Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Computer is very slow [Solved]


  • This topic is locked This topic is locked

#1
silviab

silviab

    Member

  • Member
  • PipPip
  • 54 posts
I have been using this computer while trying to fix my computer (Thanks Gringo for the previous help). Suddenly, this computer is very slow. When going, for example, to AOL to check business mail, the graphics take forever to load. This has been happening for about the last 4 days, approximately. I'm worried malware or something contaminated this computer. Below is the OTL report. I am running Windows 7.

OTL logfile created on: 1/2/2013 2:36:46 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Pelico\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.87 Gb Total Physical Memory | 2.39 Gb Available Physical Memory | 61.73% Memory free
7.74 Gb Paging File | 6.05 Gb Available in Paging File | 78.13% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 425.27 Gb Total Space | 358.05 Gb Free Space | 84.19% Space Free | Partition Type: NTFS
Drive D: | 40.00 Gb Total Space | 33.94 Gb Free Space | 84.86% Space Free | Partition Type: NTFS

Computer Name: PELICO-PC | User Name: Pelico | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/02 14:34:47 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Pelico\Desktop\OTL.exe
PRC - [2012/07/06 01:56:56 | 000,361,472 | ---- | M] (Alcatel-Lucent) -- C:\Program Files (x86)\Common Files\Motive\pcCMService.exe
PRC - [2011/11/09 10:46:34 | 000,247,968 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11c_ActiveX.exe
PRC - [2010/09/10 14:11:16 | 001,154,848 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2010/09/10 12:46:32 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2009/06/04 15:48:22 | 000,013,600 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
PRC - [2009/02/20 08:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe


========== Modules (No Company Name) ==========

MOD - [2011/03/16 23:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 14:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll


========== Services (SafeList) ==========

SRV:64bit: - [2012/09/12 20:21:48 | 000,368,896 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/09/12 20:21:48 | 000,022,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2012/07/06 01:57:02 | 000,441,344 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\pcCMService.exe -- (pcCMService64)
SRV:64bit: - [2009/07/13 17:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 17:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/06/04 15:48:20 | 000,864,032 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2012/07/06 01:56:56 | 000,361,472 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files (x86)\Common Files\Motive\pcCMService.exe -- (pcCMService)
SRV - [2010/09/10 12:46:32 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/29 23:40:16 | 001,043,584 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2009/07/23 20:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2009/06/10 13:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/06/10 03:41:10 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2009/06/10 03:41:02 | 000,166,384 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2009/06/10 03:40:22 | 001,124,848 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2009/02/20 08:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/08/30 21:03:48 | 000,128,456 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/02/29 22:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/03/10 22:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/10 22:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 05:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 03:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/08/25 19:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/01/07 10:33:16 | 000,158,848 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2009/07/13 17:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 17:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 17:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 13:59:33 | 005,020,672 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/07/09 02:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009/06/12 14:19:58 | 000,287,960 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1y62x64.sys -- (e1yexpress)
DRV:64bit: - [2009/06/10 12:35:42 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/06/10 12:35:35 | 000,620,544 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x)
DRV:64bit: - [2009/06/10 12:35:20 | 000,278,016 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\e1e6032e.sys -- (e1express)
DRV:64bit: - [2009/06/10 12:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 12:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 12:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 12:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/14 10:14:16 | 000,097,056 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwaudio.sys -- (btwaudio)
DRV:64bit: - [2009/05/14 10:14:14 | 000,131,360 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)
DRV:64bit: - [2009/05/14 10:14:10 | 000,019,872 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwrchid.sys -- (btwrchid)
DRV:64bit: - [2009/04/07 15:33:08 | 000,035,104 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwl2cap.sys -- (btwl2cap)
DRV - [2010/04/30 14:09:44 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/04/30 14:09:22 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/07/13 17:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 B3 E9 38 B7 59 CB 01 [binary data]
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo....ms}&fr=chr-atty
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files (x86)\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/09/20 13:42:35 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/09/20 13:42:35 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/06/10 13:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe (Sonic Solutions)
O4 - HKLM..\Run: [StartCal.exe] C:\Program Files (x86)\IdeaCom\TSC\StartCal.exe calibrate_private File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8:64bit: - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: $talisma_url$ ([]https in Trusted sites)
O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} https://pattcw.att.m...Installer64.cab (WebBrowserType Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{503D4542-68C2-451E-A5E7-B90BDA00C2B5}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9F3B1286-B42F-4861-9ECE-85974B9080ED}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\intu-help-qb3 - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Handler\qbwc - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/08 12:30:18 | 000,000,048 | -H-- | M] () - D:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/02 14:34:47 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Pelico\Desktop\OTL.exe
[2012/12/29 15:55:43 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Rainbow
[2012/12/29 15:54:13 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The Chronicles of Emerland Solitaire
[2012/12/29 15:54:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Chronicles of Emerland Solitaire
[2012/12/29 15:54:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\The Chronicles of Emerland Solitaire
[2012/12/23 15:39:08 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fishdom 3
[2012/12/23 15:39:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fishdom 3
[2012/12/23 15:39:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Fishdom 3
[2012/12/19 16:26:34 | 000,649,864 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Pelico\Documents\autoruns.exe
[2012/12/14 16:07:55 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Absolutist
[2012/12/12 18:13:26 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Patchworkz
[2012/12/12 18:13:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Patchworkz
[2012/12/12 18:13:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Patchworkz
[2012/12/09 18:59:01 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Phantasmat - Crucible Peak Collector's Edition
[2012/12/09 18:59:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phantasmat - Crucible Peak Collector's Edition
[2012/12/09 18:59:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Phantasmat - Crucible Peak Collector's Edition
[2012/12/06 09:28:03 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Christmas Stories - Nutcracker Collector's Edition
[2012/12/06 09:28:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Christmas Stories - Nutcracker Collector's Edition
[2012/12/06 09:28:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Christmas Stories - Nutcracker Collector's Edition

