I am trying to clean up and repair my Brother-in-laws laptop. I started deleting programs\toolbar and running antivirus\spy bot and others just to clean CRAP off aparently he said he tried online virus scans and such wich who know what they put in his system on top of what he already had. but anyways i did a windows update as well as tried a windows IE update and soon after on one of the reboots I got an error message (explorer.exe 0xc000022) click ok to terminate). when I clicked on any of the of in profiles. ofter hitting ok everything went black but my mouse. I can CNT ALT DEL to task manager and shutdown. I currently am able to run in safe mode with no problems.

here is the DDS file

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_30
Run by Ryan at 13:33:32 on 2012-02-09
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3191 [GMT -6:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Roxio Shared\10.0\Roxio Central36\Main\Roxio_Central36.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Ryan\Desktop\HijackThis.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
mSearchAssistant =
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: &Crawler Toolbar Helper: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - C:\PROGRA~2\Crawler\Toolbar\ctbr.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - C:\PROGRA~2\Crawler\Toolbar\ctbr.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {90B49673-5506-483E-B92B-CA0265BD9CA8} - No File
TB: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} - No File
uRun: [avgsys] regedit /s "C:\ProgramData\de6342b\4455.reg"
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
StartupFolder: C:\Users\Ryan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\Users\Ryan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\wkcalrem.LNK - C:\Program Files (x86)\Microsoft Works\WkCalRem.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2961302D-0820-4732-9602-FF83D5402027} : DhcpNameServer = 209.183.50.151 209.183.50.151
TCP: Interfaces\{3F989BEA-572A-4367-97B7-768ECC652223} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{FB2F24BD-7F6D-4397-9084-EBC202AA3EF3} : DhcpNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~2\Crawler\Toolbar\ctbr.dll
LSA: Notification Packages = scecli DPPWDFLT
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: &Crawler Toolbar Helper: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~2\Crawler\Toolbar\ctbr.dll
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: &Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~2\Crawler\Toolbar\ctbr.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: {90B49673-5506-483E-B92B-CA0265BD9CA8} - No File
TB-X64: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} - No File
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IFEO-X64: image file execution options - svchost.exe
IFEO-X64: a.exe - svchost.exe
IFEO-X64: aAvgApi.exe - svchost.exe
IFEO-X64: AAWTray.exe - svchost.exe
IFEO-X64: About.exe - svchost.exe
.
Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
S2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2008-1-20 21504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;C:\Windows\system32\Drivers\ATSwpWDF.sys --> C:\Windows\system32\Drivers\ATSwpWDF.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;C:\Windows\system32\DRIVERS\OA001Ufd.sys --> C:\Windows\system32\DRIVERS\OA001Ufd.sys [?]
S3 OA001Vid;Creative Camera OA001 Function Driver;C:\Windows\system32\DRIVERS\OA001Vid.sys --> C:\Windows\system32\DRIVERS\OA001Vid.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);C:\Windows\system32\DRIVERS\swnc8u80.sys --> C:\Windows\system32\DRIVERS\swnc8u80.sys [?]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);C:\Windows\system32\DRIVERS\swumx80.sys --> C:\Windows\system32\DRIVERS\swumx80.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [?]
S4 ATService;AuthenTec Fingerprint Service;C:\Program Files\Fingerprint Sensor\ATService.exe [2008-12-22 2479864]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-16 89920]
S4 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-9-23 155648]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-22 135664]
S4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-22 135664]
S4 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-1-2 1153368]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-02-09 19:08:52 283200 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2012-02-09 19:08:45 -------- d-----w- C:\Program Files (x86)\DAEMON Tools Lite
2012-02-09 19:08:12 -------- d-----w- C:\Users\Ryan\AppData\Roaming\DAEMON Tools Lite
2012-02-09 19:08:10 -------- d-----w- C:\ProgramData\DAEMON Tools Lite
2012-02-09 18:58:23 -------- d-----w- C:\Windows\pss
2012-02-07 17:19:23 0 ---ha-w- C:\Users\Ryan\AppData\Local\BITD27A.tmp
2012-02-02 18:27:18 8602168 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0D93E9C8-597A-48DE-8268-1691E5413699}\mpengine.dll
2012-02-02 16:00:17 -------- d-----w- C:\Users\Ryan\AppData\Roaming\PCPro
2012-02-02 16:00:17 -------- d-----w- C:\Users\Ryan\AppData\Roaming\PC Cleaners
2012-02-02 16:00:11 -------- d-----w- C:\ProgramData\PC1Data
2012-02-02 03:05:16 -------- d-----w- C:\Users\Ryan\AppData\Local\ElevatedDiagnostics
2012-02-01 22:46:24 -------- d-----w- C:\ProgramData\Uniblue
2012-02-01 22:46:19 -------- d-----w- C:\Users\Ryan\AppData\Roaming\Uniblue
2012-02-01 22:46:14 -------- d-----w- C:\Program Files (x86)\Uniblue
2012-01-30 21:30:40 -------- d-----w- C:\Windows\SysWow64\vi-VN
2012-01-30 21:30:40 -------- d-----w- C:\Windows\SysWow64\eu-ES
2012-01-30 21:30:40 -------- d-----w- C:\Windows\SysWow64\ca-ES
2012-01-30 21:30:40 -------- d-----w- C:\Windows\System32\vi-VN
2012-01-30 21:30:40 -------- d-----w- C:\Windows\System32\eu-ES
2012-01-30 21:30:40 -------- d-----w- C:\Windows\System32\ca-ES
2012-01-30 20:44:59 -------- d-----w- C:\Windows\System32\EventProviders
2012-01-30 20:42:10 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-01-30 20:36:22 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 01:31:48 -------- d-----w- C:\RebateInformer
.
==================== Find3M ====================
.
2011-12-07 16:39:10 279096 ----a-w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 13:35:19.79 ===============


Any help would be greatly appreciated to help get this computer back in tip top shape for my Sister and her husband.

Thanks

Hi chiro.j.elliott, welcome to the forum.

To make cleaning this machine easier
Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
Do not attach any logs/reports, etc.. unless specifically requested to do so.
If you have problems with or do not understand the instructions, Please ask before continuing.
Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.



Since you can run normally in safe mode please download and run this tool in safe mode. If it asks to reboot allow it but let it boot back into safe mode and allow it to finish. Once the log is produced save it and boot back to normal windows and post the log.

Please note while you are in safe mode you will not be able disable your security programs. That's ok as they will not be running.


Please read through the instructions to familarize youself with what to expect when the tool runs.

Please download ComboFix from Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)or Link 2 (http://www.infospyware.net/antimalware/combofix/) to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to "Always ask me where to Save the files".



It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Right click on ComboFix.exe, click Run as Administrator & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3 CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

How's the computer now?

Thanks

Combofix run!!

Tried booting back to normal windows after saving the log. Got to the log in window but when clicked on any of the logons error occurred just as before.
so rebooted to safemode and here I am!!

Here is report.

ComboFix 12-02-11.02 - Ryan 02/11/2012 7:49.1.2 - x64 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3095 [GMT -6:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Common Files\Uninstall
c:\program files (x86)\FilmFanaticEI
c:\program files (x86)\RegTool
c:\program files (x86)\TelevisionFanaticEI
c:\programdata\de6342b
c:\programdata\de6342b\6738.mof
c:\programdata\de6342b\BackUp\Bluetooth.lnk
c:\programdata\de6342b\BackUp\Dell Dock.lnk
c:\programdata\de6342b\BackUp\LimeWire On Startup.lnk
c:\programdata\de6342b\BackUp\QuickSet.lnk
c:\programdata\de6342b\BackUp\wkcalrem.LNK
c:\programdata\de6342b\CUde63.exe
c:\programdata\de6342b\SMAV.ico
c:\programdata\de6342b\SMAVSys\vd952342.bd
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\cb.tmp
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\cid.drv
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\CLSV.tmp
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\eb.tmp
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\FS.exe
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\FS.sys
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\hymt.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\hymt.drv
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\kernel32.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\ppal.exe
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\ppal.tmp
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\sld.drv
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\sld.sys
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.dll
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe
c:\users\Ryan\AppData\Roaming\RegTool
c:\users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-29 20-15-130.log
c:\users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-30 18-10-380.log
c:\users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-30 18-35-370.log
c:\users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-30 19-16-080.log
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\filelist.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-0.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-1.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-10.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-11.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-12.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-13.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-14.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-15.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-16.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-17.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-18.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-19.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-2.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-20.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-21.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-22.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-23.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-24.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-25.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-26.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-27.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-28.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-29.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-3.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-30.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-31.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-32.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-33.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-34.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-35.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-36.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-37.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-38.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-39.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-4.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-40.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-41.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-42.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-43.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-44.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-45.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-46.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-47.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-48.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-49.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-5.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-50.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-51.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-52.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-53.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-54.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-55.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-56.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-57.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-58.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-59.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-6.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-60.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-61.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-62.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-63.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-64.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-65.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-66.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-67.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-68.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-7.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-8.db
c:\users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-9.db
c:\users\Ryan\AppData\Roaming\RegTool\Results\Evidence.db
c:\users\Ryan\AppData\Roaming\RegTool\Results\Junk.db
c:\users\Ryan\AppData\Roaming\RegTool\Results\Registry.db
c:\users\Ryan\AppData\Roaming\RegTool\Results\Update.db
c:\windows\system32\DpPwdFlt.dll
c:\windows\SysWow64\drivers\snetcfg.exe
c:\windows\SysWow64\ndisapi.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-02-11 13:55 . 2012-02-11 13:59 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2012-02-11 13:55 . 2012-02-11 13:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 13:55 . 2012-02-11 13:55 -------- d-----w- c:\users\Becca\AppData\Local\temp
2012-02-11 13:46 . 2012-02-11 13:46 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-02-11 13:46 . 2012-02-11 13:46 43960 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-02-09 19:31 . 2012-02-09 19:31 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\windows\LastGood.Tmp
2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:09 -------- d-----w- c:\users\Ryan\AppData\Roaming\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-02-09 19:03 . 2012-02-09 19:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\Roxio
2012-02-07 17:19 . 2012-02-07 17:19 0 ---ha-w- c:\users\Ryan\AppData\Local\BITD27A.tmp
2012-02-02 18:27 . 2012-01-17 10:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D93E9C8-597A-48DE-8268-1691E5413699}\mpengine.dll
2012-02-02 16:00 . 2012-02-02 17:29 -------- d-----w- c:\users\Ryan\AppData\Roaming\PCPro
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\PC Cleaners
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\programdata\PC1Data
2012-02-02 03:05 . 2012-02-02 03:05 -------- d-----w- c:\users\Ryan\AppData\Local\ElevatedDiagnostics
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\programdata\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\users\Ryan\AppData\Roaming\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-30 21:55 . 2012-01-30 21:55 -------- d-----w- c:\users\Becca\AppData\Local\Mozilla
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\ca-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\ca-ES
2012-01-30 20:44 . 2012-01-30 20:44 -------- d-----w- c:\windows\system32\EventProviders
2012-01-30 20:42 . 2011-11-10 11:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-30 20:36 . 2012-01-30 20:36 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 01:59 . 2012-01-30 01:59 -------- d-----w- c:\users\Becca\AppData\Roaming\Yahoo!
2012-01-30 01:31 . 2012-01-30 01:31 -------- d-----w- C:\RebateInformer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 16:39 . 2010-01-03 04:55 279096 ----a-w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgsys"="regedit" [X]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
.
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
wkcalrem.LNK - c:\program files (x86)\Microsoft Works\WkCalRem.exe [2007-11-28 46432]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-19 04:32]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 272896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~2\Crawler\Toolbar\ctbr.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-11 08:04:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-11 14:04
.
Pre-Run: 218,361,942,016 bytes free
Post-Run: 218,094,288,896 bytes free
.
- - End Of File - - 16E86EA5D9BBD022A7162A5BD1DA48E6

Hi chiro.j.elliott,

You said the problem occurred after one of the updates. These updates have been identified as a possible source of this problem. Try uninstalling them and see if you can boot to normal windows.

KB933566, KB929123, KB931213, KB905866, KB929762 & KB936825.

Hope I did this right! I went to control panel- prog-features - installed updates and then searched for each of those numbers KB905866 was the only one it found so I double clicked it and it supposedly uninstalled. rebooted to normal windows with no change in error so I'm back in safe mode!!

Hi chiro.j.elliott,

This appears to be a permissions issue. How far can you get in normal windows?

In an adminsitrator account are you able to open Task Manager and click on file > New task (run)

In the window type cmd then click browse . You should be now in the C:\Windows\system32 folder. Scroll down and locate cmd.exe right click it and click "Run as Administrator"

Let me know if a black command window opens. We may be able to run a couple of commands to try to restore permissions.

well thats one battle of the war we can win!! I can access task manager with cnt-alt-del and now have the cmd window up and running on the computer!!

Next??

Hi

Type each of these lines, hitting enter after each one.

Note there is a space after CACLS, a space after .dll, a space after /E, a space after /G

CACLS %systemroot%\System32\*.dll /E /G BUILTIN\Users:R

CACLS %systemroot%\System32\*.ocx /E /G BUILTIN\Users:R

Reboot the computer when done.

done with no change on reboot!!

Hi chiro.j.elliott,

Let's make sure combofix removed all of the rogue.

Open a new Notepad session
Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.

Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE





Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgsys"=-


In the notepad
Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif



Next

You need to use safe mode with networking so the data base can be updated.

Download and save to your desktop Malwarebytes Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Next

I need you to submit a file for analysis,

To submit a file to virustotal, please click on this link

VirusTotal (www.virustotal.com)

copy and paste the following into the choose file box (you can also use the choose file button to navigate to the file. Note the file path may look like 2 paths bit it is one path.

C:\Qoobox\Quarantine\C\WINDOWS\system32\DpPwdFlt.dll.vir



scroll down a bit and click "Scan it", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.

Please post back with the
combofix log
MBAM log
VirusTotal results

Task 1 completed:
However i noticed when i clicked and dragged file into combofix i was not able select "run as admin" but other than that it ran and said it deleted the file rebooted to safemode to get report here it is!

ComboFix 12-02-11.02 - Ryan 02/12/2012 13:21:39.1.2 - x64 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3361 [GMT -6:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\users\Ryan\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\DpPwdFlt.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
.
2012-02-12 19:28 . 2012-02-12 19:31 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2012-02-12 19:28 . 2012-02-12 19:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-12 19:28 . 2012-02-12 19:28 -------- d-----w- c:\users\Becca\AppData\Local\temp
2012-02-11 13:46 . 2012-02-11 21:22 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-02-11 13:46 . 2012-02-11 21:22 43960 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-02-09 19:31 . 2012-02-09 19:31 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:09 -------- d-----w- c:\users\Ryan\AppData\Roaming\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-02-09 19:03 . 2012-02-09 19:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\Roxio
2012-02-07 17:19 . 2012-02-07 17:19 0 ---ha-w- c:\users\Ryan\AppData\Local\BITD27A.tmp
2012-02-02 18:27 . 2012-01-17 10:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D93E9C8-597A-48DE-8268-1691E5413699}\mpengine.dll
2012-02-02 16:00 . 2012-02-02 17:29 -------- d-----w- c:\users\Ryan\AppData\Roaming\PCPro
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\PC Cleaners
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\programdata\PC1Data
2012-02-02 03:05 . 2012-02-02 03:05 -------- d-----w- c:\users\Ryan\AppData\Local\ElevatedDiagnostics
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\programdata\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\users\Ryan\AppData\Roaming\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-30 21:55 . 2012-01-30 21:55 -------- d-----w- c:\users\Becca\AppData\Local\Mozilla
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\ca-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\ca-ES
2012-01-30 20:44 . 2012-01-30 20:44 -------- d-----w- c:\windows\system32\EventProviders
2012-01-30 20:42 . 2011-11-10 11:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-30 20:36 . 2012-01-30 20:36 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 01:59 . 2012-01-30 01:59 -------- d-----w- c:\users\Becca\AppData\Roaming\Yahoo!
2012-01-30 01:31 . 2012-01-30 01:31 -------- d-----w- C:\RebateInformer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 16:39 . 2010-01-03 04:55 279096 ----a-w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
.
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
wkcalrem.LNK - c:\program files (x86)\Microsoft Works\WkCalRem.exe [2007-11-28 46432]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-19 04:32]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 272896]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~2\Crawler\Toolbar\ctbr.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-12 13:37:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-12 19:37
ComboFix2.txt 2012-02-11 14:04
.
Pre-Run: 217,970,937,856 bytes free
Post-Run: 217,764,872,192 bytes free
.
- - End Of File - - 6CB009C7319ABC98610E80ADFECF89BC





Task #2 completed- dowloaded- run- and rebooted all in safemode!

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.12.05

Windows Vista Service Pack 2 x64 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.19088
Ryan :: RYAN-PC [administrator]

2/12/2012 1:48:12 PM
mbam-log-2012-02-12 (13-48-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205216
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99b340f7-76e0-44ab-9948-b95a1b475d39} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d09094b3-b426-4f16-a6d9-e211fe222127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\RegTool (Rogue.RegTool) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\RegTool (Rogue.RegTool) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\Environment|AVAPP (Rogue.PersonalAntiVirus) -> Data: C:\Program Files (x86)\PersonalAV -> Quarantined and deleted successfully.
HKCU\Environment|AVUNINST (Rogue.PersonalAntiVirus) -> Data: C:\Program Files (x86)\Common Files\Uninstall\PersonalAV\Uninstall.lnk -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

TASK #3- unable to perform

Tried to copy file name into site and never would let me past it i couldnt even click in the search box. nor would it let me click on browse!! does it have to do with me being in safemode??? I tryed searching my computer for that file just to see if i could find it and drag it but my computer search didnt find that name!!!

Hope I did everything right and i just want to say thank you sooo much for your help sooo far!!

Chiro

Hichiro.j.elliott,

I'm not sure why safe mode would make any difference. Try submitting it to VirSCAN.org FREE on-line scan service (http://virscan.org/)

If that doesn't work:

The file should be in the combofix quarantine folder. Open windows explorer and navigate to the C:\ drive. Open the Qoobox folder and expand the paths untill you reach the file



C:\Qoobox\Quarantine\C\WINDOWS\system32\DpPwdFlt.dll.vir

If it's not to big try zipping it and attaching it to your reply. I'll submit it.

C:\Qoobox\Quarantine\C\WINDOWS\
is as far as i can get in your chain "SysWOW64" is the only folder in the windows folder. there is no system32 folder there!!!

and virSCAN.org does the same thing to me when I try to input anything into the scan box!! wont let me type anything and brows button wont open any new windows or anything

Hi

Have a look in the "SysWOW64" folder. If it's a 32bit file that's where it would be.

Antivirus Result Update
nProtect - 20120212
CAT-QuickHeal - 20120212
McAfee - 20120212
K7AntiVirus - 20120211
TheHacker - 20120212
VirusBuster - 20120212
NOD32 - 20120213
F-Prot - 20120213
Symantec - 20120213
Norman - 20120212
ByteHero - 20120211
TrendMicro-HouseCall - 20120213
Avast - 20120212
eSafe Win32.TrojanHorse 20120212
ClamAV - 20120212
Kaspersky - 20120213
BitDefender - 20120212
SUPERAntiSpyware - 20120206
Sophos - 20120212
Comodo - 20120212
F-Secure - 20120212
DrWeb - 20120213
VIPRE - 20120212
AntiVir - 20120212
TrendMicro - 20120212
McAfee-GW-Edition - 20120212
Emsisoft - 20120213
eTrust-Vet - 20120211
Jiangmin - 20120212
Antiy-AVL - 20120211
Microsoft - 20120212
ViRobot - 20120212
Prevx - 20120213
GData - 20120212
Commtouch - 20120213
AhnLab-V3 - 20120212
VBA32 - 20120210
PCTools - 20120207
Rising - 20120210
Ikarus - 20120212
Fortinet - 20120213
AVG - 20120213
Panda - 20120

dont know what all this is but it was under additional info. if you have any questions ill do my best to explain!!



ssdeep
768:eQlw1kB2Q553vAREHe+TMVGUcyIxz7BnNgIdloCo3Zj:eh1HQ55IavTmBIxH1CIXo3Zj
TrID
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEiD packer identifier
Armadillo v1.xx - v2.xx
ExifTool

CodeSize.................: 28672
FileDescription..........: ndisapi
Comments.................: NDISRD IOCTL wrapper DLL
InitializedDataSize......: 32768
ImageVersion.............: 0.0
ProductName..............: Windows Packet Filter Kit
FileVersionNumber........: 3.0.5.1
LanguageCode.............: Neutral
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 6.0
OriginalFilename.........: ndisapi.dll
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 3, 0, 5, 1
TimeStamp................: 2009:05:14 10:58:01+01:00
FileType.................: Win32 DLL
PEType...................: PE32
InternalName.............: ndisapi
SubsystemVersion.........: 4.0
ProductVersion...........: 3, 0, 5, 1
UninitializedDataSize....: 0
OSVersion................: 4.0
FileOS...................: Windows NT 32-bit
LegalCopyright...........: Copyright NT Kernel Resources 2000-2009
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: NT Kernel Resources
LegalTrademarks..........: WinpkFilter
FileSubtype..............: 0
ProductVersionNumber.....: 3.0.5.1
EntryPoint...............: 0x3957
ObjectFileType...........: Dynamic link library

Sigcheck

publisher................: NT Kernel Resources
product..................: Windows Packet Filter Kit
internal name............: ndisapi
copyright................: Copyright (c) NT Kernel Resources 2000-2009
original name............: ndisapi.dll
comments.................: NDISRD IOCTL wrapper DLL
file version.............: 3, 0, 5, 1
description..............: ndisapi

Portable Executable structural information

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 25546 28672 6.11 db375aa2e42d98e9e02228409aa678ac
.rdata 32768 6416 8192 4.83 492b2072f94cf3a8ae72ad4c4eb1ad3e
.data 40960 13196 12288 1.13 d7a59ed881b25743a8a59683569758ea
.rsrc 57344 1016 4096 1.06 8758de4a8955c8ed01cca3d3d59b817f
.reloc 61440 3502 4096 3.47 5aa43948033a15270f67e9bca1ff39e1

PE Imports....................:

ADVAPI32.dll
RegEnumKeyExA, RegQueryValueExA, RegCreateKeyA, RegSetValueExA, RegCloseKey, RegOpenKeyExA

