
I need help removing consrv.dll infection on 64 bit Windows 7. Logs At


#1
Dark_Matter

I recently became infected with consrv.dll. It removed Security Center (Defender and firewall). I could not utilize any of my restore points to recover. AVG detected and removed consrv, but then the computer would only boot to a blue screen with STOP: C0000135. This was remedied with the known registry fix that changed consrv.dll back to winsrv.dll using the recovery console.

Steps that were taken once I booted to the desktop:

1. AVG was removed
2. Used TDSKiller
3. Ran Kaspersky Virus Removal Tool
4. Ran Combofix with reboot
5. Used Rkill(s)
6. Then ran Combofix again with reboot

Result was that some of the bad behaviors were gone, but the registry entry in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" still reverts back to loading consrv rather than winsrv, and I assume the virus still persists. I need help removing it.

Thanks!
Rocky

OTL logfile created on: 3/28/2012 11:35:15 AM - Run 3
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Installs\VirusTools
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.99 Gb Total Physical Memory | 6.42 Gb Available Physical Memory | 80.35% Memory free
15.98 Gb Paging File | 14.16 Gb Available in Paging File | 88.62% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 229.47 Gb Total Space | 37.80 Gb Free Space | 16.47% Space Free | Partition Type: NTFS
Drive D: | 238.47 Gb Total Space | 85.70 Gb Free Space | 35.94% Space Free | Partition Type: NTFS

Computer Name: ALIENWARE | User Name: rockroland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Installs\VirusTools\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
PRC - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
PRC - C:\Program Files\Alienware\Command Center\AlienFXHook32Mngr.exe (Alienware)
PRC - C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe (Alienware Corporation)
PRC - C:\Program Files\Alienware\Command Center\AlienFusionController.exe ()
PRC - C:\Program Files (x86)\OSD\OSD.exe ()
PRC - C:\Program Files (x86)\OSD\OSD_Service.exe ()
PRC - C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
PRC - C:\Program Files (x86)\Common Files\LogiShrd\LQCVFX\COCIManager.exe ()
PRC - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe (Logitech Inc.)
PRC - C:\Program Files (x86)\CyberLink\Shared files\brs.exe (cyberlink)
PRC - C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe ()
PRC - C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
PRC - C:\Program Files\Logitech\Logitech WebCam Software\LU\LogitechUpdate.exe (Logitech, Inc.)
PRC - c:\Program Files\Logitech\Logitech WebCam Software\LU\LULnchr.exe (Logitech, Inc.)
PRC - C:\Program Files\OSD\Launch_CC.exe (Alienware Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\cb5bd98ffa4c82327b0e4db02bb58d2d\System.Management.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\f01c5c76d0a19516a37b7bd191a02cda\System.Core.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\eedf95f16a7e81ca43dd8accf11498a3\System.Data.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\02f7846cbc5c02a5dbf50fd34325eb61\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6c51e152e7404188914c9fa4d8503ff9\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\ab87129c2b603f218e4aa5300c9b1bdd\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\f4b2424c1b32fbd11130482bb899b7ae\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\47b9e7f070271ff50f988f75ea68fa3e\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\9866d1f6178e1cde25642f1ac293ff8d\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\e620323cacb5b6bfd93fd28d263440e4\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\faf4e8730ecbd07570111bb7c3b20565\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll ()
MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files (x86)\DivX\DivX Update\DivXUpdateCheck.dll ()
MOD - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
MOD - \\.\globalroot\systemroot\syswow64\mswsock.dll ()
MOD - C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienwareAlienFXModelResources\1.0.92.0__bebb3c8816410241\AlienwareAlienFXModelResources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienwareAlienFXTools\1.0.92.0__bebb3c8816410241\AlienwareAlienFXTools.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienLabsTools\1.0.92.0__bebb3c8816410241\AlienLabsTools.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\Alienlabs.CommandCenter.Tools\1.0.92.0__bebb3c8816410241\Alienlabs.CommandCenter.Tools.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\LightFX\1.0.92.0__bebb3c8816410241\LightFX.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienFX.DeviceDiscovery\1.0.92.0__bebb3c8816410241\AlienFX.DeviceDiscovery.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienFX.Communication.XPS\1.0.92.0__bebb3c8816410241\AlienFX.Communication.XPS.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienLabs.MasterIOBoard.Communication\1.0.92.0__bebb3c8816410241\AlienLabs.MasterIOBoard.Communication.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienLabs.MasterIOBoard.Communication.Core\1.0.92.0__bebb3c8816410241\AlienLabs.MasterIOBoard.Communication.Core.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienFX.Communication.PID0x516\1.0.92.0__bebb3c8816410241\AlienFX.Communication.PID0x516.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienFX.Communication.PID0x511\1.0.92.0__bebb3c8816410241\AlienFX.Communication.PID0x511.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienFX.Communication.PID0x514\1.0.92.0__bebb3c8816410241\AlienFX.Communication.PID0x514.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienFX.Communication.PID0x512\1.0.92.0__bebb3c8816410241\AlienFX.Communication.PID0x512.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienFX.Communication.PID0x515\1.0.92.0__bebb3c8816410241\AlienFX.Communication.PID0x515.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienFX.Communication.PID0x513\1.0.92.0__bebb3c8816410241\AlienFX.Communication.PID0x513.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienFX.Communication.Core\1.0.92.0__bebb3c8816410241\AlienFX.Communication.Core.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\AlienFX.Communication\1.0.92.0__bebb3c8816410241\AlienFX.Communication.dll ()
MOD - C:\Program Files\Alienware\Command Center\AlienFusionDomain.dll ()
MOD - C:\Program Files\Alienware\Command Center\AlienFusionController.exe ()
MOD - C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
MOD - C:\Program Files (x86)\Common Files\LogiShrd\LQCVFX\COCIManager.exe ()
MOD - C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe ()


========== Win32 Services (SafeList) ==========

SRV:64bit: - (NovacomD) -- C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe (Palm)
SRV:64bit: - (PEERNET Spooler Service 9.0) -- C:\Windows\SysNative\spool\drivers\x64\3\PNSvc9.exe (PEERNET Inc.)
SRV:64bit: - (AlienFusionService) -- C:\Program Files\Alienware\Command Center\AlienFusionService.exe (Alienware)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (STacSV) -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ec0230c23ac63514\stacsv64.exe (IDT, Inc.)
SRV:64bit: - (LVPrcS64) -- C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV:64bit: - (EvtEng) Intel® -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
SRV:64bit: - (MyWiFiDHCPDNS) -- C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe ()
SRV:64bit: - (RegSrvc) Intel® -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
SRV:64bit: - (btwdins) -- c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (sfilter) -- C:\Windows\SysNative\MobilePreInstallerService.dll (Oak Technology Inc.)
SRV:64bit: - (AESTFilters) -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ec0230c23ac63514\AESTSr64.exe (Andrea Electronics Corporation)
SRV:64bit: - (CustomSvc) -- C:\Program Files\OSD\Service1.exe ()
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
SRV - (PEERNET Spooler Service 9.0) -- C:\Windows\system32\spool\DRIVERS\x64\3\PNSvc9.exe (PEERNET Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (HappyOSD) -- C:\Program Files (x86)\OSD\OSD_Service.exe ()
SRV - (STacSV) -- C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ec0230c23ac63514\STacSV64.exe (IDT, Inc.)
SRV - (InstallFilterService) -- C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe ()
SRV - (SCPDFReadSpool) -- C:\Program Files (x86)\SolidDocuments\Solid Converter PDF\SCPDFV6\SolidConverterPDFServicex64.exe (Solid Documents, LLC)
SRV - (IAANTMON) Intel® -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (AESTFilters) -- C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ec0230c23ac63514\AESTSr64.exe (Andrea Electronics Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\drivers\usbaapl64.sys (Apple, Inc.)
DRV:64bit: - (IDMWFP) -- C:\Windows\SysNative\drivers\idmwfp.sys (Tonec Inc.)
DRV:64bit: - (msvad_simple) SplitCam Virtual Audio Device (Simple) (WDM) -- C:\Windows\SysNative\drivers\SplitCamAudio.sys (Windows ® Win 7 DDK provider)
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (Lbd) -- C:\Windows\SysNative\drivers\Lbd.sys (Lavasoft AB)
DRV:64bit: - (cbfs3) -- C:\Windows\SysNative\drivers\cbfs3.sys (EldoS Corporation)
DRV:64bit: - (AnyDVD) -- C:\Windows\SysNative\drivers\AnyDVD.sys (SlySoft, Inc.)
DRV:64bit: - (RimUsb) -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys (Research In Motion Limited)
DRV:64bit: - (RimVSerPort) -- C:\Windows\SysNative\drivers\RimSerial_AMD64.sys (Research in Motion Ltd)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (ElbyCDIO) -- C:\Windows\SysNative\drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (itecir) -- C:\Windows\SysNative\drivers\itecir.sys (ITE Tech. Inc. )
DRV:64bit: - (AtiHdmiService) -- C:\Windows\SysNative\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atipmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (e1kexpress) Intel® -- C:\Windows\SysNative\drivers\e1k62x64.sys (Intel Corporation)
DRV:64bit: - (STHDA) -- C:\Windows\SysNative\drivers\stwrt64.sys (IDT, Inc.)
DRV:64bit: - (Acceler) -- C:\Windows\SysNative\drivers\Acceler.sys (ST Microelectronics)
DRV:64bit: - (stdflt) -- C:\Windows\SysNative\drivers\stdflt.sys (ST Microelectronics)
DRV:64bit: - (iSSetup) -- C:\Windows\SysNative\drivers\iSSetup.sys (Intel Corporation)
DRV:64bit: - (LVUVC64) Logitech QuickCam Fusion(UVC) -- C:\Windows\SysNative\drivers\lvuvc64.sys (Logitech Inc.)
DRV:64bit: - (LVRS64) -- C:\Windows\SysNative\drivers\lvrs64.sys (Logitech Inc.)
DRV:64bit: - (lvpopf64) -- C:\Windows\SysNative\drivers\lvpopf64.sys (Logitech Inc.)
DRV:64bit: - (LVPr2Mon) -- C:\Windows\SysNative\drivers\LVPr2M64.sys ()
DRV:64bit: - (LVPr2M64) -- C:\Windows\SysNative\drivers\LVPr2M64.sys ()
DRV:64bit: - (NETw5s64) Intel® -- C:\Windows\SysNative\drivers\NETw5s64.sys (Intel Corporation)
DRV:64bit: - (ioatdma2) Intel® -- C:\Windows\SysNative\drivers\qd262x64.sys (Intel Corporation)
DRV:64bit: - (ioatdma1) -- C:\Windows\SysNative\drivers\qd162x64.sys (Intel Corporation)
DRV:64bit: - (ioatdma) Intel® -- C:\Windows\SysNative\drivers\ioatdma.sys (Intel Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ROOTMODEM) -- C:\Windows\SysNative\drivers\rootmdm.sys (Microsoft Corporation)
DRV:64bit: - (rixdpcie) -- C:\Windows\SysNative\drivers\rixdpe64.sys (REDC)
DRV:64bit: - (rimspci) -- C:\Windows\SysNative\drivers\rimspe64.sys (REDC)
DRV:64bit: - (risdpcie) -- C:\Windows\SysNative\drivers\risdpe64.sys (REDC)
DRV:64bit: - (btwaudio) -- C:\Windows\SysNative\drivers\btwaudio.sys (Broadcom Corporation.)
DRV:64bit: - (btwavdt) -- C:\Windows\SysNative\drivers\btwavdt.sys (Broadcom Corporation.)
DRV:64bit: - (btwrchid) -- C:\Windows\SysNative\drivers\btwrchid.sys (Broadcom Corporation.)
DRV:64bit: - (rimmptsk) -- C:\Windows\SysNative\drivers\rimmpx64.sys (REDC)
DRV:64bit: - (rismxdp) -- C:\Windows\SysNative\drivers\rixdpx64.sys (REDC)
DRV:64bit: - (rimsptsk) -- C:\Windows\SysNative\drivers\rimspx64.sys (REDC)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV:64bit: - (btwl2cap) -- C:\Windows\SysNative\drivers\btwl2cap.sys (Broadcom Corporation.)
DRV:64bit: - (FACAP) -- C:\Windows\SysNative\drivers\facap.sys (Sensible Vision )
DRV:64bit: - (IAMTVE) Driver for Intel® -- C:\Windows\SysNative\drivers\IAMTVE.sys (Intel Corporation)
DRV:64bit: - (IAMTXPE) Driver for Intel® -- C:\Windows\SysNative\drivers\IAMTXPE.sys (Intel Corporation)
DRV - (AnyDVD) -- C:\Windows\SysWOW64\drivers\AnyDVD.sys (SlySoft, Inc.)
DRV - ({FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}) -- C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl (CyberLink Corp.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE:64bit: - HKLM\..\SearchScopes\{DC5BAF6E-FF46-416F-BB0C-C72B70A8CF32}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{80CC740C-97EB-425B-ADAA-0B4DF660620E}: "URL" = http://www.bing.com/...rc=IE-SearchBox


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://support.alienware.com [binary data]
IE - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\..\SearchScopes\{35AD596A-5FAD-43E3-8DDE-1EA6BC3740BC}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7GGNI_enUS475
IE - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.2.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}:6.0.25
FF - prefs.js..extensions.enabledItems: [email protected]:7.3.6
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\rockroland\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\rockroland\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Users\rockroland\AppData\Roaming\IDM\idmmzcc5 [2012/03/18 04:35:44 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\SeaMonkey\Extensions\\[email protected]: C:\Users\rockroland\AppData\Roaming\IDM\idmmzcc5 [2012/03/18 04:35:44 | 000,000,000 | ---D | M]

[2010/10/24 00:35:12 | 000,000,000 | ---D | M] (No name found) -- C:\Users\rockroland\AppData\Roaming\Mozilla\Extensions
[2011/09/09 00:57:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\rockroland\AppData\Roaming\Mozilla\Firefox\Profiles\5w15itt1.default\extensions
[2010/10/24 00:41:27 | 000,000,000 | ---D | M] (FlashGot) -- C:\Users\rockroland\AppData\Roaming\Mozilla\Firefox\Profiles\5w15itt1.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010/10/24 00:40:03 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\rockroland\AppData\Roaming\Mozilla\Firefox\Profiles\5w15itt1.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/11/06 01:29:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/04/30 12:20:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
[2012/03/18 04:35:44 | 000,000,000 | ---D | M] (IDM CC) -- C:\USERS\ROCKROLAND\APPDATA\ROAMING\IDM\IDMMZCC5
[2011/04/30 12:19:54 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\rockroland\AppData\Local\Google\Chrome\Application\17.0.963.83\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\rockroland\AppData\Local\Google\Chrome\Application\17.0.963.83\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\rockroland\AppData\Local\Google\Chrome\Application\17.0.963.83\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\rockroland\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\rockroland\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.18_0\
CHR - Extension: Gmail = C:\Users\rockroland\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/03/27 19:59:37 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (IDM integration (IDMIEHlprObj Class)) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll (Internet Download Manager, Tonec Inc.)
O2:64bit: - BHO: (Virtual Storage Mount Notification) - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysNative\CbFsMntNtf3.dll (EldoS Corporation)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2 - BHO: (IDM integration (IDMIEHlprObj Class)) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll (Internet Download Manager, Tonec Inc.)
O2 - BHO: (Virtual Storage Mount Notification) - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3:64bit: - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [AlienFX Controller] C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe (Alienware Corporation)
O4:64bit: - HKLM..\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe ()
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4:64bit: - HKLM..\Run: [pdfFactory3] C:\Windows\SysNative\spool\DRIVERS\x64\3\fppdis3a.exe (FinePrint Software, LLC)
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BDRegion] C:\Program Files (x86)\CyberLink\Shared files\brs.exe (cyberlink)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OSD_LAUNCH] c:\Program Files (x86)\OSD\Launch_OSD.exe (HH)
O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RemoteControl8] C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-850405567-2436268138-2046711074-1000..\Run: [Launch_CC] c:\Program Files\OSD\Launch_CC.exe (Alienware Corporation)
O4 - Startup: C:\Users\rockroland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shortcut_xprint.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm ()
O8:64bit: - Extra context menu item: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm ()
O8:64bit: - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8:64bit: - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm ()
O8 - Extra context menu item: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm ()
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra Button: @c:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra 'Tools' menuitem : @c:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000011 - mmswsock.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O15 - HKU\S-1-5-21-850405567-2436268138-2046711074-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech....Detection32.cab (Device Detection)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://oas.support....veX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://home.apollol...0,2011,1213,303 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} https://home.apollol...,2011,0622,1118 (F5 Networks Auto Update)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.syste...el_4.4.22.0.cab (Reg Error: Key error.)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://home.apollol...0,2011,1125,600 (F5 Networks Host Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{790194D4-987A-47DE-854E-A7B08ED6B566}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C5E7DF15-8DAB-4C2D-9216-A458441BE079}: DhcpNameServer = 192.168.10.1 64.134.255.2 64.134.255.10
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\gopher - No CLSID value found
O18 - Protocol\Handler\ms-help - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\WB: DllName - (C:\Program Files (x86)\Stardock\MyColors\fast64.dll) - File not found
O21:64bit: - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysNative\CbFsMntNtf3.dll (EldoS Corporation)
O21 - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
O22:64bit: - SharedTaskScheduler: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - Virtual Storage Mount Notification - C:\Windows\SysNative\CbFsMntNtf3.dll (EldoS Corporation)
O22 - SharedTaskScheduler: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - Virtual Storage Mount Notification - C:\Windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/09/25 18:19:33 | 000,024,068 | ---- | M] () - C:\AutoInsuranceIdCards.pdf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: sfilter - C:\Windows\SysNative\MobilePreInstallerService.dll (Oak Technology Inc.)
NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/03/28 11:33:13 | 000,000,000 | R--D | C] -- C:\Users\rockroland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 8
[2012/03/28 11:28:30 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Roaming\Malwarebytes
[2012/03/28 11:28:21 | 000,023,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/03/28 11:28:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/28 11:28:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/03/28 11:28:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/03/27 22:11:19 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/03/27 21:57:13 | 000,000,000 | ---D | C] -- C:\regback
[2012/03/27 19:59:38 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012/03/27 19:58:28 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/03/27 19:57:03 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/03/27 19:36:53 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Local\temp
[2012/03/27 19:34:32 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/03/27 19:34:32 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/03/27 19:34:32 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/03/27 19:31:42 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/27 19:30:03 | 004,443,082 | R--- | C] (Swearware) -- C:\Users\rockroland\Desktop\ComboFix.exe
[2012/03/27 18:45:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2012/03/25 23:52:52 | 000,000,000 | ---D | C] -- C:\userback
[2012/03/25 13:06:37 | 000,000,000 | ---D | C] -- C:\Users\rockroland\Desktop\RK_Quarantine
[2012/03/25 10:03:28 | 000,000,000 | ---D | C] -- C:\AVG
[2012/03/25 05:41:01 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2012/03/25 05:36:45 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2012/03/25 05:31:39 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/03/25 01:22:27 | 000,000,000 | ---D | C] -- C:\Windows\system64
[2012/03/24 19:06:24 | 000,000,000 | ---D | C] -- C:\flight
[2012/03/24 19:01:23 | 000,000,000 | ---D | C] -- C:\Billboard
[2012/03/23 16:55:45 | 000,000,000 | ---D | C] -- C:\MyDisc
[2012/03/23 15:56:03 | 000,000,000 | ---D | C] -- C:\Users\rockroland\Kaufman, Izabella
[2012/03/23 15:55:19 | 000,000,000 | ---D | C] -- C:\Users\rockroland\Batch 6
[2012/03/23 11:28:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logitech
[2012/03/23 11:28:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\LogiShrd
[2012/03/22 10:08:34 | 000,000,000 | ---D | C] -- C:\Users\rockroland\RR
[2012/03/21 01:08:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2012/03/21 01:08:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype
[2012/03/19 19:59:58 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Surveillance Pro v6.8
[2012/03/19 19:59:22 | 000,224,256 | ---- | C] (GPS) -- C:\Windows\svcreng.dll
[2012/03/19 19:59:20 | 000,590,848 | ---- | C] (GP Systems Integration) -- C:\Windows\utimcache.exe
[2012/03/19 19:59:20 | 000,420,352 | ---- | C] (GP Systems Integration) -- C:\Windows\stidraw32.exe
[2012/03/19 19:59:19 | 000,646,144 | ---- | C] (GP Systems Integration) -- C:\Windows\sysnadr64.exe
[2012/03/19 19:59:17 | 003,338,752 | ---- | C] (GP Systems Integration) -- C:\Windows\diskediag.exe
[2012/03/19 11:01:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
[2012/03/19 11:01:02 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2012/03/16 07:08:36 | 000,149,640 | ---- | C] (Tonec Inc.) -- C:\Windows\SysNative\drivers\idmwfp.sys
[2012/03/12 15:49:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinDirStat
[2012/03/12 13:33:08 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Roaming\Google
[2012/03/12 13:32:30 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/03/12 13:32:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2012/03/12 13:32:11 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Local\Google
[2012/03/12 13:32:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
[2012/03/10 19:39:08 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Local\Pleasant_Solutions
[2012/03/10 19:21:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BlackBerry
[2012/03/10 19:21:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Research In Motion
[2012/03/10 19:21:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Research In Motion
[2012/03/10 19:16:41 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Local\Programs
[2012/03/10 19:16:41 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Berry Extract
[2012/03/07 17:03:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/03/07 17:03:08 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/03/07 17:01:28 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2012/03/07 17:01:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Bonjour
[2012/03/05 23:09:13 | 000,000,000 | ---D | C] -- C:\Users\rockroland\Documents\My Kindle Content
[2012/03/05 23:08:51 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon
[2012/03/05 23:08:51 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Local\Amazon
[2012/03/05 23:08:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Amazon
[2012/02/29 13:13:45 | 000,000,000 | ---D | C] -- C:\ProgramData\AOL Downloads
[2012/02/28 06:35:02 | 000,000,000 | ---D | C] -- C:\Users\rockroland\AppData\Roaming\Media Player Classic
[1 C:\Users\rockroland\*.tmp files -> C:\Users\rockroland\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/28 11:36:01 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-850405567-2436268138-2046711074-1000UA.job
[2012/03/28 11:33:11 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/28 11:33:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/28 11:33:02 | 2138,427,391 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/28 11:28:22 | 000,001,111 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/28 11:26:07 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/28 09:24:22 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-850405567-2436268138-2046711074-1000Core.job
[2012/03/28 04:33:32 | 073,771,189 | ---- | M] () -- C:\Users\rockroland\Documents\Untitled (2).wma
[2012/03/28 02:29:50 | 000,193,559 | ---- | M] () -- C:\Users\rockroland\Documents\Untitled.wma
[2012/03/28 01:56:17 | 000,017,931 | ---- | M] () -- C:\Users\rockroland\Desktop\View Ticket.pdf
[2012/03/28 01:53:00 | 000,233,537 | ---- | M] () -- C:\Users\rockroland\Desktop\DEACTIVATION.pdf
[2012/03/28 01:05:44 | 000,003,609 | ---- | M] () -- C:\Windows\memgprep.dll
[2012/03/28 00:58:33 | 000,019,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/28 00:58:33 | 000,019,728 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/27 21:22:39 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\drivers\lvuvc.hs
[2012/03/27 20:10:49 | 000,730,320 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/03/27 20:10:49 | 000,627,082 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/03/27 20:10:49 | 000,107,366 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/03/27 19:59:37 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/03/27 19:37:57 | 000,004,150 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2012/03/25 13:16:56 | 004,443,082 | R--- | M] (Swearware) -- C:\Users\rockroland\Desktop\ComboFix.exe
[2012/03/25 05:34:13 | 005,154,304 | ---- | M] () -- C:\Users\rockroland\WindowsDefender.msi
[2012/03/25 05:31:45 | 000,002,342 | ---- | M] () -- C:\Users\rockroland\Desktop\Google Chrome.lnk
[2012/03/25 04:37:23 | 552,870,912 | ---- | M] () -- C:\klucens.pst
[2012/03/25 01:40:10 | 000,001,183 | ---- | M] () -- C:\inlvCK.cpj
[2012/03/25 01:20:45 | 000,000,064 | ---- | M] () -- C:\Windows\SysWow64\rp_stats.dat
[2012/03/25 01:20:45 | 000,000,044 | ---- | M] () -- C:\Windows\SysWow64\rp_rules.dat
[2012/03/23 22:18:30 | 000,006,139 | ---- | M] () -- C:\amexrecent.csv
[2012/03/23 22:18:30 | 000,001,463 | ---- | M] () -- C:\Activity.CSV
[2012/03/23 22:18:30 | 000,000,415 | ---- | M] () -- C:\Acaativity.CSV
[2012/03/23 16:44:30 | 000,016,532 | ---- | M] () -- C:\2011-calendar-green-gray.gif
[2012/03/23 16:37:28 | 000,016,544 | ---- | M] () -- C:\2012-calendar-green-gray.gif
[2012/03/23 15:45:38 | 000,002,830 | ---- | M] () -- C:\itunes.csv
[2012/03/23 11:28:24 | 000,002,085 | ---- | M] () -- C:\Users\Public\Desktop\Logitech Webcam Software.lnk
[2012/03/23 09:52:31 | 011,249,006 | ---- | M] () -- C:\Rocky and Kate Roland - Refinance Application - 524 Vernon Glencoe, IL -.tif
[2012/03/23 09:49:58 | 000,315,772 | ---- | M] () -- C:\2012-2013-calendar.jpg
[2012/03/22 01:42:13 | 001,088,600 | ---- | M] () -- C:\Rocky and Kate Roland - Refinance Application - 524 Vernon Glencoe, IL 2012-03-22.pdf
[2012/03/21 01:08:19 | 000,002,515 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/03/19 22:06:19 | 000,000,304 | ---- | M] () -- C:\Windows\km32hlpr.dll
[2012/03/19 22:06:19 | 000,000,000 | ---- | M] () -- C:\Windows\wnsperf32.dll
[2012/03/19 22:06:19 | 000,000,000 | ---- | M] () -- C:\Windows\stdensrv.dll
[2012/03/19 22:06:19 | 000,000,000 | ---- | M] () -- C:\Windows\javexisb.dll
[2012/03/19 22:06:19 | 000,000,000 | ---- | M] () -- C:\Windows\javexisa.dll
[2012/03/19 22:06:19 | 000,000,000 | ---- | M] () -- C:\Windows\cr2gui32.dll
[2012/03/18 04:40:24 | 000,000,000 | ---- | M] () -- C:\secretxes.7z
[2012/03/16 17:22:36 | 000,000,000 | ---- | M] () -- C:\devynlover_2.7z
[2012/03/16 17:22:02 | 062,304,870 | ---- | M] () -- C:\msn_vids1.7z
[2012/03/16 17:21:08 | 000,000,000 | ---- | M] () -- C:\msn_vids2.7z
[2012/03/16 17:20:20 | 000,000,000 | ---- | M] () -- C:\devynlover.7z
[2012/03/16 11:50:53 | 000,184,924 | -H-- | M] () -- C:\Windows\SysWow64\mlfcache.dat
[2012/03/15 21:19:39 | 000,360,205 | ---- | M] () -- C:\yep.JPG
[2012/03/15 21:19:28 | 000,374,133 | ---- | M] () -- C:\no no.JPG
[2012/03/15 13:28:40 | 000,695,957 | ---- | M] () -- C:\Unclaimed Property Form.pdf
[2012/03/15 11:35:52 | 000,119,274 | ---- | M] () -- C:\Users\rockroland\Desktop\Memo Style.pdf
[2012/03/15 11:27:44 | 000,128,664 | ---- | M] () -- C:\Users\rockroland\Desktop\www.amazon.com_gp_orc_returns_labels_load.pdf
[2012/03/14 17:44:29 | 000,410,768 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/03/12 15:49:56 | 000,001,033 | ---- | M] () -- C:\Users\rockroland\Desktop\WinDirStat.lnk
[2012/03/10 19:24:22 | 000,016,896 | ---- | M] () -- C:\Users\rockroland\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/10 19:21:49 | 000,002,233 | ---- | M] () -- C:\Users\Public\Desktop\BlackBerry Desktop Software.lnk
[2012/03/10 19:16:42 | 000,001,477 | ---- | M] () -- C:\Users\rockroland\Desktop\Berry Extract.lnk
[2012/03/10 15:18:06 | 000,359,788 | ---- | M] () -- C:\IMG00114-20120310-1418.jpg
[2012/03/10 15:17:50 | 000,296,848 | ---- | M] () -- C:\IMG00113-20120310-1417.jpg
[2012/03/10 15:17:12 | 000,380,950 | ---- | M] () -- C:\IMG00111-20120310-1417.jpg
[2012/03/10 15:15:16 | 000,400,851 | ---- | M] () -- C:\IMG00110-20120310-1415.jpg
[2012/03/10 15:15:04 | 000,420,802 | ---- | M] () -- C:\IMG00109-20120310-1415.jpg
[2012/03/10 15:14:34 | 000,121,838 | ---- | M] () -- C:\IMG00108-20120310-1414.jpg
[2012/03/10 15:14:24 | 000,272,828 | ---- | M] () -- C:\IMG00107-20120310-1414.jpg
[2012/03/10 15:14:08 | 008,164,239 | ---- | M] () -- C:\Goose 66 Vette.wmv
[2012/03/10 15:14:08 | 006,554,025 | ---- | M] () -- C:\Goose 66 Vette.3GP
[2012/03/10 14:57:04 | 003,959,410 | ---- | M] () -- C:\Goose Volo James Dean.3GP
[2012/03/10 14:54:00 | 005,586,650 | ---- | M] () -- C:\Goose at Volo Fins.3GP
[2012/03/10 14:49:54 | 003,516,848 | ---- | M] () -- C:\Goose at Volo.3GP
[2012/03/10 14:47:44 | 000,815,459 | ---- | M] () -- C:\Volo.3GP
[2012/03/07 17:03:40 | 000,001,755 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/03/06 23:10:24 | 000,177,787 | ---- | M] () -- C:\IMG00104-20120306-2210.jpg
[2012/03/06 23:09:46 | 000,181,922 | ---- | M] () -- C:\IMG00103-20120306-2209.jpg
[2012/03/06 23:08:56 | 000,230,421 | ---- | M] () -- C:\IMG00102-20120306-2208.jpg
[2012/03/06 23:07:12 | 000,508,423 | ---- | M] () -- C:\IMG00101-20120306-2207.jpg
[2012/03/06 23:06:38 | 000,563,666 | ---- | M] () -- C:\IMG00100-20120306-2206.jpg
[2012/03/06 06:53:07 | 000,001,431 | ---- | M] () -- C:\Windows\SplitCam.INI
[2012/03/05 23:08:57 | 000,001,996 | ---- | M] () -- C:\Users\rockroland\Desktop\Kindle.lnk
[2012/03/04 04:32:02 | 000,089,501 | ---- | M] () -- C:\Users\rockroland\Desktop\pdf_en_us_repairform.pdf
[2012/02/29 13:13:45 | 000,000,335 | ---- | M] () -- C:\Windows\nsreg.dat
[1 C:\Users\rockroland\*.tmp files -> C:\Users\rockroland\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/28 11:28:22 | 000,001,111 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/28 04:33:32 | 073,771,189 | ---- | C] () -- C:\Users\rockroland\Documents\Untitled (2).wma
[2012/03/28 02:29:50 | 000,193,559 | ---- | C] () -- C:\Users\rockroland\Documents\Untitled.wma
[2012/03/28 01:51:58 | 000,233,537 | ---- | C] () -- C:\Users\rockroland\Desktop\DEACTIVATION.pdf
[2012/03/28 01:51:36 | 000,017,931 | ---- | C] () -- C:\Users\rockroland\Desktop\View Ticket.pdf
[2012/03/27 19:34:32 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/03/27 19:34:32 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/03/27 19:34:32 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/03/27 19:34:32 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/03/27 19:34:32 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/03/25 05:34:33 | 005,154,304 | ---- | C] () -- C:\Users\rockroland\WindowsDefender.msi
[2012/03/25 05:31:45 | 000,002,342 | ---- | C] () -- C:\Users\rockroland\Desktop\Google Chrome.lnk
[2012/03/25 05:31:12 | 000,000,928 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-850405567-2436268138-2046711074-1000UA.job
[2012/03/25 05:31:12 | 000,000,876 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-850405567-2436268138-2046711074-1000Core.job
[2012/03/25 01:40:10 | 000,001,183 | ---- | C] () -- C:\inlvCK.cpj
[2012/03/24 19:02:29 | 000,015,452 | R--- | C] () -- C:\Rocky and Ankur.jpg
[2012/03/23 16:44:33 | 000,016,532 | ---- | C] () -- C:\2011-calendar-green-gray.gif
[2012/03/23 16:37:33 | 000,016,544 | ---- | C] () -- C:\2012-calendar-green-gray.gif
[2012/03/23 16:22:03 | 000,000,415 | ---- | C] () -- C:\Acaativity.CSV
[2012/03/23 16:21:50 | 000,001,463 | ---- | C] () -- C:\Activity.CSV
[2012/03/23 16:17:27 | 000,006,139 | ---- | C] () -- C:\amexrecent.csv
[2012/03/23 15:45:15 | 000,002,830 | ---- | C] () -- C:\itunes.csv
[2012/03/23 11:28:24 | 000,002,085 | ---- | C] () -- C:\Users\Public\Desktop\Logitech Webcam Software.lnk
[2012/03/23 09:50:44 | 000,315,772 | ---- | C] () -- C:\2012-2013-calendar.jpg
[2012/03/22 01:42:13 | 001,088,600 | ---- | C] () -- C:\Rocky and Kate Roland - Refinance Application - 524 Vernon Glencoe, IL 2012-03-22.pdf
[2012/03/22 01:39:00 | 011,249,006 | ---- | C] () -- C:\Rocky and Kate Roland - Refinance Application - 524 Vernon Glencoe, IL -.tif
[2012/03/19 19:59:58 | 000,035,027 | ---- | C] () -- C:\Windows\prfsmgr.chm
[2012/03/19 19:59:29 | 000,006,718 | ---- | C] () -- C:\Users\rockroland\Desktop\SystemSrvPro.htm
[2012/03/19 19:59:22 | 010,989,568 | ---- | C] ( ) -- C:\Windows\sspro.exe
[2012/03/19 19:59:17 | 000,003,609 | ---- | C] () -- C:\Windows\memgprep.dll
[2012/03/19 19:59:17 | 000,000,304 | ---- | C] () -- C:\Windows\km32hlpr.dll
[2012/03/19 19:59:17 | 000,000,000 | ---- | C] () -- C:\Windows\wnsperf32.dll
[2012/03/19 19:59:17 | 000,000,000 | ---- | C] () -- C:\Windows\stdensrv.dll
[2012/03/19 19:59:17 | 000,000,000 | ---- | C] () -- C:\Windows\javexisb.dll
[2012/03/19 19:59:17 | 000,000,000 | ---- | C] () -- C:\Windows\javexisa.dll
[2012/03/19 19:59:17 | 000,000,000 | ---- | C] () -- C:\Windows\cr2gui32.dll
[2012/03/19 11:01:34 | 028,136,960 | ---- | C] () -- C:\cassie41msn.avi
[2012/03/18 04:40:24 | 000,000,000 | ---- | C] () -- C:\secretxes.7z
[2012/03/16 17:22:36 | 000,000,000 | ---- | C] () -- C:\devynlover_2.7z
[2012/03/16 17:21:29 | 062,304,870 | ---- | C] () -- C:\msn_vids1.7z
[2012/03/16 17:21:08 | 000,000,000 | ---- | C] () -- C:\msn_vids2.7z
[2012/03/16 17:20:20 | 000,000,000 | ---- | C] () -- C:\devynlover.7z
[2012/03/15 13:28:40 | 000,695,957 | ---- | C] () -- C:\Unclaimed Property Form.pdf
[2012/03/15 11:35:52 | 000,119,274 | ---- | C] () -- C:\Users\rockroland\Desktop\Memo Style.pdf
[2012/03/15 11:27:44 | 000,128,664 | ---- | C] () -- C:\Users\rockroland\Desktop\www.amazon.com_gp_orc_returns_labels_load.pdf
[2012/03/12 15:49:56 | 000,001,033 | ---- | C] () -- C:\Users\rockroland\Desktop\WinDirStat.lnk
[2012/03/12 13:32:13 | 000,000,906 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/12 13:32:13 | 000,000,902 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/10 19:46:55 | 000,164,864 | -H-- | C] () -- C:\3475732849_10.qcp
[2012/03/10 19:46:55 | 000,027,648 | ---- | C] () -- C:\3475732849_7.qcp
[2012/03/10 19:46:54 | 000,027,648 | ---- | C] () -- C:\3475732849_5.qcp
[2012/03/10 19:46:54 | 000,024,576 | ---- | C] () -- C:\3475732849_6.qcp
[2012/03/10 19:21:49 | 000,002,233 | ---- | C] () -- C:\Users\Public\Desktop\BlackBerry Desktop Software.lnk
[2012/03/10 19:16:42 | 000,001,477 | ---- | C] () -- C:\Users\rockroland\Desktop\Berry Extract.lnk
[2012/03/10 15:18:06 | 000,359,788 | ---- | C] () -- C:\IMG00114-20120310-1418.jpg
[2012/03/10 15:17:50 | 000,296,848 | ---- | C] () -- C:\IMG00113-20120310-1417.jpg
[2012/03/10 15:17:10 | 000,380,950 | ---- | C] () -- C:\IMG00111-20120310-1417.jpg
[2012/03/10 15:15:14 | 000,400,851 | ---- | C] () -- C:\IMG00110-20120310-1415.jpg
[2012/03/10 15:15:04 | 000,420,802 | ---- | C] () -- C:\IMG00109-20120310-1415.jpg
[2012/03/10 15:14:34 | 000,121,838 | ---- | C] () -- C:\IMG00108-20120310-1414.jpg
[2012/03/10 15:14:24 | 000,272,828 | ---- | C] () -- C:\IMG00107-20120310-1414.jpg
[2012/03/10 15:12:50 | 008,164,239 | ---- | C] () -- C:\Goose 66 Vette.wmv
[2012/03/10 15:12:50 | 006,554,025 | ---- | C] () -- C:\Goose 66 Vette.3GP
[2012/03/10 14:55:52 | 003,959,410 | ---- | C] () -- C:\Goose Volo James Dean.3GP
[2012/03/10 14:52:36 | 005,586,650 | ---- | C] () -- C:\Goose at Volo Fins.3GP
[2012/03/10 14:48:46 | 003,516,848 | ---- | C] () -- C:\Goose at Volo.3GP
[2012/03/10 14:46:58 | 000,815,459 | ---- | C] () -- C:\Volo.3GP
[2012/03/07 17:03:40 | 000,001,755 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/03/06 23:10:24 | 000,177,787 | ---- | C] () -- C:\IMG00104-20120306-2210.jpg
[2012/03/06 23:09:44 | 000,181,922 | ---- | C] () -- C:\IMG00103-20120306-2209.jpg
[2012/03/06 23:08:54 | 000,230,421 | ---- | C] () -- C:\IMG00102-20120306-2208.jpg
[2012/03/06 23:07:12 | 000,508,423 | ---- | C] () -- C:\IMG00101-20120306-2207.jpg
[2012/03/06 23:06:36 | 000,563,666 | ---- | C] () -- C:\IMG00100-20120306-2206.jpg
[2012/03/05 23:08:57 | 000,001,996 | ---- | C] () -- C:\Users\rockroland\Desktop\Kindle.lnk
[2012/02/29 14:39:46 | 552,870,912 | ---- | C] () -- C:\klucens.pst
[2012/02/09 00:32:56 | 000,001,431 | ---- | C] () -- C:\Windows\SplitCam.INI
[2012/02/08 03:56:55 | 000,650,752 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2012/02/08 03:56:55 | 000,243,200 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2012/02/08 03:56:53 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2012/02/01 05:30:53 | 000,016,896 | ---- | C] () -- C:\Users\rockroland\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/26 05:51:20 | 000,000,027 | ---- | C] () -- C:\Windows\msrresmap.dll
[2012/01/21 10:56:56 | 000,000,000 | ---- | C] () -- C:\Windows\f5unistall.INI
[2012/01/15 05:26:21 | 000,000,600 | ---- | C] () -- C:\Users\rockroland\AppData\Local\PUTTY.RND
[2011/10/30 16:42:14 | 000,000,151 | ---- | C] () -- C:\Users\rockroland\AppData\Roaming\burnaware.ini
[2011/08/17 11:14:25 | 000,013,898 | ---- | C] () -- C:\Windows\hpomdl19.dat.temp
[2011/08/03 19:31:35 | 000,129,024 | ---- | C] () -- C:\Windows\SysWow64\AVERM.dll
[2011/08/03 19:31:35 | 000,028,672 | ---- | C] () -- C:\Windows\SysWow64\AVEQT.dll
[2011/04/26 12:26:20 | 000,000,064 | ---- | C] () -- C:\Windows\SysWow64\rp_stats.dat
[2011/04/26 12:26:20 | 000,000,044 | ---- | C] () -- C:\Windows\SysWow64\rp_rules.dat
[2011/03/26 01:21:30 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
[2011/01/17 13:53:24 | 000,184,924 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2010/11/24 02:36:56 | 000,000,074 | ---- | C] () -- C:\Windows\MPLAYER.INI
[2010/10/24 00:35:05 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/10/13 17:48:09 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2010/10/09 17:27:50 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\Iyvu9_32.dll
[2010/10/07 15:54:25 | 000,000,466 | ---- | C] () -- C:\Windows\apdfpr.ini
[2010/08/25 23:53:16 | 000,000,173 | -HS- | C] () -- C:\ProgramData\.zreglib
[2010/08/24 15:55:43 | 000,000,116 | ---- | C] () -- C:\Windows\ConverterCore.INI
[2010/08/11 13:15:27 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2010/08/10 18:45:51 | 000,004,150 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/08/10 01:22:32 | 000,007,598 | ---- | C] () -- C:\Users\rockroland\AppData\Local\Resmon.ResmonCfg
[2010/07/18 15:15:22 | 000,001,035 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2010/07/18 14:29:16 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010/05/21 14:38:00 | 000,097,584 | ---- | C] () -- C:\Windows\SysWow64\CCBiosSupportAPI.dll

========== LOP Check ==========

[2011/09/09 19:28:02 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\BDREBUILDER
[2012/03/25 01:44:02 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\DMCache
[2012/01/26 15:39:18 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\ExpanDrive
[2010/08/11 10:58:08 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\FileOpen
[2012/03/28 02:34:37 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\FileZilla
[2011/04/24 14:29:08 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\GetRightToGo
[2012/03/18 04:35:39 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\IDM
[2012/01/31 20:25:16 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\IMCapture for Skype
[2011/01/11 21:02:35 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\Internet Chess Club
[2012/02/18 18:54:51 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\Jason Robitaille
[2011/10/23 20:24:54 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\Leadertech
[2010/09/11 19:58:28 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\Passware
[2012/02/09 18:55:09 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\Research In Motion
[2010/08/28 16:57:00 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\SlySoft
[2012/03/28 02:06:25 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\SolidDocuments
[2010/12/11 15:42:32 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\SoundSpectrum
[2011/08/01 15:05:20 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\uTorrent
[2010/09/18 14:03:10 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\YCanPDF
[2012/03/06 01:39:57 | 000,000,000 | ---D | M] -- C:\Users\rockroland\AppData\Roaming\YouSendIt
[2012/03/03 01:57:25 | 000,032,536 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: CONSRV.DLL >
[2009/07/13 21:39:46 | 000,051,712 | ---- | M] () MD5=CEF08BD499D029B6E685850CAC86F749 -- C:\Windows\SysNative\consrv.dll
[2009/07/13 21:39:46 | 000,051,712 | ---- | M] () MD5=CEF08BD499D029B6E685850CAC86F749 -- C:\Windows\system64\consrv.dll


< MD5 for: EXPLORER.EXE >
[2010/07/18 15:18:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=00B0358734CAA32C39D181FE6916B178 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20542_none_b8b0208ee0ce1889\explorer.exe
[2011/02/26 02:23:14 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=0862495E0C825893DB75EF44FAEA8E93 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_adc24107935a7e25\explorer.exe
[2011/02/26 01:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2009/07/13 21:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe
[2011/02/26 01:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_b8ce9756e0b786a4\explorer.exe
[2010/07/18 15:19:04 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_b819b343c7ba6202\explorer.exe
[2011/02/26 01:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_b816eb59c7bb4020\explorer.exe
[2011/02/25 02:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\ERDNT\cache86\explorer.exe
[2011/02/25 02:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\explorer.exe
[2011/02/25 02:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2011/02/26 02:14:34 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=3B69712041F3D63605529BD66DC00C48 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2010/07/18 15:18:50 | 002,868,736 | ---- | M] (Microsoft Corporation) MD5=6D4F9E4B640B413C6F73414327484C80 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16434_none_addea9f19345cd81\explorer.exe
[2010/07/18 15:18:55 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=700073016DAC1C3D2E7E2CE4223334B6 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\SysWOW64\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2010/07/18 15:19:04 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=9AAAEC8DAC27AA17B053E6352AD233AE -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
[2010/07/18 15:18:55 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_b8d95faae0af7617\explorer.exe
[2010/11/20 09:24:45 | 002,872,320 | ---- | M] (Microsoft Corporation) MD5=AC4C51EB24AA95B77F705AB159189E24 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
[2010/07/18 15:19:04 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=B8EC4BD49CE8F6FC457721BFC210B67F -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
[2010/07/18 15:18:55 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_b853c407c78e3ba9\explorer.exe
[2009/07/13 21:39:10 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=C235A51CB740E45FFA0EBFB9BAFCDA64 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
[2010/07/18 15:19:04 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_b89b8100e0dd69c2\explorer.exe
[2010/07/18 15:18:50 | 002,868,736 | ---- | M] (Microsoft Corporation) MD5=CA17F8620815267DC838E30B68CB5052 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20542_none_ae5b763cac6d568e\explorer.exe
[2011/02/26 02:26:45 | 002,870,784 | ---- | M] (Microsoft Corporation) MD5=E38899074D4951D31B4040E994DD7C8D -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_ae79ed04ac56c4a9\explorer.exe
[2010/07/18 15:18:55 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=F170B4A061C9E026437B193B4D571799 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe
[2010/07/18 15:18:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=FC89FACA0473641CB625EDA9277D0885 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16434_none_b8335443c7a68f7c\explorer.exe

< MD5 for: SVCHOST.EXE >
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\ERDNT\cache86\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\SysWOW64\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2009/07/13 21:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\ERDNT\cache64\svchost.exe
[2009/07/13 21:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\SysNative\svchost.exe
[2009/07/13 21:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\system64\svchost.exe
[2009/07/13 21:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe

< MD5 for: USERINIT.EXE >
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\ERDNT\cache86\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\SysWOW64\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009/07/13 21:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
[2009/07/13 21:39:48 | 000,030,208 | ---- | M] (Microsoft Corporation) MD5=6F8F1376A13114CC10C0E69274F5A4DE -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_381dabbceb60feb2\userinit.exe
[2010/11/20 09:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\ERDNT\cache64\userinit.exe
[2010/11/20 09:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\SysNative\userinit.exe
[2010/11/20 09:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\system64\userinit.exe
[2010/11/20 09:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_3a4ebf84e84f824c\userinit.exe

< MD5 for: WINLOGON.EXE >
[2010/11/20 09:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\ERDNT\cache64\winlogon.exe
[2010/11/20 09:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\SysNative\winlogon.exe
[2010/11/20 09:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\system64\winlogon.exe
[2010/11/20 09:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
[2009/07/13 21:39:52 | 000,389,120 | ---- | M] (Microsoft Corporation) MD5=132328DF455B0028F13BF0ABEE51A63A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2010/07/18 15:19:04 | 000,389,632 | ---- | M] (Microsoft Corporation) MD5=A93D41A4D4B0D91C072D11DD8AF266DE -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_cc522fd507b468f8\winlogon.exe
[2010/07/18 15:19:04 | 000,389,632 | ---- | M] (Microsoft Corporation) MD5=DA3E2A6FA9660CC75B471530CE88453A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad\winlogon.exe

< C:\Windows\assembly\tmp\U\*.* /s >

< %Temp%\smtmp\1\*.* >

< %Temp%\smtmp\2\*.* >

< %Temp%\smtmp\3\*.* >

< %Temp%\smtmp\4\*.* >

< type c:\diskreport.txt /c >
Microsoft DiskPart version 6.1.7601
Copyright © 1999-2008 Microsoft Corporation.
On computer: ALIENWARE
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     E                       DVD-ROM         0 B  No Media
  Volume 1         RECOVERY     NTFS   Partition      8 GB  Healthy    System
  Volume 2     C   OS           NTFS   Partition    229 GB  Healthy    Boot
  Volume 3     D   DATAPART1    NTFS   Partition    238 GB  Healthy

< >

< End of report >

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-28 11:50:16
-----------------------------
11:50:16.072 OS Version: Windows x64 6.1.7601 Service Pack 1
11:50:16.072 Number of processors: 8 586 0x1E05
11:50:16.072 ComputerName: ALIENWARE UserName:
11:50:16.634 Initialize success
11:51:00.938 AVAST engine defs: 12032801
11:51:05.571 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
11:51:05.571 Disk 0 Vendor: SAMSUNG_ VBM2 Size: 244198MB BusType: 3
11:51:05.571 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
11:51:05.571 Disk 1 Vendor: SAMSUNG_ VBM2 Size: 244198MB BusType: 3
11:51:05.571 Disk 0 MBR read successfully
11:51:05.587 Disk 0 MBR scan
11:51:05.587 Disk 0 Windows 7 default MBR code
11:51:05.587 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 101 MB offset 63
11:51:05.587 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 9118 MB offset 208896
11:51:05.602 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 234977 MB offset 18882560
11:51:05.602 Disk 0 scanning C:\Windows\system32\drivers
11:51:11.983 Service scanning
11:51:20.251 Service sfilter C:\Windows\system32\MobilePreInstallerService.dll **INFECTED** Win64:ZAccess-E [Rtk]
11:51:22.591 Modules scanning
11:51:22.591 Disk 0 trace - called modules:
11:51:22.591 ntoskrnl.exe CLASSPNP.SYS disk.sys stdflt.sys iaStor.sys hal.dll
11:51:22.606 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007cb5790]
11:51:22.606 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa8007bbace0]
11:51:22.606 5 stdflt.sys[fffff88001b65a4a] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007a40050]
11:51:31.530 AVAST engine scan C:\Windows
11:51:32.762 AVAST engine scan C:\Windows\system32
11:51:36.178 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
11:51:36.241 File: C:\Windows\system32\crauto.dll **INFECTED** Win64:ZAccess-E [Rtk]
11:51:44.525 File: C:\Windows\system32\lxrjd31s.dll **INFECTED** Win64:ZAccess-E [Rtk]
11:51:45.461 File: C:\Windows\system32\MobilePreInstallerService.dll **INFECTED** Win64:ZAccess-E [Rtk]
11:52:04.867 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
11:52:05.351 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]

11:52:28.579 AVAST engine scan C:\Windows\system32\drivers
11:52:31.933 AVAST engine scan C:\Users\rockroland
11:52:34.928 File: C:\Users\rockroland\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe **INFECTED** Win32:Malware-gen
11:52:34.959 File: C:\Users\rockroland\AppData\Local\Google\Update\1.3.21.111\GoogleUpdate.exe **INFECTED** Win32:Trojan-gen
11:52:35.365 File: C:\Users\rockroland\AppData\Local\Google\Update\GoogleUpdate.exe **INFECTED** Win32:Trojan-gen

11:52:55.520 AVAST engine scan C:\ProgramData
11:53:04.709 Scan finished successfully
11:53:23.881 Disk 0 MBR has been saved successfully to "C:\Installs\VirusTools\MBR.dat"
11:53:23.897 The log file has been saved successfully to "C:\Installs\VirusTools\aswMBR.txt"

Attached Files



#2
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Run aswMBR again (with Avast engine) and when done, press the Fix button if it is lit.

Then run it again and post the log. Also run Combofix again and post its log. Then run OTL, Quickscan,

Ron

#3
Dark_Matter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thanks for getting back to me. I had some help in the avast forum and felt I was getting to the completion point and then did what you said above. The first run of aswMBR gave me this:

11:51:36.178 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
11:51:36.241 File: C:\Windows\system32\crauto.dll **INFECTED** Win64:ZAccess-E [Rtk]
11:51:44.525 File: C:\Windows\system32\lxrjd31s.dll **INFECTED** Win64:ZAccess-E [Rtk]
11:51:45.461 File: C:\Windows\system32\MobilePreInstallerService.dll **INFECTED** Win64:ZAccess-E [Rtk]
11:52:04.867 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
11:52:05.351 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]

I cleaned that and ran again (logs attached) and it looks ok.
I ran ComboFix and OTL and the Kaspersky Virus Removal Tool. All looked good (attached).

I am going to restore security center and enable defender and adaware for now. Thanks for your help!

ComboFix 12-03-28.02 - rockroland 03/28/2012 19:19:00.6.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8180.6228 [GMT -4:00]
Running from: c:\installs\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))
.
.
2012-03-28 23:22 . 2012-03-28 23:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-28 23:22 . 2012-03-28 23:22 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-03-28 23:03 . 2012-03-28 23:03 65536 ---hatw- C:\~klucens.pst.tmp
2012-03-28 15:28 . 2012-03-28 15:28 -------- d-----w- c:\users\rockroland\AppData\Roaming\Malwarebytes
2012-03-28 15:28 . 2012-03-28 15:28 -------- d-----w- c:\programdata\Malwarebytes
2012-03-28 01:57 . 2012-03-28 01:57 -------- d-----w- C:\regback
2012-03-27 23:36 . 2012-03-28 23:22 -------- d-----w- c:\users\rockroland\AppData\Local\temp
2012-03-27 22:45 . 2012-03-27 22:45 -------- d-----w- c:\programdata\Kaspersky Lab
2012-03-26 03:52 . 2012-03-26 03:52 -------- d-----w- C:\userback
2012-03-25 14:03 . 2012-03-25 14:03 -------- d-----w- C:\AVG
2012-03-25 09:41 . 2012-03-25 09:41 -------- d--h--w- c:\programdata\Common Files
2012-03-25 09:36 . 2012-03-25 17:23 -------- d-----w- c:\programdata\MFAData
2012-03-25 09:34 . 2012-03-25 09:34 5154304 ----a-w- c:\users\rockroland\WindowsDefender.msi
2012-03-24 23:06 . 2012-03-24 23:08 -------- d-----w- C:\flight
2012-03-24 23:01 . 2012-03-24 23:03 -------- d-----w- C:\Billboard
2012-03-23 20:55 . 2012-03-23 20:55 -------- d-----w- C:\MyDisc
2012-03-23 19:56 . 2012-03-23 19:57 -------- d-----w- c:\users\rockroland\Kaufman, Izabella
2012-03-23 19:55 . 2012-03-23 19:55 -------- d-----w- c:\users\rockroland\Batch 6
2012-03-23 15:28 . 2012-03-23 15:28 -------- d-----w- c:\program files (x86)\Common Files\LogiShrd
2012-03-23 11:43 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{205E47FA-825F-435C-BCD4-30A3F64B0B80}\mpengine.dll
2012-03-22 14:08 . 2012-03-22 14:09 -------- d-----w- c:\users\rockroland\RR
2012-03-21 05:08 . 2012-03-21 05:08 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-03-19 23:59 . 2012-01-24 23:18 10989568 ----a-w- c:\windows\sspro.exe
2012-03-19 23:59 . 2011-06-21 10:00 224256 ----a-w- c:\windows\svcreng.dll
2012-03-19 23:59 . 2012-01-13 14:06 590848 ----a-w- c:\windows\utimcache.exe
2012-03-19 23:59 . 2012-01-13 13:38 420352 ----a-w- c:\windows\stidraw32.exe
2012-03-19 23:59 . 2012-01-13 14:00 646144 ----a-w- c:\windows\sysnadr64.exe
2012-03-19 23:59 . 2012-03-28 05:05 3609 ----a-w- c:\windows\memgprep.dll
2012-03-19 23:59 . 2012-01-24 23:12 3338752 ----a-w- c:\windows\diskediag.exe
2012-03-19 15:01 . 2012-03-19 15:01 -------- d-----w- c:\program files\7-Zip
2012-03-16 11:08 . 2012-02-08 01:13 149640 ----a-w- c:\windows\system32\drivers\idmwfp.sys
2012-03-14 17:18 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 17:18 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-14 17:18 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-14 16:29 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 16:29 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 16:29 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 16:29 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 16:29 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 16:29 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 16:29 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 16:29 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 16:29 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-14 16:29 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-12 19:49 . 2012-03-12 19:49 -------- d-----w- c:\program files (x86)\WinDirStat
2012-03-12 17:32 . 2012-03-12 17:32 -------- d-----w- c:\program files\Google
2012-03-12 17:32 . 2012-03-25 09:31 -------- d-----w- c:\users\rockroland\AppData\Local\Google
2012-03-12 17:32 . 2012-03-12 17:32 -------- d-----w- c:\program files (x86)\Google
2012-03-10 23:39 . 2012-03-10 23:39 -------- d-----w- c:\users\rockroland\AppData\Local\Pleasant_Solutions
2012-03-10 23:21 . 2012-03-10 23:21 -------- d-----w- c:\programdata\Research In Motion
2012-03-10 23:21 . 2012-03-10 23:21 -------- d-----w- c:\program files (x86)\Research In Motion
2012-03-10 23:16 . 2012-03-10 23:16 -------- d-----w- c:\users\rockroland\AppData\Local\Programs
2012-03-07 21:03 . 2012-03-07 21:03 -------- d-----w- c:\program files\iPod
2012-03-07 21:01 . 2012-03-07 21:01 -------- d-----w- c:\program files\Bonjour
2012-03-07 21:01 . 2012-03-07 21:01 -------- d-----w- c:\program files (x86)\Bonjour
2012-03-06 03:08 . 2012-03-06 03:08 -------- d-----w- c:\users\rockroland\AppData\Local\Amazon
2012-03-06 03:08 . 2012-03-06 03:08 -------- d-----w- c:\program files (x86)\Amazon
2012-02-29 17:13 . 2012-02-29 17:13 -------- d-----w- c:\programdata\AOL Downloads
2012-02-28 10:35 . 2012-02-28 10:35 -------- d-----w- c:\users\rockroland\AppData\Roaming\Media Player Classic
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-23 13:18 . 2010-08-10 03:52 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 16:01 . 2012-02-15 16:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-02-15 16:01 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-07 18:00 . 2012-02-08 07:56 79360 ----a-w- c:\windows\SysWow64\ff_vfw.dll
2012-02-06 21:02 . 2012-02-06 21:02 24064 ----a-w- c:\windows\system32\SplitCamAudio.sys
2012-01-30 09:29 . 2012-01-30 09:29 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-17 12:31 . 2012-01-17 12:31 23040 ----a-w- c:\windows\system32\drivers\SplitCamAudio.sys
2012-01-04 10:44 . 2012-02-14 19:49 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-04 08:58 . 2012-02-14 19:49 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\SysWow64\DivXControlPanelApplet.cpl
2012-01-03 07:03 . 2012-02-01 00:17 810496 ----a-w- c:\windows\system32\xvidcore.dll
2012-01-03 07:03 . 2012-02-01 00:17 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2012-01-03 07:03 . 2012-02-01 00:17 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2012-01-03 07:03 . 2012-02-06 20:48 389120 ----a-w- c:\windows\SysWow64\actskn43.ocx
2012-01-03 07:03 . 2012-02-06 20:48 389120 ----a-w- c:\windows\system32\actskn43.ocx
2011-12-30 06:26 . 2012-02-14 19:49 515584 ----a-w- c:\windows\system32\timedate.cpl
2011-12-30 05:27 . 2012-02-14 19:49 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-27_23.38.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-18 16:49 . 2012-03-28 00:08 61482 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-28 23:04 52692 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-08-10 03:33 . 2012-03-27 23:32 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-10 03:33 . 2012-03-28 06:37 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-10 03:33 . 2012-03-27 23:32 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-10 03:33 . 2012-03-28 06:37 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-28 06:37 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-27 23:32 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-22 21:42 . 2012-03-28 15:32 2440 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2010-08-22 21:42 . 2012-03-18 08:32 2440 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2010-08-10 04:01 . 2012-03-28 23:04 9930 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-850405567-2436268138-2046711074-1000_UserData.bin
+ 2012-03-28 03:57 . 2012-03-28 03:57 9560 c:\windows\system32\NetworkList\Icons\{80D2C45A-BEA8-4EA9-ADA0-97BA551912E2}_48.bin
+ 2012-03-28 03:57 . 2012-03-28 03:57 4280 c:\windows\system32\NetworkList\Icons\{80D2C45A-BEA8-4EA9-ADA0-97BA551912E2}_32.bin
+ 2012-03-28 03:57 . 2012-03-28 03:57 2456 c:\windows\system32\NetworkList\Icons\{80D2C45A-BEA8-4EA9-ADA0-97BA551912E2}_24.bin
+ 2012-03-28 19:22 . 2012-03-28 23:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-27 23:37 . 2012-03-27 23:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-28 19:22 . 2012-03-28 23:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-27 23:37 . 2012-03-27 23:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-27 23:37 . 2009-10-07 05:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
+ 2012-03-28 23:02 . 2009-10-07 05:47 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
+ 2009-07-14 04:54 . 2012-03-28 05:19 180224 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-03-27 22:44 180224 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-10 15:32 . 2012-03-28 13:13 464848 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2010-08-10 05:31 . 2012-03-28 22:41 461760 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-03-27 23:11 627082 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-28 23:07 627082 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-03-27 23:11 107366 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-03-28 23:07 107366 c:\windows\system32\perfc009.dat
+ 2009-07-14 04:46 . 2012-03-28 04:53 112304 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 05:01 . 2012-03-27 23:37 372072 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-28 19:17 372072 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-03-27 23:37 . 2012-03-27 23:37 372840 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-850405567-2436268138-2046711074-1000-4096.dat
+ 2012-03-27 23:37 . 2012-03-28 15:32 372840 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-850405567-2436268138-2046711074-1000-4096.dat
- 2009-07-14 04:54 . 2012-03-27 22:44 2211840 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-28 05:19 2211840 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-28 05:19 3473408 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-27 22:44 3473408 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-27 22:43 . 2012-03-28 15:32 1389964 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-850405567-2436268138-2046711074-1000-8192.dat
- 2010-08-24 02:44 . 2012-03-27 23:37 21145404 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-850405567-2436268138-2046711074-1000-12288.dat
+ 2010-08-24 02:44 . 2012-03-28 15:32 21145404 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-850405567-2436268138-2046711074-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2011-10-15 00:39 158224 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch_CC"="c:\program files\OSD\Launch_CC.exe" [2009-02-19 20480]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-03-12 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OSD_LAUNCH"="c:\program files (x86)\OSD\Launch_OSD.exe" [2010-07-18 32768]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-04 98304]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-07-17 91432]
"PDVD8LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-08-28 75048]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
.
c:\users\rockroland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
shortcut_xprint.lnk - c:\program files (x86)\Informatik Inc\Informatik xPrint\xPrintFileWatcher.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-12 136176]
R2 HappyOSD;HappyOSD;c:\program files (x86)\OSD\OSD_Service.exe [2009-12-30 16384]
R2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 ALSysIO;ALSysIO;c:\users\ROCKRO~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 cpudrv64;cpudrv64;c:\program files (x86)\SystemRequirementsLab\cpudrv64.sys [x]
R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\DRIVERS\facap.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-12 136176]
R3 IAMTVE;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTVE.sys [x]
R3 IAMTXPE;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTXPE.sys [x]
R3 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [2009-11-30 59904]
R3 ioatdma1;ioatdma1;c:\windows\System32\Drivers\qd162x64.sys [x]
R3 ioatdma2;Intel® QuickData Technology device ver.2;c:\windows\System32\Drivers\qd262x64.sys [x]
R3 iSSetup;iSSetup;c:\windows\system32\DRIVERS\iSSetup.sys [x]
R3 lvpopf64;Logitech POP Suppression Filter;c:\windows\system32\DRIVERS\lvpopf64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech QuickCam Fusion(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2009-09-21 315664]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 PEERNET Spooler Service 9.0;PEERNET Spooler Service 9.0;c:\windows\system32\spool\DRIVERS\x64\3\PNSvc9.exe [2011-01-21 159048]
R3 SCPDFReadSpool;SolidConverterPDFReadSpool;c:\program files (x86)\SolidDocuments\Solid Converter PDF\SCPDFV6\SolidConverterPDFServicex64.exe [2009-10-24 320512]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 CustomSvc;Vista Session Launcher Service;c:\program files\OSD\Service1.exe [2009-02-20 13312]
R4 ElcomSoftDistributedPasswordRecoveryServer;Elcomsoft Distributed Password Recovery Server;c:\program files (x86)\ElcomSoft\Distributed Password Recovery\esdprs.exe [x]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-11-03 2152152]
S0 ioatdma;Intel® QuickData Technology device;c:\windows\System32\Drivers\ioatdma.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [x]
S1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2011/09/09 16:52];c:\program files (x86)\CyberLink\PowerDVD8\000.fcl [2009-08-28 22:36 146928]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ec0230c23ac63514\AESTSr64.exe [2009-03-03 89600]
S2 AlienFusionService;Alienware Fusion Service;c:\program files\Alienware\Command Center\AlienFusionService.exe [2010-05-21 14648]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-06-25 72192]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [x]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [x]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [x]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-12 17:32]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-12 17:32]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-850405567-2436268138-2046711074-1000Core.job
- c:\users\rockroland\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-25 07:39]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-850405567-2436268138-2046711074-1000UA.job
- c:\users\rockroland\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-25 07:39]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2011-10-15 00:39 191504 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 23432 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-09-21 1926928]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2463232]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
"pdfFactory3"="c:\windows\system32\spool\DRIVERS\x64\3\fppdis3a.exe" [2010-08-16 759296]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-12-03 487424]
"AlienFX Controller"="c:\program files\Alienware\Command Center\AlienwareAlienFXController.exe" [2010-05-21 63304]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
obvious
MREMP50a64
sfilter
vci
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-850405567-2436268138-2046711074-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ee,4f,c8,67,7f,e2,a9,e6,7f,ef,06,e2,d5,a3,49,72,0e,67,bb,4a,0d,
77,4d,8e,43,8a,dc,c2,9e,d0,d7,6a,f6,f6,b0,ac,0c,a7,a1,ad,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-850405567-2436268138-2046711074-1000_Classes\Wow6432Node\CLSID\{c89322cc-8a39-4865-893a-438eac00bec7}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000015c
"Therad"=dword:0000001b
"MData"=hex(0):65,7c,1e,a1,67,2d,81,8e,56,fd,2f,16,f0,1b,e1,e5,fc,12,ee,82,b9,
f0,86,cd,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-28 19:24:54
ComboFix-quarantined-files.txt 2012-03-28 23:24
ComboFix2.txt 2012-03-28 21:18
ComboFix3.txt 2012-03-28 19:25
ComboFix4.txt 2012-03-28 00:01
ComboFix5.txt 2012-03-28 23:18
.
Pre-Run: 40,351,072,256 bytes free
Post-Run: 40,389,619,712 bytes free
.
- - End Of File - - 76F2A7357DBED1B884AA102DF43ACC22

#4
RKinner
    Malware Expert
If you open regedit and go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost then double click on netsvcs in the right pane you will see that sfilter is still listed there. You might want to double click on netsvcs and then remove the sfilter from the list. This isn't really necessary but I hate to leave malware traces around.

I also like to

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

mkdir \Windows\system32\consrv.dll

mkdir \Windows\system64\consrv.dll

This keeps the infection from ever coming back since it can't put its file in the folder if there is a subfolder of the same name. (Actually, on the last one, \Windows\system64 is a malware-created folder, so it might be better to delete the folder system64 and its files and subfolders and then copy some small file to c:\windows\ and rename it to system64.)

We should check to see if it broke anything:


Right click on (My) Computer and select Manage (Continue), then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).
sfc /scannow

(This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run as Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

I assume you have installed Avast to replace AVG?

http://www.avast.com...ivirus-download
Download and Save the installer then right click on it and run as admin.
Register when it asks you to.
Once it installs and updates:
Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?

Ron

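The checks Ron walks through in the post above (the Session Manager\SubSystems value, the netsvcs list, the mkdir placeholder and the stray system64 folder) collected into one script. This is an added example, not code from the original thread or from any of the tools named in it; it is meant to be run from an elevated 64-bit PowerShell on the affected Windows 7 x64 machine. The function names (Test-SubSystemsValue, Get-OrphanNetsvcs, Remove-NetsvcsEntry, New-Tombstone) are ours, and the allow-list of basesrv and winsrv as the only ServerDll names a clean Windows 7 SubSystems\Windows value carries is our assumption, as is the remark that netsvcs names without a service key are not all malicious.

```powershell
# Added example, not from the original post: PowerShell version of the checks
# described in the thread. Run from an elevated 64-bit PowerShell on Windows 7
# x64. Everything is read-only except Remove-NetsvcsEntry -Commit and
# New-Tombstone.
# Assumption (ours, not stated on the page): a clean Windows 7 SubSystems\Windows
# value references only the ServerDlls basesrv and winsrv.

if ([IntPtr]::Size -ne 8) {
    throw 'Run this from 64-bit PowerShell, or System32 paths are redirected to SysWOW64.'
}

$SubSystemsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$SvchostKey        = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$AllowedServerDlls = @('basesrv', 'winsrv')

# 1. The value csrss.exe reads at boot. Each "ServerDll=<name>:<entry>,<id>" token
#    names a DLL loaded from System32; the hijack swaps winsrv for consrv in the
#    ConServerDllInitialization entry, which is why the registry kept "reverting".
function Test-SubSystemsValue {
    $value = (Get-ItemProperty -Path $SubSystemsKey -Name Windows).Windows
    $bad = foreach ($m in [regex]::Matches($value, 'ServerDll=([^:,\s]+)')) {
        $name = $m.Groups[1].Value
        if ($AllowedServerDlls -notcontains $name) { $name }
    }
    if ($bad) { Write-Warning ('SubSystems\Windows still loads: ' + ($bad -join ', ')) }
    else      { Write-Host 'SubSystems\Windows: only basesrv/winsrv referenced (clean)' }
    return $bad
}

# 2. netsvcs is a REG_MULTI_SZ naming the services the shared svchost group hosts.
#    List the names that have no service key at all; a leftover such as 'sfilter'
#    shows up here once its service is gone. Legacy XP-era names (Ias, Irmon, ...)
#    also have no key on Windows 7, so read the output rather than deleting it all.
function Get-OrphanNetsvcs {
    $list = (Get-ItemProperty -Path $SvchostKey -Name netsvcs).netsvcs
    $list | Where-Object { -not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$_") }
}

# Remove one name from netsvcs (what Ron does by hand in regedit), exporting the
# key first so the change can be reversed.
function Remove-NetsvcsEntry {
    param([Parameter(Mandatory)][string]$Name, [switch]$Commit)
    $list = (Get-ItemProperty -Path $SvchostKey -Name netsvcs).netsvcs
    if ($list -notcontains $Name) { Write-Host "'$Name' is not in netsvcs"; return }
    $new = [string[]]@($list | Where-Object { $_ -ne $Name })
    if (-not $Commit) { Write-Host "Would remove '$Name' (pass -Commit to apply)"; return }
    $backup = Join-Path $env:TEMP 'svchost-netsvcs-backup.reg'
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' $backup /y | Out-Null
    Set-ItemProperty -Path $SvchostKey -Name netsvcs -Value $new -Type MultiString
    Write-Host "Removed '$Name' from netsvcs; backup at $backup"
}

# 3. The mkdir trick: a directory named consrv.dll blocks a file of that name
#    from being dropped. Refuse if a FILE of that name exists, since that means
#    the payload is still on disk and must be removed first.
function New-Tombstone {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        Write-Warning "$Path is a file: the infection is still present, clean it first"
        return $false
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    Write-Host "Placeholder directory in place: $Path"
    return $true
}

# system64 is not a Windows directory. Report its contents; deletion is left to you.
$system64 = Join-Path $env:SystemRoot 'system64'
if (Test-Path -LiteralPath $system64) {
    Write-Warning "Non-standard folder $system64 exists:"
    Get-ChildItem -LiteralPath $system64 -Force -Recurse | Select-Object FullName, Length, LastWriteTime
}

Test-SubSystemsValue | Out-Null
Get-OrphanNetsvcs
# Remove-NetsvcsEntry -Name sfilter -Commit
New-Tombstone -Path (Join-Path $env:SystemRoot 'System32\consrv.dll') | Out-Null
```

Nothing is written until you call Remove-NetsvcsEntry with -Commit or New-Tombstone; the .reg export in %TEMP% lets you restore the Svchost key from regedit if a removal turns out to be wrong. The script deliberately does not touch the SubSystems value itself: if Test-SubSystemsValue still reports consrv, the dropper is still active and the fix belongs in the recovery console, as described earlier in the thread.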
#5
Dark_Matter
    New Member, Topic Starter
Thanks Ron.

I followed your steps exactly. Attached are the logs.

Attached Thumbnails

  • scan result pg1.jpg
  • scan result pg2.jpg
  • Scan result pg3.jpg


#6
RKinner
    Malware Expert

Copy the following:


:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That will get the last of the malware off the system.



You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.

OTL has a cleanup tab if you go there it will remove itself and its logs.

To hide hidden files again (OTL may do it for you):

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK, close the program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
Seems to work best if Firefox is the default browser. You can also try Secunia PSI http://secunia.com/v...l/download_psi/ Same kind of info. You don't need both.
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, uTorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron