = CCC Help German
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A98031B-0A1A-AFDC-87F4-AAFDC1E97B7D}" = CCC Help Portuguese
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{AEAA9D8A-A347-0FC4-5CAF-D9F2236FCF49}" = CCC Help French
"{AEB43F42-8F9D-DBD8-0B11-941CC27C174A}" = CCC Help Norwegian
"{AEDBD563-24BB-4EE3-8366-A654DAC2D988}" = Mirror's Edge™
"{C2EE73BE-CD73-6EC9-A5A0-0E080A60A00E}" = CCC Help Chinese Standard
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{CFCF4223-BC7B-110C-4E19-5FF025721C4B}" = CCC Help Spanish
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D6C630BF-8DBB-4042-8562-DC9A52CB6E7E}" = Intel(R) Turbo Boost Technology Driver
"{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}" = Skype™ 5.3
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E17D581A-6949-6A53-7A18-E80C6BDCC800}" = CCC Help Italian
"{E4D15328-8C89-484B-B9AA-F5BE9EA6D01C}" = NVIDIA PhysX v8.10.17
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E96D1A04-B0B4-0788-D70F-0A9BB9C503BD}" = CCC Help Korean
"{EB5E21BC-AC56-A45D-5593-A1C55A380677}" = CCC Help Swedish
"{ECEDC447-3EED-6F90-CB39-0A49BD2D63DE}" = CCC Help Thai
"{EF45FBBD-3CE8-698B-AC44-C693468F53D3}" = CCC Help Greek
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2508213-9989-4E85-A078-72BE483917EF}" = Microsoft Games for Windows - LIVE Redistributable
"{F47BEA79-07F3-5602-76B4-B9B9042269A1}" = Catalyst Control Center InstallProxy
"{F73D3B6A-4E5F-E93D-C7C3-65DE80BEE0E7}" = CCC Help Dutch
"{F9D7691A-E3CD-EF15-DE38-EDF0BB1E345F}" = CCC Help Japanese
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Alarm Clock_is1" = Alarm Clock v1.0
"Audacity 1.3 Beta_is1" = Audacity 1.3.12
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"Cool's_Codec_pack_4.12" = Codec Pack - All In 1 6.0.3.0
"DAEMON Tools Lite" = DAEMON Tools Lite
"Easy Macro Recorder_is1" = Easy Macro Recorder 4.0
"Google Chrome" = Google Chrome
"LAME for Audacity_is1" = LAME v3.98.3 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1" = Market Samurai
"MozBackup" = MozBackup 1.5.1
"Mozilla Firefox 7.0.1 (x86 en-US)" = Mozilla Firefox 7.0.1 (x86 en-US)
"Notepad++" = Notepad++
"OnlyWire" = OnlyWire
"PunkBusterSvc" = PunkBuster Services
"SopCast" = SopCast 3.4.0
"Stealth Keyword Competition Analyzer_is1" = Stealth Keyword Competition Analyzer 2.2
"Steam App 240" = Counter-Strike: Source
"Steam App 440" = Team Fortress 2
"TeamViewer 6" = TeamViewer 6
"uTorrent" = µTorrent
"Veetle TV" = Veetle TV 0.9.18
"VLC media player" = VLC media player 1.1.11
"WinLiveSuite" = Windows Live Essentials
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client
"4086567683.d.seesmic.com" = Seesmic Desktop 2
"CNET TechTracker" = CNET TechTracker
"Sansa Updater" = Sansa Updater
========== Last 10 Event Log Errors ==========
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
< End of report >
Hi chelseafan,
Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------
Run OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 18 A0 14 D3 06 3F CC 01
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
[2010/10/29 19:12:14 | 000,002,185 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\facesmoochtb.xml
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll File not found
O2 - BHO: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O2 - BHO: (Updater For FaceSmooch Toolbar) - {41069220-f72a-40ea-a8f3-bcd5e1fbc8f0} - C:\Program Files (x86)\facesmoochtb\auxi\facesmoochAu.dll File not found
O3 - HKLM\..\Toolbar: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MP3 Rocket (Minimized).lnk = File not found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
[2011/12/12 18:21:06 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{48145C7F-EE2A-4542-8DE2-EB933E2C2562}
[2011/12/06 19:25:59 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{E3B6484C-CC8D-456B-AB9C-0E89D4A6E3B6}
[2011/12/06 19:25:47 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{7FD2D6D9-9EF2-4759-9A5C-C942209B8236}
[2011/11/29 14:12:50 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{3E43F9C9-58FB-4810-A1F5-E0D81AD74A10}
[2011/11/29 14:12:39 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F11BD7AC-FA3C-4B76-A58C-EE0A4119DE80}
[2011/11/27 11:37:13 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{4C410295-EADF-499D-9D6F-CFD5CCA8EF8A}
[2011/11/19 23:42:32 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{090930C6-A55A-4E56-8715-C825D788A9CF}
[2011/11/19 23:42:19 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{0BD7DD2A-D698-4CE1-B0F7-7C3D630C1AF4}
[2011/11/19 10:53:57 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{80D1E28B-63EE-4595-A64D-EA30695E31EF}
[2011/11/19 10:53:45 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F4967D60-9D78-460D-955D-75FCAFEED890}
[2011/02/02 20:39:43 | 000,000,600 | ---- | C] () -- C:\Users\Paul\AppData\Local\PUTTY.RND
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptyjava]
[emptyflash]
[clearallrestorepoints]
[emptytemp]
[start explorer]
[Reboot]
Then click the [b]Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
chelseafan
2011-12-16, 22:34
Every time the computer loads the combofix window opens and flickers, even though i've uninstalled it.
Here's the file.
OTL logfile created on: 12/16/2011 8:25:31 PM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\James\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
3.87 Gb Total Physical Memory | 2.72 Gb Available Physical Memory | 70.38% Memory free
7.73 Gb Paging File | 6.41 Gb Available in Paging File | 82.89% Paging File free
Paging file location(s): ?:\pagefile.sys
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.56 Gb Total Space | 2.49 Gb Free Space | 2.55% Space Free | Partition Type: NTFS
Drive D: | 97.66 Gb Total Space | 41.39 Gb Free Space | 42.38% Space Free | Partition Type: NTFS
Drive E: | 270.44 Gb Total Space | 108.46 Gb Free Space | 40.11% Space Free | Partition Type: NTFS
Drive F: | 452.34 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 100.00 Mb Total Space | 70.07 Mb Free Space | 70.07% Space Free | Partition Type: NTFS
Computer Name: PAUL-PC | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Program Files (x86)\uTorrent\uTorrent.exe (BitTorrent, Inc.)
PRC - C:\Users\James\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Java\jre6\bin\javaw.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\SysWOW64\java.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe ()
PRC - C:\Users\James\My Documents\Texter\texter.exe ()
========== Modules (No Company Name) ==========
MOD - C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe ()
MOD - C:\Users\James\My Documents\Texter\texter.exe ()
========== Win32 Services (SafeList) ==========
SRV:[b]64bit: - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (SUPERAntiSpyware.com)
SRV:64bit: - (NisSrv) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (TeamViewer6) -- C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Crypkey License) -- C:\Windows\SysWow64\Crypserv.exe (CrypKey (Canada) Ltd.)
========== Driver Services (SafeList) ==========
DRV:64bit: - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SeratoUsb) -- C:\Windows\SysNative\drivers\SeratoUsb.sys (Cristalink Ltd)
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (dtsoftbus01) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (cpuz135) -- C:\Windows\SysNative\drivers\cpuz135_x64.sys (CPUID)
DRV:64bit: - (taphss) -- C:\Windows\SysNative\drivers\taphss.sys (AnchorFree Inc)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (k57nd60a) Broadcom NetLink (TM) -- C:\Windows\SysNative\drivers\k57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (RTHDMIAzAudService) -- C:\Windows\SysNative\drivers\RtHDMIVX.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (RimUsb) -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys (Research In Motion Limited)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
DRV - (NetworkX) -- C:\Windows\system32\ckldrv.sys ()
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 18 A0 14 D3 06 3F CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
========== FireFox ==========
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: savedpasswords@adamfranco.com:1.2.3
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6.5
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.7
FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.5
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: add-to-searchbox@maltekraus.de:2.0
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:4.0.0
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.72.0
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.7.2
FF - prefs.js..extensions.enabledItems: pbupload@photobucket.com:1.3.1
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@qq.com/npqscall,version=1.0.0: %commonprogramfiles%\tencent\NPQSCALL\npqscall.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files (x86)\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/10/10 20:56:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/10/16 09:58:30 | 000,000,000 | ---D | M]
[2011/02/01 15:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Extensions
[2011/11/27 11:37:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions
[2011/11/27 11:37:12 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2011/11/27 11:37:14 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/02/01 15:16:02 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2011/03/19 10:54:31 | 000,000,000 | ---D | M] (Add to Search Bar) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\add-to-searchbox@maltekraus.de
[2011/11/27 11:37:10 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\foxmarks@kei.com
[2011/09/13 12:04:11 | 000,000,000 | ---D | M] (Awesome screenshot: Capture and Annotate) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack
[2011/05/17 22:31:45 | 000,000,000 | ---D | M] (Saved Passwords Button) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\savedpasswords@adamfranco.com
[2011/11/27 11:37:11 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\support@lastpass.com
[2011/03/19 11:03:06 | 000,002,454 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\google-image-search.xml
[2011/03/23 22:45:21 | 000,001,097 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\mrtzcmp3--3.xml
[2011/03/19 10:59:26 | 000,001,060 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\the-internet-movie-database-imdb.xml
[2010/11/07 07:14:56 | 000,001,597 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\the-pirate-bay.xml
[2010/05/27 14:39:22 | 000,002,057 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\youtube-video-search.xml
[2011/07/22 18:02:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/06/29 08:42:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/04 20:25:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/02/24 18:30:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/07/22 18:02:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/06/12 04:20:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\{02450954-CDD9-410F-B1DA-DB804E18C671}.XPI
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\{DDC359D1-844A-42A7-9AA1-88A850A938A8}.XPI
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\PBUPLOAD@PHOTOBUCKET.COM.XPI
[2011/10/10 20:56:04 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011/10/10 20:56:02 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2010/10/29 19:12:14 | 000,002,185 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\facesmoochtb.xml
========== Chrome ==========
CHR - default_search_provider: The Internet Movie Database (IMDb) (Enabled)
CHR - default_search_provider: search_url = http://www.imdb.com/find?s=all&q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.200.2 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U20 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.14_0\
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.16_0\
CHR - Extension: Readable by Evernote = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\halondangdgpjbcemokdmjlpjmndpljd\1.3313.163.470_0\
CHR - Extension: Readable by Evernote = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\halondangdgpjbcemokdmjlpjmndpljd\1.3313.163.470_1\
O1 HOSTS File: ([2011/12/15 19:24:19 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll File not found
O2 - BHO: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O2 - BHO: (Updater For FaceSmooch Toolbar) - {41069220-f72a-40ea-a8f3-bcd5e1fbc8f0} - C:\Program Files (x86)\facesmoochtb\auxi\facesmoochAu.dll File not found
O3 - HKLM\..\Toolbar: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [combofix] C:\ComboFix\CF17639.3XE (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [SansaDispatch] C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [combofix] C:\ComboFix\CF17639.3XE (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MP3 Rocket (Minimized).lnk = File not found
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Texter.lnk = C:\Program Files (x86)\Texter\texter.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O1364bit: - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: NameServer = 8.8.8.8,208.67.220.220
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/12/16 19:58:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/12/16 19:58:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2011/12/15 20:15:06 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/12/15 20:15:06 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\temp
[2011/12/15 19:58:18 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/12/15 19:13:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/15 19:13:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/15 19:13:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/15 19:13:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/15 19:13:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/14 21:12:49 | 000,702,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2011/12/14 21:12:49 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2011/12/14 21:12:49 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2011/12/14 21:12:48 | 000,134,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2011/12/14 21:12:48 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2011/12/14 21:12:48 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2011/12/14 21:12:48 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2011/12/14 20:36:11 | 000,723,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2011/12/14 20:36:10 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2011/12/14 20:11:40 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2011/12/12 18:21:06 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{48145C7F-EE2A-4542-8DE2-EB933E2C2562}
[2011/12/06 19:25:59 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{E3B6484C-CC8D-456B-AB9C-0E89D4A6E3B6}
[2011/12/06 19:25:47 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{7FD2D6D9-9EF2-4759-9A5C-C942209B8236}
[2011/11/29 14:12:50 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{3E43F9C9-58FB-4810-A1F5-E0D81AD74A10}
[2011/11/29 14:12:39 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F11BD7AC-FA3C-4B76-A58C-EE0A4119DE80}
[2011/11/27 11:37:13 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{4C410295-EADF-499D-9D6F-CFD5CCA8EF8A}
[2011/11/19 23:42:32 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{090930C6-A55A-4E56-8715-C825D788A9CF}
[2011/11/19 23:42:19 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{0BD7DD2A-D698-4CE1-B0F7-7C3D630C1AF4}
[2011/11/19 10:53:57 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{80D1E28B-63EE-4595-A64D-EA30695E31EF}
[2011/11/19 10:53:45 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F4967D60-9D78-460D-955D-75FCAFEED890}
========== Files - Modified Within 30 Days ==========
[2011/12/16 20:30:33 | 000,782,638 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/12/16 20:30:33 | 000,667,092 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/12/16 20:30:33 | 000,126,696 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/12/16 20:24:41 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/16 20:24:13 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/16 20:24:08 | 3113,295,872 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/16 20:19:14 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/16 20:19:14 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/16 19:58:42 | 000,001,108 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/12/16 19:58:28 | 000,000,928 | ---- | M] () -- C:\Users\Paul\Desktop\NTREGOPT.lnk
[2011/12/16 19:58:28 | 000,000,909 | ---- | M] () -- C:\Users\Paul\Desktop\ERUNT.lnk
[2011/12/16 19:33:14 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/15 19:24:19 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/12/15 03:21:04 | 004,853,768 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/12/12 18:19:55 | 000,000,512 | ---- | M] () -- C:\Users\Paul\Documents\MBR.dat
[2011/12/12 18:18:49 | 000,000,512 | ---- | M] () -- C:\Users\Paul\Desktop\MBR.dat
[2011/12/12 18:17:38 | 000,000,168 | ---- | M] () -- C:\Users\Paul\defogger_reenable
[2011/12/10 14:59:13 | 000,000,971 | ---- | M] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/12/10 14:59:13 | 000,000,947 | ---- | M] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/12/09 14:40:30 | 000,003,974 | ---- | M] () -- C:\Users\Paul\Desktop\Attach.zip
[2011/11/19 10:54:38 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
========== Files Created - No Company Name ==========
[2011/12/16 19:58:42 | 000,001,108 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/12/16 19:58:28 | 000,000,928 | ---- | C] () -- C:\Users\Paul\Desktop\NTREGOPT.lnk
[2011/12/16 19:58:28 | 000,000,909 | ---- | C] () -- C:\Users\Paul\Desktop\ERUNT.lnk
[2011/12/15 19:13:09 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/15 19:13:09 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/15 19:13:09 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/15 19:13:09 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/15 19:13:09 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/12 18:19:55 | 000,000,512 | ---- | C] () -- C:\Users\Paul\Documents\MBR.dat
[2011/12/12 18:18:49 | 000,000,512 | ---- | C] () -- C:\Users\Paul\Desktop\MBR.dat
[2011/12/12 18:17:37 | 000,000,168 | ---- | C] () -- C:\Users\Paul\defogger_reenable
[2011/12/10 14:59:13 | 000,000,947 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/12/09 14:40:30 | 000,003,974 | ---- | C] () -- C:\Users\Paul\Desktop\Attach.zip
[2011/07/07 19:29:03 | 000,001,456 | ---- | C] () -- C:\Users\Paul\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/07/07 13:32:18 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe GIF Format CS5 Prefs
[2011/06/19 14:01:15 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe BMP Format CS5 Prefs
[2011/05/13 14:38:36 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2011/04/20 07:22:21 | 000,189,248 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/04/20 07:22:19 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/04/09 16:22:55 | 000,000,077 | ---- | C] () -- C:\Windows\Crypkey.ini
[2011/04/09 16:22:49 | 000,031,846 | ---- | C] () -- C:\Windows\SysWow64\Ckldrv.sys
[2011/04/09 16:22:49 | 000,027,648 | R--- | C] () -- C:\Windows\Setup_ck.exe
[2011/04/09 16:22:49 | 000,018,432 | ---- | C] () -- C:\Windows\Setup_ck.dll
[2011/04/09 16:22:49 | 000,011,776 | ---- | C] () -- C:\Windows\Ckrfresh.exe
[2011/02/17 20:36:52 | 000,000,268 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2011/02/10 06:32:14 | 000,018,760 | ---- | C] () -- C:\Windows\SysWow64\QQVistaHelper.dll
[2011/02/09 16:37:18 | 000,002,384 | ---- | C] () -- C:\Windows\SysWow64\LOWERP.ini
[2011/02/09 16:37:18 | 000,001,248 | ---- | C] () -- C:\Windows\SysWow64\LPOff.ini
[2011/02/09 06:55:45 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\cd.dat
[2011/02/02 20:39:43 | 000,000,600 | ---- | C] () -- C:\Users\Paul\AppData\Local\PUTTY.RND
[2011/02/02 15:23:37 | 000,010,752 | ---- | C] () -- C:\Windows\SysWow64\BASSMOD.dll
[2011/02/01 16:12:20 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/02/01 16:00:37 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2011/02/01 15:36:03 | 000,002,137 | ---- | C] () -- C:\Windows\SysWow64\atipblup.dat
[2011/02/01 15:35:40 | 000,002,137 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/02/01 15:11:20 | 000,768,550 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/07/14 05:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 02:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 02:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 00:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 21:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/10/07 08:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 08:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2005/10/14 09:56:50 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2005/10/14 09:56:50 | 000,921,600 | ---- | C] () -- C:\Windows\SysWow64\VorbisEnc.dll
[2005/10/14 09:56:50 | 000,778,240 | ---- | C] () -- C:\Windows\SysWow64\DivXsm.exe
[2005/10/14 09:56:50 | 000,761,856 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2005/10/14 09:56:50 | 000,344,064 | ---- | C] () -- C:\Windows\SysWow64\xvid.dll
[2005/10/14 09:56:50 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\OggDS.dll
[2005/10/14 09:56:50 | 000,188,416 | ---- | C] () -- C:\Windows\SysWow64\vorbis.dll
[2005/10/14 09:56:50 | 000,155,136 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2005/10/14 09:56:50 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\ogg.dll
< End of report >
Hi,
It looks like something happened with the fix. Please run the last set of instructions that I gave you again. :)
chelseafan
2011-12-16, 23:57
OTL logfile created on: 12/16/2011 9:51:00 PM - Run 5
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\James\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
3.87 Gb Total Physical Memory | 2.65 Gb Available Physical Memory | 68.59% Memory free
7.73 Gb Paging File | 6.31 Gb Available in Paging File | 81.68% Paging File free
Paging file location(s): ?:\pagefile.sys
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.56 Gb Total Space | 2.32 Gb Free Space | 2.38% Space Free | Partition Type: NTFS
Drive D: | 97.66 Gb Total Space | 41.39 Gb Free Space | 42.38% Space Free | Partition Type: NTFS
Drive E: | 270.44 Gb Total Space | 108.46 Gb Free Space | 40.11% Space Free | Partition Type: NTFS
Drive F: | 452.34 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 100.00 Mb Total Space | 70.07 Mb Free Space | 70.07% Space Free | Partition Type: NTFS
Computer Name: PAUL-PC | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Program Files (x86)\uTorrent\uTorrent.exe (BitTorrent, Inc.)
PRC - C:\Users\James\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Java\jre6\bin\javaw.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\SysWOW64\java.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe ()
PRC - C:\Users\James\My Documents\Texter\texter.exe ()
========== Modules (No Company Name) ==========
MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe ()
MOD - C:\Users\James\My Documents\Texter\texter.exe ()
========== Win32 Services (SafeList) ==========
SRV:[b]64bit: - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (SUPERAntiSpyware.com)
SRV:64bit: - (NisSrv) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (TeamViewer6) -- C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Crypkey License) -- C:\Windows\SysWow64\Crypserv.exe (CrypKey (Canada) Ltd.)
========== Driver Services (SafeList) ==========
DRV:64bit: - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SeratoUsb) -- C:\Windows\SysNative\drivers\SeratoUsb.sys (Cristalink Ltd)
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (dtsoftbus01) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (cpuz135) -- C:\Windows\SysNative\drivers\cpuz135_x64.sys (CPUID)
DRV:64bit: - (taphss) -- C:\Windows\SysNative\drivers\taphss.sys (AnchorFree Inc)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (k57nd60a) Broadcom NetLink (TM) -- C:\Windows\SysNative\drivers\k57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (RTHDMIAzAudService) -- C:\Windows\SysNative\drivers\RtHDMIVX.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (RimUsb) -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys (Research In Motion Limited)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
DRV - (NetworkX) -- C:\Windows\system32\ckldrv.sys ()
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 18 A0 14 D3 06 3F CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
========== FireFox ==========
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: savedpasswords@adamfranco.com:1.2.3
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6.5
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.7
FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.5
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: add-to-searchbox@maltekraus.de:2.0
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:4.0.0
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.72.0
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.7.2
FF - prefs.js..extensions.enabledItems: pbupload@photobucket.com:1.3.1
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@qq.com/npqscall,version=1.0.0: %commonprogramfiles%\tencent\NPQSCALL\npqscall.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files (x86)\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/10/10 20:56:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/10/16 09:58:30 | 000,000,000 | ---D | M]
[2011/02/01 15:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Extensions
[2011/11/27 11:37:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions
[2011/11/27 11:37:12 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2011/11/27 11:37:14 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/02/01 15:16:02 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2011/03/19 10:54:31 | 000,000,000 | ---D | M] (Add to Search Bar) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\add-to-searchbox@maltekraus.de
[2011/11/27 11:37:10 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\foxmarks@kei.com
[2011/09/13 12:04:11 | 000,000,000 | ---D | M] (Awesome screenshot: Capture and Annotate) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack
[2011/05/17 22:31:45 | 000,000,000 | ---D | M] (Saved Passwords Button) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\savedpasswords@adamfranco.com
[2011/11/27 11:37:11 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\support@lastpass.com
[2011/03/19 11:03:06 | 000,002,454 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\google-image-search.xml
[2011/03/23 22:45:21 | 000,001,097 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\mrtzcmp3--3.xml
[2011/03/19 10:59:26 | 000,001,060 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\the-internet-movie-database-imdb.xml
[2010/11/07 07:14:56 | 000,001,597 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\the-pirate-bay.xml
[2010/05/27 14:39:22 | 000,002,057 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\youtube-video-search.xml
[2011/07/22 18:02:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/06/29 08:42:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/04 20:25:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/02/24 18:30:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/07/22 18:02:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/06/12 04:20:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\{02450954-CDD9-410F-B1DA-DB804E18C671}.XPI
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\{DDC359D1-844A-42A7-9AA1-88A850A938A8}.XPI
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\PBUPLOAD@PHOTOBUCKET.COM.XPI
[2011/10/10 20:56:04 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011/10/10 20:56:02 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2010/10/29 19:12:14 | 000,002,185 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\facesmoochtb.xml
========== Chrome ==========
CHR - default_search_provider: The Internet Movie Database (IMDb) (Enabled)
CHR - default_search_provider: search_url = http://www.imdb.com/find?s=all&q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.200.2 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U20 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.14_0\
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.16_0\
CHR - Extension: Readable by Evernote = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\halondangdgpjbcemokdmjlpjmndpljd\1.3313.163.470_0\
CHR - Extension: Readable by Evernote = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\halondangdgpjbcemokdmjlpjmndpljd\1.3313.163.470_1\
O1 HOSTS File: ([2011/12/15 19:24:19 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll File not found
O2 - BHO: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O2 - BHO: (Updater For FaceSmooch Toolbar) - {41069220-f72a-40ea-a8f3-bcd5e1fbc8f0} - C:\Program Files (x86)\facesmoochtb\auxi\facesmoochAu.dll File not found
O3 - HKLM\..\Toolbar: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [combofix] C:\ComboFix\CF17639.3XE (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [SansaDispatch] C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [combofix] C:\ComboFix\CF17639.3XE (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MP3 Rocket (Minimized).lnk = File not found
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Texter.lnk = C:\Program Files (x86)\Texter\texter.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O1364bit: - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: NameServer = 8.8.8.8,208.67.220.220
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/12/16 19:58:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/12/16 19:58:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2011/12/15 20:15:06 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/12/15 20:15:06 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\temp
[2011/12/15 19:58:18 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/12/15 19:13:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/15 19:13:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/15 19:13:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/15 19:13:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/15 19:13:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/14 21:12:49 | 000,702,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2011/12/14 21:12:49 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2011/12/14 21:12:49 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2011/12/14 21:12:48 | 000,134,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2011/12/14 21:12:48 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2011/12/14 21:12:48 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2011/12/14 21:12:48 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2011/12/14 20:36:11 | 000,723,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2011/12/14 20:36:10 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2011/12/14 20:11:40 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2011/12/12 18:21:06 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{48145C7F-EE2A-4542-8DE2-EB933E2C2562}
[2011/12/06 19:25:59 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{E3B6484C-CC8D-456B-AB9C-0E89D4A6E3B6}
[2011/12/06 19:25:47 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{7FD2D6D9-9EF2-4759-9A5C-C942209B8236}
[2011/11/29 14:12:50 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{3E43F9C9-58FB-4810-A1F5-E0D81AD74A10}
[2011/11/29 14:12:39 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F11BD7AC-FA3C-4B76-A58C-EE0A4119DE80}
[2011/11/27 11:37:13 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{4C410295-EADF-499D-9D6F-CFD5CCA8EF8A}
[2011/11/19 23:42:32 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{090930C6-A55A-4E56-8715-C825D788A9CF}
[2011/11/19 23:42:19 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{0BD7DD2A-D698-4CE1-B0F7-7C3D630C1AF4}
[2011/11/19 10:53:57 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{80D1E28B-63EE-4595-A64D-EA30695E31EF}
[2011/11/19 10:53:45 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F4967D60-9D78-460D-955D-75FCAFEED890}
========== Files - Modified Within 30 Days ==========
[2011/12/16 21:55:46 | 000,782,638 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/12/16 21:55:46 | 000,667,092 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/12/16 21:55:46 | 000,126,696 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/12/16 21:50:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/16 21:49:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/16 21:49:22 | 3113,295,872 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/16 21:33:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/16 20:32:43 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/16 20:32:43 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/16 19:58:42 | 000,001,108 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/12/16 19:58:28 | 000,000,928 | ---- | M] () -- C:\Users\Paul\Desktop\NTREGOPT.lnk
[2011/12/16 19:58:28 | 000,000,909 | ---- | M] () -- C:\Users\Paul\Desktop\ERUNT.lnk
[2011/12/15 19:24:19 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/12/15 03:21:04 | 004,853,768 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/12/12 18:19:55 | 000,000,512 | ---- | M] () -- C:\Users\Paul\Documents\MBR.dat
[2011/12/12 18:18:49 | 000,000,512 | ---- | M] () -- C:\Users\Paul\Desktop\MBR.dat
[2011/12/12 18:17:38 | 000,000,168 | ---- | M] () -- C:\Users\Paul\defogger_reenable
[2011/12/10 14:59:13 | 000,000,971 | ---- | M] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/12/10 14:59:13 | 000,000,947 | ---- | M] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/12/09 14:40:30 | 000,003,974 | ---- | M] () -- C:\Users\Paul\Desktop\Attach.zip
[2011/11/19 10:54:38 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
========== Files Created - No Company Name ==========
[2011/12/16 19:58:42 | 000,001,108 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/12/16 19:58:28 | 000,000,928 | ---- | C] () -- C:\Users\Paul\Desktop\NTREGOPT.lnk
[2011/12/16 19:58:28 | 000,000,909 | ---- | C] () -- C:\Users\Paul\Desktop\ERUNT.lnk
[2011/12/15 19:13:09 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/15 19:13:09 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/15 19:13:09 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/15 19:13:09 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/15 19:13:09 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/12 18:19:55 | 000,000,512 | ---- | C] () -- C:\Users\Paul\Documents\MBR.dat
[2011/12/12 18:18:49 | 000,000,512 | ---- | C] () -- C:\Users\Paul\Desktop\MBR.dat
[2011/12/12 18:17:37 | 000,000,168 | ---- | C] () -- C:\Users\Paul\defogger_reenable
[2011/12/10 14:59:13 | 000,000,947 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/12/09 14:40:30 | 000,003,974 | ---- | C] () -- C:\Users\Paul\Desktop\Attach.zip
[2011/07/07 19:29:03 | 000,001,456 | ---- | C] () -- C:\Users\Paul\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/07/07 13:32:18 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe GIF Format CS5 Prefs
[2011/06/19 14:01:15 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe BMP Format CS5 Prefs
[2011/05/13 14:38:36 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2011/04/20 07:22:21 | 000,189,248 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/04/20 07:22:19 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/04/09 16:22:55 | 000,000,077 | ---- | C] () -- C:\Windows\Crypkey.ini
[2011/04/09 16:22:49 | 000,031,846 | ---- | C] () -- C:\Windows\SysWow64\Ckldrv.sys
[2011/04/09 16:22:49 | 000,027,648 | R--- | C] () -- C:\Windows\Setup_ck.exe
[2011/04/09 16:22:49 | 000,018,432 | ---- | C] () -- C:\Windows\Setup_ck.dll
[2011/04/09 16:22:49 | 000,011,776 | ---- | C] () -- C:\Windows\Ckrfresh.exe
[2011/02/17 20:36:52 | 000,000,268 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2011/02/10 06:32:14 | 000,018,760 | ---- | C] () -- C:\Windows\SysWow64\QQVistaHelper.dll
[2011/02/09 16:37:18 | 000,002,384 | ---- | C] () -- C:\Windows\SysWow64\LOWERP.ini
[2011/02/09 16:37:18 | 000,001,248 | ---- | C] () -- C:\Windows\SysWow64\LPOff.ini
[2011/02/09 06:55:45 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\cd.dat
[2011/02/02 20:39:43 | 000,000,600 | ---- | C] () -- C:\Users\Paul\AppData\Local\PUTTY.RND
[2011/02/02 15:23:37 | 000,010,752 | ---- | C] () -- C:\Windows\SysWow64\BASSMOD.dll
[2011/02/01 16:12:20 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/02/01 16:00:37 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2011/02/01 15:36:03 | 000,002,137 | ---- | C] () -- C:\Windows\SysWow64\atipblup.dat
[2011/02/01 15:35:40 | 000,002,137 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/02/01 15:11:20 | 000,768,550 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/07/14 05:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 02:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 02:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 00:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 21:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/10/07 08:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 08:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2005/10/14 09:56:50 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2005/10/14 09:56:50 | 000,921,600 | ---- | C] () -- C:\Windows\SysWow64\VorbisEnc.dll
[2005/10/14 09:56:50 | 000,778,240 | ---- | C] () -- C:\Windows\SysWow64\DivXsm.exe
[2005/10/14 09:56:50 | 000,761,856 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2005/10/14 09:56:50 | 000,344,064 | ---- | C] () -- C:\Windows\SysWow64\xvid.dll
[2005/10/14 09:56:50 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\OggDS.dll
[2005/10/14 09:56:50 | 000,188,416 | ---- | C] () -- C:\Windows\SysWow64\vorbis.dll
[2005/10/14 09:56:50 | 000,155,136 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2005/10/14 09:56:50 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\ogg.dll
< End of report >
Hi Chelseafan,
Reboot Your System in Safe Mode
How to use the F8 method to Start Your Computer in Safe Mode
Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe mode with Networking menu item
Press Enter.
Once in Safe Mode please run the OTL fix again as it isn't taking in Normal Mode.
--------
Now delete the copy of ComboFix that you have on your Desktop and then download a fresh copy and run a scan with that.
--------
In your next reply please let me know any problems you have with the instructions and post the logs made by OTL and ComboFix. :)
chelseafan
2011-12-18, 01:34
I'm having the same problem with combofix, every time the computer starts, the combofix window opens and flickers constantly.
Here's the OTL file.
:Services
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 18 A0 14 D3 06 3F CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
[2010/10/29 19:12:14 | 000,002,185 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\facesmoochtb.xml
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll File not found
O2 - BHO: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O2 - BHO: (Updater For FaceSmooch Toolbar) - {41069220-f72a-40ea-a8f3-bcd5e1fbc8f0} - C:\Program Files (x86)\facesmoochtb\auxi\facesmoochAu.dll File not found
O3 - HKLM\..\Toolbar: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MP3 Rocket (Minimized).lnk = File not found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
[2011/12/12 18:21:06 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{48145C7F-EE2A-4542-8DE2-EB933E2C2562}
[2011/12/06 19:25:59 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{E3B6484C-CC8D-456B-AB9C-0E89D4A6E3B6}
[2011/12/06 19:25:47 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{7FD2D6D9-9EF2-4759-9A5C-C942209B8236}
[2011/11/29 14:12:50 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{3E43F9C9-58FB-4810-A1F5-E0D81AD74A10}
[2011/11/29 14:12:39 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F11BD7AC-FA3C-4B76-A58C-EE0A4119DE80}
[2011/11/27 11:37:13 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{4C410295-EADF-499D-9D6F-CFD5CCA8EF8A}
[2011/11/19 23:42:32 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{090930C6-A55A-4E56-8715-C825D788A9CF}
[2011/11/19 23:42:19 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{0BD7DD2A-D698-4CE1-B0F7-7C3D630C1AF4}
[2011/11/19 10:53:57 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{80D1E28B-63EE-4595-A64D-EA30695E31EF}
[2011/11/19 10:53:45 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F4967D60-9D78-460D-955D-75FCAFEED890}
[2011/02/02 20:39:43 | 000,000,600 | ---- | C] () -- C:\Users\Paul\AppData\Local\PUTTY.RND
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptyjava]
[emptyflash]
[clearallrestorepoints]
[emptytemp]
[start explorer]
[Reboot]
Hi,
I wonder if there has been some miscommunication with OTL.
The part that you copied into your last reply
:Services
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 18 A0 14 D3 06 3F CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
[2010/10/29 19:12:14 | 000,002,185 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\facesmoochtb.xml
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll File not found
O2 - BHO: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O2 - BHO: (Updater For FaceSmooch Toolbar) - {41069220-f72a-40ea-a8f3-bcd5e1fbc8f0} - C:\Program Files (x86)\facesmoochtb\auxi\facesmoochAu.dll File not found
O3 - HKLM\..\Toolbar: (FaceSmooch Toolbar) - {3c490bf5-4244-4310-b4a7-3361f288dac5} - C:\Program Files (x86)\facesmoochtb\facesmoochDx.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MP3 Rocket (Minimized).lnk = File not found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
[2011/12/12 18:21:06 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{48145C7F-EE2A-4542-8DE2-EB933E2C2562}
[2011/12/06 19:25:59 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{E3B6484C-CC8D-456B-AB9C-0E89D4A6E3B6}
[2011/12/06 19:25:47 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{7FD2D6D9-9EF2-4759-9A5C-C942209B8236}
[2011/11/29 14:12:50 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{3E43F9C9-58FB-4810-A1F5-E0D81AD74A10}
[2011/11/29 14:12:39 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F11BD7AC-FA3C-4B76-A58C-EE0A4119DE80}
[2011/11/27 11:37:13 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{4C410295-EADF-499D-9D6F-CFD5CCA8EF8A}
[2011/11/19 23:42:32 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{090930C6-A55A-4E56-8715-C825D788A9CF}
[2011/11/19 23:42:19 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{0BD7DD2A-D698-4CE1-B0F7-7C3D630C1AF4}
[2011/11/19 10:53:57 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{80D1E28B-63EE-4595-A64D-EA30695E31EF}
[2011/11/19 10:53:45 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{F4967D60-9D78-460D-955D-75FCAFEED890}
[2011/02/02 20:39:43 | 000,000,600 | ---- | C] () -- C:\Users\Paul\AppData\Local\PUTTY.RND
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptyjava]
[emptyflash]
[clearallrestorepoints]
[emptytemp]
[start explorer]
[Reboot]
I have wanted you to open OTL and then paste that into the Custom Scan box. Then select Run Fix. Have you been doing that?
chelseafan
2011-12-18, 13:57
Yes i have. The combofix malfunction could be interfering with it....
Hi chelseafan,
Please run RKill using the following instructions and then try the OTL fix again.
Print out these instructions as we may need to close every window that is open later in the fix.
It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
Do not reboot your computer after running rkill as the malware programs will start again.
Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)
Do not reboot your computer after running rkill as the malware programs will start again.
--------
Now please attempt the OTL fix again. :)
chelseafan
2011-12-19, 18:47
I tried that but it didn't work. I don't have a problem downloading, the problem is the ComboFix malfunction appears every time i reboot, which must be interfering.
Hi chelseafan,
You will need a USB drive for this next part.
Please delete your copy of ComboFix and then download a fresh copy of ComboFix to your USB drive. When you download it to your USB drive please name it svchost.com and then transfer it to the infected computer and place it in your C:\ folder.
If you have problems let me know. :bigthumb:
Hi,
Do you still need help? :)
chelseafan
2011-12-23, 18:31
I did it, ran combofix and the same problem remains. The combofix window constantly flickers after reboot.
Hi chelseafan,
When ComboFix runs and then flickers is there any error message or anything that is displayed? Is there a log in the C:\Combofix folder by chance? If there is please post that so we can take a look. :bigthumb:
chelseafan
2011-12-27, 02:09
No and no, just the blue window.
Ok thanks. I am looking that problem over. :bigthumb:
Hi Chelseafan,
Please go to C:\Qoobox and look inside and see if you can find ComboFix.txt. If it is in there please post that into your next reply.
Hi,
Are you still with us? :)
Due to lack of feedback, this topic will now be closed.
If you are the original poster and you still require help, please start a new thread.
Hi chelseafan,
Good to see that you returned. Be sure to subscribe to the topic. :)
----------
What symptoms are you experiencing with your system still. Since it has been a couple of days I would like a little update.
---------
Run OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
O4 - HKLM..\RunOnce: [combofix]
O4 - HKLM..\Run: [combofix]
:commands
[reboot]
Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------
I would also like for you to delete your copy of aswMBR.exe using right-click >> delete and then download a new copy from here (http://public.avast.com/~gmerek/aswMBR.exe). Please run a new scan with aswMBR.
----------
In your next reply please post the OTL logs and the log created by aswMBR.exe.
chelseafan
2012-01-08, 03:36
OTL logfile created on: 1/8/2012 1:08:40 AM - Run 7
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\James\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
3.87 Gb Total Physical Memory | 2.73 Gb Available Physical Memory | 70.69% Memory free
7.73 Gb Paging File | 6.43 Gb Available in Paging File | 83.16% Paging File free
Paging file location(s): ?:\pagefile.sys
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.56 Gb Total Space | 1.91 Gb Free Space | 1.95% Space Free | Partition Type: NTFS
Drive D: | 97.66 Gb Total Space | 41.39 Gb Free Space | 42.38% Space Free | Partition Type: NTFS
Drive E: | 270.44 Gb Total Space | 108.46 Gb Free Space | 40.11% Space Free | Partition Type: NTFS
Drive F: | 452.34 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 100.00 Mb Total Space | 70.07 Mb Free Space | 70.07% Space Free | Partition Type: NTFS
Computer Name: PAUL-PC | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Users\James\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Java\jre6\bin\javaw.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\SysWOW64\java.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe ()
PRC - C:\Users\James\My Documents\Texter\texter.exe ()
========== Modules (No Company Name) ==========
MOD - C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe ()
MOD - C:\Users\James\My Documents\Texter\texter.exe ()
========== Win32 Services (SafeList) ==========
SRV:[b]64bit: - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (SUPERAntiSpyware.com)
SRV:64bit: - (NisSrv) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (TeamViewer6) -- C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Crypkey License) -- C:\Windows\SysWow64\Crypserv.exe (CrypKey (Canada) Ltd.)
========== Driver Services (SafeList) ==========
DRV:64bit: - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SeratoUsb) -- C:\Windows\SysNative\drivers\SeratoUsb.sys (Cristalink Ltd)
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (dtsoftbus01) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (cpuz135) -- C:\Windows\SysNative\drivers\cpuz135_x64.sys (CPUID)
DRV:64bit: - (taphss) -- C:\Windows\SysNative\drivers\taphss.sys (AnchorFree Inc)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (k57nd60a) Broadcom NetLink (TM) -- C:\Windows\SysNative\drivers\k57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (RTHDMIAzAudService) -- C:\Windows\SysNative\drivers\RtHDMIVX.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (RimUsb) -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys (Research In Motion Limited)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
DRV - (NetworkX) -- C:\Windows\system32\ckldrv.sys ()
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.useDBForOrder: ""
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: savedpasswords@adamfranco.com:1.2.3
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6.5
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.7
FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.5
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: add-to-searchbox@maltekraus.de:2.0
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:4.0.0
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.72.0
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.7.2
FF - prefs.js..extensions.enabledItems: pbupload@photobucket.com:1.3.1
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@qq.com/npqscall,version=1.0.0: %commonprogramfiles%\tencent\NPQSCALL\npqscall.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files (x86)\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/12/28 15:42:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/10/16 09:58:30 | 000,000,000 | ---D | M]
[2011/02/01 15:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Extensions
[2011/12/22 21:00:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions
[2011/11/27 11:37:12 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2011/11/27 11:37:14 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/02/01 15:16:02 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2011/03/19 10:54:31 | 000,000,000 | ---D | M] (Add to Search Bar) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\add-to-searchbox@maltekraus.de
[2011/11/27 11:37:10 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\foxmarks@kei.com
[2011/09/13 12:04:11 | 000,000,000 | ---D | M] (Awesome screenshot: Capture and Annotate) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack
[2011/05/17 22:31:45 | 000,000,000 | ---D | M] (Saved Passwords Button) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\savedpasswords@adamfranco.com
[2011/12/22 21:00:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\staged
[2011/11/27 11:37:11 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\extensions\support@lastpass.com
[2011/03/19 11:03:06 | 000,002,454 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\google-image-search.xml
[2011/03/23 22:45:21 | 000,001,097 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\mrtzcmp3--3.xml
[2011/03/19 10:59:26 | 000,001,060 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\the-internet-movie-database-imdb.xml
[2010/11/07 07:14:56 | 000,001,597 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\the-pirate-bay.xml
[2010/05/27 14:39:22 | 000,002,057 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\searchplugins\youtube-video-search.xml
[2011/12/28 15:43:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/06/12 04:20:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\{02450954-CDD9-410F-B1DA-DB804E18C671}.XPI
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\{DDC359D1-844A-42A7-9AA1-88A850A938A8}.XPI
() (No name found) -- C:\USERS\PAUL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8B6EQX2G.DEFAULT\EXTENSIONS\PBUPLOAD@PHOTOBUCKET.COM.XPI
[2011/12/21 07:24:52 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011/12/21 04:30:41 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/12/21 04:30:41 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml
========== Chrome ==========
CHR - default_search_provider: The Internet Movie Database (IMDb) (Enabled)
CHR - default_search_provider: search_url = http://www.imdb.com/find?s=all&q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\13.0.782.112\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.200.2 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U20 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.14_0\
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.16_0\
CHR - Extension: Readable by Evernote = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\halondangdgpjbcemokdmjlpjmndpljd\1.3313.163.470_0\
CHR - Extension: Readable by Evernote = C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\halondangdgpjbcemokdmjlpjmndpljd\1.3313.163.470_1\
O1 HOSTS File: ([2011/12/20 19:57:19 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [SansaDispatch] C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4:64bit: - HKLM..\RunOnce: [*WerKernelReporting] C:\Windows\SysNative\WerFault.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Texter.lnk = C:\Program Files (x86)\Texter\texter.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O1364bit: - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: NameServer = 8.8.8.8,208.67.220.220
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/12/26 18:26:52 | 000,000,000 | --SD | C] -- C:\svhost.com
[2011/12/23 16:25:33 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/12/23 16:14:05 | 004,350,311 | R--- | C] (Swearware) -- C:\svhost.com.exe
[2011/12/20 19:57:23 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2011/12/17 23:25:53 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\temp
[2011/12/17 22:56:45 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/12/16 19:58:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/12/16 19:58:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2011/12/15 19:13:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/15 19:13:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/15 19:13:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/15 19:13:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/15 19:13:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/14 21:12:49 | 000,702,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2011/12/14 21:12:49 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2011/12/14 21:12:49 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2011/12/14 21:12:48 | 000,134,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2011/12/14 21:12:48 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2011/12/14 21:12:48 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2011/12/14 21:12:48 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2011/12/14 20:36:11 | 000,723,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2011/12/14 20:36:10 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2011/12/14 20:11:40 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
========== Files - Modified Within 30 Days ==========
[2012/01/08 01:07:19 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/08 01:06:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/08 01:06:46 | 3113,295,872 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/08 01:05:22 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/08 01:05:22 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/08 00:33:14 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/28 15:42:21 | 000,002,056 | ---- | M] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/12/28 15:42:21 | 000,001,142 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/12/27 15:23:18 | 417,591,496 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/12/23 16:13:52 | 004,350,311 | R--- | M] (Swearware) -- C:\svhost.com.exe
[2011/12/20 21:10:38 | 000,782,638 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/12/20 21:10:38 | 000,667,092 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/12/20 21:10:38 | 000,126,696 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/12/20 19:57:19 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/12/16 19:58:42 | 000,001,108 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/12/16 19:58:28 | 000,000,928 | ---- | M] () -- C:\Users\Paul\Desktop\NTREGOPT.lnk
[2011/12/16 19:58:28 | 000,000,909 | ---- | M] () -- C:\Users\Paul\Desktop\ERUNT.lnk
[2011/12/15 03:21:04 | 004,853,768 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/12/12 18:19:55 | 000,000,512 | ---- | M] () -- C:\Users\Paul\Documents\MBR.dat
[2011/12/12 18:18:49 | 000,000,512 | ---- | M] () -- C:\Users\Paul\Desktop\MBR.dat
[2011/12/12 18:17:38 | 000,000,168 | ---- | M] () -- C:\Users\Paul\defogger_reenable
[2011/12/10 14:59:13 | 000,000,971 | ---- | M] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/12/10 14:59:13 | 000,000,947 | ---- | M] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/12/09 14:40:30 | 000,003,974 | ---- | M] () -- C:\Users\Paul\Desktop\Attach.zip
========== Files Created - No Company Name ==========
[2011/12/28 15:42:21 | 000,001,142 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/12/27 15:23:18 | 417,591,496 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/12/16 19:58:42 | 000,001,108 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/12/16 19:58:28 | 000,000,928 | ---- | C] () -- C:\Users\Paul\Desktop\NTREGOPT.lnk
[2011/12/16 19:58:28 | 000,000,909 | ---- | C] () -- C:\Users\Paul\Desktop\ERUNT.lnk
[2011/12/15 19:13:09 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/15 19:13:09 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/15 19:13:09 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/15 19:13:09 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/15 19:13:09 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/12 18:19:55 | 000,000,512 | ---- | C] () -- C:\Users\Paul\Documents\MBR.dat
[2011/12/12 18:18:49 | 000,000,512 | ---- | C] () -- C:\Users\Paul\Desktop\MBR.dat
[2011/12/12 18:17:37 | 000,000,168 | ---- | C] () -- C:\Users\Paul\defogger_reenable
[2011/12/10 14:59:13 | 000,000,947 | ---- | C] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2011/12/09 14:40:30 | 000,003,974 | ---- | C] () -- C:\Users\Paul\Desktop\Attach.zip
[2011/07/07 19:29:03 | 000,001,456 | ---- | C] () -- C:\Users\Paul\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/07/07 13:32:18 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe GIF Format CS5 Prefs
[2011/06/19 14:01:15 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe BMP Format CS5 Prefs
[2011/05/13 14:38:36 | 000,000,132 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2011/04/20 07:22:21 | 000,189,248 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/04/20 07:22:19 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/04/09 16:22:55 | 000,000,077 | ---- | C] () -- C:\Windows\Crypkey.ini
[2011/04/09 16:22:49 | 000,031,846 | ---- | C] () -- C:\Windows\SysWow64\Ckldrv.sys
[2011/04/09 16:22:49 | 000,027,648 | R--- | C] () -- C:\Windows\Setup_ck.exe
[2011/04/09 16:22:49 | 000,018,432 | ---- | C] () -- C:\Windows\Setup_ck.dll
[2011/04/09 16:22:49 | 000,011,776 | ---- | C] () -- C:\Windows\Ckrfresh.exe
[2011/02/17 20:36:52 | 000,000,268 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2011/02/10 06:32:14 | 000,018,760 | ---- | C] () -- C:\Windows\SysWow64\QQVistaHelper.dll
[2011/02/09 16:37:18 | 000,002,384 | ---- | C] () -- C:\Windows\SysWow64\LOWERP.ini
[2011/02/09 16:37:18 | 000,001,248 | ---- | C] () -- C:\Windows\SysWow64\LPOff.ini
[2011/02/09 06:55:45 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\cd.dat
[2011/02/02 15:23:37 | 000,010,752 | ---- | C] () -- C:\Windows\SysWow64\BASSMOD.dll
[2011/02/01 16:12:20 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/02/01 16:00:37 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2011/02/01 15:36:03 | 000,002,137 | ---- | C] () -- C:\Windows\SysWow64\atipblup.dat
[2011/02/01 15:35:40 | 000,002,137 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/02/01 15:11:20 | 000,768,550 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/07/14 05:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 02:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/14 02:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/14 00:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 21:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2008/10/07 08:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008/10/07 08:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2005/10/14 09:56:50 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2005/10/14 09:56:50 | 000,921,600 | ---- | C] () -- C:\Windows\SysWow64\VorbisEnc.dll
[2005/10/14 09:56:50 | 000,778,240 | ---- | C] () -- C:\Windows\SysWow64\DivXsm.exe
[2005/10/14 09:56:50 | 000,761,856 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2005/10/14 09:56:50 | 000,344,064 | ---- | C] () -- C:\Windows\SysWow64\xvid.dll
[2005/10/14 09:56:50 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\OggDS.dll
[2005/10/14 09:56:50 | 000,188,416 | ---- | C] () -- C:\Windows\SysWow64\vorbis.dll
[2005/10/14 09:56:50 | 000,155,136 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2005/10/14 09:56:50 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\ogg.dll
< End of report >
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-12 18:18:18
-----------------------------
18:18:18.539 OS Version: Windows x64 6.1.7601 Service Pack 1
18:18:18.539 Number of processors: 4 586 0x2502
18:18:18.540 ComputerName: PAUL-PC UserName: Paul
18:18:19.228 Initialize success
18:18:33.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:18:33.753 Disk 0 Vendor: WDC_WD5000BEVT-22A0RT0 01.01A01 Size: 476940MB BusType: 3
18:18:35.770 Disk 0 MBR read successfully
18:18:35.776 Disk 0 MBR scan
18:18:35.779 Disk 0 Windows 7 default MBR code
18:18:35.784 Service scanning
18:18:36.610 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
18:18:37.268 Modules scanning
18:18:37.274 Disk 0 trace - called modules:
18:18:37.326 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:18:37.332 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800527e060]
18:18:37.338 3 CLASSPNP.SYS[fffff8800197143f] -> nt!IofCallDriver -> [0xfffffa8004fe3580]
18:18:37.344 5 ACPI.sys[fffff88000f8a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004fd1060]
18:18:37.351 Scan finished successfully
18:18:49.769 Disk 0 MBR has been saved successfully to "C:\Users\Paul\Desktop\MBR.dat"
18:18:49.800 The log file has been saved successfully to "C:\Users\Paul\Desktop\aswMBR.txt"
aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-08 01:15:15
-----------------------------
01:15:15.100 OS Version: Windows x64 6.1.7601 Service Pack 1
01:15:15.100 Number of processors: 4 586 0x2502
01:15:15.101 ComputerName: PAUL-PC UserName: Paul
01:15:15.814 Initialize success
01:16:48.605 AVAST engine defs: 12010701
01:17:28.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
01:17:28.644 Disk 0 Vendor: WDC_WD5000BEVT-22A0RT0 01.01A01 Size: 476940MB BusType: 3
01:17:28.659 Disk 0 MBR read successfully
01:17:28.663 Disk 0 MBR scan
01:17:28.670 Disk 0 Windows 7 default MBR code
01:17:28.674 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
01:17:28.728 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 99900 MB offset 206848
01:17:28.774 Disk 0 Partition 3 00 06 FAT16 NTFS 100000 MB offset 204802048
01:17:28.780 Disk 0 Partition - 00 0F Extended LBA 276932 MB offset 409609305
01:17:28.794 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 276932 MB offset 409609368
01:17:28.801 Service scanning
01:17:30.834 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
01:17:31.418 Modules scanning
01:17:31.756 Disk 0 trace - called modules:
01:17:31.803 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
01:17:31.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800527f060]
01:17:31.821 3 CLASSPNP.SYS[fffff8800197143f] -> nt!IofCallDriver -> [0xfffffa8004fc3290]
01:17:31.829 5 ACPI.sys[fffff88000f537a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004fd6060]
01:17:32.562 AVAST engine scan C:\Windows
01:17:36.595 AVAST engine scan C:\Windows\system32
01:20:05.620 AVAST engine scan C:\Windows\system32\drivers
01:20:17.964 AVAST engine scan C:\Users\Paul
01:31:57.277 Disk 0 MBR has been saved successfully to "C:\Users\Paul\Documents\MBR.dat"
01:31:57.340 The log file has been saved successfully to "C:\Users\Paul\Documents\aswMBR.txt"
01:33:40.298 Disk 0 MBR has been saved successfully to "C:\Users\Paul\Desktop\MBR.dat"
01:33:40.303 The log file has been saved successfully to "C:\Users\Paul\Desktop\aswMBR.txt"
Hi chelseafan,
That OTL fix seemed to remove those odd ComboFix entries that I was looking at.