KERNEL32.dll
DeviceIoControl, FreeLibrary, LoadLibraryA, CloseHandle, GetLastError, ResetEvent, CreateFileA, CreateEventA, GetVersionExA, GetModuleHandleA, GetProcAddress, WaitForSingleObject, GetCurrentProcess, HeapFree, HeapAlloc, GetCommandLineA, GetVersion, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, ExitProcess, RtlUnwind, InterlockedDecrement, InterlockedIncrement, TerminateProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, WriteFile, GetCPInfo, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetACP, GetOEMCP, GetStringTypeA, GetStringTypeW


PE Exports....................:

_, _, 0, C, N, d, i, s, A, p, i, @, @, Q, A, E, @, A, B, V, 0, @, @, Z, ,, , _, _, 0, C, N, d, i, s, A, p, i, @, @, Q, A, E, @, P, B, D, @, Z, ,, , _, _, 1, C, N, d, i, s, A, p, i, @, @, U, A, E, @, X, Z, ,, , _, _, 4, C, N, d, i, s, A, p, i, @, @, Q, A, E, A, A, V, 0, @, A, B, V, 0, @, @, Z, ,, , _, _, _, 7, C, N, d, i, s, A, p, i, @, @, 6, B, @, ,, , _, _, _, C, @, _, 0, 6, N, K, H, A, @, N, D, I, S, R, D, _, $, A, A, @, ,, , _, _, _, F, C, N, d, i, s, A, p, i, @, @, Q, A, E, X, X, Z, ,, , _, C, o, n, v, e, r, t, W, i, n, d, o, w, s, 2, 0, 0, 0, A, d, a, p, t, e, r, N, a, m, e, @, C, N, d, i, s, A, p, i, @, @, S, A, H, P, B, D, P, A, D, K, @, Z, ,, , _, C, o, n, v, e, r, t, W, i, n, d, o, w, s, 9, x, A, d, a, p, t, e, r, N, a, m, e, @, C, N, d, i, s, A, p, i, @, @, S, A, H, P, B, D, P, A, D, K, @, Z, ,, , _, C, o, n, v, e, r, t, W, i, n, d, o, w, s, N, T, A, d, a, p, t, e, r, N, a, m, e, @, C, N, d, i, s, A, p, i, @, @, S, A, H, P, B, D, P, A, D, K, @, Z, ,, , _, D, e, v, i, c, e, I, o, C, o, n, t, r, o, l, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, K, P, A, X, H, 0, H, P, A, K, P, A, U, _, O, V, E, R, L, A, P, P, E, D, @, @, @, Z, ,, , _, F, l, u, s, h, A, d, a, p, t, e, r, P, a, c, k, e, t, Q, u, e, u, e, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, @, Z, ,, , _, G, e, t, A, d, a, p, t, e, r, M, o, d, e, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, A, D, A, P, T, E, R, _, M, O, D, E, @, @, @, Z, ,, , _, G, e, t, A, d, a, p, t, e, r, P, a, c, k, e, t, Q, u, e, u, e, S, i, z, e, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, P, A, K, @, Z, ,, , _, G, e, t, A, d, a, p, t, e, r, s, S, t, a, r, t, u, p, M, o, d, e, @, C, N, d, i, s, A, p, i, @, @, S, A, K, X, Z, ,, , _, G, e, t, B, y, t, e, s, R, e, t, u, r, n, e, d, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, K, X, Z, ,, , _, G, e, t, H, w, P, a, c, k, e, t, F, i, l, t, e, r, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, P, A, K, @, Z, ,, , _, G, e, t, M, T, U, D, e, c, r, e, m, e, n, t, @, C, N, d, i, s, A, p, i, @, @, S, A, K, X, Z, ,, , _, G, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, S, T, A, T, I, C, _, F, I, L, T, E, R, _, T, A, B, L, E, @, @, @, Z, ,, , _, G, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, R, e, s, e, t, S, t, a, t, s, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, S, T, A, T, I, C, _, F, I, L, T, E, R, _, T, A, B, L, E, @, @, @, Z, ,, , _, G, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, S, i, z, e, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, K, @, Z, ,, , _, G, e, t, R, a, s, L, i, n, k, s, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, P, A, U, _, R, A, S, _, L, I, N, K, S, @, @, @, Z, ,, , _, G, e, t, T, c, p, i, p, B, o, u, n, d, A, d, a, p, t, e, r, s, I, n, f, o, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, T, C, P, _, A, d, a, p, t, e, r, L, i, s, t, @, @, @, Z, ,, , _, G, e, t, V, e, r, s, i, o, n, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, K, X, Z, ,, , _, I, s, D, r, i, v, e, r, L, o, a, d, e, d, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, X, Z, ,, , _, N, d, i, s, r, d, R, e, q, u, e, s, t, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, P, A, C, K, E, T, _, O, I, D, _, D, A, T, A, @, @, H, @, Z, ,, , _, R, e, a, d, P, a, c, k, e, t, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, E, T, H, _, R, E, Q, U, E, S, T, @, @, @, Z, ,, , _, R, e, a, d, P, a, c, k, e, t, s, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, E, T, H, _, M, _, R, E, Q, U, E, S, T, @, @, @, Z, ,, , _, R, e, s, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, X, Z, ,, , _, S, e, n, d, P, a, c, k, e, t, T, o, A, d, a, p, t, e, r, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, E, T, H, _, R, E, Q, U, E, S, T, @, @, @, Z, ,, , _, S, e, n, d, P, a, c, k, e, t, T, o, M, s, t, c, p, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, E, T, H, _, R, E, Q, U, E, S, T, @, @, @, Z, ,, , _, S, e, n, d, P, a, c, k, e, t, s, T, o, A, d, a, p, t, e, r, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, E, T, H, _, M, _, R, E, Q, U, E, S, T, @, @, @, Z, ,, , _, S, e, n, d, P, a, c, k, e, t, s, T, o, M, s, t, c, p, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, E, T, H, _, M, _, R, E, Q, U, E, S, T, @, @, @, Z, ,, , _, S, e, t, A, d, a, p, t, e, r, L, i, s, t, C, h, a, n, g, e, E, v, e, n, t, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, @, Z, ,, , _, S, e, t, A, d, a, p, t, e, r, M, o, d, e, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, A, D, A, P, T, E, R, _, M, O, D, E, @, @, @, Z, ,, , _, S, e, t, A, d, a, p, t, e, r, s, S, t, a, r, t, u, p, M, o, d, e, @, C, N, d, i, s, A, p, i, @, @, S, A, H, K, @, Z, ,, , _, S, e, t, H, w, P, a, c, k, e, t, F, i, l, t, e, r, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, K, @, Z, ,, , _, S, e, t, M, T, U, D, e, c, r, e, m, e, n, t, @, C, N, d, i, s, A, p, i, @, @, S, A, H, K, @, Z, ,, , _, S, e, t, P, a, c, k, e, t, E, v, e, n, t, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, 0, @, Z, ,, , _, S, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, U, _, S, T, A, T, I, C, _, F, I, L, T, E, R, _, T, A, B, L, E, @, @, @, Z, ,, , _, S, e, t, W, A, N, E, v, e, n, t, @, C, N, d, i, s, A, p, i, @, @, Q, A, E, H, P, A, X, @, Z, ,, , C, l, o, s, e, F, i, l, t, e, r, D, r, i, v, e, r, ,, , C, o, n, v, e, r, t, W, i, n, d, o, w, s, 2, 0, 0, 0, A, d, a, p, t, e, r, N, a, m, e, ,, , C, o, n, v, e, r, t, W, i, n, d, o, w, s, 9, x, A, d, a, p, t, e, r, N, a, m, e, ,, , C, o, n, v, e, r, t, W, i, n, d, o, w, s, N, T, A, d, a, p, t, e, r, N, a, m, e, ,, , F, l, u, s, h, A, d, a, p, t, e, r, P, a, c, k, e, t, Q, u, e, u, e, ,, , G, e, t, A, d, a, p, t, e, r, M, o, d, e, ,, , G, e, t, A, d, a, p, t, e, r, P, a, c, k, e, t, Q, u, e, u, e, S, i, z, e, ,, , G, e, t, A, d, a, p, t, e, r, s, S, t, a, r, t, u, p, M, o, d, e, ,, , G, e, t, B, y, t, e, s, R, e, t, u, r, n, e, d, ,, , G, e, t, D, r, i, v, e, r, V, e, r, s, i, o, n, ,, , G, e, t, H, w, P, a, c, k, e, t, F, i, l, t, e, r, ,, , G, e, t, M, T, U, D, e, c, r, e, m, e, n, t, ,, , G, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, ,, , G, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, R, e, s, e, t, S, t, a, t, s, ,, , G, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, S, i, z, e, ,, , G, e, t, R, a, s, L, i, n, k, s, ,, , G, e, t, T, c, p, i, p, B, o, u, n, d, A, d, a, p, t, e, r, s, I, n, f, o, ,, , I, s, D, r, i, v, e, r, L, o, a, d, e, d, ,, , N, d, i, s, r, d, R, e, q, u, e, s, t, ,, , O, p, e, n, F, i, l, t, e, r, D, r, i, v, e, r, ,, , R, e, a, d, P, a, c, k, e, t, ,, , R, e, a, d, P, a, c, k, e, t, s, ,, , R, e, s, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, ,, , S, e, n, d, P, a, c, k, e, t, T, o, A, d, a, p, t, e, r, ,, , S, e, n, d, P, a, c, k, e, t, T, o, M, s, t, c, p, ,, , S, e, n, d, P, a, c, k, e, t, s, T, o, A, d, a, p, t, e, r, ,, , S, e, n, d, P, a, c, k, e, t, s, T, o, M, s, t, c, p, ,, , S, e, t, A, d, a, p, t, e, r, L, i, s, t, C, h, a, n, g, e, E, v, e, n, t, ,, , S, e, t, A, d, a, p, t, e, r, M, o, d, e, ,, , S, e, t, A, d, a, p, t, e, r, s, S, t, a, r, t, u, p, M, o, d, e, ,, , S, e, t, H, w, P, a, c, k, e, t, F, i, l, t, e, r, ,, , S, e, t, M, T, U, D, e, c, r, e, m, e, n, t, ,, , S, e, t, P, a, c, k, e, t, E, v, e, n, t, ,, , S, e, t, P, a, c, k, e, t, F, i, l, t, e, r, T, a, b, l, e, ,, , S, e, t, W, A, N, E, v, e, n, t

First seen by VirusTotal
2009-06-05 12:08:22 UTC ( 2 years, 8 months ago )
Last seen by VirusTotal
2012-02-13 01:45:53 UTC ( 6 minutes ago )
File names (max. 25)

ndisapi.dll.vir
FE4C4F2696C7EF01FB5FC87B3E71D639
ndisapi.dll

Hi chiro.j.elliott,

How did you manage to get the file scanned?

Looks like a false positive so we'll restore the file.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.

Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE




DEQUARANTINE::
C:\Qoobox\Quarantine\C\WINDOWS\SysWOW64\DpPwdFlt.dll.vir

QUIT::



In the notepad
Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

A notepad will open called DeQuarantine.txt. Please post it's contents.

The file was in the syswow64 folder so i just clicked and drag to the scan bar on the website.

here is the latest Log!!

ComboFix 12-02-11.02 - Ryan 02/13/2012 11:31:40.1.2 - x64 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3393 [GMT -6:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\users\Ryan\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\DpPwdFlt.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))
.
.
2012-02-13 17:38 . 2012-02-13 17:50 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2012-02-13 17:38 . 2012-02-13 17:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-13 17:38 . 2012-02-13 17:38 -------- d-----w- c:\users\Becca\AppData\Local\temp
2012-02-12 19:47 . 2012-02-12 19:47 -------- d-----w- c:\users\Ryan\AppData\Roaming\Malwarebytes
2012-02-12 19:46 . 2012-02-12 19:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-12 19:46 . 2012-02-12 19:46 -------- d-----w- c:\programdata\Malwarebytes
2012-02-12 19:46 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-11 13:46 . 2012-02-11 21:22 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-02-11 13:46 . 2012-02-11 21:22 43960 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-02-09 19:31 . 2012-02-09 19:31 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:09 -------- d-----w- c:\users\Ryan\AppData\Roaming\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-02-09 19:03 . 2012-02-09 19:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\Roxio
2012-02-07 17:19 . 2012-02-07 17:19 0 ---ha-w- c:\users\Ryan\AppData\Local\BITD27A.tmp
2012-02-02 18:27 . 2012-01-17 10:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D93E9C8-597A-48DE-8268-1691E5413699}\mpengine.dll
2012-02-02 16:00 . 2012-02-02 17:29 -------- d-----w- c:\users\Ryan\AppData\Roaming\PCPro
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\PC Cleaners
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\programdata\PC1Data
2012-02-02 03:05 . 2012-02-02 03:05 -------- d-----w- c:\users\Ryan\AppData\Local\ElevatedDiagnostics
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\programdata\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\users\Ryan\AppData\Roaming\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-30 21:55 . 2012-01-30 21:55 -------- d-----w- c:\users\Becca\AppData\Local\Mozilla
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\ca-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\ca-ES
2012-01-30 20:44 . 2012-01-30 20:44 -------- d-----w- c:\windows\system32\EventProviders
2012-01-30 20:42 . 2011-11-10 11:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-30 20:36 . 2012-01-30 20:36 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 01:59 . 2012-01-30 01:59 -------- d-----w- c:\users\Becca\AppData\Roaming\Yahoo!
2012-01-30 01:31 . 2012-01-30 01:31 -------- d-----w- C:\RebateInformer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 16:39 . 2010-01-03 04:55 279096 ----a-w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-01-13 1081416]
.
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
wkcalrem.LNK - c:\program files (x86)\Microsoft Works\WkCalRem.exe [2007-11-28 46432]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-19 04:32]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 272896]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~2\Crawler\Toolbar\ctbr.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-13 11:55:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-13 17:55
ComboFix2.txt 2012-02-12 19:37
ComboFix3.txt 2012-02-11 14:04
.
Pre-Run: 217,579,298,816 bytes free
Post-Run: 217,559,085,056 bytes free
.
- - End Of File - - 655FE6BC24362D8248B22853071E5EE0

Hi chiro.j.elliott,

Combofix should not have ran a full run with that CFScript.

Please post the contents of this file

C:\Qoobox\ComboFix-quarantined-files.txt

2012-02-12 19:21:21 . 2012-02-13 17:31:22 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2012-02-11 14:03:47 . 2012-02-13 17:54:43 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8}.reg.dat
2012-02-11 14:03:47 . 2012-02-13 17:54:43 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D}.reg.dat
2012-02-11 13:53:56 . 2012-02-13 17:36:48 8,898 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-02-11 13:48:14 . 2012-02-13 17:29:50 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-06-13 00:57:56 . 2010-06-13 00:57:56 74 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\CLSV.tmp.vir
2010-06-13 00:47:33 . 2010-06-13 00:47:33 55 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\ppal.exe.vir
2010-06-12 13:57:42 . 2010-06-12 13:57:42 78 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\cid.drv.vir
2010-06-12 13:57:42 . 2010-06-12 13:57:42 33 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv.vir
2010-06-12 02:39:42 . 2010-06-12 02:39:42 71 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\cb.tmp.vir
2010-06-12 02:28:57 . 2010-06-12 02:28:57 18 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.dll.vir
2010-06-12 02:18:33 . 2010-06-12 02:18:33 9 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\FS.sys.vir
2010-06-12 01:58:53 . 2010-06-12 01:58:53 4 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\ppal.tmp.vir
2010-06-12 01:58:53 . 2010-06-12 01:58:53 53 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\energy.dll.vir
2010-06-12 01:58:52 . 2010-06-12 01:58:53 17 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\hymt.drv.vir
2010-06-12 01:58:52 . 2010-06-12 01:58:52 63 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys.vir
2010-06-12 01:58:52 . 2010-06-12 01:58:52 46 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\eb.tmp.vir
2010-06-12 01:58:52 . 2010-06-12 01:58:52 11 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\FS.exe.vir
2010-06-12 01:58:52 . 2010-06-12 23:45:04 73 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\PE.drv.vir
2010-06-12 01:58:48 . 2010-06-12 01:58:48 45 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\sld.drv.vir
2010-06-12 01:58:47 . 2010-06-12 01:58:47 49 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\eb.sys.vir
2010-06-12 01:58:47 . 2010-06-12 01:58:47 2 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\sld.sys.vir
2010-06-12 01:58:47 . 2010-06-12 01:58:47 31 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\hymt.dll.vir
2010-06-12 01:58:39 . 2010-06-12 01:58:39 14 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\kernel32.dll.vir
2010-06-12 01:58:36 . 2010-06-12 13:57:42 45 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\PE.dll.vir
2010-06-12 01:58:36 . 2010-06-12 01:58:36 63 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.dll.vir
2010-06-12 01:58:23 . 2010-06-12 01:58:23 50 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe.vir
2010-06-12 01:58:12 . 2010-06-12 01:58:12 4,286 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\de6342b\SMAV.ico.vir
2010-06-12 01:58:11 . 2010-06-12 01:58:11 334 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\de6342b\6738.mof.vir
2010-06-12 01:58:10 . 2009-01-14 09:14:07 1,929 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\de6342b\BackUp\QuickSet.lnk.vir
2010-06-12 01:58:10 . 2009-01-14 09:16:01 743 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\de6342b\BackUp\Bluetooth.lnk.vir
2010-06-12 01:58:10 . 2009-04-11 17:25:54 881 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\de6342b\BackUp\wkcalrem.LNK.vir
2010-06-12 01:58:10 . 2010-02-08 19:59:27 1,702 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\de6342b\BackUp\LimeWire On Startup.lnk.vir
2010-06-12 01:58:10 . 2009-02-24 00:00:32 1,815 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\de6342b\BackUp\Dell Dock.lnk.vir
2010-06-12 01:58:04 . 2010-06-12 01:58:04 12,252 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\de6342b\SMAVSys\vd952342.bd.vir
2010-03-26 17:06:12 . 2010-03-26 17:06:50 2,709,504 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\de6342b\CUde63.exe.vir
2009-07-04 16:21:42 . 2009-05-14 09:58:00 61,440 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\ndisapi.dll.vir
2009-07-04 16:21:42 . 2009-06-22 14:58:22 13,312 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\drivers\snetcfg.exe.vir
2009-05-31 00:16:08 . 2009-05-31 00:20:10 835 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-30 19-16-080.log.vir
2009-05-30 23:35:37 . 2009-05-30 23:37:13 835 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-30 18-35-370.log.vir
2009-05-30 23:10:38 . 2009-05-30 23:12:07 835 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-30 18-10-380.log.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 228 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-68.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 196 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-67.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 180 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-66.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 176 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-65.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 252 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-64.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 248 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-63.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 200 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-62.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 236 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-61.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 200 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-60.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 168 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-59.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 156 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-58.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 168 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-57.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 248 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-56.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 116 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-55.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 232 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-54.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 176 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-53.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 208 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-52.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 196 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-51.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 188 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-50.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 196 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-49.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 196 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-48.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 188 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-47.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 180 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-46.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 180 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-45.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 220 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-44.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 196 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-43.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 188 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-42.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 164 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-41.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 160 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-40.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 256 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-39.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 116 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-38.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 204 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-37.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 320 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-36.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 316 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-35.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 160 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-34.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 176 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-33.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 364 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-32.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 156 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-31.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 172 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-30.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 336 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-29.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 196 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-28.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 332 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-27.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 192 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-26.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 208 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-25.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 396 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-24.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 188 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-23.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 204 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-22.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 368 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-21.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 272 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-20.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 308 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-19.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 160 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-18.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 156 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-17.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 144 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-16.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 236 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-15.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 140 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-14.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 232 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-13.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 164 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-12.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 168 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-11.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 164 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-10.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 148 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-9.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 176 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-8.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 156 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-7.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 156 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-6.db.vir
2009-05-30 01:17:01 . 2009-05-30 01:17:01 212 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-5.db.vir
2009-05-30 01:17:00 . 2009-05-30 01:17:01 144 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-4.db.vir
2009-05-30 01:17:00 . 2009-05-30 01:17:00 148 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-3.db.vir
2009-05-30 01:17:00 . 2009-05-30 01:17:00 240 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-2.db.vir
2009-05-30 01:17:00 . 2009-05-30 01:17:00 240 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-1.db.vir
2009-05-30 01:17:00 . 2009-05-30 01:17:00 232 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\regb-0.db.vir
2009-05-30 01:17:00 . 2009-05-30 01:17:01 4 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\QuarantineW\2009-05-29 20-17-000\filelist.db.vir
2009-05-30 01:15:27 . 2009-05-30 01:16:57 3,150 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\Results\Update.db.vir
2009-05-30 01:15:27 . 2009-05-30 01:16:57 2,009,788 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\Results\Evidence.db.vir
2009-05-30 01:15:27 . 2009-05-30 01:16:57 7,612 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\Results\Junk.db.vir
2009-05-30 01:15:27 . 2009-05-30 01:16:57 75,670 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\Results\Registry.db.vir
2009-05-30 01:15:13 . 2009-05-30 01:17:01 64,906 ----a-w- C:\Qoobox\Quarantine\C\Users\Ryan\AppData\Roaming\RegTool\Logs\2009-05-29 20-15-130.log.vir

Hi chiro.j.elliott,

Let's see if we can get a peek at what is loading or trying to load at startup. This will also show us how much you can do in normal windows. If you don't have another computer which you can view these instructions, please print them out.

In safe mode

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) and save it to C:\

Next

Boot to normal windows.

In normal windows

Open Task Manager with ctrl,alt,del as you have been doing.
In Task Manager, click the Options button
check mark Allways on Top
This will keep Taskmanager from disappearing when you click on anything else.

In Task Manager
click file
click New Task(Run...)
type the following line into the open: field
iexplore
click ok


Internet Explorer should open. Browse to this topic and continue.

Using your left mouse button, click on the top blue portion of Task Manager and slide it down to the lower part of your screen so these instructions are visible.

Next
Holding down your left mouse button, highlight all the text in the codebox below.
Do not copy the word CODE ,
right click the highlighted text and choose copy




HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDISRD /s
HKEY_CURRENT_USER\Control Panel\Desktop|foregroundlocktimeout /rs
/md5start
DpPwdFlt.*
snetcfg.*
NetFilter.*
ndisrd.*
/md5stop


In Task Manager
click file
click New Task(Run...)
type the following line into the open: field
C:\OTL.exe
click ok
OTL should open.

Right click anywhere in the white field under Custom Scans and Fixes and choose paste.
the text you copied earlier should appear
Click the Run Scan button
A log named OTL.txt should open please copy and paste it's contents in your next reply.

Another log named Extra.txt will be saved at C:\ (OTL.txt can also be found there). Please post it also. you may even be able to attach the logs.

I am posting this from normal windows!!



OTL logfile created on: 2/14/2012 2:33:15 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.96 Gb Total Physical Memory | 2.31 Gb Available Physical Memory | 58.37% Memory free
8.09 Gb Paging File | 6.38 Gb Available in Paging File | 78.89% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 288.01 Gb Total Space | 202.76 Gb Free Space | 70.40% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 3.25 Gb Free Space | 32.49% Space Free | Partition Type: NTFS
Drive E: | 557.71 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: RYAN-PC | User Name: Ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/14 14:14:53 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\OTL.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV:[b]64bit: - [2008/12/22 23:55:34 | 002,479,864 | ---- | M] (AuthenTec, Inc.) [Disabled | Stopped] -- C:\Program Files\Fingerprint Sensor\ATService.exe -- (ATService)
SRV:64bit: - [2008/11/20 04:21:12 | 000,031,744 | ---- | M] () [Disabled | Stopped] -- C:\Windows\SysNative\WLTRYSVC.EXE -- (wltrysvc)
SRV:64bit: - [2008/09/23 22:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) [Disabled | Stopped] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV:64bit: - [2008/08/25 04:31:36 | 000,251,904 | ---- | M] (IDT, Inc.) [Disabled | Stopped] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_a2af78c4\STacSV64.exe -- (STacSV)
SRV:64bit: - [2008/08/25 04:31:22 | 000,086,016 | ---- | M] (Andrea Electronics Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe -- (AESTFilters)
SRV:64bit: - [2008/01/20 20:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/08/04 08:54:56 | 003,542,616 | ---- | M] () [Auto | Stopped] -- c:\Program Files (x86)\Common Files\Akamai\netsession_win_2da1ebd.dll -- (Akamai)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/03/29 22:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Disabled | Stopped] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/06/09 12:47:36 | 000,322,624 | ---- | M] (DigitalPersona, Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe -- (DpHost)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/02/09 13:08:52 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2010/08/25 19:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/03/08 10:03:36 | 000,067,104 | ---- | M] (ITE Tech. Inc. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\itecir.sys -- (itecir)
DRV:64bit: - [2009/04/10 23:03:32 | 000,111,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus)
DRV:64bit: - [2008/12/23 00:54:58 | 000,548,864 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV:64bit: - [2008/11/20 04:20:52 | 000,022,520 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BCM42RLY.sys -- (BCM42RLY)
DRV:64bit: - [2008/11/14 17:25:42 | 000,029,184 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\motmodem.sys -- (motmodem)
DRV:64bit: - [2008/10/27 05:21:50 | 001,374,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\bcmwl664.sys -- (BCM43XX)
DRV:64bit: - [2008/10/27 00:25:30 | 000,315,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\OA001Vid.sys -- (OA001Vid)
DRV:64bit: - [2008/10/27 00:25:30 | 000,168,864 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\OA001Ufd.sys -- (OA001Ufd)
DRV:64bit: - [2008/09/03 05:59:18 | 000,126,464 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)
DRV:64bit: - [2008/08/25 05:26:08 | 000,199,728 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2008/08/25 04:31:46 | 000,458,752 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\stwrt64.sys -- (STHDA)
DRV:64bit: - [2008/08/22 11:05:40 | 000,030,088 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\swmsflt.sys -- (swmsflt)
DRV:64bit: - [2008/08/20 12:41:52 | 000,191,872 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\swumx80.sys -- (SWUMX80) Sierra Wireless USB MUX Driver (UMTS80)
DRV:64bit: - [2008/08/20 12:40:48 | 000,200,192 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\swnc8u80.sys -- (SWNC8U80) Sierra Wireless MUX NDIS Driver (UMTS80)
DRV:64bit: - [2008/07/17 04:59:12 | 000,057,856 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\rixdpx64.sys -- (rismxdp)
DRV:64bit: - [2008/07/17 04:59:10 | 000,062,976 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\rimmpx64.sys -- (rimmptsk)
DRV:64bit: - [2008/07/17 04:59:08 | 000,055,296 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\rimspx64.sys -- (rimsptsk)
DRV:64bit: - [2008/07/16 05:50:42 | 000,239,104 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\k57nd60a.sys -- (k57nd60a) Broadcom NetLink (TM)
DRV:64bit: - [2008/06/16 03:25:20 | 000,019,880 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\btwrchid.sys -- (btwrchid)
DRV:64bit: - [2008/06/16 03:25:14 | 000,036,392 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\btwl2cap.sys -- (btwl2cap)
DRV:64bit: - [2008/06/16 03:25:12 | 000,120,872 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)
DRV:64bit: - [2008/06/16 03:25:10 | 000,092,200 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwaudio.sys -- (btwaudio)
DRV:64bit: - [2008/01/20 20:46:55 | 000,317,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express) Intel(R)
DRV:64bit: - [2007/11/14 03:00:00 | 000,053,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2006/11/02 01:48:50 | 002,488,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (R300)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\otis@digitalpersona.com: C:\Program Files (x86)\DigitalPersona\Bin\FirefoxExt\ [2009/01/14 03:26:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/02/11 15:22:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\otis@digitalpersona.com: C:\Program Files (x86)\DigitalPersona\Bin\firefoxext [2009/01/14 03:26:01 | 000,000,000 | ---D | M]

[2010/02/08 13:59:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Extensions
[2010/02/08 13:59:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2012/02/01 14:06:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\extensions
[2012/02/11 07:46:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/02/11 15:22:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\distribution\extensions
() (No name found) -- C:\USERS\RYAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\R5A2VP3K.DEFAULT\EXTENSIONS\TESTPILOT@LABS.MOZILLA.COM.XPI
[2012/02/11 15:22:07 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/01/24 05:21:10 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/01/24 05:21:10 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/13 11:49:57 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (&Crawler Toolbar Helper) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll (Malwarebytes Corporation)
O4 - Startup: C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkcalrem.LNK = C:\Program Files (x86)\Microsoft Works\WkCalRem.exe (Microsoft® Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 2
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9:64bit: - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} http://www.worldwinner.com/games/v57/wof/wof.cab (WoF Control)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2961302D-0820-4732-9602-FF83D5402027}: DhcpNameServer = 209.183.50.151 209.183.50.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3F989BEA-572A-4367-97B7-768ECC652223}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FB2F24BD-7F6D-4397-9084-EBC202AA3EF3}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\tbr - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\tbr {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Ryan\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Ryan\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/04 06:00:00 | 000,000,110 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/14 14:14:45 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\OTL.exe
[2012/02/13 11:55:49 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/02/13 11:55:49 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\temp
[2012/02/13 11:50:10 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/02/12 13:47:03 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Malwarebytes
[2012/02/12 13:46:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/12 13:46:57 | 000,023,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/02/12 13:46:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/02/12 13:46:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/02/12 13:43:57 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Ryan\Desktop\mbam-setup-1.60.1.1000.exe
[2012/02/11 07:48:17 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/02/11 07:48:17 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/02/11 07:48:17 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/02/11 07:48:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/11 07:46:06 | 004,401,300 | R--- | C] (Swearware) -- C:\Users\Ryan\Desktop\ComboFix.exe
[2012/02/09 13:31:53 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/02/09 13:31:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2012/02/09 13:31:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2012/02/09 13:21:11 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HijackThis.exe
[2012/02/09 13:17:50 | 002,405,576 | ---- | C] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher64.exe
[2012/02/09 13:09:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite
[2012/02/09 13:08:52 | 000,283,200 | ---- | C] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys
[2012/02/09 13:08:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DAEMON Tools Lite
[2012/02/09 13:08:12 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\DAEMON Tools Lite
[2012/02/09 13:08:10 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2012/02/09 13:06:50 | 002,002,320 | ---- | C] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher.exe
[2012/02/09 13:05:04 | 014,190,784 | ---- | C] (DT Soft Ltd.) -- C:\Users\Ryan\Desktop\DTLite4452-0287.exe
[2012/02/09 13:03:24 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Roxio
[2012/02/09 12:58:23 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012/02/02 10:00:17 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\PCPro
[2012/02/02 10:00:17 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\PC Cleaners
[2012/02/02 10:00:11 | 000,000,000 | ---D | C] -- C:\ProgramData\PC1Data
[2012/02/01 21:05:16 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\ElevatedDiagnostics
[2012/02/01 16:46:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Uniblue
[2012/02/01 16:46:19 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Uniblue
[2012/02/01 16:46:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Uniblue
[2012/01/30 15:30:40 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\vi-VN
[2012/01/30 15:30:40 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\vi-VN
[2012/01/30 15:30:40 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\eu-ES
[2012/01/30 15:30:40 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\eu-ES
[2012/01/30 15:30:40 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\ca-ES
[2012/01/30 15:30:40 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\ca-ES
[2012/01/30 14:44:59 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\EventProviders
[2012/01/30 14:42:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2012/01/30 14:42:10 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
[2012/01/30 14:42:10 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2012/01/30 14:42:10 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2012/01/30 14:42:10 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2012/01/30 14:36:22 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/01/29 22:52:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video&sound
[2012/01/29 22:16:28 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\Mozilla
[2012/01/29 19:31:48 | 000,000,000 | ---D | C] -- C:\RebateInformer
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Users\Ryan\AppData\Local\*.tmp files -> C:\Users\Ryan\AppData\Local\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/14 14:34:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/14 14:34:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/14 14:32:19 | 000,703,388 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/02/14 14:32:19 | 000,604,502 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/02/14 14:32:19 | 000,104,170 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/02/14 14:24:23 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/14 14:24:23 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/14 14:24:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/14 14:14:53 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
[2012/02/13 11:49:57 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/02/13 11:48:05 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/02/12 13:46:58 | 000,000,950 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/12 13:46:04 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Ryan\Desktop\mbam-setup-1.60.1.1000.exe
[2012/02/11 07:46:16 | 004,401,300 | R--- | M] (Swearware) -- C:\Users\Ryan\Desktop\ComboFix.exe
[2012/02/09 15:22:27 | 000,009,019 | ---- | M] () -- C:\Users\Ryan\Desktop\attach.zip
[2012/02/09 13:31:29 | 000,000,945 | ---- | M] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/09 13:31:19 | 000,000,765 | ---- | M] () -- C:\Users\Ryan\Desktop\NTREGOPT.lnk
[2012/02/09 13:31:19 | 000,000,746 | ---- | M] () -- C:\Users\Ryan\Desktop\ERUNT.lnk
[2012/02/09 13:26:01 | 000,692,831 | ---- | M] () -- C:\Users\Ryan\AppData\Local\census.cache
[2012/02/09 13:25:52 | 000,151,775 | ---- | M] () -- C:\Users\Ryan\AppData\Local\ars.cache
[2012/02/09 13:21:11 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HijackThis.exe
[2012/02/09 13:17:53 | 002,405,576 | ---- | M] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher64.exe
[2012/02/09 13:14:12 | 000,001,356 | ---- | M] () -- C:\Users\Ryan\AppData\Local\d3d9caps.dat
[2012/02/09 13:13:49 | 002,002,320 | ---- | M] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher.exe
[2012/02/09 13:11:00 | 000,000,036 | ---- | M] () -- C:\Users\Ryan\AppData\Local\housecall.guid.cache
[2012/02/09 13:08:52 | 000,283,200 | ---- | M] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys
[2012/02/09 13:05:53 | 001,402,880 | ---- | M] () -- C:\Users\Ryan\Desktop\HiJackThis.msi
[2012/02/09 13:05:19 | 014,190,784 | ---- | M] (DT Soft Ltd.) -- C:\Users\Ryan\Desktop\DTLite4452-0287.exe
[2012/02/09 12:43:33 | 060,979,200 | ---- | M] () -- C:\Users\Ryan\Desktop\PCRegedit.iso
[2012/02/01 22:27:00 | 000,000,176 | ---- | M] () -- C:\MSsupport.htm
[2012/02/01 14:05:56 | 000,000,732 | ---- | M] () -- C:\Users\Ryan\AppData\Local\d3d9caps64.dat
[2012/01/30 15:35:10 | 000,280,704 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/01/30 14:36:22 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/01/29 23:02:28 | 000,000,998 | ---- | M] () -- C:\Users\Ryan\AppData\Roaming\wklnhst.dat
[2012/01/29 22:28:23 | 000,000,121 | ---- | M] () -- C:\Windows\wininit.ini
[2012/01/29 22:16:21 | 000,000,890 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/01/29 21:45:36 | 000,441,257 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120129-223201.backup
[2012/01/29 21:38:42 | 000,441,257 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120129-214536.backup
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Users\Ryan\AppData\Local\*.tmp files -> C:\Users\Ryan\AppData\Local\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/12 13:46:58 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/11 07:48:17 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/02/11 07:48:17 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/02/11 07:48:17 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/02/11 07:48:17 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/02/11 07:48:17 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/02/09 15:22:27 | 000,009,019 | ---- | C] () -- C:\Users\Ryan\Desktop\attach.zip
[2012/02/09 13:31:29 | 000,000,945 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/09 13:31:19 | 000,000,765 | ---- | C] () -- C:\Users\Ryan\Desktop\NTREGOPT.lnk
[2012/02/09 13:31:19 | 000,000,746 | ---- | C] () -- C:\Users\Ryan\Desktop\ERUNT.lnk
[2012/02/09 13:26:01 | 000,692,831 | ---- | C] () -- C:\Users\Ryan\AppData\Local\census.cache
[2012/02/09 13:25:52 | 000,151,775 | ---- | C] () -- C:\Users\Ryan\AppData\Local\ars.cache
[2012/02/09 13:11:00 | 000,000,036 | ---- | C] () -- C:\Users\Ryan\AppData\Local\housecall.guid.cache
[2012/02/09 13:05:53 | 001,402,880 | ---- | C] () -- C:\Users\Ryan\Desktop\HiJackThis.msi
[2012/02/09 12:42:06 | 060,979,200 | ---- | C] () -- C:\Users\Ryan\Desktop\PCRegedit.iso
[2012/02/01 22:27:00 | 000,000,176 | ---- | C] () -- C:\MSsupport.htm
[2012/02/01 13:57:56 | 000,000,732 | ---- | C] () -- C:\Users\Ryan\AppData\Local\d3d9caps64.dat
[2012/01/30 10:52:23 | 000,280,704 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/01/29 22:28:23 | 000,000,121 | ---- | C] () -- C:\Windows\wininit.ini
[2012/01/29 22:16:21 | 000,000,902 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/01/29 22:16:21 | 000,000,890 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/08/25 19:34:30 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2010/08/25 19:34:30 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2010/08/25 19:34:30 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2010/08/25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2010/08/25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
[2010/02/22 22:03:05 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/09/16 14:45:18 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/09/16 14:44:22 | 000,107,612 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
[2009/09/16 14:43:29 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/07/04 10:21:42 | 000,028,672 | ---- | C] () -- C:\Windows\SysWow64\NFUninstall.exe
[2009/04/11 11:12:25 | 000,001,356 | ---- | C] () -- C:\Users\Ryan\AppData\Local\d3d9caps.dat
[2009/02/24 14:16:35 | 000,000,998 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\wklnhst.dat
[2009/02/24 13:58:15 | 000,009,728 | ---- | C] () -- C:\Users\Ryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/14 04:40:02 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin
[2009/01/14 04:12:33 | 000,147,172 | ---- | C] () -- C:\Windows\SysWow64\igfcg550.bin
[2009/01/14 03:17:49 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2008/01/20 20:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2006/11/02 09:37:05 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 06:37:14 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2006/11/02 06:24:17 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2006/11/02 06:18:17 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2006/11/02 03:47:54 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

========== Custom Scans ==========


< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDISRD /s >
"FN" = @yOaTVCNRyG@O_JpSwW\e!!
"FNU" = HjoQL<CqT>wpJLG@>vwQL
"ApiDll" = =eSNVBs_N`KlVvw`r!

< HKEY_CURRENT_USER\Control Panel\Desktop|foregroundlocktimeout /rs >
HKEY_CURRENT_USER\Control Panel\Desktop\\ForegroundLockTimeout: 0


< MD5 for: DPPWDFLT.DLL >
[2008/06/09 12:47:36 | 000,150,592 | ---- | M] (DigitalPersona, Inc.) MD5=BD6AFDFA9482A97A47FEF17ADE5AFFC8 -- C:\Windows\SysWOW64\DpPwdFlt.dll

< MD5 for: SNETCFG.EXE.VIR >
[2009/06/22 08:58:22 | 000,013,312 | ---- | M] (Windows (R) Server 2003 DDK provider) MD5=70DC35386A3061A16C3C22389C3EBF2B -- C:\Qoobox\Quarantine\C\Windows\SysWOW64\drivers\snetcfg.exe.vir

< End of report >

extras report is attached!!!

Hi chiro.j.elliott,

I take it you are in normal windows but are running things from task manager?

This is looking promising. I need to have a look at a couple of more items.







Next
Holding down your left mouse button, highlight all the text in the codebox below.
Do not copy the word CODE ,
right click the highlighted text and choose copy




HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS /s
/md5start
ndis.sys.*
ndisapi.*
/md5stop


In Task Manager
click file
click New Task(Run...)
type the following line into the open: field
C:\OTL.exe
click ok
OTL should open.

Click the None button (it may look greyed out) this will make for a shorter log.

Right click anywhere in the white field under Custom Scans and Fixes and choose paste.
the text you copied earlier should appear
Click the Run Scan button
A log named OTL.txt should open please copy and paste it's contents in your next reply. There will be no Extra.txt this time.

OTL logfile created on: 2/15/2012 10:25:39 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19190)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.96 Gb Total Physical Memory | 2.61 Gb Available Physical Memory | 65.99% Memory free
8.09 Gb Paging File | 6.69 Gb Available in Paging File | 82.73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 288.01 Gb Total Space | 197.72 Gb Free Space | 68.65% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 3.25 Gb Free Space | 32.49% Space Free | Partition Type: NTFS
Drive E: | 557.71 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: RYAN-PC | User Name: Ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS /s >
"DisplayName" = NDIS System Driver
"Group" = NDIS Wrapper
"ImagePath" = system32\drivers\ndis.sys
"Description" = NDIS System Driver
"ErrorControl" = 3
"Start" = 0
"Type" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS\IfTypes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS\IfTypes\1]
"IfType" = 1
"IfUsedNetLuidIndices" = 01 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS\IfTypes\131]
"IfType" = 131
"IfUsedNetLuidIndices" = FF FB BF 03 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS\IfTypes\23]
"IfType" = 23
"IfUsedNetLuidIndices" = 03 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS\IfTypes\24]
"IfType" = 24
"IfUsedNetLuidIndices" = 01 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS\IfTypes\6]
"IfType" = 6
"IfUsedNetLuidIndices" = A9 03 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS\IfTypes\71]
"IfType" = 71
"IfUsedNetLuidIndices" = 01 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS\IfTypes\71\1]
"PortAuthReceiveAuthorizationState" = 2
"PortAuthReceiveControlState" = 2
"PortAuthSendAuthorizationState" = 2
"PortAuthSendControlState" = 2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS\Parameters]
"PortAuthReceiveAuthorizationState" = 2
"PortAuthReceiveControlState" = 2
"PortAuthSendAuthorizationState" = 2
"PortAuthSendControlState" = 2
"ProcessorAffinityMask" = -1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NDIS\Enum]
"0" = Root\LEGACY_NDIS\0000
"Count" = 1
"NextInstance" = 1


< MD5 for: NDIS.SYS >
[2008/01/20 20:50:38 | 000,739,384 | ---- | M] (Microsoft Corporation) MD5=2A2EE457AF36C5C9A6808C768BD3A12B -- C:\Windows\winsxs\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_03e5c74ad46c7e4e\ndis.sys
[2008/02/07 22:41:30 | 000,643,640 | ---- | M] (Microsoft Corporation) MD5=37A917C8586225B0D04E407C11639B7E -- C:\Windows\winsxs\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.0.6000.20768_none_02504837f08cff85\ndis.sys
[2009/04/11 01:15:34 | 000,738,264 | ---- | M] (Microsoft Corporation) MD5=65950E07329FCEE8E6516B17C8D0ABB6 -- C:\Windows\ERDNT\cache64\ndis.sys
[2009/04/11 01:15:34 | 000,738,264 | ---- | M] (Microsoft Corporation) MD5=65950E07329FCEE8E6516B17C8D0ABB6 -- C:\Windows\SysNative\drivers\ndis.sys
[2009/04/11 01:15:34 | 000,738,264 | ---- | M] (Microsoft Corporation) MD5=65950E07329FCEE8E6516B17C8D0ABB6 -- C:\Windows\winsxs\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_05d14056d18e499a\ndis.sys
[2008/02/08 11:31:28 | 000,739,384 | ---- | M] (Microsoft Corporation) MD5=F9A3AE5C9F047D71A36A99F9ABCA7D02 -- C:\Windows\winsxs\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.22110_none_04649429ed923a09\ndis.sys

< MD5 for: NDISAPI.DLL.VIR >
[2009/05/14 03:58:00 | 000,061,440 | ---- | M] (NT Kernel Resources) MD5=FE4C4F2696C7EF01FB5FC87B3E71D639 -- C:\Qoobox\Quarantine\C\Windows\SysWOW64\ndisapi.dll.vir

< End of report >

Hi chiro.j.elliott,

Sorry for the delay.

Let's take a run at this with combofix in normal windows. If possible let it finish up in normal windows.

It may take out the bit of malware that I see and may also find more, might even fix or identify the problem.

In Task Manager
click file
click New Task(Run...)
copy and paste the following line into the open: field
c:\users\Ryan\Desktop\ComboFix.exe
click ok
Combofix should start running.

Please post the log. Any change in the computer?

ran combofix it said something about expired and running in limited mode but it ran and report is posted am going to try rebooting to reg mode (normal) now !!!


ComboFix 12-02-11.02 - Ryan 02/16/2012 13:43:12.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.2466 [GMT -6:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
.
2012-02-16 19:45 . 2012-02-16 19:46 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2012-02-16 19:45 . 2012-02-16 19:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-16 19:45 . 2012-02-16 19:45 -------- d-----w- c:\users\Becca\AppData\Local\temp
2012-02-15 16:50 . 2011-03-12 22:52 1653760 ----a-w- c:\windows\system32\XpsPrint.dll
2012-02-15 16:50 . 2011-03-12 21:55 876032 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2012-02-15 09:58 . 2012-02-15 09:58 -------- d-----w- c:\windows\SysWow64\spool
2012-02-15 09:58 . 2012-02-15 09:58 -------- d-----w- c:\program files\Windows Portable Devices
2012-02-15 09:58 . 2012-02-15 09:58 -------- d-----w- c:\program files (x86)\Windows Portable Devices
2012-02-15 09:39 . 2009-10-01 01:02 30208 ----a-w- c:\windows\SysWow64\WPDShextAutoplay.exe
2012-02-15 09:04 . 2009-09-10 02:05 103424 ----a-w- c:\windows\system32\UIAnimation.dll
2012-02-15 09:04 . 2009-09-10 02:00 92672 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2012-02-15 09:04 . 2009-09-10 02:07 3815424 ----a-w- c:\windows\system32\UIRibbon.dll
2012-02-15 09:04 . 2009-09-10 02:06 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2012-02-15 09:04 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\SysWow64\UIRibbon.dll
2012-02-15 09:04 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\SysWow64\UIRibbonRes.dll
2012-02-14 23:54 . 2011-12-15 06:42 77312 ----a-w- c:\windows\system32\iesetup.dll
2012-02-14 23:53 . 2011-07-29 16:08 375808 ----a-w- c:\windows\system32\psisdecd.dll
2012-02-14 23:53 . 2011-07-29 16:08 289792 ----a-w- c:\windows\system32\psisrndr.ax
2012-02-14 23:53 . 2011-07-29 16:06 73216 ----a-w- c:\windows\system32\MSDvbNP.ax
2012-02-14 23:53 . 2011-07-29 16:06 100352 ----a-w- c:\windows\system32\Mpeg2Data.ax
2012-02-14 23:53 . 2011-07-29 16:01 293376 ----a-w- c:\windows\SysWow64\psisdecd.dll
2012-02-14 23:53 . 2011-07-29 16:01 217088 ----a-w- c:\windows\SysWow64\psisrndr.ax
2012-02-14 23:53 . 2011-07-29 16:00 57856 ----a-w- c:\windows\SysWow64\MSDvbNP.ax
2012-02-14 23:53 . 2011-07-29 16:00 69632 ----a-w- c:\windows\SysWow64\Mpeg2Data.ax
2012-02-14 23:53 . 2011-12-20 10:56 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2012-02-14 23:53 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-02-14 23:53 . 2011-09-20 21:06 1426304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-02-14 23:52 . 2011-02-22 14:47 479744 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2012-02-14 23:52 . 2011-02-22 14:13 288768 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2012-02-14 23:52 . 2011-02-22 13:53 1555968 ----a-w- c:\windows\system32\DWrite.dll
2012-02-14 23:52 . 2011-02-22 13:53 1149440 ----a-w- c:\windows\system32\FntCache.dll
2012-02-14 23:52 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-14 23:51 . 2011-10-25 16:13 1570816 ----a-w- c:\windows\system32\quartz.dll
2012-02-14 23:51 . 2011-10-25 16:13 352256 ----a-w- c:\windows\system32\qdvd.dll
2012-02-14 23:51 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\SysWow64\quartz.dll
2012-02-14 23:51 . 2011-10-25 15:58 497152 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-02-14 23:51 . 2011-11-08 14:58 2048 ----a-w- c:\windows\system32\tzres.dll
2012-02-14 23:51 . 2011-11-08 14:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-02-14 23:49 . 2011-11-17 06:53 515968 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-02-14 23:48 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
2012-02-14 23:48 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
2012-02-14 23:48 . 2011-04-21 14:17 695296 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-02-14 23:48 . 2009-06-17 10:37 35328 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2012-02-14 23:47 . 2012-01-17 10:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DCCE0D40-3C03-441B-8DA9-95011F36DEB9}\mpengine.dll
2012-02-14 23:47 . 2011-11-25 16:25 451072 ----a-w- c:\windows\system32\winsrv.dll
2012-02-14 23:47 . 2011-06-20 08:45 4699536 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-02-14 23:40 . 2011-11-18 18:07 76800 ----a-w- c:\windows\system32\packager.dll
2012-02-14 23:40 . 2011-11-18 17:47 66560 ----a-w- c:\windows\SysWow64\packager.dll
2012-02-14 20:14 . 2012-02-14 20:14 584192 ----a-w- C:\OTL.exe
2012-02-12 19:47 . 2012-02-12 19:47 -------- d-----w- c:\users\Ryan\AppData\Roaming\Malwarebytes
2012-02-12 19:46 . 2012-02-12 19:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-12 19:46 . 2012-02-12 19:46 -------- d-----w- c:\programdata\Malwarebytes
2012-02-12 19:46 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-11 13:46 . 2012-02-11 21:22 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-02-11 13:46 . 2012-02-11 21:22 43960 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-02-09 19:31 . 2012-02-09 19:31 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:09 -------- d-----w- c:\users\Ryan\AppData\Roaming\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-02-09 19:03 . 2012-02-09 19:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\Roxio
2012-02-07 17:19 . 2012-02-07 17:19 0 ---ha-w- c:\users\Ryan\AppData\Local\BITD27A.tmp
2012-02-02 16:00 . 2012-02-02 17:29 -------- d-----w- c:\users\Ryan\AppData\Roaming\PCPro
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\PC Cleaners
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\programdata\PC1Data
2012-02-02 03:05 . 2012-02-02 03:05 -------- d-----w- c:\users\Ryan\AppData\Local\ElevatedDiagnostics
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\programdata\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\users\Ryan\AppData\Roaming\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-30 21:55 . 2012-01-30 21:55 -------- d-----w- c:\users\Becca\AppData\Local\Mozilla
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\ca-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\ca-ES
2012-01-30 20:44 . 2012-01-30 20:44 -------- d-----w- c:\windows\system32\EventProviders
2012-01-30 20:42 . 2011-11-10 11:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-30 20:36 . 2012-01-30 20:36 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 01:59 . 2012-01-30 01:59 -------- d-----w- c:\users\Becca\AppData\Roaming\Yahoo!
2012-01-30 01:31 . 2012-01-30 01:31 -------- d-----w- C:\RebateInformer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-29 11:10 . 2010-01-03 04:55 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-01-13 1081416]
.
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
wkcalrem.LNK - c:\program files (x86)\Microsoft Works\WkCalRem.exe [2007-11-28 46432]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
- c:\windows\system32\msfeedssync.exe [2012-02-14 04:44]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 272896]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~2\Crawler\Toolbar\ctbr.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-16 13:51:42
ComboFix-quarantined-files.txt 2012-02-16 19:51
ComboFix2.txt 2012-02-13 17:55
ComboFix3.txt 2012-02-12 19:37
ComboFix4.txt 2012-02-11 14:04
.
Pre-Run: 212,997,038,080 bytes free
Post-Run: 212,986,986,496 bytes free
.
- - End Of File - - B1556404B3A11119BA4C36CF67763E17

No Change in windows loading area!! still having to run everything from task manager!! Here is sequence of boot

windowns loads fine to login screen-- click on login name and i get 00xc000022 error saying explorer.exe has failed to initializes- hit close windows loads blank screen nothing running-- error message apperers saying Microsoft mobile PC presentation adaptability client stopped working-- must hit close button--- second message windows explore has stopped working-- must hit close button-- from there i have a blank screen but can CTRL-ALT- DEL to task manager

hope something helps!!

Hi chiro.j.elliott,

I'm looking at another possible solution but in the meantime we'll remove the traces.

Lets give combofix a run in safemode. Boot to safe mode with networking.

Delete the copy of combofix you have from your desktop and download a new one from

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

Save it to your desktop. Do not run it.

Open a new Notepad session
Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.

Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE



Driver::
NDISRD

Registry::
[HKEY_CURRENT_USER\Control Panel\Desktop]
"foregroundlocktimeout"=dword:00030d40

In the notepad
Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

ComboFix 12-02-17.02 - Ryan 02/18/2012 13:20:08.2.2 - x64 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4054.3372 [GMT -6:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\users\Ryan\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\DpPwdFlt.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NDISRD
.
.
((((((((((((((((((((((((( Files Created from 2012-01-18 to 2012-02-18 )))))))))))))))))))))))))))))))
.
.
2012-02-18 19:26 . 2012-02-18 19:29 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2012-02-18 19:26 . 2012-02-18 19:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-18 19:26 . 2012-02-18 19:26 -------- d-----w- c:\users\Becca\AppData\Local\temp
2012-02-17 10:09 . 2012-01-17 10:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{929D0A21-9A37-4B32-AC5C-AE4396D4B85A}\mpengine.dll
2012-02-15 16:50 . 2011-03-12 22:52 1653760 ----a-w- c:\windows\system32\XpsPrint.dll
2012-02-15 16:50 . 2011-03-12 21:55 876032 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2012-02-15 09:58 . 2012-02-15 09:58 -------- d-----w- c:\windows\SysWow64\spool
2012-02-15 09:58 . 2012-02-15 09:58 -------- d-----w- c:\program files\Windows Portable Devices
2012-02-15 09:58 . 2012-02-15 09:58 -------- d-----w- c:\program files (x86)\Windows Portable Devices
2012-02-15 09:39 . 2009-10-01 01:02 30208 ----a-w- c:\windows\SysWow64\WPDShextAutoplay.exe
2012-02-15 09:04 . 2009-09-10 02:05 103424 ----a-w- c:\windows\system32\UIAnimation.dll
2012-02-15 09:04 . 2009-09-10 02:00 92672 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2012-02-15 09:04 . 2009-09-10 02:07 3815424 ----a-w- c:\windows\system32\UIRibbon.dll
2012-02-15 09:04 . 2009-09-10 02:06 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2012-02-15 09:04 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\SysWow64\UIRibbon.dll
2012-02-15 09:04 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\SysWow64\UIRibbonRes.dll
2012-02-14 23:54 . 2011-12-15 06:42 77312 ----a-w- c:\windows\system32\iesetup.dll
2012-02-14 23:53 . 2011-07-29 16:08 375808 ----a-w- c:\windows\system32\psisdecd.dll
2012-02-14 23:53 . 2011-07-29 16:08 289792 ----a-w- c:\windows\system32\psisrndr.ax
2012-02-14 23:53 . 2011-07-29 16:06 73216 ----a-w- c:\windows\system32\MSDvbNP.ax
2012-02-14 23:53 . 2011-07-29 16:06 100352 ----a-w- c:\windows\system32\Mpeg2Data.ax
2012-02-14 23:53 . 2011-07-29 16:01 293376 ----a-w- c:\windows\SysWow64\psisdecd.dll
2012-02-14 23:53 . 2011-07-29 16:01 217088 ----a-w- c:\windows\SysWow64\psisrndr.ax
2012-02-14 23:53 . 2011-07-29 16:00 57856 ----a-w- c:\windows\SysWow64\MSDvbNP.ax
2012-02-14 23:53 . 2011-07-29 16:00 69632 ----a-w- c:\windows\SysWow64\Mpeg2Data.ax
2012-02-14 23:53 . 2011-12-20 10:56 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2012-02-14 23:53 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-02-14 23:53 . 2011-09-20 21:06 1426304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-02-14 23:52 . 2011-02-22 14:47 479744 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2012-02-14 23:52 . 2011-02-22 14:13 288768 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2012-02-14 23:52 . 2011-02-22 13:53 1555968 ----a-w- c:\windows\system32\DWrite.dll
2012-02-14 23:52 . 2011-02-22 13:53 1149440 ----a-w- c:\windows\system32\FntCache.dll
2012-02-14 23:52 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-14 23:51 . 2011-10-25 16:13 1570816 ----a-w- c:\windows\system32\quartz.dll
2012-02-14 23:51 . 2011-10-25 16:13 352256 ----a-w- c:\windows\system32\qdvd.dll
2012-02-14 23:51 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\SysWow64\quartz.dll
2012-02-14 23:51 . 2011-10-25 15:58 497152 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-02-14 23:51 . 2011-11-08 14:58 2048 ----a-w- c:\windows\system32\tzres.dll
2012-02-14 23:51 . 2011-11-08 14:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-02-14 23:49 . 2011-11-17 06:53 515968 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-02-14 23:48 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
2012-02-14 23:48 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
2012-02-14 23:48 . 2011-04-21 14:17 695296 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-02-14 23:48 . 2009-06-17 10:37 35328 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2012-02-14 23:47 . 2011-11-25 16:25 451072 ----a-w- c:\windows\system32\winsrv.dll
2012-02-14 23:47 . 2011-06-20 08:45 4699536 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-02-14 23:40 . 2011-11-18 18:07 76800 ----a-w- c:\windows\system32\packager.dll
2012-02-14 23:40 . 2011-11-18 17:47 66560 ----a-w- c:\windows\SysWow64\packager.dll
2012-02-14 20:14 . 2012-02-14 20:14 584192 ----a-w- C:\OTL.exe
2012-02-12 19:47 . 2012-02-12 19:47 -------- d-----w- c:\users\Ryan\AppData\Roaming\Malwarebytes
2012-02-12 19:46 . 2012-02-12 19:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-12 19:46 . 2012-02-12 19:46 -------- d-----w- c:\programdata\Malwarebytes
2012-02-12 19:46 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-11 13:46 . 2012-02-18 19:14 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-02-11 13:46 . 2012-02-18 19:14 43960 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-02-09 19:31 . 2012-02-09 19:31 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-09 19:08 . 2012-02-09 19:08 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:09 -------- d-----w- c:\users\Ryan\AppData\Roaming\DAEMON Tools Lite
2012-02-09 19:08 . 2012-02-09 19:08 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-02-09 19:03 . 2012-02-09 19:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\Roxio
2012-02-07 17:19 . 2012-02-07 17:19 0 ---ha-w- c:\users\Ryan\AppData\Local\BITD27A.tmp
2012-02-02 16:00 . 2012-02-02 17:29 -------- d-----w- c:\users\Ryan\AppData\Roaming\PCPro
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\users\Ryan\AppData\Roaming\PC Cleaners
2012-02-02 16:00 . 2012-02-02 16:00 -------- d-----w- c:\programdata\PC1Data
2012-02-02 03:05 . 2012-02-02 03:05 -------- d-----w- c:\users\Ryan\AppData\Local\ElevatedDiagnostics
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\programdata\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\users\Ryan\AppData\Roaming\Uniblue
2012-02-01 22:46 . 2012-02-01 22:46 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-30 21:55 . 2012-01-30 21:55 -------- d-----w- c:\users\Becca\AppData\Local\Mozilla
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\SysWow64\ca-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\vi-VN
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\eu-ES
2012-01-30 21:30 . 2012-02-02 18:21 -------- d-----w- c:\windows\system32\ca-ES
2012-01-30 20:44 . 2012-01-30 20:44 -------- d-----w- c:\windows\system32\EventProviders
2012-01-30 20:42 . 2011-11-10 11:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-30 20:36 . 2012-01-30 20:36 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 01:59 . 2012-01-30 01:59 -------- d-----w- c:\users\Becca\AppData\Roaming\Yahoo!
2012-01-30 01:31 . 2012-01-30 01:31 -------- d-----w- C:\RebateInformer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-29 11:10 . 2010-01-03 04:55 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-16_19.45.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 15:45 . 2012-02-16 20:10 96904 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-23 23:54 . 2012-02-15 16:47 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-23 23:54 . 2012-02-17 10:01 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-23 23:54 . 2012-02-15 16:47 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-23 23:54 . 2012-02-17 10:01 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-23 23:54 . 2012-02-17 10:01 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-23 23:54 . 2012-02-15 16:47 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-23 23:58 . 2012-02-16 20:10 9604 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-439345834-1935634858-439274127-1000_UserData.bin
- 2009-02-23 23:58 . 2012-02-14 20:29 9604 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-439345834-1935634858-439274127-1000_UserData.bin
- 2012-02-15 10:00 . 2012-02-15 10:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-18 19:28 . 2012-02-18 19:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-15 10:00 . 2012-02-15 10:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-18 19:28 . 2012-02-18 19:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-02-24 00:41 . 2012-02-18 14:49 522368 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 12:46 . 2012-02-18 19:09 603516 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-02-18 19:09 103586 c:\windows\system32\perfc009.dat
+ 2012-01-31 17:11 . 2012-02-18 19:01 263116 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-01-31 17:11 . 2012-01-31 17:11 263116 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-02-16 20:05 . 2012-02-18 19:02 263884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-439345834-1935634858-439274127-1000-8192.dat
- 2006-11-02 12:33 . 2012-02-15 10:01 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2006-11-02 12:33 . 2012-02-16 20:05 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-19 3477312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-01-13 1081416]
.
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
wkcalrem.LNK - c:\program files (x86)\Microsoft Works\WkCalRem.exe [2007-11-28 46432]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2012-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 04:03]
.
2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
- c:\windows\system32\msfeedssync.exe [2012-02-14 04:44]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-25 272896]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~2\Crawler\Toolbar\ctbr.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-02-18 13:35:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-18 19:35
ComboFix2.txt 2012-02-16 19:51
ComboFix3.txt 2012-02-13 17:55
ComboFix4.txt 2012-02-12 19:37
ComboFix5.txt 2012-02-18 19:18
.
Pre-Run: 212,602,757,120 bytes free
Post-Run: 212,493,230,080 bytes free
.
- - End Of File - - 1DF030B2B19909902F309DB271449142

well just out of curiosity I tried logging into the other personal account (my Sisters) set up on this computer and even is safe mode I get the 00xc000022 error and when I get there I can run nothing in Task Manager!! just thought you might want to know not sure if it means anything!!!

Hi chiro.j.elliott,

When you were installing updates did you install Service Pack 2?

I believe so!!

Hi chiro.j.elliott,

The symptom seem to match a failed SP2 install.

I think we have removed all the malware. I don't know if the infection was present before or after you installed SP2. If it was present before then it's possible it caused the service pack to install incorrectly or the SP just didn't install correctly.

Since we just removed some malware I think the best method to try is uninstalling the SP. Before we go there let's try a bit more troubleshooting as it may be an incompable driver.

In Task Manager
click file
click New Task(Run...)
type the following line into the open: field
msconfig.exe
click ok
System Configuration Utility should open.

1. On the General tab, click to select the option Selective startup
2. click to clear the option Load startup items
3. On the Services tab, click to select the Hide all Microsoft services check box, (make sure this is checked or you could loose all system restore points)
4. then click Disable all
5. click ok then restart

Problem still there?

still the same!!!

Hi chiro.j.elliott,

Well the only option left is to try to uninstall Service Pack2.

Go back into msconfig. On the General tab click the Normal Startup option, and then click OK.

Reboot when prompted.

In Task Manager
click file
click New Task(Run...)
type the following line into the open: field
Appwiz.cpl
click ok
You should now be shown a lists of installed programs. Click View installed updates.
On the Uninstall an update page, click Service Pack for Microsoft Windows (KB948465), and then click Uninstall.
Follow the instructions on your screen.

when I try the Appwiz.cpl comand i get the error message each time same as at start up. (0xc000022)

Hi chiro.j.elliott,

Try booting to safe mode and uninstall it from there.

ok uninstalled no change with reboot to normal mode!!!

Hi chiro.j.elliott,

Sorry I didn't see you had replied.

I'm down to my last 2 suggestions. One having some Windows Tech guys look at this and the other is trying system Restore to the time SP2 was installed.

I'd like to try the Techs first since System Restore may work but may also reintroduce any infections that were present at the time. We just got this clean but if it come down to it we can clean it again.

Go HERE (http://forums.whatthetech.com/index.php?) , there is a link to either register (you will need to register if you aren't all ready) or log in near the top. Once you have registered/logged in Go to the Microsoft Windows™ (http://forums.whatthetech.com/index.php?showforum=119) Forum, Start a new topic explaining the problem. Also post a link to this topic so they can see what we have done/tried.

since the proper procedure for removing some of the tools will remove some system restore points I'll leave the tools on the computer for now. The quarantined items will also remain on the computer. I'll leave this thread open so you can post here any requests the Tech may need in regard to the tools. I'll keep an eye on your new thread, we can continue here once your are finished there.

OK well they have cleaned the error message and i am running in normal mode fine now!! what else do we need to do?? i would like to optimize and clean this system up as best as possible. I also have a question. when I go into the user folders there are a junk load of ntuser.dat files can these be deleted??? just looking around and trying to clean out as much stuff as possible!!

thanks

Hi chiro.j.elliott,

Good stuff.The ntuser.dat files a used by windows to store the registry settings for the profiles. You do not want to remove them.


Before we continue how is the computer running? Any issues?

seems to be running good

Hi chiro.j.elliott,


LimeWire
You have LimeWire, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx (http://www.microsoft.com/windows/ie/community/columns/protection.mspx)

http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005...cles/art053.htm (http://www.internetworldstats.com/articles/art053.htm)

I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.



You have an old vulnerable version of Java to uninstall
click the Start button
click Control Panel
click Programs
click Programs and Features.
Uninstall Java(TM) 6 Update 7

Do not uninstall Java(TM) 6 Update 30


Next

Go to Start > Control Panel , switch to Classic View if it isn't already.

Locate the Java icon (it looks like a coffee cup)
double click it to open it
click the Update tab
Click update now



Let's see where we're at.


Open OTL
Right click on OTL.exe and click "Run as Administrator" to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output
check the box beside scan all users
In the Extra Registry section change it to All
Check the boxes beside LOP Check and Purity Check.
In the window under Custom Scans/Fixes copy and paste the following


netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lîk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Deskuop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
/md5stop


Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.


Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

OTL.TXT

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lîk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Deskuop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
/md5stop

Extras.TXT

OTL Extras logfile created on: 2/29/2012 12:31:45 PM - Run 3
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Users\Ryan\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19190)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.96 Gb Total Physical Memory | 1.80 Gb Available Physical Memory | 45.39% Memory free
8.09 Gb Paging File | 6.00 Gb Available in Paging File | 74.20% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 288.01 Gb Total Space | 199.78 Gb Free Space | 69.36% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 3.25 Gb Free Space | 32.49% Space Free | Partition Type: NTFS
Drive E: | 557.71 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: RYAN-PC | User Name: Ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[b]64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm[@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp[@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.hta[@ = htafile] -- C:\Windows\SysWOW64\mshta.exe (Microsoft Corporation)
.html[@ = htmlfile] -- C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf[@ = inffile] -- C:\Windows\SysNative\NOTEPAD.EXE ()
.ini[@ = inifile] -- C:\Windows\SysNative\NOTEPAD.EXE ()
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe ()
.js[@ = JSFile] -- C:\Windows\SysNative\WScript.exe ()
.jse[@ = JSEFile] -- C:\Windows\SysNative\WScript.exe ()
.reg[@ = regfile] -- C:\Windows\regedit.exe (Microsoft Corporation)
.txt[@ = txtfile] -- C:\Windows\SysNative\NOTEPAD.EXE ()
.vbe[@ = VBEFile] -- C:\Windows\SysNative\WScript.exe ()
.vbs[@ = VBSFile] -- C:\Windows\SysNative\WScript.exe ()
.wsf[@ = WSFFile] -- C:\Windows\SysNative\WScript.exe ()
.wsh[@ = WSHFile] -- C:\Windows\SysNative\WScript.exe ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = ComFile] -- "%1" %*
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\Windows\SysWOW64\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\Windows\SysWow64\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\Windows\SysWow64\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\Windows\SysWOW64\rundll32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\Windows\SysWOW64\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\Windows\SysWow64\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\Windows\SysWow64\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\Windows\SysWow64\WScript.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-439345834-1935634858-439274127-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 ()
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 ()
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 ()
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 ()
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\Windows\SysWOW64\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" ()
http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 ()
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 ()
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 ()
inifile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 ()
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 ()
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l ()
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" ()
jsfile [edit] -- C:\Windows\System32\Notepad.exe %1 ()
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* ()
jsfile [print] -- C:\Windows\System32\Notepad.exe /p %1 ()
jsefile [edit] -- C:\Windows\System32\Notepad.exe %1 ()
jsefile [open] -- C:\Windows\System32\WScript.exe "%1" %* ()
jsefile [print] -- C:\Windows\System32\Notepad.exe /p %1 ()
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" ()
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" ()
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 ()
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 ()
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" ()
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 ()
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* ()
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 ()
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 ()
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* ()
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 ()
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 ()
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* ()
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 ()
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* ()
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\Windows\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\Windows\SysWOW64\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- C:\Windows\SysWOW64\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- C:\Windows\SysWOW64\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- C:\Windows\SysWOW64\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- C:\Windows\SysWOW64\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- C:\Windows\SysWOW64\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]
"VistaSp2" = 34 4D 03 20 97 DF CC 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files (x86)\AT&T\Communication Manager\SwiApiMux.exe" = C:\Program Files (x86)\AT&T\Communication Manager\SwiApiMux.exe:*:Enabled:SwiApiMux
"C:\Program Files (x86)\AT&T\Communication Manager\SwiApiMux.exe" = C:\Program Files (x86)\AT&T\Communication Manager\SwiApiMux.exe:*:Enabled:SwiApiMux


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1455A2A8-FD2B-49B8-8126-DA9FC6D3085F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{2D06326A-C6F7-4C71-A0B9-C54251853A54}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{3C3E801A-194C-48D0-BD1B-B5C881FF8111}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{4D0B203F-3C1A-4591-9DC9-4551F3E62943}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{6EFD87E5-5A67-4319-98A7-CC3AC0BA1E73}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{7C09CCC8-C88E-422C-B354-B9CEB5A4BA22}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{92F73CAA-3F94-4A8E-9D26-22F2DFC79718}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{A4E54CF0-E093-499C-99EC-FD332A1E4059}" = lport=3702 | protocol=17 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{D37AE390-1100-4930-961B-8076BA15DD75}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{E3EA9013-594D-4095-A4D6-15553B278576}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=%systemroot%\system32\svchost.exe |
"{E862E82C-D0E8-4DE5-8330-F5E8C0B17821}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{FF20B4CD-8369-4BF1-8F9D-2C1AAC72F714}" = rport=3702 | protocol=17 | dir=out | app=%systemroot%\system32\p2phost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{28F191EA-672F-4DB2-8CED-8468B92070BD}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{43CC97A7-BF60-488C-9AEE-7F954E7EC6B2}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{4DEF17ED-405A-48A3-9E52-023F16E76805}" = protocol=17 | dir=in | app=c:\program files (x86)\limewire\limewire.exe |
"{7BBCCEAB-D53A-4F5D-B247-9474229A9643}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
"{960F2768-392C-4280-8709-FB83B3E62BAA}" = protocol=6 | dir=in | app=c:\program files (x86)\dell video chat\dellvideochat.exe |
"{A7452BB1-71CC-44D1-B5BA-6A6DB602D4D7}" = protocol=6 | dir=in | app=%systemroot%\system32\p2phost.exe |
"{B593F267-F7F9-4DFF-A125-6128F9EB97AC}" = protocol=6 | dir=in | app=c:\program files (x86)\limewire\limewire.exe |
"{BA90AB0B-7042-40EA-94B9-FFE3788A266B}" = protocol=17 | dir=in | app=c:\program files (x86)\dell video chat\dellvideochat.exe |
"{F5B7BB6B-036C-4AE0-BFC1-5BA03F72BB06}" = protocol=6 | dir=out | app=%systemroot%\system32\p2phost.exe |
"TCP Query User{748A3140-AF11-4071-B0C5-A62F1B0E62E7}C:\program files (x86)\dell video chat\dellvideochat.exe" = protocol=6 | dir=in | app=c:\program files (x86)\dell video chat\dellvideochat.exe |
"UDP Query User{E4D095BD-60B4-4D85-9BB3-680CE997D91C}C:\program files (x86)\dell video chat\dellvideochat.exe" = protocol=17 | dir=in | app=c:\program files (x86)\dell video chat\dellvideochat.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{034062D1-50A4-4AAE-A82D-5264DBC1A32B}" = Macrium Reflect Free Edition
"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.1.0.4402
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{2247B69B-C764-41D0-B0DA-812F3E00C268}" = DigitalPersona Personal 3.1.0
"{26A24AE4-039D-4CA4-87B4-2F86416013FF}" = Java(TM) 6 Update 13 (64-bit)
"{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{87CF757E-C1F1-4D22-865C-00C6950B5258}" = Quickset
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}" = Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F2393654-7D1F-48B3-9E4C-4007D120ABB8}" = AuthenTec Fingerprint Software
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F6CB42B9-F033-4152-8813-FF11DA8E6A78}" = Dell Dock
"2C1C2F29FADF39F533CEEE67B90F07A5306A4BDB" = Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0)
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card Utility
"CCleaner" = CCleaner
"Creative OA001" = Integrated Webcam Driver (1.03.02.0919)
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}" = Adobe Flash Player 10 Plugin
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D3963B0-E13B-4FC3-B0FF-506A304BB043}" = Cisco EAP-FAST Module
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{730E03E4-350E-48E5-9D3E-4329903D454D}" = Itibiti RTC
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DAEMON Tools Lite" = DAEMON Tools Lite
"Dell Video Chat" = Dell Video Chat (remove only)
"Dell Webcam Central" = Dell Webcam Central
"ERUNT_is1" = ERUNT 1.1j
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Mozilla Firefox 11.0 (x86 en-US)" = Mozilla Firefox 11.0 (x86 en-US)
"PhotoCardMaker_is1" = PhotoCardMaker 1.0.3
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"Tweaking.com - Windows Repair (All in One)" = Tweaking.com - Windows Repair (All in One)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/1/2011 10:11:43 AM | Computer Name = Ryan-PC | Source = Application Error | ID = 1000
Description = Faulting application CToolbar.exe, version 0.0.0.0, time stamp 0x4d787c0c,
faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1, exception
code 0xc0000005, fault offset 0x0006f1e7, process id 0xc38, application start time
0x01cc37f8cdd09f29.

Error - 7/1/2011 10:12:16 AM | Computer Name = Ryan-PC | Source = Application Error | ID = 1000
Description = Faulting application CToolbar.exe, version 0.0.0.0, time stamp 0x4d787c0c,
faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1, exception
code 0xc0000005, fault offset 0x0006f1e7, process id 0x118, application start time
0x01cc37f8e16e78e9.

Error - 7/1/2011 10:12:48 AM | Computer Name = Ryan-PC | Source = Application Error | ID = 1000
Description = Faulting application CToolbar.exe, version 0.0.0.0, time stamp 0x4d787c0c,
faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1, exception
code 0xc0000005, fault offset 0x0006f1e7, process id 0xb44, application start time
0x01cc37f8f4b681e9.

Error - 7/1/2011 10:13:21 AM | Computer Name = Ryan-PC | Source = Application Error | ID = 1000
Description = Faulting application CToolbar.exe, version 0.0.0.0, time stamp 0x4d787c0c,
faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1, exception
code 0xc0000005, fault offset 0x0006f1e7, process id 0x1104, application start time
0x01cc37f908594d49.

Error - 7/1/2011 10:14:00 AM | Computer Name = Ryan-PC | Source = Application Error | ID = 1000
Description = Faulting application CToolbar.exe, version 0.0.0.0, time stamp 0x4d787c0c,
faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1, exception
code 0xc0000005, fault offset 0x0006f1e7, process id 0x166c, application start time
0x01cc37f91fb9ad49.

Error - 7/1/2011 10:14:33 AM | Computer Name = Ryan-PC | Source = Application Error | ID = 1000
Description = Faulting application CToolbar.exe, version 0.0.0.0, time stamp 0x4d787c0c,
faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1, exception
code 0xc0000005, fault offset 0x0006f1e7, process id 0x1190, application start time
0x01cc37f93374d309.

Error - 7/1/2011 10:15:07 AM | Computer Name = Ryan-PC | Source = Application Error | ID = 1000
Description = Faulting application CToolbar.exe, version 0.0.0.0, time stamp 0x4d787c0c,
faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1, exception
code 0xc0000005, fault offset 0x0006f1e7, process id 0x1748, application start time
0x01cc37f9475d32e9.

Error - 7/1/2011 10:15:40 AM | Computer Name = Ryan-PC | Source = Application Error | ID = 1000
Description = Faulting application CToolbar.exe, version 0.0.0.0, time stamp 0x4d787c0c,
faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1, exception
code 0xc0000005, fault offset 0x0006f1e7, process id 0x13d0, application start time
0x01cc37f95b2aaff9.

Error - 7/1/2011 10:16:14 AM | Computer Name = Ryan-PC | Source = Application Error | ID = 1000
Description = Faulting application CToolbar.exe, version 0.0.0.0, time stamp 0x4d787c0c,
faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1, exception
code 0xc0000005, fault offset 0x0006f1e7, process id 0x148c, application start time
0x01cc37f96f56a0b9.

Error - 7/1/2011 10:16:48 AM | Computer Name = Ryan-PC | Source = Application Error | ID = 1000
Description = Faulting application CToolbar.exe, version 0.0.0.0, time stamp 0x4d787c0c,
faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1, exception
code 0xc0000005, fault offset 0x0006f1e7, process id 0xe48, application start time
0x01cc37f983a73849.

[ Broadcom Wireless LAN Events ]
Error - 1/31/2012 1:11:13 PM | Computer Name = Ryan-PC | Source = WLAN-Tray | ID = 0
Description = 11:11:13, Tue, Jan 31, 12 Error - User "" does not have administrative
privileges on this system

Error - 1/31/2012 10:55:11 PM | Computer Name = Ryan-PC | Source = WLAN-Tray | ID = 0
Description = 20:55:11, Tue, Jan 31, 12 Error - Unable to gain access to user store


Error - 2/2/2012 2:27:39 PM | Computer Name = Ryan-PC | Source = WLAN-Tray | ID = 0
Description = 12:27:39, Thu, Feb 02, 12 Error - Unable to gain access to user store


Error - 2/21/2012 1:17:33 AM | Computer Name = Ryan-PC | Source = WLAN-Tray | ID = 0
Description = 23:17:30, Mon, Feb 20, 12 Error - Unable to gain access to user store


Error - 2/22/2012 1:09:21 AM | Computer Name = Ryan-PC | Source = WLAN-Tray | ID = 0
Description = 23:09:21, Tue, Feb 21, 12 Error - Unable to gain access to user store


Error - 2/23/2012 11:03:25 AM | Computer Name = Ryan-PC | Source = WLAN-Tray | ID = 0
Description = 09:03:25, Thu, Feb 23, 12 Error - Unable to gain access to user store


Error - 2/27/2012 7:28:09 PM | Computer Name = Ryan-PC | Source = WLAN-Tray | ID = 0
Description = 17:28:09, Mon, Feb 27, 12 Error - User "" does not have administrative
privileges on this system

Error - 2/27/2012 7:28:10 PM | Computer Name = Ryan-PC | Source = WLAN-Tray | ID = 0
Description = 17:28:10, Mon, Feb 27, 12 Error - User "" does not have administrative
privileges on this system

Error - 2/29/2012 1:48:44 PM | Computer Name = Ryan-PC | Source = WLAN-Tray | ID = 0
Description = 11:48:44, Wed, Feb 29, 12 Error - User "" does not have administrative
privileges on this system

Error - 2/29/2012 1:48:44 PM | Computer Name = Ryan-PC | Source = WLAN-Tray | ID = 0
Description = 11:48:44, Wed, Feb 29, 12 Error - User "" does not have administrative
privileges on this system

[ DigitalPersona Pro Events ]
Error - 5/28/2009 3:45:30 PM | Computer Name = Ryan-PC | Source = DigitalPersona Pro | ID = 17827841
Description = One-to-one fingerprint match failed.

Error - 5/29/2009 1:01:08 PM | Computer Name = Ryan-PC | Source = DigitalPersona Pro | ID = 17827841
Description = One-to-one fingerprint match failed.

Error - 8/3/2009 3:06:36 PM | Computer Name = Ryan-PC | Source = DigitalPersona Pro | ID = 17827589
Description = DPHost cannot start. Error: 0x8009000f

Error - 2/6/2010 6:13:46 PM | Computer Name = Ryan-PC | Source = DigitalPersona Pro | ID = 17827841
Description = One-to-one fingerprint match failed.

Error - 4/10/2010 10:25:14 PM | Computer Name = Ryan-PC | Source = DigitalPersona Pro | ID = 17827841
Description = One-to-one fingerprint match failed.

Error - 1/29/2012 9:04:41 PM | Computer Name = Ryan-PC | Source = DigitalPersona Pro | ID = 17827841
Description = One-to-one fingerprint match failed.

Error - 1/29/2012 9:04:44 PM | Computer Name = Ryan-PC | Source = DigitalPersona Pro | ID = 17827841
Description = One-to-one fingerprint match failed.

Error - 1/29/2012 9:05:09 PM | Computer Name = Ryan-PC | Source = DigitalPersona Pro | ID = 17827841
Description = One-to-one fingerprint match failed.

Error - 1/29/2012 9:05:13 PM | Computer Name = Ryan-PC | Source = DigitalPersona Pro | ID = 17827841
Description = One-to-one fingerprint match failed.

Error - 1/30/2012 4:49:54 PM | Computer Name = Ryan-PC | Source = DigitalPersona Pro | ID = 17827841
Description = One-to-one fingerprint match failed.

[ System Events ]
Error - 2/26/2012 10:04:22 PM | Computer Name = Ryan-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 2/26/2012 10:04:40 PM | Computer Name = Ryan-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 2/27/2012 10:49:38 AM | Computer Name = Ryan-PC | Source = HTTP | ID = 15016
Description =

Error - 2/27/2012 10:49:46 AM | Computer Name = Ryan-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 2/27/2012 10:49:46 AM | Computer Name = Ryan-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 2/27/2012 7:30:22 PM | Computer Name = Ryan-PC | Source = HTTP | ID = 15016
Description =

Error - 2/27/2012 7:30:54 PM | Computer Name = Ryan-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 2/27/2012 7:30:54 PM | Computer Name = Ryan-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 2/28/2012 10:15:28 AM | Computer Name = Ryan-PC | Source = BTHUSB | ID = 327697
Description = The local Bluetooth adapter has failed in an undetermined manner and
will not be used. The driver has been unloaded.

Error - 2/28/2012 8:27:43 PM | Computer Name = Ryan-PC | Source = BTHUSB | ID = 327697
Description = The local Bluetooth adapter has failed in an undetermined manner and
will not be used. The driver has been unloaded.


< End of report >

Hi chiro.j.elliott,

The first part of your post isn't the OTL.txt. It should be located on your desktop.

opps sorry!!

OTL logfile created on: 2/29/2012 12:31:45 PM - Run 3
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Users\Ryan\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19190)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.96 Gb Total Physical Memory | 1.80 Gb Available Physical Memory | 45.39% Memory free
8.09 Gb Paging File | 6.00 Gb Available in Paging File | 74.20% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 288.01 Gb Total Space | 199.78 Gb Free Space | 69.36% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 3.25 Gb Free Space | 32.49% Space Free | Partition Type: NTFS
Drive E: | 557.71 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: RYAN-PC | User Name: Ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Ryan\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files\Dell\DellDock\DockLogin.exe (Stardock Corporation)
PRC - C:\Program Files (x86)\Dell Video Chat\DellVideoChat.exe (Dell Inc. and SightSpeed Inc.)
PRC - C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe (DigitalPersona, Inc.)
PRC - C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe (DigitalPersona, Inc.)
PRC - C:\Program Files (x86)\Microsoft Works\WkCalRem.exe (Microsoft® Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files (x86)\Dell Video Chat\QtGui4.dll ()
MOD - C:\Program Files (x86)\Dell Video Chat\QtCore4.dll ()
MOD - C:\Program Files (x86)\Dell Video Chat\QtOpenGL4.dll ()
MOD - C:\Program Files (x86)\Dell Video Chat\QtNetwork4.dll ()
MOD - C:\Program Files (x86)\Dell Video Chat\SDL.dll ()


========== Win32 Services (SafeList) ==========

SRV:[b]64bit: - (ReflectService.exe) -- C:\Program Files\Macrium\Reflect\ReflectService.exe ()
SRV:64bit: - (ATService) -- C:\Program Files\Fingerprint Sensor\ATService.exe (AuthenTec, Inc.)
SRV:64bit: - (wltrysvc) -- C:\Windows\SysNative\WLTRYSVC.EXE ()
SRV:64bit: - (DockLoginService) -- C:\Program Files\Dell\DellDock\DockLogin.exe (Stardock Corporation)
SRV:64bit: - (STacSV) -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_a2af78c4\STacSV64.exe ()
SRV:64bit: - (AESTFilters) -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe ()
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (Akamai) -- c:\Program Files (x86)\Common Files\Akamai\netsession_win_2da1ebd.dll ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SBSDWSCService) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DpHost) -- C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe (DigitalPersona, Inc.)


========== Driver Services (SafeList) ==========

DRV:64bit: - (dtsoftbus01) -- C:\Windows\SysNative\DRIVERS\dtsoftbus01.sys ()
DRV:64bit: - (igfx) -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys ()
DRV:64bit: - (itecir) -- C:\Windows\SysNative\DRIVERS\itecir.sys ()
DRV:64bit: - (ATSwpWDF) -- C:\Windows\SysNative\Drivers\ATSwpWDF.sys ()
DRV:64bit: - (BCM42RLY) -- C:\Windows\SysNative\drivers\BCM42RLY.sys ()
DRV:64bit: - (motmodem) -- C:\Windows\SysNative\DRIVERS\motmodem.sys ()
DRV:64bit: - (BCM43XX) -- C:\Windows\SysNative\DRIVERS\bcmwl664.sys ()
DRV:64bit: - (OA001Vid) -- C:\Windows\SysNative\DRIVERS\OA001Vid.sys ()
DRV:64bit: - (OA001Ufd) -- C:\Windows\SysNative\DRIVERS\OA001Ufd.sys ()
DRV:64bit: - (IntcHdmiAddService) Intel(R) -- C:\Windows\SysNative\drivers\IntcHdmi.sys ()
DRV:64bit: - (ApfiltrService) -- C:\Windows\SysNative\DRIVERS\Apfiltr.sys ()
DRV:64bit: - (STHDA) -- C:\Windows\SysNative\DRIVERS\stwrt64.sys ()
DRV:64bit: - (swmsflt) -- C:\Windows\SysNative\drivers\swmsflt.sys ()
DRV:64bit: - (SWUMX80) Sierra Wireless USB MUX Driver (UMTS80) -- C:\Windows\SysNative\DRIVERS\swumx80.sys ()
DRV:64bit: - (SWNC8U80) Sierra Wireless MUX NDIS Driver (UMTS80) -- C:\Windows\SysNative\DRIVERS\swnc8u80.sys ()
DRV:64bit: - (rismxdp) -- C:\Windows\SysNative\DRIVERS\rixdpx64.sys ()
DRV:64bit: - (rimmptsk) -- C:\Windows\SysNative\DRIVERS\rimmpx64.sys ()
DRV:64bit: - (rimsptsk) -- C:\Windows\SysNative\DRIVERS\rimspx64.sys ()
DRV:64bit: - (k57nd60a) Broadcom NetLink (TM) -- C:\Windows\SysNative\DRIVERS\k57nd60a.sys ()
DRV:64bit: - (btwrchid) -- C:\Windows\SysNative\DRIVERS\btwrchid.sys ()
DRV:64bit: - (btwl2cap) -- C:\Windows\SysNative\DRIVERS\btwl2cap.sys ()
DRV:64bit: - (btwavdt) -- C:\Windows\SysNative\drivers\btwavdt.sys ()
DRV:64bit: - (btwaudio) -- C:\Windows\SysNative\drivers\btwaudio.sys ()
DRV:64bit: - (e1express) Intel(R) -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys ()
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\DRIVERS\sdbus.sys ()
DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\Drivers\PxHlpa64.sys ()
DRV:64bit: - (R300) -- C:\Windows\SysNative\DRIVERS\atikmdag.sys ()

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-439345834-1935634858-439274127-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-439345834-1935634858-439274127-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-439345834-1935634858-439274127-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\otis@digitalpersona.com: C:\Program Files (x86)\DigitalPersona\Bin\FirefoxExt\ [2009/01/14 03:26:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/02/26 17:56:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\otis@digitalpersona.com: C:\Program Files (x86)\DigitalPersona\Bin\firefoxext [2009/01/14 03:26:01 | 000,000,000 | ---D | M]