========== Files - Modified Within 30 Days ==========

[2013/01/02 14:34:47 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Pelico\Desktop\OTL.exe
[2013/01/02 12:55:51 | 000,016,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/01/02 12:55:51 | 000,016,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/01/02 12:52:54 | 000,806,934 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/01/02 12:52:54 | 000,680,296 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/01/02 12:52:54 | 000,128,744 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/01/02 12:48:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/01/02 12:48:22 | 3118,342,144 | -HS- | M] () -- C:\hiberfil.sys
[2012/12/29 15:54:55 | 000,002,156 | ---- | M] () -- C:\Users\Public\Desktop\Play The Chronicles of Emerland Solitaire.lnk
[2012/12/29 15:54:55 | 000,001,302 | ---- | M] () -- C:\Users\Public\Desktop\More Great Games.lnk
[2012/12/23 15:39:42 | 000,001,911 | ---- | M] () -- C:\Users\Public\Desktop\Play Fishdom 3.lnk
[2012/12/21 03:16:44 | 000,472,576 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/12/19 16:26:48 | 000,055,296 | ---- | M] () -- C:\Users\Pelico\Documents\BSOD_Windows7_Vista_v2.64_jcgriff2_.exe
[2012/12/19 16:26:34 | 000,649,864 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Pelico\Documents\autoruns.exe
[2012/12/13 17:11:49 | 000,002,856 | ---- | M] () -- C:\Users\Pelico\Desktop\startup.rtf
[2012/12/13 10:26:06 | 000,005,651 | ---- | M] () -- C:\Users\Pelico\Desktop\Document.rtf
[2012/12/12 22:46:23 | 000,005,680 | ---- | M] () -- C:\Users\Pelico\Documents\Document.rtf
[2012/12/12 18:14:00 | 000,001,924 | ---- | M] () -- C:\Users\Public\Desktop\Play Patchworkz.lnk
[2012/12/09 19:01:21 | 000,002,278 | ---- | M] () -- C:\Users\Public\Desktop\Play Phantasmat - Crucible Peak Collector's Edition.lnk
[2012/12/06 09:29:49 | 000,002,322 | ---- | M] () -- C:\Users\Public\Desktop\Play Christmas Stories - Nutcracker Collector's Edition.lnk
[2012/12/05 13:47:45 | 000,002,329 | ---- | M] () -- C:\Users\Pelico\Documents\geek.rtf