Please delete your copy of ComboFix and then download a fresh copy. Once you have the fresh copy please attempt to run ComboFix and then post the log into your next reply. :)
chelseafan
2012-01-09, 02:38
The same thing happened as before.
Now i've been infected with a new virus because I forgot to turn on Microsoft Security after following your prompts, an adobe update popped up so I typed in my password and the virus appeared.
The virus is 'Win 7 Antispyware 2012'.
Hi chelseafan,
Ok...lets start fresh.
Run DDS and post both of the logs that are created into your next reply.
chelseafan
2012-01-09, 14:23
May I also add that the virus has taken away the taskbar. All I see is a blank blue screen with the windows icon in the centre and the virus opens up libraries.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by Paul at 11:55:30 on 2012-01-09
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.3959.2369 [GMT 0:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\Explorer.EXE
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Users\James\AppData\Local\itq.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe
C:\Users\James\AppData\Local\SanctionedMedia\Smad\Smad.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Users\James\Documents\Texter\texter.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\explorer.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Java\jre6\bin\javaw.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\java.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [SansaDispatch] C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [combofix] C:\ComboFix\CF27623.3XE /c C:\ComboFix\Combobatch.bat
mRunOnce: [combofix] C:\ComboFix\CF27623.3XE /c C:\ComboFixCombobatch.bat
StartupFolder: C:\Users\Paul\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\Users\Paul\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Texter.lnk - C:\Program Files (x86)\Texter\texter.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\OnlyWire.LNK - C:\Program Files (x86)\OnlyWire\OnlyWireWindows.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\044525555475946494 : DhcpNameServer = 10.42.254.10 10.42.254.26
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\2456C6B696E6F5E4F5144435C4F5343313736433 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\35B4952353435333 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\3747164796F6E6F547F677562723 : DhcpNameServer = 50.23.239.24 208.67.222.222
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\64C6F6F62753D224 : DhcpNameServer = 10.0.1.1 203.144.207.49
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\75C414E4E45445 : DhcpNameServer = 172.16.0.1
TCP: Interfaces\{3A572524-78C6-4EEA-82EC-40C541C42D1E}\E6F64747F577966696 : DhcpNameServer = 50.23.239.24 208.67.222.222
TCP: Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA} : NameServer = 8.8.8.8,208.67.220.220
TCP: Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA} : DhcpNameServer = 192.168.2.1
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [combofix] C:\ComboFix\CF27623.3XE /c C:\ComboFix\Combobatch.bat
mRunOnce-x64: [combofix] C:\ComboFix\CF27623.3XE /c C:\ComboFixCombobatch.bat
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\8b6eqx2g.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Paul\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-2-17 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-2-17 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [2010-6-29 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-2-1 2253688]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
inffile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
VBEFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
VBSFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-01-09 01:00:44 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{16A69288-E0A5-4A9B-ADFA-BAC371A5619A}\offreg.dll
2012-01-09 00:24:09 -------- d-----we C:\Windows\system64
2012-01-08 21:56:38 -------- d-----w- C:\Users\Paul\AppData\Local\temp
2012-01-08 21:48:37 -------- d-s---w- C:\ComboFix
2012-01-08 12:21:25 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{16A69288-E0A5-4A9B-ADFA-BAC371A5619A}\mpengine.dll
2011-12-28 15:42:18 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2011-12-28 15:42:18 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2011-12-28 15:42:18 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2011-12-28 15:42:18 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2011-12-28 15:42:18 121816 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-12-20 19:57:23 -------- d-----w- C:\$RECYCLE.BIN
2011-12-17 22:56:45 -------- d-----w- C:\_OTL
2011-12-15 19:13:09 98816 ----a-w- C:\Windows\sed.exe
2011-12-15 19:13:09 518144 ----a-w- C:\Windows\SWREG.exe
2011-12-15 19:13:09 256000 ----a-w- C:\Windows\PEV.exe
2011-12-15 19:13:09 208896 ----a-w- C:\Windows\MBR.exe
2011-12-14 20:36:23 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-14 20:36:23 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-14 20:36:11 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-14 20:36:10 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-14 20:34:50 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-14 20:11:40 43520 ----a-w- C:\Windows\System32\csrsrv.dll
.
==================== Find3M ====================
.
2011-11-19 10:54:38 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 11:57:26.04 ===============
Hi chelseafan,
Looks like we still have the ZeroAccess Rootkit on your system that I noted in the beginning. Let's take this step by step.
---------
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Right-click and Run as Administrator TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------
Please post the log made by TDSSKiller in your next reply. :)
chelseafan
2012-01-09, 16:07
Nothing was detected.
It has got worse, I can no longer access the internet via desktop as the Library folder no longer opens. I'm using aother PC.
It says 'Internet explorer alert. Visiting this site may pose a security threat..'
Possible reasons include:
bla bla bla
Things you can do:
Get a copy of 'Win 7 Antispyware 2012' to safeguard your PC
Run a spyware scan
Continue surfing without security
chelseafan
2012-01-09, 16:35
It has changed again. The taskbar has reappeared, Microsoft Security Essentials has reappeared and detected 2 trojans..
Trojan:Win32/Alureon.TK
Trojan:Win/64/Sirefoff.J
I tried to remove the trojans and it prompted me to restart but upon restart the same 2 trojans remain.
Hi chelseafan,
Get a copy of 'Win 7 Antispyware 2012' to safeguard your PCDo not do this. It is a rogue antivirus program.
For the time being I would not use the infected computer for anything but coming here so we can attempt to fix it or to go to the sites that I send you for tools. We MAY be dealing with a new variant of the ZeroAccess Rootkit. I am talking with some of my colleagues presently. I will return as quickly as I can.
Hi chelseafan,
Go to start>control panel>folder options>view
Choose to "show hidden files and folders,"
Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
Close the window with ok
----------
I would like for you to run RKill again and then, once RKill is run, immediately open, update and then run Malwarebytes. Be sure to remove any entries found by Malwarebytes. Do not reboot.
----------
I would like for you to go to C:\Combofix and delete that folder.
Now I would like for you to download a fresh copy of ComboFix but rename it svchost.exe before saving it to your Desktop. Once the new ComboFix is is downloaded (renamed svchost.exe) to your Desktop please run a new scan with ComboFix.
----------
In your next reply please post the logs created by Malwarebytes and ComboFix. If you have any problems please let me know. :)
chelseafan
2012-01-10, 02:55
The same problem with ComboFix.
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7206
Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514
10/01/2012 00:25:46
mbam-log-2012-01-10 (00-25-46).txt
Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 348034
Time elapsed: 47 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hi chelseafan,
This infection seems to be dug in. Thanks for your patience. :)
----------
Please download OTH.scr (http://oldtimer.geekstogo.com/OTH.scr) to your desktop
Double click the OTH file and select Kill All Processes, your desktop will go blank
http://oldtimer.geekstogo.com/OTH/OTH_Main.jpg
Then select Start Misc Program and navigate to Malwarebytes. Update and run a Full Scan with Malwarebytes. When it completes save the log to post into your next reply.
Once Malwarebytes has been run press Start Misc Programs again and navigate to your newly named ComboFix on your Desktop (the one named svchost.exe) and attempt to run a scan. If it completes be sure to save the log to your Desktop.
Press the Reboot button. Your system will reboot and now please post the logs that are created by Malwarebytes and hopefully ComboFix. :)
chelseafan
2012-01-10, 16:15
Nothing happened when I clicked Kill All Processes.
I can't check for updates on Malwarebytes but I ran the scan and nothing detected.
The same problem with ComboFix.
Hi chelseafan,
Please download Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe) and run it on the computer with the issue.
Make sure "Include All Files" option remains checked.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
chelseafan
2012-01-10, 19:03
There is no 'Include All Files' option...
Hi,
Just go ahead and be sure to check all of the boxes and then press Scan. :)
Once the log is produced be sure to post that into your next reply.
chelseafan
2012-01-10, 20:50
I did that and it says 'Cannot find FSS.txt file'.
Hi chelseafan,
Please try to run Farbar Service Scanner again. Post the log if it is created. :)
chelseafan
2012-01-11, 00:54
Doesn't work.
Hi chelseafan,
What browser are you using to download your files?
chelseafan
2012-01-11, 14:44
Firefox. I'm having no problem downloading the files, when I open the file it doesn't work.
Hi chelseafan,
Firefox. I'm having no problem downloading the files, when I open the file it doesn't work.Oh I know. I wanted to be sure I gave you the correct set of instructions next.
Be sure to read through the following instructions first and then follow the instructions in order. :)
Open Firefox. Go to Tools >> Options >> General tab >> select Always ask me where to save files. This will allow you to properly rename ComboFix prior to downloading it to your system.
----------
We need to be sure hidden extensions are shown:
Go to Start
Click on Control Panel
Click on Folder Options
Click on View Tab
Check:
Show hidden files,folders, or drives
Uncheck the "hide extensions for know file types" boxes.
Press OK
======================================================
Now delete all copies of ComboFix on your system using right-click >> delete. Don't forget about the copy that we renamed svchost.com if it is still there.
-------------
I want for you to download a fresh copy of ComboFix to your Desktop. Before downloading you should be asked by Firefox where you want to save the file. Be sure to save it to your Desktop and rename it svchost.com
After it has downloaded to your Desktop I want you to right-click on the file and select properties. In the General tab I want you to be sure that the file is named svchost.com You can see this at the very top of the General tab next to the icon for the file. Be sure that it only says svchost.com and nothing else.
If that is what it says press ok and then attempt to run the newly named ComboFix and then post the ComboFix log into your next reply.
If it says anything else stop and let me know.
chelseafan
2012-01-11, 18:06
It says svhost.com.exe
Also, AFTER deleting ComboFix, I had to restart the computer for an Adobe update (a genuine one this time), upon restarting the ComboFix malfunction appeared again.
I had to restart the computer for an Adobe update :laugh: I had to do the same today.
---------
Since you have not run the new ComboFix please right-click on the ComboFix icon and select Properties. Where is reads svchost.com.exe delete the .exe and then press OK. Now attempt to run ComboFix again.
If it runs and there is a log created post that into your next reply. If it doesn't let me know what happens.
chelseafan
2012-01-12, 01:05
Same problem...
Hi chelseafan,
We are going to do something different. :)
Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)
http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg
----------
Reboot your system.
----------
Download Combofix from either of the links below, and save it to your desktop. Before downloading it please rename it Iexplorer.com before saving it to your Desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Attempt to run ComboFix and post the log into your next reply. If there are any problems let me know. :)
chelseafan
2012-01-13, 00:52
Same problem.
Hi,
You'll need a CD and a USB flashdrive that has some space on it. We will not be changing any of the data on the usb device just using it for a file.
You will also need to use FireFox to download a file as Internet Explorer seems to mangle the download.
If you have any problems with these steps please let me know. It may look complicated but it's fairly straight forward and for the most part automated.
Download GETxPUD.exe (http://noahdfear.net/downloads/GETxPUD.exe) to your desktop
Run GETxPUD.exe by double clicking it.
A new folder will appear on the desktop.
Open the GETxPUD folder and click on the get&burn.bat
The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
Click on Start and follow the prompts to burn the image to your CD
Using FireFox, please download and save dumpit (http://noahdfear.net/downloads/dumpit) to your usb device.
You may want to print out this part as you will not be able to view these instructions once booted with the CD you just made.
Leave the usb device attached to the computer
Now boot your computer with the CD you just burned
with the CD in the computer, restart the computer
The computer must be set to boot from the CD,depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option or it can be set in the BIOS
Once you have the computer set to boot from the CD allow it to boot
A Welcome to xPUD screen will appear
Click on File
Expand mnt
sda1,or sda2...usually corresponds to your HDD
sdb1 is likely your USB
Click on the folder that represents your USB drive (sdb1 ?)
(you will be able to tell if it the right one as the screen will populate with your files)
Locate the file you downloaded and saved earlier, dumpit
double click it to run it
a black window will open, follow the instructions to close the window when it's finished
a file called MBR.zip should now be placed in the right hand panel
Click the Home icon at top
Remove the CD and click Power off
Click restart
Once the computer has rebooted open the usb device and attach the MBR.zip file to your next reply.
Are you still with me? :)
chelseafan
2012-01-16, 02:46
Hello, I didn't receive an email for that post. I'll follow your instructions tomorrow, it's late here.
chelseafan
2012-01-16, 17:01
I can't boot from CD. The xPUD screen appears with a list of languages to select. I select English, the screen goes black and says 'fatal error' etc. There is no 'file' to click on.
Hi chelseafan,
Ok sometimes that will happen. We will try another program.
--------
We'll use a CD that we will make bootable. We also need a USB flashdrive that has some space on it. We will not be changing any of the data on the usb device just using it for a file.
Save these files to your Desktop
Download Latest Puppy Linux ISO (http://distro.ibiblio.org/pub/linux/distributions/puppylinux/puppy-5.2.8/lupu-528.iso) (i.e.: lupu-528.iso)
Download BurnCDCC ISO Burning Software (http://api.viglink.com/api/click?format=go&key=bf4adfcbb328b51c165afd7f95bfc060&loc=http%3A%2F%2Fwww.geekstogo.com%2Fforum%2Ftopic%2F274691-use-puppy-linux-live-cd-to-recover-your-data%2F&v=1&libid=1320722667197&out=http%3A%2F%2Fwww.terabyteunlimited.com)
Open BurnCDCC and Extract All files to to it's own folder
Double Click BurnCDCC
Click Browse and navigate to the Puppy Linux ISO file you just downloaded
click on it and click Open
IMPORTANT: Adjust the speed bar to CD: 4x DVD: 1x
Click Start
Your CD Burner Tray will open automatically
Insert a blank CD and close the tray
Click OK
The CD should eject when finished.
Download and save pldumpit.exe (http://noahdfear.net/downloads/pldumpit.exe) to your USB device.
To use the CD
Leave the usb device attached to the computer
Insert the CD and restart the computer
When the computer first starts please press the key indicated on the screen to enter the bios or setup.
Make the necessary changes to make the CD first in the boot order
Save the changes and exit the bios/setup
Your computer will restart and boot from the Puppy Linux Live CD
You can save these instructions to a notepad on your usb device. Once you have mounted the drives you should be able view them by clicking on them.
Set your language, time. etc preferences and continue
Click the Mount Icon located at the top left of your desktop (should be 3rd from the left top row)
A Window will open, click mount for each drive listed
if you have a USB Flash Drive connected it's usually automatically mounted upon boot, but click the "usbdrv" tab and make sure it is mounted.
In the lower left you will see some icons with a green light on them. Click on the one that represents your usb device.
locate pldumpit.exe
right click it and select rename
please remove only the .exe from the file path
click rename
click on pldumpit
a window will open please hit enter when told to to close the window
there should now be a file named mbr.zip in the list of files
close all windows
click menu
highlight shutdown
click reboot
use the arrow key to select Do not save
hit enter
remove the CD before the computer restarts and allow the computer to boot
Please attach MBR.zip to your next reply.
chelseafan
2012-01-17, 05:04
I attached the file but just to let you know, I had a problem towards the end. After highlighting shutdown and reboot, there was no 'Do not save' option. I removed the CD, the screen loaded and it said 'Invalid or corrupt kernel image
Boot:'
Hi chelseafan,
I have not forgotten you. I am talking with colleagues about your system and what they are seeing. I appreciate you patience. I assure you I am working as quickly as I can on this. :thanks:
Hi,
Please download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.
To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
chelseafan
2012-01-24, 03:32
Still here, I'll do it tomorrow.
chelseafan
2012-01-24, 04:23
I decided to do it tonight.
Scan result of Farbar Recovery Tool (FRST written by farbar) Version: 17-01-2012 00
Ran by SYSTEM at 2012-01-24 02:16:41
Running from H:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1436736 2011-06-15] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10920552 2010-06-22] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-05-26] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKU\Paul\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5495680 2011-11-19] (SUPERAntiSpyware.com)
HKU\Paul\...\Run: [SansaDispatch] C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2011-08-18] (SanDisk Corporation)
HKU\Paul\...\Policies\system: [disableregistrytools] 0
HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{5FBA79C8-743B-45CB-B3F6-4EC3856F55EA}: [NameServer]8.8.8.8,208.67.220.220
==================== Services (Whitelisted) ======
2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-17] (SUPERAntiSpyware.com)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [12784 2011-04-27] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [288272 2011-04-27] (Microsoft Corporation)
2 Crypkey License; crypserv.exe [x]
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [x]
========================== Drivers (Whitelisted) =============
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
2 cpuz135; \??\C:\Windows\system32\drivers\cpuz135_x64.sys [21992 2010-11-09] (CPUID)
1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [254528 2011-04-19] (DT Soft Ltd)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-08-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-08-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 SeratoUsb; C:\Windows\System32\Drivers\SeratoUsb.sys [50808 2011-06-21] (Cristalink Ltd)
3 taphss; C:\Windows\System32\DRIVERS\taphss.sys [37888 2010-09-22] (AnchorFree Inc)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
1 NetworkX; C:\Windows\System32\ckldrv.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]
========================== NetSvcs (Whitelisted) ===========
============ One Month Created Files and Folders ==============
2012-01-24 02:16 - 2012-01-24 02:17 - 0000000 ____D C:\FRST
2012-01-23 09:13 - 2012-01-23 09:13 - 75469761 ____A C:\Users\James\Desktop\18627-Dublin 2012 Promo Mix 2.mp3
2012-01-23 07:35 - 2012-01-23 08:36 - 185463856 ____A C:\Users\James\Desktop\01-fabio_-_bbc_radio1-sat-01-23-2012-talion.mp3
2012-01-22 19:51 - 2012-01-22 19:51 - 14962880 ____A C:\Users\James\Desktop\kidcudisopa.mp3
2012-01-22 05:09 - 2012-01-22 05:13 - 82640808 ____A C:\Users\James\Desktop\Joey Beltram - Obsession - Quickening - Colliseum NYE '93.m4a
2012-01-19 05:58 - 2012-01-19 06:21 - 259202368 ____A C:\Users\James\Desktop\Bailey_1Xtra D&B_2012_01_18_qrip.mp3
2012-01-17 08:55 - 2012-01-17 08:58 - 25816232 ____A C:\Users\James\Desktop\Fabio and Grooverider_BBC Radio1_2012_01_16_qrip.mp3
2012-01-16 18:04 - 2012-01-16 18:04 - 0000000 ____D C:\Users\James\Desktop\burncdcc
2012-01-16 18:03 - 2012-01-16 18:03 - 0070397 ____A C:\Users\James\Desktop\burncdcc.zip
2012-01-16 18:00 - 2012-01-16 18:35 - 135467008 ____A C:\Users\James\Desktop\lupu-528.iso
2012-01-16 05:39 - 2012-01-16 05:50 - 0000000 ____D C:\Users\James\Desktop\GETxPUD
2012-01-12 05:47 - 2012-01-12 05:47 - 0057560 ____A C:\Users\James\Desktop\guitar.jpg
2012-01-11 05:40 - 2012-01-11 05:55 - 174062080 ____A C:\Users\James\Downloads\Bryan G_Ministry of Sound_D&B_V Recordings_2012_01_10_qrip.mp3
2012-01-10 14:53 - 2012-01-10 14:53 - 0334125 ____A C:\Users\James\Downloads\FSS(2).exe
2012-01-10 13:59 - 2011-11-19 06:58 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\packager.dll
2012-01-10 13:59 - 2011-11-19 06:01 - 0067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2012-01-10 13:59 - 2011-11-16 22:41 - 1731920 ____A (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2012-01-10 13:59 - 2011-11-16 21:38 - 1292080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2012-01-10 13:59 - 2011-10-25 21:25 - 1572864 ____A (Microsoft Corporation) C:\Windows\System32\quartz.dll
2012-01-10 13:59 - 2011-10-25 21:25 - 0366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-01-10 13:59 - 2011-10-25 20:32 - 1328128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2012-01-10 13:59 - 2011-10-25 20:32 - 0514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-01-10 13:59 - 2011-10-13 21:31 - 0918528 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-01-10 13:59 - 2011-10-13 20:24 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-01-10 10:49 - 2012-01-10 10:49 - 0334125 ____A C:\Users\James\Downloads\FSS(1).exe
2012-01-10 08:59 - 2012-01-10 08:59 - 0334125 ____A C:\Users\James\Downloads\FSS.exe
2012-01-10 04:57 - 2012-01-10 04:57 - 0258560 ____A (OldTimer Tools) C:\Users\James\Downloads\OTH.scr
2012-01-09 15:29 - 2012-01-09 15:29 - 0001131 ____A C:\Users\James\Desktop\Malwarebytes' Anti-Malware.lnk
2012-01-09 05:18 - 2012-01-09 05:21 - 0154518 ____A C:\TDSSKiller.2.6.25.0_09.01.2012_13.18.39_log.txt
2012-01-09 05:15 - 2012-01-09 05:15 - 1558406 ____A C:\Users\James\Downloads\tdsskiller.zip
2012-01-09 05:11 - 2012-01-09 23:25 - 0000000 ____D C:\Users\James\AppData\Roaming\Ohriva
2012-01-09 05:11 - 2012-01-09 11:40 - 0000000 ____D C:\Users\James\AppData\Roaming\Ukyso
2012-01-09 04:01 - 2012-01-09 11:41 - 0000000 ____D C:\Users\James\AppData\Roaming\Iteq
2012-01-08 16:24 - 2012-01-08 16:24 - 0000000 ____D C:\Windows\system64
2012-01-08 16:23 - 2012-01-09 05:28 - 0012404 __ASH C:\Users\James\AppData\Local\488o5v2e4050
2012-01-08 16:23 - 2012-01-09 05:28 - 0012404 __ASH C:\Users\All Users\488o5v2e4050
2012-01-08 16:23 - 2012-01-09 05:28 - 0012404 __ASH C:\ProgramData\488o5v2e4050
2012-01-08 15:51 - 2012-01-08 15:51 - 0000000 ____D C:\Users\James\AppData\Local\{E8AD9742-C88A-4EDB-8243-FD4C046DEB15}
2012-01-08 15:51 - 2012-01-08 15:51 - 0000000 ____D C:\Users\James\AppData\Local\{5E011144-F750-4358-B499-E1F06E908626}
2012-01-07 17:14 - 2012-01-07 17:15 - 4713472 ____A (AVAST Software) C:\Users\James\Downloads\aswMBR.exe
2012-01-07 16:49 - 2012-01-07 16:49 - 0584192 ____A (OldTimer Tools) C:\Users\James\Downloads\OTL(1).exe
2012-01-06 07:32 - 2012-01-06 07:53 - 259202368 ____A C:\Users\James\Downloads\Bailey_1Xtra D&B_2012_01_04_qrip.mp3
2012-01-05 06:36 - 2012-01-05 06:57 - 259202368 ____A C:\Users\James\Downloads\Crissy Criss_1Xtra D&B M1X_2012_01_05_qrip.mp3
2012-01-04 06:05 - 2012-01-04 06:34 - 174280384 ____A C:\Users\James\Downloads\Shogun Audio_Ministry of Sound D&B_2012_01_03_qrip.mp3
2011-12-28 07:42 - 2011-12-28 07:42 - 0001142 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2011-12-28 07:24 - 2011-12-28 07:30 - 240976355 ____A C:\Users\James\Downloads\20111226-bitm-vol-12-calibre-fava-12-jahre-baesse-ba.mp3
2011-12-28 06:54 - 2011-12-28 06:54 - 15292208 ____A (Mozilla) C:\Users\James\Downloads\Firefox Setup 9.0.1.exe
2011-12-27 07:23 - 2011-12-27 07:23 - 417591496 ____A C:\Windows\MEMORY.DMP
2011-12-27 07:23 - 2011-12-27 07:23 - 0373024 ____A C:\Windows\Minidump\122711-22370-01.dmp
2011-12-26 15:00 - 2011-12-26 15:07 - 136105462 ____A C:\Users\James\Downloads\DJ_Vapour-Dec_2011_3_Deck_Studio_Mix-www.36hertz.com.zip
2011-12-25 16:07 - 2011-12-25 16:07 - 0000000 ____D C:\Users\James\AppData\Local\{93BF89B5-58A4-49B8-8490-CD7E70BDA65F}
2011-12-25 16:07 - 2011-12-25 16:07 - 0000000 ____D C:\Users\James\AppData\Local\{896784B4-C401-459B-BEE4-05106EFBAA3E}
2011-12-25 04:06 - 2011-12-25 04:07 - 0000000 ____D C:\Users\James\AppData\Local\{37C0F7C8-BB64-475C-AF8F-32127CC2467E}
2011-12-25 04:06 - 2011-12-25 04:06 - 0000000 ____D C:\Users\James\AppData\Local\{3E09E124-29AF-401E-A450-7977E55E7F01}
============ 3 Months Modified Files and Folders =============
2012-01-24 02:17 - 2012-01-24 02:16 - 0000000 ____D C:\FRST
2012-01-23 18:08 - 2011-06-28 04:29 - 0000000 ____D C:\Program Files (x86)\OnlyWire
2012-01-23 18:08 - 2011-02-01 21:28 - 1370093 ____A C:\Windows\WindowsUpdate.log
2012-01-23 18:08 - 2009-07-13 20:45 - 0014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-01-23 18:08 - 2009-07-13 20:45 - 0014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-01-23 17:59 - 2011-02-01 07:59 - 0000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-01-23 17:58 - 2011-02-15 01:25 - 0130708 ____A C:\Windows\setupact.log
2012-01-23 17:58 - 2010-11-05 08:24 - 3113295872 __ASH C:\hiberfil.sys
2012-01-23 17:58 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-01-23 17:33 - 2011-02-01 07:59 - 0000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-01-23 12:22 - 2011-02-01 06:51 - 0000000 ____D C:\users\Paul
2012-01-23 09:13 - 2012-01-23 09:13 - 75469761 ____A C:\Users\James\Desktop\18627-Dublin 2012 Promo Mix 2.mp3
2012-01-23 08:36 - 2012-01-23 07:35 - 185463856 ____A C:\Users\James\Desktop\01-fabio_-_bbc_radio1-sat-01-23-2012-talion.mp3
2012-01-22 19:51 - 2012-01-22 19:51 - 14962880 ____A C:\Users\James\Desktop\kidcudisopa.mp3
2012-01-22 05:13 - 2012-01-22 05:09 - 82640808 ____A C:\Users\James\Desktop\Joey Beltram - Obsession - Quickening - Colliseum NYE '93.m4a
2012-01-19 06:21 - 2012-01-19 05:58 - 259202368 ____A C:\Users\James\Desktop\Bailey_1Xtra D&B_2012_01_18_qrip.mp3
2012-01-18 12:23 - 2011-12-10 06:58 - 0000000 ____D C:\Users\James\AppData\Roaming\uTorrent
2012-01-17 11:56 - 2011-09-19 11:12 - 0000600 ____A C:\Users\James\AppData\Local\PUTTY.RND
2012-01-17 08:58 - 2012-01-17 08:55 - 25816232 ____A C:\Users\James\Desktop\Fabio and Grooverider_BBC Radio1_2012_01_16_qrip.mp3
2012-01-16 18:35 - 2012-01-16 18:00 - 135467008 ____A C:\Users\James\Desktop\lupu-528.iso
2012-01-16 18:04 - 2012-01-16 18:04 - 0000000 ____D C:\Users\James\Desktop\burncdcc
2012-01-16 18:03 - 2012-01-16 18:03 - 0070397 ____A C:\Users\James\Desktop\burncdcc.zip
2012-01-16 05:50 - 2012-01-16 05:39 - 0000000 ____D C:\Users\James\Desktop\GETxPUD
2012-01-15 03:56 - 2011-12-15 11:13 - 0000000 ____D C:\Windows\ERDNT
2012-01-14 05:50 - 2011-12-19 08:36 - 0001044 ____A C:\Users\James\Desktop\rkill - Shortcut.lnk
2012-01-14 05:50 - 2011-12-14 14:11 - 0002186 ____A C:\Users\James\Desktop\Andy C with Dynamite MC 3 DECK SET - Shortcut.lnk
2012-01-12 14:50 - 2011-05-29 04:45 - 0015162 ____A C:\Windows\PFRO.log
2012-01-12 14:16 - 2011-09-19 10:40 - 0000000 ____D C:\users\James
2012-01-12 10:56 - 2011-09-19 10:40 - 0000000 ____D C:\Users\James\AppData\LocalLow
2012-01-12 05:47 - 2012-01-12 05:47 - 0057560 ____A C:\Users\James\Desktop\guitar.jpg
2012-01-11 05:55 - 2012-01-11 05:40 - 174062080 ____A C:\Users\James\Downloads\Bryan G_Ministry of Sound_D&B_V Recordings_2012_01_10_qrip.mp3
2012-01-10 16:32 - 2009-11-10 12:30 - 54008112 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-01-10 14:53 - 2012-01-10 14:53 - 0334125 ____A C:\Users\James\Downloads\FSS(2).exe
2012-01-10 10:49 - 2012-01-10 10:49 - 0334125 ____A C:\Users\James\Downloads\FSS(1).exe
2012-01-10 08:59 - 2012-01-10 08:59 - 0334125 ____A C:\Users\James\Downloads\FSS.exe
2012-01-10 04:57 - 2012-01-10 04:57 - 0258560 ____A (OldTimer Tools) C:\Users\James\Downloads\OTH.scr
2012-01-10 04:52 - 2009-07-13 21:08 - 0032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-01-09 23:25 - 2012-01-09 05:11 - 0000000 ____D C:\Users\James\AppData\Roaming\Ohriva
2012-01-09 23:25 - 2011-09-19 11:15 - 0000000 ____D C:\Users\James\Documents\Texter
2012-01-09 23:25 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-01-09 23:25 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-01-09 15:37 - 2011-12-19 08:37 - 0000659 ____A C:\rkill.log
2012-01-09 15:36 - 2011-02-01 07:11 - 0768550 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-01-09 15:35 - 2009-07-13 21:13 - 0768550 ____A C:\Windows\System32\PerfStringBackup.INI
2012-01-09 15:29 - 2012-01-09 15:29 - 0001131 ____A C:\Users\James\Desktop\Malwarebytes' Anti-Malware.lnk
2012-01-09 15:26 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-01-09 11:41 - 2012-01-09 04:01 - 0000000 ____D C:\Users\James\AppData\Roaming\Iteq
2012-01-09 11:40 - 2012-01-09 05:11 - 0000000 ____D C:\Users\James\AppData\Roaming\Ukyso
2012-01-09 05:28 - 2012-01-08 16:23 - 0012404 __ASH C:\Users\James\AppData\Local\488o5v2e4050
2012-01-09 05:28 - 2012-01-08 16:23 - 0012404 __ASH C:\Users\All Users\488o5v2e4050
2012-01-09 05:28 - 2012-01-08 16:23 - 0012404 __ASH C:\ProgramData\488o5v2e4050
2012-01-09 05:21 - 2012-01-09 05:18 - 0154518 ____A C:\TDSSKiller.2.6.25.0_09.01.2012_13.18.39_log.txt
2012-01-09 05:15 - 2012-01-09 05:15 - 1558406 ____A C:\Users\James\Downloads\tdsskiller.zip
2012-01-08 16:24 - 2012-01-08 16:24 - 0000000 ____D C:\Windows\system64
2012-01-08 16:23 - 2011-09-19 10:40 - 0000000 ____D C:\Users\James\AppData\Local\VirtualStore
2012-01-08 15:51 - 2012-01-08 15:51 - 0000000 ____D C:\Users\James\AppData\Local\{E8AD9742-C88A-4EDB-8243-FD4C046DEB15}
2012-01-08 15:51 - 2012-01-08 15:51 - 0000000 ____D C:\Users\James\AppData\Local\{5E011144-F750-4358-B499-E1F06E908626}
2012-01-08 15:51 - 2011-09-19 10:52 - 0000000 ____D C:\Users\James\AppData\Local\Windows Live
2012-01-07 17:33 - 2011-12-12 10:18 - 0003845 ____A C:\Users\Paul\Desktop\aswMBR.txt
2012-01-07 17:33 - 2011-12-12 10:18 - 0000512 ____A C:\Users\Paul\Desktop\MBR.dat
2012-01-07 17:31 - 2011-12-12 10:19 - 0003849 ____A C:\Users\Paul\Documents\aswMBR.txt
2012-01-07 17:31 - 2011-12-12 10:19 - 0000512 ____A C:\Users\Paul\Documents\MBR.dat
2012-01-07 17:15 - 2012-01-07 17:14 - 4713472 ____A (AVAST Software) C:\Users\James\Downloads\aswMBR.exe
2012-01-07 17:13 - 2011-12-15 13:03 - 0063216 ____A C:\Users\James\Downloads\OTL.Txt
2012-01-07 16:49 - 2012-01-07 16:49 - 0584192 ____A (OldTimer Tools) C:\Users\James\Downloads\OTL(1).exe
2012-01-06 07:53 - 2012-01-06 07:32 - 259202368 ____A C:\Users\James\Downloads\Bailey_1Xtra D&B_2012_01_04_qrip.mp3
2012-01-05 06:57 - 2012-01-05 06:36 - 259202368 ____A C:\Users\James\Downloads\Crissy Criss_1Xtra D&B M1X_2012_01_05_qrip.mp3
2012-01-04 06:34 - 2012-01-04 06:05 - 174280384 ____A C:\Users\James\Downloads\Shogun Audio_Ministry of Sound D&B_2012_01_03_qrip.mp3
2011-12-28 07:43 - 2011-02-01 07:06 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2011-12-28 07:42 - 2011-12-28 07:42 - 0001142 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2011-12-28 07:30 - 2011-12-28 07:24 - 240976355 ____A C:\Users\James\Downloads\20111226-bitm-vol-12-calibre-fava-12-jahre-baesse-ba.mp3
2011-12-28 06:54 - 2011-12-28 06:54 - 15292208 ____A (Mozilla) C:\Users\James\Downloads\Firefox Setup 9.0.1.exe
2011-12-27 07:23 - 2011-12-27 07:23 - 417591496 ____A C:\Windows\MEMORY.DMP
2011-12-27 07:23 - 2011-12-27 07:23 - 0373024 ____A C:\Windows\Minidump\122711-22370-01.dmp
2011-12-27 07:23 - 2011-02-08 06:39 - 0000000 ____D C:\Windows\Minidump
2011-12-26 15:07 - 2011-12-26 15:00 - 136105462 ____A C:\Users\James\Downloads\DJ_Vapour-Dec_2011_3_Deck_Studio_Mix-www.36hertz.com.zip
2011-12-25 16:07 - 2011-12-25 16:07 - 0000000 ____D C:\Users\James\AppData\Local\{93BF89B5-58A4-49B8-8490-CD7E70BDA65F}
2011-12-25 16:07 - 2011-12-25 16:07 - 0000000 ____D C:\Users\James\AppData\Local\{896784B4-C401-459B-BEE4-05106EFBAA3E}
2011-12-25 04:07 - 2011-12-25 04:06 - 0000000 ____D C:\Users\James\AppData\Local\{37C0F7C8-BB64-475C-AF8F-32127CC2467E}
2011-12-25 04:06 - 2011-12-25 04:06 - 0000000 ____D C:\Users\James\AppData\Local\{3E09E124-29AF-401E-A450-7977E55E7F01}
2011-12-24 14:32 - 2011-12-24 14:29 - 129935986 ____A C:\Users\James\Downloads\Thumbzo-Jungle Bells-Saturday December 24th 2011(1).mp3
2011-12-24 13:37 - 2011-12-24 13:32 - 129935986 ____A C:\Users\James\Downloads\Thumbzo-Jungle Bells-Saturday December 24th 2011.mp3
2011-12-23 10:31 - 2011-12-23 10:02 - 171986752 ____A C:\Users\James\Downloads\Annie Nightingale_2011_12_23_qrip.mp3
2011-12-23 10:16 - 2011-12-23 10:14 - 29017554 ____A C:\Users\James\Downloads\DJ Hype & IC3 @ Playaz 10 Years Of Fabric Anniversary at fabric.rar
2011-12-23 09:49 - 2011-12-23 09:47 - 44289674 ____A C:\Users\James\Downloads\DJZinc@THEEND ClosingWeekend.mp3
2011-12-22 14:48 - 2011-12-22 14:47 - 0000000 ____D C:\Users\James\AppData\Local\{8F4F8BB8-33F9-4D7C-8C00-073DA8B819DE}
2011-12-22 14:47 - 2011-12-22 14:47 - 0000000 ____D C:\Users\James\AppData\Local\{40903789-650A-4443-98D8-694554FC2292}
2011-12-22 10:31 - 2011-02-01 06:51 - 0000000 ____D C:\Users\Paul\AppData\Local\VirtualStore
2011-12-21 10:08 - 2011-12-21 10:04 - 55111749 ____A C:\Users\James\Downloads\DJ Ollie with Skibadee.mp3
2011-12-21 08:59 - 2011-12-21 08:59 - 0000000 ____D C:\Users\James\AppData\Local\{DAF1C0ED-613E-416A-AA04-B49C8DB1CD04}
2011-12-21 08:59 - 2011-12-21 08:59 - 0000000 ____D C:\Users\James\AppData\Local\{B95DD0E8-BE75-4B41-8946-184B004DC0D1}
2011-12-20 13:17 - 2011-12-20 11:57 - 0000000 ____D C:\$RECYCLE.BIN
2011-12-20 11:57 - 2009-07-13 18:34 - 0000215 ____A C:\Windows\system.ini
2011-12-20 11:57 - 2009-07-13 18:34 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2011-12-20 11:49 - 2011-12-20 11:49 - 0000000 ____D C:\Users\James\AppData\Local\{16C450A8-1381-4041-B64A-8F9140B2FDD0}
2011-12-20 11:49 - 2011-12-20 11:48 - 0000000 ____D C:\Users\James\AppData\Local\{07CA265C-A8D8-44D1-A283-645BA8EDE0E8}
2011-12-19 19:55 - 2011-10-19 16:37 - 0000000 ____D C:\Users\James\AppData\Roaming\Skype
2011-12-19 08:35 - 2011-12-19 08:35 - 1008141 ____A C:\Users\James\Downloads\rkill.exe
2011-12-19 04:03 - 2011-12-19 04:03 - 0000000 ____D C:\Users\James\AppData\Local\{96EAC13C-37F7-481D-BC83-83894D429BAC}
2011-12-19 04:03 - 2011-12-19 04:03 - 0000000 ____D C:\Users\James\AppData\Local\{81C5D245-F988-4560-AC51-26183A19DD86}
2011-12-18 17:12 - 2011-12-18 17:12 - 0000000 ____A C:\Users\James\AppData\Local\{8E34C5D5-5F94-43F9-B31E-29191073B050}
2011-12-18 14:52 - 2011-12-18 14:52 - 0000000 ____D C:\Users\James\AppData\Local\{A8C660AA-8234-4011-A3FB-64CD62D465FB}
2011-12-18 14:52 - 2011-12-18 14:52 - 0000000 ____D C:\Users\James\AppData\Local\{56C9F0E2-D0CE-4601-8746-B60491C74BAE}
2011-12-17 16:51 - 2011-12-17 16:51 - 0000000 ____D C:\Users\James\AppData\Local\{A0200026-1F9E-40FB-B8FA-FFF755AAF72A}
2011-12-17 16:51 - 2011-12-17 16:51 - 0000000 ____D C:\Users\James\AppData\Local\{47E4D6D4-36AB-4671-ACB5-9FFAE20070A9}
2011-12-17 15:05 - 2011-09-22 10:10 - 1202432 ____A C:\Windows\ntbtlog.txt
2011-12-17 14:56 - 2011-12-17 14:56 - 0000000 ____D C:\_OTL
2011-12-17 14:45 - 2011-12-17 14:45 - 0000000 ____A C:\Users\James\AppData\Local\{ACA8703F-83A7-4BCE-BAC6-B732538C4DDD}
2011-12-17 08:43 - 2011-12-17 08:00 - 259202368 ____A C:\Users\James\Downloads\1xtra D&B Bailey_2011_12_14_qrip.mp3
2011-12-17 04:50 - 2011-12-17 04:50 - 0000000 ____D C:\Users\James\AppData\Local\{7E2953AD-A7D4-4FB5-A5E5-BF014AD87242}
2011-12-17 04:50 - 2011-12-17 04:50 - 0000000 ____D C:\Users\James\AppData\Local\{4139DADB-B414-4AD3-B5FC-7842F790172E}
2011-12-16 11:58 - 2011-12-16 11:58 - 0001108 ____A C:\Users\Paul\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
2011-12-16 11:58 - 2011-12-16 11:58 - 0001108 ____A C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
2011-12-16 11:58 - 2011-12-16 11:58 - 0000928 ____A C:\Users\Paul\Desktop\NTREGOPT.lnk
2011-12-16 11:58 - 2011-12-16 11:58 - 0000928 ____A C:\Users\James\Desktop\NTREGOPT.lnk
2011-12-16 11:58 - 2011-12-16 11:58 - 0000909 ____A C:\Users\Paul\Desktop\ERUNT.lnk
2011-12-16 11:58 - 2011-12-16 11:58 - 0000909 ____A C:\Users\James\Desktop\ERUNT.lnk
2011-12-16 11:58 - 2011-12-16 11:58 - 0000000 ____D C:\Program Files (x86)\ERUNT
2011-12-16 11:57 - 2011-12-16 11:57 - 0791393 ____A (Lars Hederer ) C:\Users\James\Downloads\erunt-setup.exe
2011-12-16 05:16 - 2011-12-16 05:16 - 0000000 ____D C:\Users\James\AppData\Local\{60E61B4E-CBB3-4FEE-AE20-627E94E2CAAD}
2011-12-16 05:16 - 2011-12-16 05:16 - 0000000 ____D C:\Users\James\AppData\Local\{156AD28B-D09B-458C-951A-40B288EF3092}
2011-12-15 17:48 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2011-12-15 17:00 - 2011-12-15 17:00 - 0000000 ____D C:\Users\James\AppData\Local\{B1A4B955-AB67-4329-AF73-1D067DC66067}
2011-12-15 17:00 - 2011-12-15 16:59 - 0000000 ____D C:\Users\James\AppData\Local\{37EDA46E-736E-4D90-9754-B2D9F2BD2A10}
2011-12-15 14:20 - 2011-12-15 14:01 - 0000000 ____D C:\Users\James\Downloads\The.Tourist.2010.TS.XviD.Feel-Free
2011-12-15 14:20 - 2011-12-15 13:58 - 0000000 ____D C:\Users\James\Downloads\The.Mechanic.2011.R5.LiNE.AC3-T0XiC-iNK
2011-12-15 14:03 - 2011-12-15 14:03 - 0000000 ____D C:\Users\James\Downloads\Tracker.2010.PAL.Retail.NL.Subs
2011-12-15 14:03 - 2011-12-15 14:03 - 0000000 ____D C:\Users\James\Downloads\Page.Eight.2011.HDRip.XVID.AC3.HQ.Hive-CM8
2011-12-15 14:03 - 2011-12-15 13:58 - 0000000 ____D C:\Users\James\Downloads\The Way Back (2010) DVDRip XviD-MAXSPEED
2011-12-15 13:04 - 2011-12-15 13:04 - 0039568 ____A C:\Users\James\Downloads\Extras.Txt
2011-12-15 12:59 - 2011-12-15 12:58 - 0001411 ____A C:\Users\James\Desktop\OTL - Shortcut.lnk
2011-12-15 12:50 - 2011-12-15 12:50 - 0584192 ____A (OldTimer Tools) C:\Users\James\Downloads\OTL.exe
2011-12-15 09:57 - 2011-12-10 07:03 - 0000000 ____D C:\Users\James\Downloads\Inception (2010) DVDRip XviD-MAXSPEED
2011-12-15 06:14 - 2011-12-15 06:09 - 48764328 ____A C:\Users\James\Downloads\Nolige - The Drift EP [13.12.11].rar
2011-12-15 04:59 - 2011-12-15 04:59 - 0000000 ____D C:\Users\James\AppData\Local\{47F8C662-0AD8-4000-9370-B4C2B4B789CD}
2011-12-15 04:59 - 2011-12-15 04:58 - 0000000 ____D C:\Users\James\AppData\Local\{69276D1C-6CE8-481C-93F5-93D903430F76}
2011-12-14 19:21 - 2009-07-13 20:45 - 4853768 ____A C:\Windows\System32\FNTCACHE.DAT
2011-12-14 15:39 - 2011-12-14 15:30 - 114738180 ____A C:\Users\James\Downloads\Thumbzo-Bah Humbug-December 2011.mp3
2011-12-14 15:38 - 2011-12-14 15:31 - 132833222 ____A C:\Users\James\Downloads\Thumbzo b2b Al Wah-The Spitfire Show-Saturday December 10 th 2011.mp3
2011-12-14 14:08 - 2011-12-14 14:01 - 149270496 ____A C:\Users\James\Downloads\Andy C with Dynamite MC 3 DECK SET.mp3
2011-12-14 13:12 - 2011-12-14 13:07 - 44740339 ____A C:\Users\James\Downloads\DJ_Swift___DJ_Zinc_-_Dream_FM_-_Early_1994.mp3
2011-12-14 06:09 - 2011-12-14 06:09 - 0000000 ____D C:\Users\James\AppData\Local\{E64DCE44-42DC-45AF-9DDA-68E31473158B}
2011-12-14 06:09 - 2011-12-14 06:08 - 0000000 ____D C:\Users\James\AppData\Local\{7D8721F9-5537-4E39-ADEC-5ED4B8F37C8B}
2011-12-13 09:12 - 2011-12-13 09:11 - 0000000 ____D C:\Users\James\AppData\Local\{15AA480F-AC7E-47B4-A6C5-06864CA8D3C1}
2011-12-13 09:11 - 2011-12-13 09:11 - 0000000 ____D C:\Users\James\AppData\Local\{58E71F26-F60D-45AA-9672-7BFE0864B50A}
2011-12-13 09:07 - 2011-12-09 09:01 - 0000000 ____D C:\Users\James\AppData\Roaming\Hypue
2011-12-13 08:44 - 2011-12-09 09:01 - 0000000 ____D C:\Users\James\AppData\Roaming\Lybeig
2011-12-12 10:17 - 2011-12-12 10:17 - 0050477 ____A C:\Users\James\Downloads\Defogger.exe
2011-12-12 10:17 - 2011-12-12 10:17 - 0000168 ____A C:\Users\Paul\defogger_reenable
2011-12-12 08:18 - 2011-12-12 08:18 - 0000000 ____D C:\Users\James\AppData\Local\{D0ACFA85-1953-48E0-8F08-2266AE479152}
2011-12-12 08:18 - 2011-12-12 08:18 - 0000000 ____D C:\Users\James\AppData\Local\{CF754871-2CE2-4A1C-8511-01D15724F679}
2011-12-11 05:06 - 2011-12-11 05:06 - 0877475 ____A C:\Users\James\Desktop\acid-alkaline-food-chart-1.4.pdf
2011-12-11 05:05 - 2011-12-11 05:05 - 0000000 ____D C:\Users\James\AppData\Local\{8CA4EC66-12AE-4F4D-ABDB-C6182FDC6F36}
2011-12-11 05:05 - 2011-12-11 05:05 - 0000000 ____D C:\Users\James\AppData\Local\{568C1D4F-2D9F-489C-AE08-1CC237FBB130}
2011-12-10 16:16 - 2011-12-10 16:16 - 0000000 ____D C:\Users\James\AppData\Local\{B61E5078-1B55-43FD-8290-50D4B7C6D9C2}
2011-12-10 16:16 - 2011-12-10 16:16 - 0000000 ____D C:\Users\James\AppData\Local\{B323090D-76DE-4087-825C-3FE0B387B135}
2011-12-10 10:07 - 2011-12-10 07:01 - 0000000 ____D C:\Users\James\Downloads\Pirates of the Caribbean On Stranger Tides (2011) DVDRip XviD-MAXSPEED
2011-12-10 06:59 - 2011-12-10 06:59 - 0000947 ____A C:\Users\Public\Desktop\µTorrent.lnk
2011-12-10 06:59 - 2011-02-01 07:51 - 0000000 ____D C:\Users\Paul\AppData\Roaming\uTorrent
2011-12-10 06:59 - 2011-02-01 07:51 - 0000000 ____D C:\Program Files (x86)\uTorrent
2011-12-10 06:58 - 2011-12-10 06:58 - 0736120 ____A (BitTorrent, Inc.) C:\Users\James\Downloads\utorrent.exe
2011-12-10 04:05 - 2011-12-10 04:05 - 0000000 ____D C:\Users\James\AppData\Local\{98CE8C50-6224-487C-8CF0-F1C6A744B912}
2011-12-10 04:05 - 2011-12-10 04:04 - 0000000 ____D C:\Users\James\AppData\Local\{2C734C0E-0BAE-4AA5-BA7F-FAD7C4237043}
2011-12-09 06:45 - 2011-12-09 06:45 - 0017962 ____A C:\Attach.txt
2011-12-09 06:45 - 2011-12-09 06:32 - 0017962 ____A C:\Users\Paul\Desktop\Attach.txt
2011-12-09 06:40 - 2011-12-09 06:40 - 0003974 ____A C:\Users\Paul\Desktop\Attach.zip
2011-12-09 05:36 - 2011-12-09 05:36 - 0000000 ____D C:\Users\James\AppData\Local\{60C3F0A7-DAA4-48C7-86C7-5FDF1F23518E}
2011-12-09 05:36 - 2011-12-09 05:36 - 0000000 ____D C:\Users\James\AppData\Local\{5A913F98-5870-4280-8C01-63515E02D613}
2011-12-08 17:36 - 2011-12-08 17:35 - 0000000 ____D C:\Users\James\AppData\Local\{D6FD4C29-58CC-4999-8F7D-C09A48287488}
2011-12-08 17:35 - 2011-12-08 17:35 - 0000000 ____D C:\Users\James\AppData\Local\{DE210A3C-1083-414F-9F8A-E7ACBB721CCF}
2011-12-08 14:08 - 2011-12-08 14:08 - 0607260 ___RA (Swearware) C:\Users\James\Downloads\dds.scr
2011-12-08 10:11 - 2011-12-08 10:11 - 0000000 ____D C:\Users\James\AppData\Roaming\Malwarebytes
2011-12-08 09:58 - 2011-12-08 09:58 - 0000184 ____A C:\Users\All Users\REGSVR32.EXE-x.txt
2011-12-08 09:58 - 2011-12-08 09:58 - 0000184 ____A C:\ProgramData\REGSVR32.EXE-x.txt
2011-12-08 05:35 - 2011-12-08 05:35 - 0000000 ____D C:\Users\James\AppData\Local\{CCC71CF9-CA68-41B6-B0AA-688C2131BC01}
2011-12-08 05:35 - 2011-12-08 05:34 - 0000000 ____D C:\Users\James\AppData\Local\{1A26401D-A8F7-47BD-9071-E76879B01458}
2011-12-08 05:24 - 2011-12-08 05:23 - 0000000 ____D C:\Users\James\AppData\Local\{35130E36-370D-41CF-9F81-032908534239}
2011-12-08 05:23 - 2011-12-08 05:23 - 0000000 ____D C:\Users\James\AppData\Local\{CD5DACCC-F8CD-4BC0-B1A9-53708DC3CA8C}
2011-12-07 04:33 - 2011-12-07 04:33 - 0000000 ____D C:\Users\James\AppData\Local\{CEED576A-B45A-4325-8D9F-1C9172235590}
2011-12-07 04:33 - 2011-12-07 04:33 - 0000000 ____D C:\Users\James\AppData\Local\{897C00C9-2F3A-4F0E-9F54-D96C11C1129B}
2011-12-06 16:28 - 2011-12-06 16:28 - 0000000 ____D C:\Users\James\AppData\Local\{F854CB91-5C38-4AF5-912E-E68D06B46A50}
2011-12-06 16:28 - 2011-12-06 16:28 - 0000000 ____D C:\Users\James\AppData\Local\{E17F448F-6FEB-4EAF-A3CC-27571534F80C}
2011-12-06 11:26 - 2011-02-01 07:03 - 0000000 ____D C:\Users\Paul\AppData\Local\Windows Live
2011-12-06 04:24 - 2011-12-06 04:24 - 0000000 ____D C:\Users\James\AppData\Local\{E2B1F99E-B4B5-4488-920D-F0F669FB5485}
2011-12-06 04:24 - 2011-12-06 04:24 - 0000000 ____D C:\Users\James\AppData\Local\{A1401646-3494-4933-97AE-90908D393FB7}
2011-12-05 12:07 - 2011-12-05 12:07 - 1869704 ____A C:\Users\James\Desktop\acid-alkaline-food-chart-1.3.pdf
2011-12-05 05:18 - 2011-12-05 05:17 - 0000000 ____D C:\Users\James\AppData\Local\{23953D72-F47C-4E08-AFA5-2F4BB6EB68B2}
2011-12-05 05:17 - 2011-12-05 05:17 - 0000000 ____D C:\Users\James\AppData\Local\{BF54BFC9-87AF-410F-8FEC-0830051C22E4}
2011-12-04 10:17 - 2011-12-04 10:17 - 0000000 ____D C:\Users\James\AppData\Local\{FFDE7C7E-5648-4801-B879-C12B88BF5A48}
2011-12-04 10:17 - 2011-12-04 10:17 - 0000000 ____D C:\Users\James\AppData\Local\{B14B1AF0-8E19-43BE-898E-995A9D163C12}
2011-12-03 17:18 - 2011-12-03 17:18 - 0000000 ____D C:\Users\James\AppData\Local\{9944779F-9575-46AA-9966-97D91F6D75F2}
2011-12-03 17:18 - 2011-12-03 17:18 - 0000000 ____D C:\Users\James\AppData\Local\{13F1E45E-7FC5-4F38-A88E-A022CAD6EAC2}
2011-12-03 04:39 - 2011-12-03 04:39 - 0000000 ____D C:\Users\James\AppData\Local\{7BFE2660-C1D5-4AC8-A8DE-872F5560B9C8}
2011-12-03 04:39 - 2011-12-03 04:39 - 0000000 ____D C:\Users\James\AppData\Local\{672C0BFB-79D1-4B04-B7C6-2ECDD4FF5E2A}
2011-12-02 05:28 - 2011-12-02 05:28 - 0000000 ____D C:\Users\James\AppData\Local\{E8207A99-5462-420C-BC2C-400AC0C1092A}
2011-12-02 05:28 - 2011-12-02 05:28 - 0000000 ____D C:\Users\James\AppData\Local\{C12452F3-744A-4EB3-A488-19822EDA2843}
2011-12-01 17:27 - 2011-12-01 17:27 - 0000000 ____D C:\Users\James\AppData\Local\{FBDC4A20-F1AD-42A5-A946-1E55234F4C89}
2011-12-01 17:27 - 2011-12-01 17:27 - 0000000 ____D C:\Users\James\AppData\Local\{8CBEF71A-E825-4583-86D0-969FA43BF73A}
2011-12-01 11:42 - 2011-12-01 11:42 - 0001472 ____A C:\Users\James\Desktop\french rates.txt
2011-12-01 05:27 - 2011-12-01 05:26 - 0000000 ____D C:\Users\James\AppData\Local\{1BF098BD-6240-4A7F-A01D-DB0E8C15A108}
2011-12-01 05:26 - 2011-12-01 05:26 - 0000000 ____D C:\Users\James\AppData\Local\{BFC623B1-9F9B-47BF-819D-A57367DE6F7F}
2011-11-30 09:35 - 2011-11-30 08:38 - 176105234 ____A C:\Users\James\Downloads\Ministry of Sound_D&B_Metalheadz_DJ Storm_2011_11_29_qrip.mp3
2011-11-30 08:28 - 2011-11-30 08:22 - 112085921 ____A C:\Users\James\Downloads\DJ Break@Bass Heavy(1).mp3
2011-11-30 08:08 - 2011-11-30 08:02 - 112085921 ____A C:\Users\James\Downloads\DJ Break@Bass Heavy.mp3
2011-11-30 05:29 - 2011-11-30 05:29 - 0000000 ____D C:\Users\James\AppData\Local\{BDDB3379-1B60-444C-9BBE-2B8B18A4D2E3}
2011-11-30 05:29 - 2011-11-30 05:29 - 0000000 ____D C:\Users\James\AppData\Local\{5FACCF03-5691-4A77-951F-A885B7E70AFB}
2011-11-29 08:37 - 2011-11-29 08:37 - 0000000 ____D C:\Users\James\AppData\Local\{CFB1E896-C7DF-4B95-A7FF-038FF27C1822}
2011-11-29 08:37 - 2011-11-29 08:37 - 0000000 ____D C:\Users\James\AppData\Local\{BECFFFD4-FC99-4EE2-8204-BBE8CDCCFD32}
2011-11-29 08:37 - 2011-11-29 08:36 - 0000000 ____D C:\Users\James\AppData\Local\{B4919698-7C21-4576-B479-82C50984018C}
2011-11-29 06:12 - 2011-02-01 11:06 - 0000000 ____D C:\Users\Paul\AppData\Roaming\vlc
2011-11-28 16:15 - 2011-11-28 16:15 - 0000000 ____D C:\Users\James\AppData\Local\{4A2C319A-465E-47C1-B23E-A6CAA5025A7F}
2011-11-28 16:15 - 2011-11-28 16:15 - 0000000 ____D C:\Users\James\AppData\Local\{115A429C-7F8F-43AF-B385-D1C7BF5A1377}
2011-11-28 04:14 - 2011-11-28 04:14 - 0000000 ____D C:\Users\James\AppData\Local\{C2F57762-0457-4A5A-9126-8324569F0C8E}
2011-11-28 04:14 - 2011-11-28 04:14 - 0000000 ____D C:\Users\James\AppData\Local\{AA52E2FC-D84C-4696-A877-9771819EFEA4}
2011-11-27 07:17 - 2011-11-27 07:17 - 0000000 ____D C:\Users\James\AppData\Local\{9C51240C-957F-4BEF-9A36-B21AA4CAC770}
2011-11-27 07:17 - 2011-11-27 07:17 - 0000000 ____D C:\Users\James\AppData\Local\{5CCEE712-3B55-4B5A-9A0F-59017EBC6831}
2011-11-26 16:00 - 2011-11-26 16:00 - 0000000 ____D C:\Users\James\AppData\Local\{7ADF72D7-3034-4D6E-B6EF-5F33144CCECD}
2011-11-26 16:00 - 2011-11-26 15:59 - 0000000 ____D C:\Users\James\AppData\Local\{B7712688-D565-4E96-B8B3-3B2893547253}
2011-11-26 03:50 - 2011-11-26 03:50 - 0000000 ____D C:\Users\James\AppData\Local\{C8E899BE-201F-4C55-8394-6778D3DA0A30}
2011-11-26 03:49 - 2011-11-26 03:49 - 0000000 ____D C:\Users\James\AppData\Local\{C50AC2A8-773D-4558-B239-94CE1911CACA}
2011-11-25 04:20 - 2011-11-25 04:19 - 0000000 ____D C:\Users\James\AppData\Local\{A5632211-0554-4B36-9166-7834199014D6}
2011-11-25 04:19 - 2011-11-25 04:19 - 0000000 ____D C:\Users\James\AppData\Local\{53C35F6B-96AA-4C79-88F1-993C00CD1641}
2011-11-24 07:37 - 2011-11-24 06:13 - 259202368 ____A C:\Users\James\Downloads\1Xtra D&B Bailey_2011_11_23_qrip.mp3
2011-11-24 05:13 - 2011-11-24 05:13 - 0000000 ____D C:\Users\James\AppData\Local\{EC2D24A1-394E-4A17-9259-37DF8AC1C28B}
2011-11-24 05:13 - 2011-11-24 05:13 - 0000000 ____D C:\Users\James\AppData\Local\{B72E4C0D-25A3-4268-BF01-671224C3CF4C}
2011-11-23 20:52 - 2011-12-14 12:34 - 3145216 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-11-23 08:42 - 2011-11-23 08:41 - 9675369 ____A C:\Users\James\Downloads\Underworld - dark and long (dark train).mp3
2011-11-23 08:41 - 2011-11-23 08:40 - 5605282 ____A C:\Users\James\Downloads\Phaze 1 - Natural.mp3
2011-11-23 05:45 - 2011-11-23 05:45 - 0000000 ____D C:\Users\James\AppData\Local\{54A1BC70-7FB8-448A-9184-610C35531B37}
2011-11-23 05:45 - 2011-11-23 05:45 - 0000000 ____D C:\Users\James\AppData\Local\{50A19F6F-E536-44A8-AAA0-AE32020CF669}
2011-11-23 05:39 - 2011-11-23 05:21 - 93828469 ____A C:\Users\James\Downloads\01-tiesto_-_club_life_242-cable-11-20-2011-talion.mp3
2011-11-22 17:22 - 2011-11-22 17:22 - 0000000 ____D C:\Users\James\AppData\Local\{4D6A5707-0ED9-4B48-A42D-2A055074561C}
2011-11-22 17:22 - 2011-11-22 17:21 - 0000000 ____D C:\Users\James\AppData\Local\{8094BDD8-40FA-4C7D-BE81-DF47FD553B1D}
2011-11-22 05:21 - 2011-11-22 05:21 - 0000000 ____D C:\Users\James\AppData\Local\{76FFCBDA-7913-4ED0-83BA-029EB0D9D9F6}
2011-11-22 05:21 - 2011-11-22 05:21 - 0000000 ____D C:\Users\James\AppData\Local\{3EEC63DB-80B7-4AE6-9C26-92615AF8989F}
2011-11-21 17:20 - 2011-11-21 17:20 - 0000000 ____D C:\Users\James\AppData\Local\{C1327BE3-A642-4C94-968C-6F3059D79BEA}
2011-11-21 17:20 - 2011-11-21 17:20 - 0000000 ____D C:\Users\James\AppData\Local\{BCAC1A38-AE79-45D1-98DB-2CA1AE6D7D78}
2011-11-21 05:20 - 2011-11-21 05:19 - 0000000 ____D C:\Users\James\AppData\Local\{42CCE4E3-8DAF-4A7A-877D-495F7E8E05B1}
2011-11-21 05:19 - 2011-11-21 05:19 - 0000000 ____D C:\Users\James\AppData\Local\{37A3295C-CE89-495A-968C-8A009BF08C58}
2011-11-20 06:42 - 2011-11-20 06:42 - 0000000 ____D C:\Users\James\AppData\Local\{D2AB6D3A-8715-41AB-8BC4-7A8F62E35400}
2011-11-20 06:42 - 2011-11-20 06:42 - 0000000 ____D C:\Users\James\AppData\Local\{04D8F51A-CFED-4F59-8F09-31E9D73993D2}
2011-11-19 18:10 - 2011-11-19 18:10 - 0000000 ____D C:\Users\James\AppData\Local\{92F66B79-D76B-40F4-875C-E22BBE4FB087}
2011-11-19 18:10 - 2011-11-19 18:10 - 0000000 ____D C:\Users\James\AppData\Local\{8E2DAB0F-CE46-4D4D-8AC3-1396F86910D9}
2011-11-19 06:58 - 2012-01-10 13:59 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\packager.dll
2011-11-19 06:01 - 2012-01-10 13:59 - 0067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2011-11-19 04:48 - 2011-11-19 04:48 - 0000000 ____D C:\Users\James\AppData\Local\{FDC2E2B5-C368-4181-9E32-B21E0A0BD8DB}
2011-11-19 04:48 - 2011-11-19 04:48 - 0000000 ____D C:\Users\James\AppData\Local\{8F920BD2-3408-4C0F-A0D1-9DCEC17F3CDD}
2011-11-19 02:55 - 2011-02-01 07:27 - 0000000 ____D C:\Program Files\SUPERAntiSpyware
2011-11-19 02:54 - 2011-05-21 22:18 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2011-11-18 16:48 - 2011-11-18 16:47 - 0000000 ____D C:\Users\James\AppData\Local\{A5B3A5F0-FE26-42BC-A21A-B97C4BDC8453}
2011-11-18 16:47 - 2011-11-18 16:47 - 0000000 ____D C:\Users\James\AppData\Local\{F6372E9C-43A9-4587-8FB8-07F74F07734A}
2011-11-18 04:47 - 2011-11-18 04:47 - 0000000 ____D C:\Users\James\AppData\Local\{9021033C-B24C-49B6-B3F8-2CEAFD4A7265}
2011-11-18 04:47 - 2011-11-18 04:46 - 0000000 ____D C:\Users\James\AppData\Local\{CE1C2C9C-DDFE-4DAC-9832-0C6E403CADBC}
2011-11-17 16:46 - 2011-11-17 16:46 - 0000000 ____D C:\Users\James\AppData\Local\{D1CA4A02-3FB9-4099-A060-024931E841E1}
2011-11-17 16:46 - 2011-11-17 16:46 - 0000000 ____D C:\Users\James\AppData\Local\{083FF1AB-ADBE-4722-A306-96A1A25B6BA9}
2011-11-17 04:45 - 2011-11-17 04:45 - 0000000 ____D C:\Users\James\AppData\Local\{ED80359B-F014-4C7E-BF4F-E6CF2C90A9ED}
2011-11-17 04:45 - 2011-11-17 04:45 - 0000000 ____D C:\Users\James\AppData\Local\{2BF554A9-E5BC-4ECD-A091-414E79788920}
2011-11-16 22:41 - 2012-01-10 13:59 - 1731920 ____A (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2011-11-16 21:38 - 2012-01-10 13:59 - 1292080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2011-11-16 16:45 - 2011-11-16 16:45 - 0000000 ____D C:\Users\James\AppData\Local\{45C3582D-DE56-4674-AFE3-41BD339C1006}
2011-11-16 16:45 - 2011-11-16 16:44 - 0000000 ____D C:\Users\James\AppData\Local\{69D578EE-BD4E-451B-B374-F221BFDD1DF6}
2011-11-16 09:13 - 2011-11-16 09:13 - 3365021 ____A C:\Users\James\Downloads\Gorillaz_ 19-2000 (Soulchild Remix).mp3
2011-11-16 08:59 - 2011-11-16 08:59 - 3369201 ____A C:\Users\James\Downloads\Nothing But You By Paul Van Dyk(1).mp3
2011-11-16 08:51 - 2011-11-16 08:51 - 3369201 ____A C:\Users\James\Downloads\Nothing But You By Paul Van Dyk.mp3
2011-11-16 08:42 - 2011-11-16 08:42 - 3838987 ____A C:\Users\James\Downloads\Underworld - Two Months Off.mp3
2011-11-16 04:44 - 2011-11-16 04:44 - 0000000 ____D C:\Users\James\AppData\Local\{7EC8DC4D-B7E5-4E10-8A9F-5A337C7E3592}
2011-11-16 04:44 - 2011-11-16 04:44 - 0000000 ____D C:\Users\James\AppData\Local\{7A06B5C2-F861-426A-BFB4-54F73929C4F9}
2011-11-15 16:29 - 2011-11-15 16:29 - 0000000 ____D C:\Users\James\AppData\Local\{23509D92-11C7-4EEA-8784-BC08004AB976}
2011-11-15 16:29 - 2011-11-15 16:28 - 0000000 ____D C:\Users\James\AppData\Local\{A88B6D07-DBA9-43CE-9EA2-EB5FB27CD119}
2011-11-15 04:28 - 2011-11-15 04:27 - 0000000 ____D C:\Users\James\AppData\Local\{BCDEE1C9-B7C9-462A-A12D-05BDF39F183B}
2011-11-15 04:27 - 2011-11-15 04:27 - 0000000 ____D C:\Users\James\AppData\Local\{3E13FB4E-0AB2-4443-AF30-1E41582E013A}
2011-11-14 07:23 - 2011-11-14 07:22 - 5719385 ____A C:\Users\James\Downloads\Jay Parkes And Tone-E-G - Untitled (ANT 1).mp3
2011-11-14 07:21 - 2011-11-14 07:21 - 4858389 ____A C:\Users\James\Downloads\Doc Scott - Inside Out.mp3
2011-11-14 07:20 - 2011-11-14 07:20 - 6843559 ____A C:\Users\James\Downloads\D4 - Careless.mp3
2011-11-14 07:19 - 2011-11-14 07:18 - 7732276 ____A C:\Users\James\Downloads\Natural Mystic - Privacy.mp3
2011-11-14 07:17 - 2011-11-14 07:17 - 5995238 ____A C:\Users\James\Downloads\Natural Mystic - Lazy Part 2.mp3
2011-11-14 07:15 - 2011-11-14 07:15 - 6055006 ____A C:\Users\James\Downloads\The Fat Controller - In Complete Darkness (Nookie Remix) 1995.mp3
2011-11-14 07:15 - 2011-11-14 07:15 - 5104274 ____A C:\Users\James\Downloads\The Spice - Feel Free.mp3
2011-11-14 07:13 - 2011-11-14 07:13 - 5573935 ____A C:\Users\James\Downloads\Mr Monik - Atmosphere 1996.mp3
2011-11-14 07:03 - 2011-11-14 07:03 - 0000000 ____D C:\Users\James\AppData\Local\{9EBF32D6-A65B-430F-AAC0-FCB9C1B4C1BA}
2011-11-14 07:03 - 2011-11-14 07:03 - 0000000 ____D C:\Users\James\AppData\Local\{8F967826-2BB6-4F14-BED7-0875FEEFD4C0}
2011-11-13 22:23 - 2011-11-13 22:23 - 0000000 ____D C:\Users\James\AppData\Local\{268E3451-2AC6-4E5C-BCD1-09795098D83A}
2011-11-13 04:26 - 2011-11-13 04:26 - 0000000 ____D C:\Users\James\AppData\Local\{922AF4D4-9B6E-42ED-B33A-964C24A290BB}
2011-11-13 04:26 - 2011-11-13 04:25 - 0000000 ____D C:\Users\James\AppData\Local\{21B80A86-BFE0-4987-8B57-12C07D4871EF}
2011-11-12 16:07 - 2011-11-12 16:07 - 0000000 ____D C:\Users\James\AppData\Local\{6E23C8CC-7E07-4B02-A58E-C9DB98346312}
2011-11-12 16:07 - 2011-11-12 16:07 - 0000000 ____D C:\Users\James\AppData\Local\{0886B267-6C84-4077-830F-5003C44FC733}
2011-11-12 03:57 - 2011-11-12 03:57 - 0000000 ____D C:\Users\James\AppData\Local\{9DDBA797-3005-4AB2-A0D5-1DF7FC2EB1A6}
2011-11-12 03:57 - 2011-11-12 03:56 - 0000000 ____D C:\Users\James\AppData\Local\{B96C72BA-4293-483D-BD62-9A371A30881A}
2011-11-11 16:47 - 2011-11-11 06:38 - 0001711 ____A C:\Users\James\Desktop\Cool Runnings - Shortcut.lnk
2011-11-11 08:11 - 2011-11-11 08:11 - 7188225 ____A C:\Users\James\Downloads\Jay Parkes And Tone-E-G - Untitled (ANT 1)-[wwwflvtocom].mp3
2011-11-11 06:36 - 2011-11-11 06:35 - 10871149 ____A C:\Users\James\Downloads\Cool Runnings.mp3
2011-11-11 04:50 - 2011-11-11 04:50 - 0000000 ____D C:\Users\James\AppData\Local\{9EA0B3A2-F4D4-448D-8D68-6C52E20A89B5}
2011-11-11 04:50 - 2011-11-11 04:50 - 0000000 ____D C:\Users\James\AppData\Local\{228E527E-66A5-48FA-A78A-1C8517D08EE0}
2011-11-10 22:49 - 2011-12-14 13:12 - 12261888 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-11-10 22:49 - 2011-12-14 13:12 - 0247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-11-10 21:40 - 2011-12-14 13:12 - 10991104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2011-11-10 21:40 - 2011-12-14 13:12 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2011-11-10 16:33 - 2011-11-10 16:32 - 0000000 ____D C:\Users\James\AppData\Local\{AC9E10DB-6E4C-46F5-8905-7A9666C132D3}
2011-11-10 16:32 - 2011-11-10 16:32 - 0000000 ____D C:\Users\James\AppData\Local\{58988858-EED1-4F94-99DA-68CC0969F755}
2011-11-10 07:34 - 2011-11-10 07:34 - 0373016 ____A C:\Windows\Minidump\111011-23556-01.dmp
2011-11-10 05:55 - 2011-11-10 05:45 - 45321302 ____A C:\Users\James\Downloads\Serum - 30 Minute Jungle Mix November 2011.mp3
2011-11-10 04:32 - 2011-11-10 04:31 - 0000000 ____D C:\Users\James\AppData\Local\{BE003898-AC71-4349-BC0E-8C78B2BBD52A}
2011-11-10 04:31 - 2011-11-10 04:31 - 0000000 ____D C:\Users\James\AppData\Local\{A044EAB8-DD1C-4E11-A3CD-221AE99ECC69}
2011-11-10 04:27 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\System
2011-11-09 04:23 - 2011-11-09 04:23 - 0000000 ____D C:\Users\James\AppData\Local\{32AFA41C-833B-4206-AEDA-9B081638A481}
2011-11-09 04:23 - 2011-11-09 04:23 - 0000000 ____D C:\Users\James\AppData\Local\{2084D265-DACC-4C57-86EA-2179074F9CB8}
2011-11-08 16:22 - 2011-11-08 16:22 - 0000000 ____D C:\Users\James\AppData\Local\{ADAA9D40-74C2-4D62-A4C9-2654F771BAEF}
2011-11-08 16:22 - 2011-11-08 16:22 - 0000000 ____D C:\Users\James\AppData\Local\{1EC216E2-F4E0-41C0-8509-B7C6CE63EFB4}
2011-11-08 04:19 - 2011-11-08 04:19 - 0000000 ____D C:\Users\James\AppData\Local\{7C746D26-F599-4325-A4DA-80D53AA24689}
2011-11-08 04:19 - 2011-11-08 04:19 - 0000000 ____D C:\Users\James\AppData\Local\{55B01E3D-5A56-40F2-B9DE-DDCC85EA4F51}
2011-11-07 05:35 - 2011-11-07 05:32 - 12688618 ____A C:\Users\James\Downloads\16281-warpedsound.zip
2011-11-07 05:03 - 2011-11-07 05:03 - 0000000 ____D C:\Users\James\AppData\Local\{691C9050-690D-4957-921B-8A90EA3AB03C}
2011-11-07 05:03 - 2011-11-07 05:03 - 0000000 ____D C:\Users\James\AppData\Local\{1B05FC1B-02A9-4401-80A7-E470C0D2B414}
2011-11-06 17:02 - 2011-11-06 17:02 - 0000000 ____D C:\Users\James\AppData\Local\{A278F8C2-B972-48C8-9C36-2736A90C0555}
2011-11-06 17:02 - 2011-11-06 17:02 - 0000000 ____D C:\Users\James\AppData\Local\{78ECB652-B295-41BB-92C3-9212EED74D63}
2011-11-06 05:02 - 2011-11-06 05:01 - 0000000 ____D C:\Users\James\AppData\Local\{34E33FD8-1CF2-46EC-85CD-434DDED79BD0}
2011-11-06 05:01 - 2011-11-06 05:01 - 0000000 ____D C:\Users\James\AppData\Local\{4E2A6B6A-819D-484F-9FA9-8EB0928BC1A4}
2011-11-05 17:01 - 2011-11-05 17:01 - 0000000 ____D C:\Users\James\AppData\Local\{2687EBA6-33A2-458D-A79C-62EDD4AEC9FE}
2011-11-05 17:01 - 2011-11-05 17:01 - 0000000 ____D C:\Users\James\AppData\Local\{13AB59E6-7477-4711-86F0-00AD5BB13C1E}
2011-11-05 04:21 - 2011-11-05 04:20 - 0000000 ____D C:\Users\James\AppData\Local\{4C6B9291-C4D9-434C-B0CC-40BA55958A75}
2011-11-05 04:20 - 2011-11-05 04:20 - 0000000 ____D C:\Users\James\AppData\Local\{5BD3B327-EFFD-44BD-A3CE-9B82AC9F25C5}
2011-11-04 21:41 - 2011-12-14 13:12 - 1494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-11-04 21:41 - 2011-12-14 13:12 - 1188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-11-04 21:41 - 2011-12-14 13:12 - 0134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-11-04 21:38 - 2011-12-14 13:12 - 9018880 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-11-04 21:38 - 2011-12-14 13:12 - 0702464 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2011-11-04 21:38 - 2011-12-14 13:12 - 0097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-11-04 21:37 - 2011-12-14 13:12 - 2454528 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-11-04 21:37 - 2011-12-14 13:12 - 0064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-11-04 21:32 - 2011-12-14 12:36 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2011-11-04 20:35 - 2011-12-14 13:12 - 0981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2011-11-04 20:34 - 2011-12-14 13:12 - 1231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2011-11-04 20:34 - 2011-12-14 13:12 - 0132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2011-11-04 20:31 - 2011-12-14 13:12 - 5997056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-11-04 20:31 - 2011-12-14 13:12 - 0599552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2011-11-04 20:31 - 2011-12-14 13:12 - 0067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2011-11-04 20:30 - 2011-12-14 13:12 - 2073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2011-11-04 20:30 - 2011-12-14 13:12 - 0048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2011-11-04 20:26 - 2011-12-14 12:36 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2011-11-04 19:32 - 2011-12-14 13:12 - 1638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-11-04 18:48 - 2011-12-14 13:12 - 1638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-11-04 06:08 - 2011-11-04 06:08 - 0000000 ____D C:\Users\James\AppData\Local\{C73605FE-12AB-40D2-9C8F-505525DF85E5}
2011-11-04 06:08 - 2011-11-04 06:08 - 0000000 ____D C:\Users\James\AppData\Local\{722970EE-5B0F-448E-9003-FCF362FBD01B}
2011-11-04 05:54 - 2011-11-04 05:47 - 172038016 ____A C:\Users\James\Downloads\Ministry_of_Sound_D&B_Metalheadz_DJ_Storm_2011_11_01_qrip.mp3
2011-11-04 05:43 - 2011-11-04 05:15 - 172038016 ____A C:\Users\James\Downloads\Ministry of Sound_D&B_Metalheadz_DJ Storm_2011_11_01_qrip.mp3
2011-11-03 17:55 - 2011-11-03 17:55 - 0000000 ____D C:\Users\James\AppData\Local\{C4C518E8-F680-42CD-892C-B33B89BDFB34}
2011-11-03 17:55 - 2011-11-03 17:55 - 0000000 ____D C:\Users\James\AppData\Local\{748C87B0-4FF5-4C05-AF1E-680572B2C343}
2011-11-03 05:54 - 2011-11-03 05:54 - 0000000 ____D C:\Users\James\AppData\Local\{52073000-2CCB-45E8-9D46-A53392935A4D}
2011-11-03 05:54 - 2011-11-03 05:54 - 0000000 ____D C:\Users\James\AppData\Local\{24E9A9B6-957B-465E-AB52-B559B86B0FEC}
2011-11-02 17:53 - 2011-11-02 17:53 - 0000000 ____D C:\Users\James\AppData\Local\{CBCC131A-DA16-44F7-9B80-AA2EAA6790A3}
2011-11-02 17:53 - 2011-11-02 17:53 - 0000000 ____D C:\Users\James\AppData\Local\{4B430AF0-5206-41A3-AF7A-4B8F584E25F3}
2011-11-02 05:10 - 2011-11-02 05:04 - 88644551 ____A C:\Users\James\Downloads\DJ Hype & MC GQ @ A.W.O.L..mp3
2011-11-02 05:09 - 2011-11-02 05:05 - 55687241 ____A C:\Users\James\Downloads\Mickey Finn & MC GQ - A.W.O.L. 1993.mp3
2011-11-02 05:07 - 2011-11-02 05:03 - 57985064 ____A C:\Users\James\Downloads\Mickey Finn & MC GQ @ A.W.O.L. 'Live In London' Bank Holiday 1993.mp3
2011-11-02 05:07 - 2011-11-02 05:01 - 88132839 ____A C:\Users\James\Downloads\Dr S Gachet @ A.W.O.L. 'Live In London' August Bank Holiday 1993.mp3
2011-11-02 04:11 - 2011-11-02 04:10 - 0000000 ____D C:\Users\James\AppData\Local\{EA694243-9D34-4A9C-ABE1-365C3D1663EB}
2011-11-02 04:10 - 2011-11-02 04:10 - 0000000 ____D C:\Users\James\AppData\Local\{5012DF71-E94B-4CE7-AC0A-C3E8268EF318}
2011-11-01 16:10 - 2011-11-01 16:10 - 0000000 ____D C:\Users\James\AppData\Local\{672FF25B-94DB-4F0E-AD1C-3C91FD53FEC4}
2011-11-01 16:10 - 2011-11-01 16:09 - 0000000 ____D C:\Users\James\AppData\Local\{794018A8-8D63-4508-940B-0A2B695BCC04}
2011-11-01 04:09 - 2011-11-01 04:09 - 0000000 ____D C:\Users\James\AppData\Local\{9DF1829F-29CB-4FF2-8979-8C6AEB71C537}
2011-11-01 04:09 - 2011-11-01 04:08 - 0000000 ____D C:\Users\James\AppData\Local\{0AF9B88E-9DB0-4FFB-80D7-B65BA613197B}
2011-10-31 16:08 - 2011-10-31 16:08 - 0000000 ____D C:\Users\James\AppData\Local\{E570ECAB-132C-49BC-8823-46BFB07D5370}
2011-10-31 16:08 - 2011-10-31 16:08 - 0000000 ____D C:\Users\James\AppData\Local\{797A13DB-D311-4368-AE15-6C39A10317A2}
2011-10-31 03:04 - 2011-10-31 03:04 - 0000000 ____D C:\Users\James\AppData\Local\{FBD28021-0B35-4130-85C4-1513F0D6EE62}
2011-10-31 03:04 - 2011-10-31 03:04 - 0000000 ____D C:\Users\James\AppData\Local\{3609C237-0980-4E5A-9383-DB9286FE1B08}
2011-10-30 14:53 - 2011-10-30 14:53 - 0000000 ____D C:\Users\James\AppData\Local\{5587BECE-F5AD-4B0C-937B-EF7AD748CF11}
2011-10-30 14:53 - 2011-10-30 14:53 - 0000000 ____D C:\Users\James\AppData\Local\{27D481E7-E113-4231-8448-6E24450E9C32}
2011-10-30 02:52 - 2011-10-30 02:52 - 0000000 ____D C:\Users\James\AppData\Local\{78C72257-8051-49EE-8847-8D859EBD3DB2}
2011-10-30 02:52 - 2011-10-30 02:52 - 0000000 ____D C:\Users\James\AppData\Local\{66A224A8-03B0-4DC8-8A53-5C480721BF99}
2011-10-29 13:22 - 2011-10-29 13:22 - 0000000 ____D C:\Users\James\AppData\Local\{7315BB4D-A9F8-427F-923F-32C913CBCB4E}
2011-10-29 13:22 - 2011-10-29 13:21 - 0000000 ____D C:\Users\James\AppData\Local\{923A4781-81DB-419F-83E6-CEE0E9164120}
2011-10-29 01:21 - 2011-10-29 01:21 - 0000000 ____D C:\Users\James\AppData\Local\{CD603A51-C963-42D2-9C21-ADA1281F9DDE}
2011-10-29 01:21 - 2011-10-29 01:21 - 0000000 ____D C:\Users\James\AppData\Local\{9D8BC2DD-DB3C-43FE-BCDF-955FBADFB34C}
2011-10-28 02:36 - 2011-10-28 02:35 - 0000000 ____D C:\Users\James\AppData\Local\{C42A83F7-1D95-400A-9FD2-EFEAEDA51DE3}
2011-10-28 02:35 - 2011-10-28 02:35 - 0000000 ____D C:\Users\James\AppData\Local\{A9A3C9D9-2551-47B3-9FE2-8207F67DEC6E}
2011-10-27 04:34 - 2011-10-27 04:34 - 0000000 ____D C:\Users\James\AppData\Local\{967AB1B5-2020-4B24-8969-05026A14F547}
2011-10-27 04:34 - 2011-10-27 04:33 - 0000000 ____D C:\Users\James\AppData\Local\{6FF5FAFD-E8DA-4172-8E1E-173DD165664C}
========================= Known DLLs (Whitelisted) ============
========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
========================= Memory info ======================
Percentage of memory in use: 14%
Total physical RAM: 3958.76 MB
Available physical RAM: 3371.02 MB
Total Pagefile: 3956.91 MB
Available Pagefile: 3362.68 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:97.56 GB) (Free:3.75 GB) NTFS
2 Drive d: () (Fixed) (Total:270.44 GB) (Free:108.46 GB) NTFS
3 Drive f: () (Fixed) (Total:97.66 GB) (Free:37.52 GB) NTFS
5 Drive h: () (Removable) (Total:14.89 GB) (Free:14.89 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 14 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 97 GB 101 MB
Partition 3 Primary 97 GB 97 GB
Partition 0 Extended 270 GB 195 GB
Partition 4 Logical 270 GB 195 GB
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 97 GB Healthy
Disk: 0
Partition 3
Type : 06
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F NTFS Partition 97 GB Healthy
Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 D NTFS Partition 270 GB Healthy
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 31 KB
Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT32 Removable 14 GB Healthy
==========================================================
Last Boot: 2012-01-19 16:45
======================= End Of Log ==========================
Hi chelseafan,
I hope you are still with me.
----------
Do you recognize any of these by chance??
C:\Users\James\AppData\Roaming\Hypue
C:\Users\James\AppData\Roaming\Lybeig
C:\Users\James\AppData\Roaming\Ohriva
C:\Users\James\AppData\Roaming\Ukyso
C:\Users\James\AppData\Roaming\Iteq
----------
chelseafan
2012-02-07, 02:13
Hi, I reformatted so you can close this thread.
Thanks for your help anyway.
Ok...thanks for letting me know. :)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.
If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.