[2010/02/08 13:59:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Extensions
[2010/02/08 13:59:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2012/02/01 14:06:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\r5a2vp3k.default\extensions
[2012/02/27 13:12:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/02/27 13:12:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/02/26 17:56:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\distribution\extensions
() (No name found) -- C:\USERS\RYAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\R5A2VP3K.DEFAULT\EXTENSIONS\TESTPILOT@LABS.MOZILLA.COM.XPI
[2012/02/26 17:56:39 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/01/24 05:21:10 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/01/24 05:21:10 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/26 18:17:46 | 000,000,855 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (&Crawler Toolbar Helper) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O3 - HKU\S-1-5-21-439345834-1935634858-439274127-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-439345834-1935634858-439274127-1000\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O3 - HKU\S-1-5-21-439345834-1935634858-439274127-1000\..\Toolbar\WebBrowser: (&Crawler Toolbar) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4:64bit: - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Windows\SysNative\WLTRAY.exe ()
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe ()
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe ()
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe ()
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [DpAgent] C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe (DigitalPersona, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" File not found
O4 - HKU\S-1-5-21-439345834-1935634858-439274127-1000..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-439345834-1935634858-439274127-1000..\Run: [SightSpeed] C:\Program Files (x86)\Dell Video Chat\DellVideoChat.exe (Dell Inc. and SightSpeed Inc.)
O4 - HKU\S-1-5-21-439345834-1935634858-439274127-1000..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-439345834-1935634858-439274127-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWow64\Macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\Becca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = File not found
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = File not found
O4 - Startup: C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkcalrem.LNK = C:\Program Files (x86)\Microsoft Works\WkCalRem.exe (Microsoft® Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 2
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-439345834-1935634858-439274127-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-439345834-1935634858-439274127-1000\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-439345834-1935634858-439274127-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9:64bit: - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} http://www.worldwinner.com/games/v57/wof/wof.cab (WoF Control)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2961302D-0820-4732-9602-FF83D5402027}: DhcpNameServer = 209.183.50.151 209.183.50.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3F989BEA-572A-4367-97B7-768ECC652223}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FB2F24BD-7F6D-4397-9084-EBC202AA3EF3}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\tbr - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\tbr {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Program Files (x86)\Crawler\Toolbar\ctbr.dll (Crawler.com)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll ()
O24 - Desktop WallPaper: C:\Users\Ryan\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Ryan\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/04 06:00:00 | 000,000,110 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/02/29 12:29:20 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
[2012/02/27 13:12:41 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2012/02/27 13:12:41 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2012/02/27 13:12:41 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2012/02/27 12:53:44 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Video&sound
[2012/02/26 20:03:40 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/02/26 18:19:55 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2012/02/26 17:59:34 | 000,290,304 | ---- | C] (Microsoft Corporation) -- C:\subinacl.exe
[2012/02/26 17:58:04 | 000,000,000 | ---D | C] -- C:\Reg_Backup
[2012/02/26 17:21:16 | 000,181,064 | ---- | C] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/02/26 17:17:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Tweaking.com
[2012/02/26 16:33:19 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Documents\Reflect
[2012/02/26 12:49:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Macrium
[2012/02/26 12:46:33 | 000,000,000 | ---D | C] -- C:\Program Files\Macrium
[2012/02/20 03:00:23 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
[2012/02/18 13:35:12 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\temp
[2012/02/18 13:29:15 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/02/18 13:15:57 | 004,406,994 | R--- | C] (Swearware) -- C:\Users\Ryan\Desktop\ComboFix.exe
[2012/02/14 17:54:58 | 000,174,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ie4uinit.exe
[2012/02/14 17:54:58 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2012/02/14 17:54:57 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/02/14 17:54:57 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec
[2012/02/14 17:54:57 | 000,206,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\occache.dll
[2012/02/14 17:54:57 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2012/02/14 17:54:57 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2012/02/14 17:54:56 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/02/14 17:54:56 | 000,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/02/14 17:54:56 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\licmgr10.dll
[2012/02/14 17:54:55 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2012/02/14 17:54:55 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/02/14 17:54:50 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012/02/14 17:54:50 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll
[2012/02/14 17:53:49 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\psisdecd.dll
[2012/02/14 17:52:57 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2012/02/14 17:50:44 | 000,979,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MFH264Dec.dll
[2012/02/14 17:50:43 | 000,135,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsRasterService.dll
[2012/02/14 17:50:42 | 001,554,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\xpsservices.dll
[2012/02/14 17:50:42 | 000,876,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsPrint.dll
[2012/02/14 17:50:42 | 000,847,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\OpcServices.dll
[2012/02/14 17:50:42 | 000,357,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MFHEAACdec.dll
[2012/02/14 17:50:42 | 000,302,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfmp4src.dll
[2012/02/14 17:50:42 | 000,261,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfreadwrite.dll
[2012/02/14 17:50:04 | 000,555,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\UIAutomationCore.dll
[2012/02/14 17:50:04 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\oleaccrc.dll
[2012/02/14 17:49:17 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mciseq.dll
[2012/02/14 17:40:55 | 000,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\packager.dll
[2012/02/14 17:39:22 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/02/14 14:14:45 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\OTL.exe
[2012/02/12 13:47:03 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Malwarebytes
[2012/02/12 13:46:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/02/12 13:46:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/02/12 13:43:57 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Ryan\Desktop\mbam-setup-1.60.1.1000.exe
[2012/02/11 07:48:17 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/02/11 07:48:17 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/02/11 07:48:17 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/02/11 07:48:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/09 13:31:53 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/02/09 13:31:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2012/02/09 13:21:11 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HijackThis.exe
[2012/02/09 13:17:50 | 002,405,576 | ---- | C] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher64.exe
[2012/02/09 13:08:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DAEMON Tools Lite
[2012/02/09 13:08:12 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\DAEMON Tools Lite
[2012/02/09 13:08:10 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2012/02/09 13:06:50 | 002,002,320 | ---- | C] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher.exe
[2012/02/09 13:05:04 | 014,190,784 | ---- | C] (DT Soft Ltd.) -- C:\Users\Ryan\Desktop\DTLite4452-0287.exe
[2012/02/09 13:03:24 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Roxio
[2012/02/09 12:58:23 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012/02/02 10:00:17 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\PCPro
[2012/02/02 10:00:17 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\PC Cleaners
[2012/02/02 10:00:11 | 000,000,000 | ---D | C] -- C:\ProgramData\PC1Data
[2012/02/01 16:46:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Uniblue
[2012/02/01 16:46:19 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Uniblue
[2012/02/01 16:46:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Uniblue
[2012/01/30 14:44:59 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\EventProviders
[2012/01/30 14:42:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2012/01/30 14:42:10 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
[2012/01/30 14:36:22 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Users\Ryan\AppData\Local\*.tmp files -> C:\Users\Ryan\AppData\Local\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/29 12:34:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/29 12:31:32 | 000,000,390 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{848E2E18-4748-41BC-8CD1-0FE55DBF0E82}.job
[2012/02/29 12:29:25 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
[2012/02/29 12:28:38 | 000,003,616 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/29 12:28:38 | 000,003,616 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/29 11:47:21 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/28 18:29:08 | 000,703,388 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/02/28 18:29:08 | 000,604,502 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/02/28 18:29:08 | 000,104,170 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/02/28 18:27:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/27 17:30:30 | 000,001,024 | ---- | M] () -- C:\.rnd
[2012/02/27 17:30:14 | 000,280,704 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/02/27 13:12:28 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
[2012/02/27 13:12:28 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2012/02/27 13:12:28 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2012/02/27 13:12:28 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2012/02/27 13:00:12 | 000,001,086 | ---- | M] () -- C:\Users\Ryan\AppData\Roaming\wklnhst.dat
[2012/02/26 20:01:48 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/02/26 18:20:28 | 000,181,064 | ---- | M] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/02/26 18:17:46 | 000,000,855 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/02/26 18:16:51 | 000,703,388 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/02/26 17:17:49 | 000,002,104 | ---- | M] () -- C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2012/02/26 17:16:17 | 004,104,666 | ---- | M] () -- C:\Users\Ryan\Desktop\tweaking.com_windows_repair_aio_setup.exe
[2012/02/26 12:46:35 | 000,001,868 | ---- | M] () -- C:\Users\Public\Desktop\Reflect.lnk
[2012/02/25 09:04:46 | 000,011,264 | ---- | M] () -- C:\Users\Ryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/25 08:57:53 | 000,001,699 | ---- | M] () -- C:\Users\Ryan\Desktop\Backup and Restore Center.lnk
[2012/02/25 08:56:50 | 000,000,732 | ---- | M] () -- C:\Users\Ryan\AppData\Local\d3d9caps64.dat
[2012/02/20 18:19:26 | 000,013,464 | ---- | M] () -- C:\Windows\SysNative\drivers\PSVolAcc.sys
[2012/02/20 18:19:18 | 000,043,672 | ---- | M] () -- C:\Windows\SysNative\drivers\psmounter.sys
[2012/02/18 13:29:05 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts_bak_890
[2012/02/18 13:15:54 | 004,406,994 | R--- | M] (Swearware) -- C:\Users\Ryan\Desktop\ComboFix.exe
[2012/02/15 03:57:37 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2012/02/14 14:14:53 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
[2012/02/12 13:46:58 | 000,000,950 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/12 13:46:04 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Ryan\Desktop\mbam-setup-1.60.1.1000.exe
[2012/02/09 15:22:27 | 000,009,019 | ---- | M] () -- C:\Users\Ryan\Desktop\attach.zip
[2012/02/09 13:31:29 | 000,000,945 | ---- | M] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/09 13:31:19 | 000,000,765 | ---- | M] () -- C:\Users\Ryan\Desktop\NTREGOPT.lnk
[2012/02/09 13:31:19 | 000,000,746 | ---- | M] () -- C:\Users\Ryan\Desktop\ERUNT.lnk
[2012/02/09 13:26:01 | 000,692,831 | ---- | M] () -- C:\Users\Ryan\AppData\Local\census.cache
[2012/02/09 13:25:52 | 000,151,775 | ---- | M] () -- C:\Users\Ryan\AppData\Local\ars.cache
[2012/02/09 13:21:11 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HijackThis.exe
[2012/02/09 13:17:53 | 002,405,576 | ---- | M] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher64.exe
[2012/02/09 13:14:12 | 000,001,356 | ---- | M] () -- C:\Users\Ryan\AppData\Local\d3d9caps.dat
[2012/02/09 13:13:49 | 002,002,320 | ---- | M] (Trend Micro Inc.) -- C:\Users\Ryan\Desktop\HousecallLauncher.exe
[2012/02/09 13:11:00 | 000,000,036 | ---- | M] () -- C:\Users\Ryan\AppData\Local\housecall.guid.cache
[2012/02/09 13:08:52 | 000,283,200 | ---- | M] () -- C:\Windows\SysNative\drivers\dtsoftbus01.sys
[2012/02/09 13:05:53 | 001,402,880 | ---- | M] () -- C:\Users\Ryan\Desktop\HiJackThis.msi
[2012/02/09 13:05:19 | 014,190,784 | ---- | M] (DT Soft Ltd.) -- C:\Users\Ryan\Desktop\DTLite4452-0287.exe
[2012/02/09 12:43:33 | 060,979,200 | ---- | M] () -- C:\Users\Ryan\Desktop\PCRegedit.iso
[2012/02/01 22:27:00 | 000,000,176 | ---- | M] () -- C:\MSsupport.htm
[2012/01/30 14:36:22 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Users\Ryan\AppData\Local\*.tmp files -> C:\Users\Ryan\AppData\Local\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/27 17:30:28 | 000,001,024 | ---- | C] () -- C:\.rnd
[2012/02/27 17:29:37 | 000,280,704 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/02/27 13:12:59 | 000,000,390 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{848E2E18-4748-41BC-8CD1-0FE55DBF0E82}.job
[2012/02/26 18:16:32 | 000,703,388 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/02/26 18:14:10 | 000,303,616 | ---- | C] ( ) -- C:\SetACL.exe
[2012/02/26 17:17:49 | 000,002,104 | ---- | C] () -- C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2012/02/26 17:14:13 | 004,104,666 | ---- | C] () -- C:\Users\Ryan\Desktop\tweaking.com_windows_repair_aio_setup.exe
[2012/02/26 12:46:35 | 000,001,868 | ---- | C] () -- C:\Users\Public\Desktop\Reflect.lnk
[2012/02/25 08:57:53 | 000,001,699 | ---- | C] () -- C:\Users\Ryan\Desktop\Backup and Restore Center.lnk
[2012/02/22 03:00:51 | 000,316,416 | ---- | C] () -- C:\Windows\SysNative\msshsq.dll
[2012/02/20 18:19:26 | 000,013,464 | ---- | C] () -- C:\Windows\SysNative\drivers\PSVolAcc.sys
[2012/02/20 18:19:18 | 000,043,672 | ---- | C] () -- C:\Windows\SysNative\drivers\psmounter.sys
[2012/02/20 13:43:55 | 000,001,815 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
[2012/02/20 13:43:55 | 000,000,945 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/20 13:43:55 | 000,000,881 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkcalrem.LNK
[2012/02/15 03:57:37 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2012/02/14 17:55:30 | 000,085,504 | ---- | C] () -- C:\Windows\SysNative\csrsrv.dll
[2012/02/14 17:55:26 | 000,180,736 | ---- | C] () -- C:\Windows\SysNative\xmllite.dll
[2012/02/14 17:54:58 | 000,077,312 | ---- | C] () -- C:\Windows\SysNative\iesetup.dll
[2012/02/14 17:54:57 | 001,638,912 | ---- | C] () -- C:\Windows\SysNative\mshtml.tlb
[2012/02/14 17:54:57 | 001,488,384 | ---- | C] () -- C:\Windows\SysNative\urlmon.dll
[2012/02/14 17:54:57 | 000,072,192 | ---- | C] () -- C:\Windows\SysNative\iernonce.dll
[2012/02/14 17:54:57 | 000,071,680 | ---- | C] () -- C:\Windows\SysNative\msfeedsbs.dll
[2012/02/14 17:54:57 | 000,070,656 | ---- | C] () -- C:\Windows\SysNative\ie4uinit.exe
[2012/02/14 17:54:57 | 000,012,288 | ---- | C] () -- C:\Windows\SysNative\msfeedssync.exe
[2012/02/14 17:54:56 | 001,147,392 | ---- | C] () -- C:\Windows\SysNative\wininet.dll
[2012/02/14 17:54:56 | 000,710,656 | ---- | C] () -- C:\Windows\SysNative\msfeeds.dll
[2012/02/14 17:54:56 | 000,459,776 | ---- | C] () -- C:\Windows\SysNative\iedkcs32.dll
[2012/02/14 17:54:56 | 000,243,712 | ---- | C] () -- C:\Windows\SysNative\occache.dll
[2012/02/14 17:54:55 | 002,350,592 | ---- | C] () -- C:\Windows\SysNative\iertutil.dll
[2012/02/14 17:54:55 | 001,538,560 | ---- | C] () -- C:\Windows\SysNative\inetcpl.cpl
[2012/02/14 17:54:55 | 000,479,232 | ---- | C] () -- C:\Windows\SysNative\html.iec
[2012/02/14 17:54:55 | 000,056,832 | ---- | C] () -- C:\Windows\SysNative\licmgr10.dll
[2012/02/14 17:54:54 | 012,477,952 | ---- | C] () -- C:\Windows\SysNative\ieframe.dll
[2012/02/14 17:54:53 | 000,252,416 | ---- | C] () -- C:\Windows\SysNative\iepeers.dll
[2012/02/14 17:54:53 | 000,219,136 | ---- | C] () -- C:\Windows\SysNative\ieui.dll
[2012/02/14 17:54:53 | 000,096,768 | ---- | C] () -- C:\Windows\SysNative\mshtmled.dll
[2012/02/14 17:54:53 | 000,031,744 | ---- | C] () -- C:\Windows\SysNative\jsproxy.dll
[2012/02/14 17:54:52 | 001,062,912 | ---- | C] () -- C:\Windows\SysNative\mstime.dll
[2012/02/14 17:54:51 | 009,292,288 | ---- | C] () -- C:\Windows\SysNative\mshtml.dll
[2012/02/14 17:54:51 | 000,108,032 | ---- | C] () -- C:\Windows\SysNative\url.dll
[2012/02/14 17:54:50 | 000,162,816 | ---- | C] () -- C:\Windows\SysNative\ieUnatt.exe
[2012/02/14 17:54:50 | 000,132,096 | ---- | C] () -- C:\Windows\SysNative\iesysprep.dll
[2012/02/14 17:53:49 | 000,375,808 | ---- | C] () -- C:\Windows\SysNative\psisdecd.dll
[2012/02/14 17:53:49 | 000,289,792 | ---- | C] () -- C:\Windows\SysNative\psisrndr.ax
[2012/02/14 17:52:57 | 001,555,968 | ---- | C] () -- C:\Windows\SysNative\DWrite.dll
[2012/02/14 17:52:57 | 001,149,440 | ---- | C] () -- C:\Windows\SysNative\FntCache.dll
[2012/02/14 17:52:57 | 000,479,744 | ---- | C] () -- C:\Windows\SysNative\XpsGdiConverter.dll
[2012/02/14 17:50:45 | 000,231,936 | ---- | C] () -- C:\Windows\SysNative\XpsRasterService.dll
[2012/02/14 17:50:44 | 003,068,416 | ---- | C] () -- C:\Windows\SysNative\xpsservices.dll
[2012/02/14 17:50:44 | 002,002,944 | ---- | C] () -- C:\Windows\SysNative\d3d10warp.dll
[2012/02/14 17:50:44 | 001,653,760 | ---- | C] () -- C:\Windows\SysNative\XpsPrint.dll
[2012/02/14 17:50:44 | 001,257,984 | ---- | C] () -- C:\Windows\SysNative\MFH264Dec.dll
[2012/02/14 17:50:44 | 000,900,480 | ---- | C] () -- C:\Windows\SysNative\drivers\dxgkrnl.sys
[2012/02/14 17:50:44 | 000,834,048 | ---- | C] () -- C:\Windows\SysNative\d2d1.dll
[2012/02/14 17:50:44 | 000,287,232 | ---- | C] () -- C:\Windows\SysNative\d3d10core.dll
[2012/02/14 17:50:44 | 000,047,104 | ---- | C] () -- C:\Windows\SysNative\cdd.dll
[2012/02/14 17:50:43 | 001,461,760 | ---- | C] () -- C:\Windows\SysNative\OpcServices.dll
[2012/02/14 17:50:43 | 001,268,224 | ---- | C] () -- C:\Windows\SysNative\d3d10.dll
[2012/02/14 17:50:43 | 000,625,152 | ---- | C] () -- C:\Windows\SysNative\dxgi.dll
[2012/02/14 17:50:43 | 000,566,272 | ---- | C] () -- C:\Windows\SysNative\d3d10level9.dll
[2012/02/14 17:50:43 | 000,327,680 | ---- | C] () -- C:\Windows\SysNative\d3d10_1core.dll
[2012/02/14 17:50:43 | 000,196,096 | ---- | C] () -- C:\Windows\SysNative\d3d10_1.dll
[2012/02/14 17:50:42 | 000,428,544 | ---- | C] () -- C:\Windows\SysNative\MFHEAACdec.dll
[2012/02/14 17:50:42 | 000,377,344 | ---- | C] () -- C:\Windows\SysNative\mfmp4src.dll
[2012/02/14 17:50:42 | 000,345,088 | ---- | C] () -- C:\Windows\SysNative\mfreadwrite.dll
[2012/02/14 17:50:04 | 000,735,744 | ---- | C] () -- C:\Windows\SysNative\UIAutomationCore.dll
[2012/02/14 17:50:04 | 000,332,288 | ---- | C] () -- C:\Windows\SysNative\oleacc.dll
[2012/02/14 17:50:04 | 000,004,096 | ---- | C] () -- C:\Windows\SysNative\oleaccrc.dll
[2012/02/14 17:49:18 | 000,028,672 | ---- | C] () -- C:\Windows\SysNative\mciwave.dll
[2012/02/14 17:49:17 | 000,048,128 | ---- | C] () -- C:\Windows\SysNative\mcicda.dll
[2012/02/14 17:49:17 | 000,028,160 | ---- | C] () -- C:\Windows\SysNative\mciseq.dll
[2012/02/14 17:40:55 | 000,076,800 | ---- | C] () -- C:\Windows\SysNative\packager.dll
[2012/02/14 17:39:23 | 000,817,664 | ---- | C] () -- C:\Windows\SysNative\jscript.dll
[2012/02/12 13:46:58 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/12 13:46:57 | 000,023,152 | ---- | C] () -- C:\Windows\SysNative\drivers\mbam.sys
[2012/02/11 07:48:17 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/02/11 07:48:17 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/02/11 07:48:17 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/02/11 07:48:17 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/02/11 07:48:17 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/02/09 15:22:27 | 000,009,019 | ---- | C] () -- C:\Users\Ryan\Desktop\attach.zip
[2012/02/09 13:31:19 | 000,000,765 | ---- | C] () -- C:\Users\Ryan\Desktop\NTREGOPT.lnk
[2012/02/09 13:31:19 | 000,000,746 | ---- | C] () -- C:\Users\Ryan\Desktop\ERUNT.lnk
[2012/02/09 13:26:01 | 000,692,831 | ---- | C] () -- C:\Users\Ryan\AppData\Local\census.cache
[2012/02/09 13:25:52 | 000,151,775 | ---- | C] () -- C:\Users\Ryan\AppData\Local\ars.cache
[2012/02/09 13:11:00 | 000,000,036 | ---- | C] () -- C:\Users\Ryan\AppData\Local\housecall.guid.cache
[2012/02/09 13:08:52 | 000,283,200 | ---- | C] () -- C:\Windows\SysNative\drivers\dtsoftbus01.sys
[2012/02/09 13:05:53 | 001,402,880 | ---- | C] () -- C:\Users\Ryan\Desktop\HiJackThis.msi
[2012/02/09 12:42:06 | 060,979,200 | ---- | C] () -- C:\Users\Ryan\Desktop\PCRegedit.iso
[2012/02/01 22:27:00 | 000,000,176 | ---- | C] () -- C:\MSsupport.htm
[2012/02/01 13:57:56 | 000,000,732 | ---- | C] () -- C:\Users\Ryan\AppData\Local\d3d9caps64.dat
[2012/01/29 22:28:23 | 000,000,121 | ---- | C] () -- C:\Windows\wininit.ini
[2010/08/25 19:34:30 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2010/08/25 19:34:30 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2010/08/25 19:34:30 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2010/08/25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2010/08/25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll

========== LOP Check ==========

[2009/06/05 13:24:58 | 000,000,000 | ---D | M] -- C:\Users\Becca\AppData\Roaming\Bytemobile
[2009/03/28 22:21:53 | 000,000,000 | ---D | M] -- C:\Users\Becca\AppData\Roaming\DigitalPersona
[2009/10/03 15:52:10 | 000,000,000 | ---D | M] -- C:\Users\Becca\AppData\Roaming\Doblon
[2012/01/30 15:41:01 | 000,000,000 | ---D | M] -- C:\Users\Becca\AppData\Roaming\LimeWire
[2012/01/29 19:39:50 | 000,000,000 | ---D | M] -- C:\Users\Becca\AppData\Roaming\PCPowerSpeed
[2009/06/14 20:57:56 | 000,000,000 | ---D | M] -- C:\Users\Becca\AppData\Roaming\PeerNetworking
[2009/06/05 13:25:04 | 000,000,000 | ---D | M] -- C:\Users\Becca\AppData\Roaming\Sierra Wireless
[2009/06/29 10:18:27 | 000,000,000 | ---D | M] -- C:\Users\Becca\AppData\Roaming\Template
[2009/02/26 15:13:33 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Alawar
[2009/06/04 18:23:35 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Bytemobile
[2012/02/27 12:41:34 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\DAEMON Tools Lite
[2009/02/23 17:59:18 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\DigitalPersona
[2012/02/02 10:00:17 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\PC Cleaners
[2012/02/02 11:29:19 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\PCPro
[2009/06/04 17:38:46 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Sierra Wireless
[2009/02/24 14:17:19 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Template
[2012/02/01 16:46:19 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Uniblue
[2012/02/27 17:28:16 | 000,032,588 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/04/14 02:34:15 | 000,000,418 | ---- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{12ECB99D-00AB-48A8-BD64-67809E5DA21C}.job
[2012/02/29 12:31:32 | 000,000,390 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{848E2E18-4748-41BC-8CD1-0FE55DBF0E82}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2012/02/27 17:30:30 | 000,001,024 | ---- | M] () -- C:\.rnd
[2009/04/11 00:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2012/02/18 13:35:11 | 000,020,338 | ---- | M] () -- C:\ComboFix.txt
[2009/01/14 04:45:43 | 000,005,066 | R--- | M] () -- C:\dell.sdr
[2012/02/14 14:40:35 | 000,047,806 | ---- | M] () -- C:\Extras.Txt
[2006/12/01 23:37:14 | 000,904,704 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
[2012/02/01 22:27:00 | 000,000,176 | ---- | M] () -- C:\MSsupport.htm
[2012/02/14 14:14:53 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
[2012/02/15 10:28:13 | 000,008,978 | ---- | M] () -- C:\OTL.Txt
[2012/02/27 17:29:35 | 270,508,031 | -HS- | M] () -- C:\pagefile.sys
[2008/05/07 23:03:22 | 000,303,616 | ---- | M] ( ) -- C:\SetACL.exe
[2009/01/14 03:29:43 | 000,000,174 | ---- | M] () -- C:\Setup.log
[2012/02/01 22:27:00 | 000,000,050 | ---- | M] () -- C:\SrtLog.txt
[2004/06/11 17:33:28 | 000,290,304 | ---- | M] (Microsoft Corporation) -- C:\subinacl.exe
[1 C:\*.tmp files -> C:\*.tmp -> ]

< %systemroot%\Fonts\*.com >
[2006/11/02 09:06:41 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 09:06:41 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 09:06:41 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2012/02/20 22:50:04 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 15:35:48 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008/01/20 21:21:59 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lîk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Deskuop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< %temp%\smtmp\*.* /s >

< MD5 for: EXPLORER.EXE >
[2008/10/29 00:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_b5f700fe698beb14\explorer.exe
[2008/10/29 00:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\SysWOW64\explorer.exe
[2008/10/29 00:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_b7eb106e66a7ac19\explorer.exe
[2008/10/29 00:15:50 | 003,087,360 | ---- | M] (Microsoft Corporation) MD5=50514057C28A74BAC2BD04B7B990D615 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_aba256ac352b2919\explorer.exe
[2008/10/29 21:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_b8583e9d7fda0512\explorer.exe
[2009/04/11 01:10:17 | 003,079,168 | ---- | M] (Microsoft Corporation) MD5=6B08E54A451B3F95E4109DBA7E594270 -- C:\Windows\ERDNT\cache86\explorer.exe
[2009/04/11 01:10:17 | 003,079,168 | ---- | M] (Microsoft Corporation) MD5=6B08E54A451B3F95E4109DBA7E594270 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_afbebba22f3bab41\explorer.exe
[2008/10/27 20:30:12 | 003,086,848 | ---- | M] (Microsoft Corporation) MD5=72B9990E45C25AA3C75C4FB50A9D6CE0 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_ac5266dd4e2b0a41\explorer.exe
[2008/10/29 00:49:22 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\explorer.exe
[2008/10/29 00:49:22 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_ad96661c3246ea1e\explorer.exe
[2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_ba1365f4639c6d3c\explorer.exe
[2008/10/29 23:30:07 | 003,081,216 | ---- | M] (Microsoft Corporation) MD5=E404A65EF890140410E9F3D405841C95 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_ae03944b4b794317\explorer.exe
[2008/10/27 20:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_b6a7112f828bcc3c\explorer.exe
[2008/01/20 20:48:44 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=F6D765FB6B457542D954682F50C26E4F -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_add342963219dff5\explorer.exe
[2008/01/20 20:49:23 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_b827ece8667aa1f0\explorer.exe

< MD5 for: EXPLORER.EXE 0XC000022 ERROR - PAGE 3 - SAFER-NETWORKING FORUMS.URL >
[2012/02/27 12:59:35 | 000,000,280 | ---- | M] () MD5=1995C8228CEB5A7545D50535FD2F02B6 -- C:\Users\Ryan\Favorites\explorer.exe 0xc000022 error - Page 3 - Safer-Networking Forums.url
[2012/02/27 12:59:35 | 000,000,280 | ---- | M] () MD5=1995C8228CEB5A7545D50535FD2F02B6 -- C:\Users\Ryan\Favorites\Links\explorer.exe 0xc000022 error - Page 3 - Safer-Networking Forums.url

< MD5 for: EXPLORER.EXE.MUI >
[2006/11/02 09:13:38 | 000,036,864 | ---- | M] (Microsoft Corporation) MD5=192DD053B43250E264383CDC3D564A18 -- C:\Windows\SysWOW64\en-US\explorer.exe.mui
[2006/11/02 09:13:38 | 000,036,864 | ---- | M] (Microsoft Corporation) MD5=192DD053B43250E264383CDC3D564A18 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.0.6000.16386_en-us_6a2f0af76374ed51\explorer.exe.mui
[2006/11/02 09:13:32 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=872D519975CA4D7CC596FC93470D49E0 -- C:\Windows\en-US\explorer.exe.mui
[2006/11/02 09:13:32 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=872D519975CA4D7CC596FC93470D49E0 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.0.6000.16386_en-us_5fda60a52f142b56\explorer.exe.mui

< MD5 for: EXPLORER.EXE-D5E97654.PF >
[2012/02/29 11:47:23 | 000,279,514 | ---- | M] () MD5=16F3247BE9C046559BC0B3DB204F4706 -- C:\Windows\Prefetch\EXPLORER.EXE-D5E97654.pf

< MD5 for: IEXPLORE.EXE >
[2009/10/27 07:11:33 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=03EF289E8F82CBC4E492658864C7C51A -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22550_none_9628daa62002d415\iexplore.exe
[2009/07/18 06:51:34 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=065536D14F91DC321FBFAED112B2A747 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21089_none_89d658d9ee8bf1ff\iexplore.exe
[2009/01/14 04:33:26 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=07ED775D6DB4BFA96D7CFB09EB228418 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16681_none_9399882309d61be8\iexplore.exe
[2009/01/14 22:14:36 | 000,634,024 | ---- | M] (Microsoft Corporation) MD5=0844F5B9CB3BB85A917D347EF1565B6C -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16809_none_93f80d9f098e0166\iexplore.exe
[2009/08/27 08:29:23 | 000,711,448 | ---- | M] (Microsoft Corporation) MD5=0EBCCD92E47FDD01B1FC7EBC7FFC26E0 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21116_none_8a1f0955ee55df8a\iexplore.exe
[2009/01/14 04:28:19 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=157F8DE991396C536820D7FA5C8DCF7D -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16711_none_93e5397d099d5578\iexplore.exe
[2009/01/14 04:35:15 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=182CAF7403705ACCB51211A761080B8F -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20777_none_9433f69622e637cb\iexplore.exe
[2009/01/14 04:19:39 | 000,633,632 | ---- | M] (Microsoft Corporation) MD5=19403B64906C9EAC627E3C10847B0FDA -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_93bffb8909b85d46\iexplore.exe
[2009/01/14 04:33:26 | 000,701,440 | ---- | M] (Microsoft Corporation) MD5=1ACD856D345FA54F89335C793B2B0874 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20823_none_8a115c9dee6081e6\iexplore.exe
[2009/11/21 09:04:19 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=1B5572B8B9CD678E814F57B245400F64 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22956_none_6ec34e240169f05e\iexplore.exe
[2009/11/21 00:42:38 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=1B6362BB14FCEB9E76BCF9A953B04788 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18865_none_78828b751cb61529\iexplore.exe
[2009/08/27 07:50:25 | 000,711,448 | ---- | M] (Microsoft Corporation) MD5=1B9D3D4A9C9133CA250DB65370DF3060 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18319_none_8b7ed3ecd25be974\iexplore.exe
[2009/07/18 06:16:49 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=1D5A01AA2DE47C052AF46D7EBCB003A3 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16890_none_938dbbb909df18d0\iexplore.exe
[2009/07/18 15:39:09 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=1D8163DBFECAEDB9C48C5F55084BC491 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18294_none_9577fb8707020f1d\iexplore.exe
[2009/03/02 22:18:52 | 000,636,072 | ---- | M] (Microsoft Corporation) MD5=1DD66A2851DACDEC32EAE8F9A8865ABD -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21023_none_9465e0f822c1744a\iexplore.exe
[2009/04/24 10:25:27 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=1F44940EF1D07D0BDAF80E55853DFBD0 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16851_none_93b9fbb309bdc263\iexplore.exe
[2009/10/27 07:51:59 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=233BF9AD6999D768293B39755F7DCA1D -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18349_none_8b5e6428d2743d47\iexplore.exe
[2010/02/23 09:06:13 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=25DB705A7DC85C208B3CF2D20F118AA7 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22995_none_78ebb87c35ec08c6\iexplore.exe
[2009/04/11 00:27:44 | 000,636,080 | ---- | M] (Microsoft Corporation) MD5=2C5168C856455CC43C4B4E1CC1920001 -- C:\Windows\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6002.18005_none_97c0beeb03de7f46\iexplore.exe
[2011/02/22 00:50:19 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=2E70FE17239DFCA6209FD698D0F18C61 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19048_none_6e465be0e84297ba\iexplore.exe
[2009/01/14 04:35:15 | 000,701,440 | ---- | M] (Microsoft Corporation) MD5=2EEE7F65B04F759FE7D238AD6EAB90B7 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20777_none_89df4c43ee8575d0\iexplore.exe
[2009/01/14 04:35:16 | 000,701,440 | ---- | M] (Microsoft Corporation) MD5=31705413C889C5503F564C642D83C282 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16643_none_89721e14d5531cd7\iexplore.exe
[2009/04/24 10:07:30 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=3319AE709DEAA8539AB3B4110C3C675D -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22418_none_8c07706deb7a6fe7\iexplore.exe
[2009/07/18 16:19:00 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=3336F6E73AD028FC310947DFA84CD554 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16890_none_89391166d57e56d5\iexplore.exe
[2010/11/02 00:29:04 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=37302FCB9B7D54B0DBB43624E7A21B3C -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18999_none_6e11746ce86a0984\iexplore.exe
[2010/01/02 08:58:26 | 000,638,216 | ---- | M] (Microsoft Corporation) MD5=3D8DA00B028DEA9517066F1CECBFC4A2 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22973_none_78ff57c035dd9e36\iexplore.exe
[2010/05/04 00:32:18 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=48A6109E8DF0365195298CC527B7426A -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23019_none_7946112635a7c1dc\iexplore.exe
[2010/09/08 00:26:34 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=4A719476A6393B1DCACFEB4F3AC6599C -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23067_none_790e00f635d21ae3\iexplore.exe
[2009/01/14 04:28:19 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=4DBD95312B1C96C5285D38F1D748CD4D -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20868_none_943fc8b222dd3258\iexplore.exe
[2009/03/02 22:58:49 | 000,712,888 | ---- | M] (Microsoft Corporation) MD5=4F49A46AB978ED80D536E25FC87AF3F5 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18226_none_8b71013cd266bc39\iexplore.exe
[2009/10/27 09:11:10 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=4F9B04D546C23A295F3F0AE015BE51DB -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16945_none_93c8cead09b208f5\iexplore.exe
[2009/07/18 06:39:30 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=51B17FD4415B38F783F7C8EDABD3157D -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18294_none_8b235134d2a14d22\iexplore.exe
[2011/12/15 01:36:29 | 000,638,240 | ---- | M] (Microsoft Corporation) MD5=54EF418BD99720658CCE24210799BD1A -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23286_none_78f764a035e333bc\iexplore.exe
[2009/03/02 22:41:00 | 000,712,888 | ---- | M] (Microsoft Corporation) MD5=57731E60EA98B8C279DCB5BBB82B68B7 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16830_none_8979f0eed54daf2f\iexplore.exe
[2009/04/11 01:11:08 | 000,712,864 | ---- | M] (Microsoft Corporation) MD5=58136AB5A3DF2D44BBB483629188584A -- C:\Windows\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6002.18005_none_8d6c1498cf7dbd4b\iexplore.exe
[2010/11/02 00:03:13 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=5AB037B17F8A87D052F5A88E0D29A3C8 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18999_none_78661ebf1ccacb7f\iexplore.exe
[2008/01/20 20:48:06 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=5B92133D3E7FB2644677686305E29E81 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_95d545df06bcb3fa\iexplore.exe
[2010/05/04 00:00:35 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=5C9B1062EA7A44E8F6BFDE994B68C7AA -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18928_none_78b0cde91c92ee91\iexplore.exe
[2009/10/27 07:38:38 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=5EAC3DEC57F735F2F63672EC5D34ED5E -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22550_none_8bd43053eba2121a\iexplore.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\iexplore.exe
[2009/01/14 04:19:39 | 000,633,632 | ---- | M] (Microsoft Corporation) MD5=6655B851D9EEF7C83395EE52D551B448 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_946a09fe22bda664\iexplore.exe
[2009/01/14 04:33:26 | 000,701,440 | ---- | M] (Microsoft Corporation) MD5=699D1D2EAF5C80E7361809B0ED8AE773 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16681_none_8944ddd0d57559ed\iexplore.exe
[2009/04/24 10:27:28 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=6B9F780596A6FA37909A1E17B13DB8F3 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21046_none_89fe97abee6e3636\iexplore.exe
[2009/08/27 08:19:49 | 000,711,448 | ---- | M] (Microsoft Corporation) MD5=6CBD8F2C431A57689549BF06D5B75B6F -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16916_none_89959468d5380c7e\iexplore.exe
[2010/05/04 00:57:44 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=6E4A7132FE953AFFAE00B15835404564 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18928_none_6e5c2396e8322c96\iexplore.exe
[2009/01/14 22:59:48 | 000,709,800 | ---- | M] (Microsoft Corporation) MD5=724BC813643C688280F353EC23128A66 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20996_none_89c8afedee968ea9\iexplore.exe
[2010/06/26 00:06:48 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=7420BE0E7D3D1320054F7ACA0594953D -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18943_none_78962c9f1ca7a7c0\iexplore.exe
[2010/12/18 01:19:44 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=7852371DA9EFBC17B645558E23780EAC -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23111_none_793e10bc35aef44b\iexplore.exe
[2009/10/27 07:24:29 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=79B60CC26404F8FC2B351A7551D93C17 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18349_none_95b30e7b06d4ff42\iexplore.exe
[2009/03/08 15:09:11 | 000,661,344 | ---- | M] (Microsoft Corporation) MD5=7A81E0CECAE7B98459A073981F0124D5 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18702_none_6e6bbde6e827625c\iexplore.exe
[2011/05/28 01:09:20 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=7EE10C5413AD7ED1AF9E8FAE1B58FC3E -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23181_none_78f2614835e7b7e2\iexplore.exe
[2009/07/18 06:16:45 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=7FCF4E704A48D95202F3E7A1E1A21412 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21089_none_942b032c22ecb3fa\iexplore.exe
[2009/10/27 07:22:34 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=80675329E0FD54F016C4F8A83C616349 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21148_none_9455447822cd2806\iexplore.exe
[2010/02/23 01:03:07 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=81AF4A1549710310E56B43C4D3F3657C -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18904_none_6e6dc246e8258f58\iexplore.exe
[2010/09/08 00:49:26 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=827BE3F3C80787B00F19E36B19531197 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18975_none_6e23131ce85d6c46\iexplore.exe
[2009/04/24 10:32:29 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=8679C8CD9690758AF0984290A1843E72 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16851_none_89655160d55d0068\iexplore.exe
[2009/01/14 04:28:19 | 000,701,440 | ---- | M] (Microsoft Corporation) MD5=88BC0B30EE1C0344119778A6E8F2509F -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16711_none_89908f2ad53c937d\iexplore.exe
[2010/01/02 00:40:20 | 000,638,216 | ---- | M] (Microsoft Corporation) MD5=88BD42DAE7CFFEB256CA7145A15E4843 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18882_none_7869eabf1cc90106\iexplore.exe
[2009/11/21 00:53:25 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=8ADB04E86E8A38307D0663CD002BFFD1 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18865_none_6e2de122e855532e\iexplore.exe
[2009/03/02 22:32:44 | 000,636,072 | ---- | M] (Microsoft Corporation) MD5=8BA2B7A05F88BE0D45237A0994AD8366 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22389_none_961169b0201311a9\iexplore.exe
[2009/01/14 04:19:39 | 000,709,408 | ---- | M] (Microsoft Corporation) MD5=8BC05A19FA4C19025D564A2201709F70 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_8a155fabee5ce469\iexplore.exe
[2010/12/18 00:56:48 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=8F69AE4F1AC2E1D2C34348D519007A2C -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19019_none_6e67cbeee8295d3e\iexplore.exe
[2010/11/02 01:13:47 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=92A17B0A89D14815AACC62CD190B6CE3 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23091_none_78e78f7635efd6ac\iexplore.exe
[2009/01/14 04:35:15 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=9437CA21CD48C9B6BFD6F5AC0143D251 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16643_none_93c6c86709b3ded2\iexplore.exe
[2011/05/28 01:46:21 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=947A0CEFBB04E0DD2741AD1060B2B287 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23181_none_6e9db6f60186f5e7\iexplore.exe
[2009/08/27 07:34:35 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=97867B45571A242E31900D991668F247 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22508_none_8c12423feb72511d\iexplore.exe
[2011/02/22 01:18:28 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=9CE5543464432CA73134F170FA2BF823 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23143_none_791fa18c35c57acc\iexplore.exe
[2010/05/04 00:59:11 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=9D0512508DBDD31DA29BC05941417101 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23019_none_6ef166d40146ffe1\iexplore.exe
[2009/08/27 08:04:53 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=9E45866CD349219784CD5A7620DBEB8A -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16916_none_93ea3ebb0998ce79\iexplore.exe
[2009/03/02 22:40:22 | 000,636,072 | ---- | M] (Microsoft Corporation) MD5=9E6C1527D9A2C64BFD780AA23075380F -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18226_none_95c5ab8f06c77e34\iexplore.exe
[2009/01/14 04:33:26 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=9F1427F203CA078005C9943800929640 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20823_none_946606f022c143e1\iexplore.exe
[2010/02/23 00:39:16 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=9F52FBE99C749E3F32C75124F09F1B03 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18904_none_78c26c991c865153\iexplore.exe
[2009/08/27 07:43:41 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=A76AFC309AA55CD607A28AC41C7D7603 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21116_none_9473b3a822b6a185\iexplore.exe
[2009/03/02 22:36:03 | 000,712,888 | ---- | M] (Microsoft Corporation) MD5=AA8005889396DF530BCDF0E2AA0E7A04 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21023_none_8a1136a5ee60b24f\iexplore.exe
[2011/12/15 00:22:33 | 000,638,240 | ---- | M] (Microsoft Corporation) MD5=AB18B8902C06954F8DFBAC5C6DC7E1E8 -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
[2011/12/15 00:22:33 | 000,638,240 | ---- | M] (Microsoft Corporation) MD5=AB18B8902C06954F8DFBAC5C6DC7E1E8 -- C:\Windows\ERDNT\cache86\iexplore.exe
[2011/12/15 00:22:33 | 000,638,240 | ---- | M] (Microsoft Corporation) MD5=AB18B8902C06954F8DFBAC5C6DC7E1E8 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19190_none_785cf62d1cd317d9\iexplore.exe
[2009/10/27 09:11:14 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=AB8E0D9CA22D724985DB1744DE2481A9 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16945_none_8974245ad55146fa\iexplore.exe
[2008/01/20 20:50:37 | 000,701,952 | ---- | M] (Microsoft Corporation) MD5=AC2C3BAFD177B60C3B5E4DDBCC2C2DB3 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_8b809b8cd25bf1ff\iexplore.exe
[2009/10/27 08:14:14 | 000,711,432 | ---- | M] (Microsoft Corporation) MD5=AF7A1B47A329B0754E4DA2CD532207EF -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21148_none_8a009a25ee6c660b\iexplore.exe
[2009/03/08 15:09:24 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18702_none_78c068391c882457\iexplore.exe
[2010/01/02 09:15:56 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=B7ECFA3A546360E2A39ADBE1D773F3DC -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22973_none_6eaaad6e017cdc3b\iexplore.exe
[2010/12/18 00:28:35 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=B988D7F127B94BD5BF8356FE81B985C4 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19019_none_78bc76411c8a1f39\iexplore.exe
[2009/08/27 07:38:13 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=BBF84F317553520BB78AEF7B047325C1 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18319_none_95d37e3f06bcab6f\iexplore.exe
[2011/02/22 00:21:12 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=C1D36A2CBE0CEC4DF593DB1288CF586E -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19048_none_789b06331ca359b5\iexplore.exe
[2009/07/18 06:25:05 | 000,711,448 | ---- | M] (Microsoft Corporation) MD5=C6558E30E94FE3DF893CE85F6948B5DA -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22475_none_8bc39007ebadcb88\iexplore.exe
[2011/12/15 00:47:49 | 000,660,768 | ---- | M] (Microsoft Corporation) MD5=C7884BC0B78D6EE27D9CD469B9C410DF -- C:\Program Files\Internet Explorer\iexplore.exe
[2011/12/15 00:47:49 | 000,660,768 | ---- | M] (Microsoft Corporation) MD5=C7884BC0B78D6EE27D9CD469B9C410DF -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19190_none_6e084bdae87255de\iexplore.exe
[2010/01/02 01:09:58 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=C9256212D298D96FE0F63D69ECD9CE97 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18882_none_6e15406ce8683f0b\iexplore.exe
[2011/05/28 00:24:59 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=CF331868494D0527484520912736518E -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19088_none_6e1b1c30e863077e\iexplore.exe
[2010/02/23 10:03:02 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=D1978C9901DAA9A1C2EE78A707B1449A -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22995_none_6e970e2a018b46cb\iexplore.exe
[2009/04/24 10:03:18 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=D5271AC4A06AD9D1E2EA0151B79B2657 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21046_none_945341fe22cef831\iexplore.exe
[2010/09/08 00:02:42 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=D5A730DFDEAE005373E62BC2A866E3BB -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18975_none_7877bd6f1cbe2e41\iexplore.exe
[2009/01/14 04:28:19 | 000,701,440 | ---- | M] (Microsoft Corporation) MD5=D5A7B74CA0826CF5BCE4AE0152231A9B -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20868_none_89eb1e5fee7c705d\iexplore.exe
[2009/04/24 10:01:36 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=D6157423C117F24D24695866A1D0A93F -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22418_none_965c1ac01fdb31e2\iexplore.exe
[2009/01/14 22:50:38 | 000,709,800 | ---- | M] (Microsoft Corporation) MD5=D6F4816C6B7BE9A125E138B903C2B0EF -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16809_none_89a3634cd52d3f6b\iexplore.exe
[2009/03/02 23:02:08 | 000,712,872 | ---- | M] (Microsoft Corporation) MD5=D7379B3EF7C87578F8966FF5C7B46E9D -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22389_none_8bbcbf5debb24fae\iexplore.exe
[2010/09/08 01:28:01 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=D93AB1673986658EF1931FA751BCCF69 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23067_none_6eb956a4017158e8\iexplore.exe
[2011/02/22 01:54:38 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=E79C480F9DCD7512AAB9727A533CB152 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23143_none_6ecaf73a0164b8d1\iexplore.exe
[2009/11/21 09:05:17 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=E7F8DF50E483D165BB01F367D3519AA7 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22956_none_7917f87635cab259\iexplore.exe
[2010/06/26 00:31:23 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=E9D8A71AFDCA528A184C1498E22A8241 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18943_none_6e41824ce846e5c5\iexplore.exe
[2009/03/02 22:22:10 | 000,636,072 | ---- | M] (Microsoft Corporation) MD5=EA4BE33726155F89D89A3FE7142878E0 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16830_none_93ce9b4109ae712a\iexplore.exe
[2009/07/18 05:55:42 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=EBEE9E4421F35CD861107DDA0266FBB1 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22475_none_96183a5a200e8d83\iexplore.exe
[2011/12/15 02:02:25 | 000,660,768 | ---- | M] (Microsoft Corporation) MD5=EBFB7B1209DFC75E1971981E46CF2AA8 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23286_none_6ea2ba4e018271c1\iexplore.exe
[2011/05/28 00:09:21 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=ED65737D70FDEAC29F738E77D2496EE5 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19088_none_786fc6831cc3c979\iexplore.exe
[2010/06/26 00:52:42 | 000,638,232 | ---- | M] (Microsoft Corporation) MD5=F05B3A2C6CB319DD1377AD566CF5ECE5 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23040_none_791c9ec835c831a0\iexplore.exe
[2009/01/14 22:18:47 | 000,634,024 | ---- | M] (Microsoft Corporation) MD5=F0B1CA517977BA2FF6DA33F1B966C488 -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20996_none_941d5a4022f750a4\iexplore.exe
[2009/04/24 10:08:04 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=F294D8EEB05C835EC44A12CE0A1DFE7A -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18248_none_95b20c4b06d5e8c4\iexplore.exe
[2010/11/02 01:42:15 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=F686191623AC22EE2521C2D17157B199 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23091_none_6e92e524018f14b1\iexplore.exe
[2010/06/28 12:17:01 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=F896A6A9965B9C64061BE97F6D84B075 -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23040_none_6ec7f47601676fa5\iexplore.exe
[2010/12/18 01:54:56 | 000,660,760 | ---- | M] (Microsoft Corporation) MD5=FC6DC0E786A4D2E7DA6E9C012ED2E64F -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23111_none_6ee9666a014e3250\iexplore.exe
[2009/04/24 10:23:20 | 000,711,448 | ---- | M] (Microsoft Corporation) MD5=FD4E1EF226A34D093AAD475B94C5E36E -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18248_none_8b5d61f8d27526c9\iexplore.exe
[2009/08/27 07:19:25 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=FE2DFF83B7753AC47C553EF7D5289BEE -- C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22508_none_9666ec921fd31318\iexplore.exe
[2009/01/14 04:19:39 | 000,709,408 | ---- | M] (Microsoft Corporation) MD5=FF441810C3CA6DC897CB322F60A6902F -- C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_896b5136d5579b4b\iexplore.exe

< MD5 for: IEXPLORE.EXE.MUI >
[2009/03/08 16:15:57 | 000,004,608 | ---- | M] (Microsoft Corporation) MD5=11E9431B29BD64A1FB13369BB8AD4116 -- C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
[2009/03/08 16:15:57 | 000,004,608 | ---- | M] (Microsoft Corporation) MD5=11E9431B29BD64A1FB13369BB8AD4116 -- C:\Windows\winsxs\amd64_microsoft-windows-i..texplorer.resources_31bf3856ad364e35_8.0.6001.18702_en-us_7c9630f422ee47f7\iexplore.exe.mui
[2006/11/02 09:13:34 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=3CCDDDBC49DEACA370F39A9F0E146A1B -- C:\Windows\winsxs\wow64_microsoft-windows-i..texplorer.resources_31bf3856ad364e35_6.0.6000.16386_en-us_a1c8f6f0449888c1\iexplore.exe.mui
[2009/03/08 15:27:11 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui
[2009/03/08 15:27:11 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Windows\winsxs\wow64_microsoft-windows-i..texplorer.resources_31bf3856ad364e35_8.0.6001.18702_en-us_86eadb46574f09f2\iexplore.exe.mui
[2006/11/02 09:13:29 | 000,005,632 | ---- | M] (Microsoft Corporation) MD5=D421BD7B9646679254B0D855823C6F21 -- C:\Windows\winsxs\amd64_microsoft-windows-i..texplorer.resources_31bf3856ad364e35_6.0.6000.16386_en-us_97744c9e1037c6c6\iexplore.exe.mui

< MD5 for: IEXPLORE.EXE-A033F7A0.PF >
[2012/02/27 12:59:34 | 000,089,636 | ---- | M] () MD5=57E80112184E24E730099E77DA175A0B -- C:\Windows\Prefetch\IEXPLORE.EXE-A033F7A0.pf

< MD5 for: WINLOGON.EXE >
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009/04/11 01:11:08 | 000,405,504 | ---- | M] (Microsoft Corporation) MD5=6D0773A3A65D28B663F334C90441D01A -- C:\Windows\ERDNT\cache64\winlogon.exe
[2009/04/11 01:11:08 | 000,405,504 | ---- | M] (Microsoft Corporation) MD5=6D0773A3A65D28B663F334C90441D01A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_cdcd15a68a70b877\winlogon.exe
[2008/01/20 20:49:47 | 000,406,016 | ---- | M] () MD5=856491FCED98093D824B9EB2892F564A -- C:\Windows\SysNative\winlogon.exe
[2008/01/20 20:49:47 | 000,406,016 | ---- | M] (Microsoft Corporation) MD5=856491FCED98093D824B9EB2892F564A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_cbe19c9a8d4eed2b\winlogon.exe
[2009/04/11 00:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008/01/20 20:50:38 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\SysWOW64\winlogon.exe
[2008/01/20 20:50:38 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< MD5 for: WINLOGON.EXE.MUI >
[2008/01/20 20:52:39 | 000,019,968 | ---- | M] () MD5=1DB95B0920FA9783476AC46F187C06F6 -- C:\Windows\SysNative\en-US\winlogon.exe.mui
[2008/01/20 20:52:39 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=1DB95B0920FA9783476AC46F187C06F6 -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.0.6001.18000_en-us_27172d0ebc73e370\winlogon.exe.mui
[2008/01/20 20:52:28 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=26AC28BF50DC112BAA794A83E08588F0 -- C:\Windows\SysWOW64\en-US\winlogon.exe.mui
[2008/01/20 20:52:28 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=26AC28BF50DC112BAA794A83E08588F0 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.0.6001.18000_en-us_caf8918b0416723a\winlogon.exe.mui
[2006/11/02 09:13:52 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=2D30AB05DBA78517B34C0AAC71DF5299 -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.0.6000.16386_en-us_24e06b12bf88d29c\winlogon.exe.mui
[2006/11/02 09:13:03 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=A1D2856F3EC3C86EBBF1442B0245A8B3 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.0.6000.16386_en-us_c8c1cf8f072b6166\winlogon.exe.mui

< MD5 for: WINLOGON.EXE-DEDDC9B6.PF >
[2012/02/29 11:49:02 | 000,013,648 | ---- | M] () MD5=AD4951818584CECC8E358683B8351FB9 -- C:\Windows\Prefetch\WINLOGON.EXE-DEDDC9B6.pf

< MD5 for: WINLOGON.MOF >
[2006/09/18 15:38:40 | 000,002,794 | ---- | M] () MD5=545C578F290B9CDD280966939935B9EA -- C:\Windows\SysNative\wbem\winlogon.mof
[2006/09/18 15:41:56 | 000,002,794 | ---- | M] () MD5=545C578F290B9CDD280966939935B9EA -- C:\Windows\SysWOW64\wbem\winlogon.mof
[2006/09/18 15:38:40 | 000,002,794 | ---- | M] () MD5=545C578F290B9CDD280966939935B9EA -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon-mof_31bf3856ad364e35_6.0.6000.16386_none_da20a358315a3dca\winlogon.mof
[2006/09/18 15:41:56 | 000,002,794 | ---- | M] () MD5=545C578F290B9CDD280966939935B9EA -- C:\Windows\winsxs\x86_microsoft-windows-winlogon-mof_31bf3856ad364e35_6.0.6000.16386_none_7e0207d478fccc94\winlogon.mof

< End of report >

Hi chiro.j.elliott,

This will be a short log, remember to click the none button.

Next

Please open OTL.


Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, click the None button near the top (it may looked greyed out)

In the window under Custom Scans/Fixes copy and paste the following



/md5start
userinit.*
/md5stop



Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.



As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
Do not use this instance of your browser for anything besides doing this scan
When the scan is complete and the results saved, close that instance of your browser
Open a new one the usual way and post the results in this topic.



*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Go here to run an online scannner from
ESET (http://www.eset.eu/online-scanner)

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)


Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your Antivirus software. You can usually do this with its Notfication Tray icon near the clock
Click Start
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
Click Scan.
Wait for the scan to finish.
When the scan completes, click List of found threats
click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply

Note - when ESET doesn't find any threats, no report will be created.

Push the back button.
Push Finish
Re-enable your Antivirus software.


Please post back with
OTL.txt
ESET log if there is one

OTL logfile created on: 3/1/2012 1:10:21 PM - Run 4
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Users\Ryan\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19190)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.96 Gb Total Physical Memory | 1.72 Gb Available Physical Memory | 43.48% Memory free
8.09 Gb Paging File | 5.98 Gb Available in Paging File | 73.98% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 288.01 Gb Total Space | 201.10 Gb Free Space | 69.82% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 3.25 Gb Free Space | 32.49% Space Free | Partition Type: NTFS
Drive E: | 557.71 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: RYAN-PC | User Name: Ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< >


< MD5 for: USERINIT.EXE >
[2008/01/20 20:50:36 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache86\userinit.exe
[2008/01/20 20:50:36 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\SysWOW64\userinit.exe
[2008/01/20 20:50:36 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2008/01/20 20:49:46 | 000,028,160 | ---- | M] (Microsoft Corporation) MD5=A0AB2BB9A92293D9CE66E252719AB5FE -- C:\Windows\ERDNT\cache64\userinit.exe
[2008/01/20 20:49:46 | 000,028,160 | ---- | M] () MD5=A0AB2BB9A92293D9CE66E252719AB5FE -- C:\Windows\SysNative\userinit.exe
[2008/01/20 20:49:46 | 000,028,160 | ---- | M] (Microsoft Corporation) MD5=A0AB2BB9A92293D9CE66E252719AB5FE -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe

< MD5 for: USERINIT.EXE.MUI >
[2006/11/02 09:13:42 | 000,003,584 | ---- | M] () MD5=7A820F1B24D266DE11444D6C8FA8AC8A -- C:\Windows\SysNative\en-US\userinit.exe.mui
[2006/11/02 09:13:42 | 000,003,584 | ---- | M] (Microsoft Corporation) MD5=7A820F1B24D266DE11444D6C8FA8AC8A -- C:\Windows\winsxs\amd64_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_e9d87fb38dc4f328\userinit.exe.mui
[2006/11/02 09:13:55 | 000,004,096 | ---- | M] (Microsoft Corporation) MD5=F058F2BAE89E70B2A79D5EB820092EEB -- C:\Windows\SysWOW64\en-US\userinit.exe.mui
[2006/11/02 09:13:55 | 000,004,096 | ---- | M] (Microsoft Corporation) MD5=F058F2BAE89E70B2A79D5EB820092EEB -- C:\Windows\winsxs\x86_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_8db9e42fd56781f2\userinit.exe.mui

< MD5 for: USERINIT.EXE-5114915C.PF >
[2012/02/29 11:47:21 | 000,012,380 | ---- | M] () MD5=4A24B4EBE04B610A2FA33CCE48917BE3 -- C:\Windows\Prefetch\USERINIT.EXE-5114915C.pf

< End of report >

[B]online scan results:

C:\Qoobox\Quarantine\C\ProgramData\de6342b\6738.mof.vir Win32/RogueAV.A trojan
C:\Qoobox\Quarantine\C\ProgramData\de6342b\CUde63.exe.vir Win32/RogueAV.I trojan
C:\Users\Ryan\AppData\LocalLow\FilmFanaticEI\Installr\Cache\44550795.exe a variant of Win32/Toolbar.MyWebSearch.O application
C:\Users\Ryan\AppData\LocalLow\TelevisionFanaticEI\Installr\Cache\445D93BD.exe a variant of Win32/Toolbar.MyWebSearch.O application

Hi chiro.j.elliott,

That looks ok. 2 files have all ready been quarantined the other 2 are warnings of some toolbars included with an installer.

A little tidying up then we can clean up the tools.

Next

The 64 bit version of java is out of date.

Go to Start > Control Panel , switch to Classic View if it isn't already.

Locate the Java (64) icon (it looks like a coffee cup)
double click it to open it
click the Update tab
Click update now


Next Right click on OTL.exe and chose Run as Administrator to run it
Under the Custom Scans/Fixes box at the bottom, paste in the following
Do Not copy the word CODE
please note the fix starts with the :


:Services

:OTL
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present

:Commands
[emptytemp]
[creatrestorepoint]


Then click the Run Fix button at the top
Let the program run unhindered
Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.

The date and such is wrong?? but this is what opened after the computer restarted!!

OTL logfile created on: 3/1/2012 1:10:21 PM - Run 4
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Users\Ryan\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19190)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.96 Gb Total Physical Memory | 1.72 Gb Available Physical Memory | 43.48% Memory free
8.09 Gb Paging File | 5.98 Gb Available in Paging File | 73.98% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 288.01 Gb Total Space | 201.10 Gb Free Space | 69.82% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 3.25 Gb Free Space | 32.49% Space Free | Partition Type: NTFS
Drive E: | 557.71 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: RYAN-PC | User Name: Ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< >


< MD5 for: USERINIT.EXE >
[2008/01/20 20:50:36 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache86\userinit.exe
[2008/01/20 20:50:36 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\SysWOW64\userinit.exe
[2008/01/20 20:50:36 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2008/01/20 20:49:46 | 000,028,160 | ---- | M] (Microsoft Corporation) MD5=A0AB2BB9A92293D9CE66E252719AB5FE -- C:\Windows\ERDNT\cache64\userinit.exe
[2008/01/20 20:49:46 | 000,028,160 | ---- | M] () MD5=A0AB2BB9A92293D9CE66E252719AB5FE -- C:\Windows\SysNative\userinit.exe
[2008/01/20 20:49:46 | 000,028,160 | ---- | M] (Microsoft Corporation) MD5=A0AB2BB9A92293D9CE66E252719AB5FE -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe

< MD5 for: USERINIT.EXE.MUI >
[2006/11/02 09:13:42 | 000,003,584 | ---- | M] () MD5=7A820F1B24D266DE11444D6C8FA8AC8A -- C:\Windows\SysNative\en-US\userinit.exe.mui
[2006/11/02 09:13:42 | 000,003,584 | ---- | M] (Microsoft Corporation) MD5=7A820F1B24D266DE11444D6C8FA8AC8A -- C:\Windows\winsxs\amd64_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_e9d87fb38dc4f328\userinit.exe.mui
[2006/11/02 09:13:55 | 000,004,096 | ---- | M] (Microsoft Corporation) MD5=F058F2BAE89E70B2A79D5EB820092EEB -- C:\Windows\SysWOW64\en-US\userinit.exe.mui
[2006/11/02 09:13:55 | 000,004,096 | ---- | M] (Microsoft Corporation) MD5=F058F2BAE89E70B2A79D5EB820092EEB -- C:\Windows\winsxs\x86_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_8db9e42fd56781f2\userinit.exe.mui

< MD5 for: USERINIT.EXE-5114915C.PF >
[2012/02/29 11:47:21 | 000,012,380 | ---- | M] () MD5=4A24B4EBE04B610A2FA33CCE48917BE3 -- C:\Windows\Prefetch\USERINIT.EXE-5114915C.pf

< End of report >

Hi chiro.j.elliott,

That's the scan log from yesterday. did you run the fix from my last post? If you did the OTL fix log can be found at C:\_OTL\MovedFiles It will have a file name consisting of numbers that reflect the date and time stamp the fix was ran. It will be something similar to 03022012_091009.log . Please copy and paste the contents into your next reply.

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AppData
->Temp folder emptied: 0 bytes

User: Becca
->Temp folder emptied: 99643 bytes
->Temporary Internet Files folder emptied: 47439557 bytes
->Java cache emptied: 77479709 bytes
->FireFox cache emptied: 56676328 bytes
->Flash cache emptied: 818 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Ryan
->Temp folder emptied: 1329008 bytes
->Temporary Internet Files folder emptied: 3014524 bytes
->Java cache emptied: 93576279 bytes
->FireFox cache emptied: 140372807 bytes
->Flash cache emptied: 1481 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 713852420 bytes
%systemroot%\System32 .tmp files removed: 32768 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 376135 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,082.00 mb

Error: Unable to interpret <[creatrestorepoint]> in the current context!

OTL by OldTimer - Version 3.2.33.2 log created on 03022012_105349

Files\Folders moved on Reboot...
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UUE35ATD\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MMX15HPD\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JJENX5YD\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1WCZT13\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be moved on reboot.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Hi chiro.j.elliott,

Everything looks ok. Let's give it one more run with combofix now that you can run in normal windows.

Delete the copy of combofix you have from your desktop and download a new from Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)or Link 2 (http://www.infospyware.net/antimalware/combofix/) and sve it to your desktop. Do not run it.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.

Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE



File::
C:\Users\Ryan\AppData\LocalLow\FilmFanaticEI\Installr\Cache\44550795.exe
C:\Users\Ryan\AppData\LocalLow\TelevisionFanaticEI\Installr\Cache\445D93BD.exe



In the notepad
Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post the log.

I have just attached the file as it wont even let me put it in two posts!!

Hi chiro.j.elliott,

I don't see an antivirus program installed. I can give you some links to some very good free ones if you wish.

Everything looks good so we'll remove the tools.

From your desktop, please delete, if present
any notepads/logs that we created
DDS.scr




Next

Click the Start button,in the search box type Run. At the top click run

Copy and paste the following line into the run box and click OK

Combofix /uninstall


Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.


Updates

You should reinstall Vista Service Pack 2


Anitvirus

If you don't have an antivirus program installed download one of these free ones.


Avast (http://www.avast.com/free-antivirus-download)
Help and support can be found here Avast Forum (http://forum.avast.com/)
AVG (http://free.grisoft.com/freeweb.php/doc/2/)
Help and support can be found here AVG Forum (http://forum.grisoft.cz/freeforum/index.php)
Antivir PersonalEditionClassic (http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html)
Help and support can be found here Avira Personal Support Forum (http://www.free-av.com/en/support/index.html)
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)
Support (http://go.microsoft.com/fwlink/?LinkID=153442)


Java

The 64bit version of java is out of date. You can get the 64bit version HERE (http://www.java.com/en/download/manual.jsp)

Click on Windows Offline (64-bit)

Once you have downloaded jre-6u31windows-x64-.exe and saved it to the desktop:

Click Start > Control Panel . Under Programs click uninstall a program and uninstall

Java? 6 Update 13 (64-bit)


Double click the file you downloaded to install the java. Pass on any 3rd party add ons you may be offered.


Adobe Reader

You have an older version of Adobe Reader. You can download the current version HERE (http://www.adobe.com/products/acrobat/readstep2.html)

You may want to consider Foxit Reader (http://www.foxitsoftware.com/downloads/index.php) instead. It may be a bit lighter on resources. If you choose FoxIt be sure to decline the Foxit Toolbar offered during the install.

Visit their support forum
Foxit Forum (http://www.foxitsoftware.com/bbs/forumdisplay.php?f=3)

In either case you should uninstall Adobe Reader 9.1 first. Be sure to move any PDF documents to another folder first though.


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall.

* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL (http://www.bleepingcomputer.com/forums/tutorial60.html) for links and tutorials to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware, IMO)


You should also use Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a host file manager. and some programs that can protect your hosts file.
HOSTS (http://www.mvps.org/winhelp2002/hosts.htm)

Please read the info on disabling the DNS Client before installing a custom hosts file.


-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


- Make sure you have reset Automatic Updates to your chosen option Click your start button > All Programsl > Windows Update > change settings


- Keep your antivirus program updated, as well as any other security programs you have.


-More tips and programs can be found HERE (http://forums.whatthetech.com/Preventing_Malware_Tools_Practices_Safe_Computing_t98700.html)

Please post back if you have any problems.

Thanks SOOO much for your help!! things are running smoothly again!!!

Hi chiro.j.elliott,

You're welcome.

take care

Since this issue appears to be resolved ... this Topic has been closed.