========== Files Created - No Company Name ==========

[2012/12/29 15:54:55 | 000,002,156 | ---- | C] () -- C:\Users\Public\Desktop\Play The Chronicles of Emerland Solitaire.lnk
[2012/12/29 15:54:55 | 000,001,302 | ---- | C] () -- C:\Users\Public\Desktop\More Great Games.lnk
[2012/12/23 15:39:42 | 000,001,911 | ---- | C] () -- C:\Users\Public\Desktop\Play Fishdom 3.lnk
[2012/12/19 16:26:48 | 000,055,296 | ---- | C] () -- C:\Users\Pelico\Documents\BSOD_Windows7_Vista_v2.64_jcgriff2_.exe
[2012/12/13 17:11:49 | 000,002,856 | ---- | C] () -- C:\Users\Pelico\Desktop\startup.rtf
[2012/12/13 10:26:06 | 000,005,651 | ---- | C] () -- C:\Users\Pelico\Desktop\Document.rtf
[2012/12/12 22:46:23 | 000,005,680 | ---- | C] () -- C:\Users\Pelico\Documents\Document.rtf
[2012/12/12 18:14:00 | 000,001,924 | ---- | C] () -- C:\Users\Public\Desktop\Play Patchworkz.lnk
[2012/12/09 19:01:21 | 000,002,278 | ---- | C] () -- C:\Users\Public\Desktop\Play Phantasmat - Crucible Peak Collector's Edition.lnk
[2012/12/06 09:29:49 | 000,002,322 | ---- | C] () -- C:\Users\Public\Desktop\Play Christmas Stories - Nutcracker Collector's Edition.lnk
[2012/12/05 13:47:45 | 000,002,329 | ---- | C] () -- C:\Users\Pelico\Documents\geek.rtf

========== ZeroAccess Check ==========

[2009/07/13 20:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 21:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 20:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 17:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 04:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 17:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012/12/14 16:07:55 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Absolutist
[2012/07/23 13:26:34 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\AlawarEntertainment
[2012/02/14 11:41:38 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Amulet_of_time
[2012/01/15 17:54:31 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Artifex Mundi
[2012/02/24 14:13:49 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Artogon
[2012/05/20 08:55:39 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Avery
[2012/08/13 17:07:52 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Big Fish Games
[2012/02/23 18:03:48 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\bigwig_media
[2011/11/15 17:46:33 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\BlamGames
[2012/06/02 11:23:00 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Blue Tea Games
[2012/07/13 17:20:40 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Boolat Games
[2013/01/01 13:38:55 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Boomzap
[2012/11/21 15:41:21 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Casual Arts
[2012/04/24 15:11:14 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\CasualMechanics
[2012/06/22 16:35:26 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\cerasus.media
[2012/07/31 15:49:37 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Crown
[2012/02/17 18:02:36 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\DailyMagic
[2012/03/17 15:19:38 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Dark Blue Games
[2012/07/15 14:56:38 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\DAVA
[2012/05/26 17:01:07 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Deep Shadows
[2011/12/14 17:25:08 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\DieselPuppet
[2012/01/31 14:56:35 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\EleFun Games
[2012/12/05 16:22:09 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Elephant Games
[2012/04/18 17:23:04 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Enki Games
[2013/01/01 14:42:23 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\ERS Game Studios
[2011/12/15 16:55:27 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Fanda Games
[2011/10/30 16:56:04 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Floodlight Games
[2012/04/27 15:33:36 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Freeze Tag
[2011/07/09 12:19:33 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Frogwares
[2012/11/24 17:54:27 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\funkitron
[2012/02/27 15:37:35 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\GameInvest
[2012/04/15 09:31:36 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\GameMill Entertainment
[2012/04/27 16:46:37 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\GO Games
[2011/07/31 12:19:23 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Gogii
[2012/03/21 11:59:55 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Gunnar Games
[2012/03/04 14:47:20 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\HitPoint Studios
[2012/02/22 11:12:33 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\JoyBits
[2012/02/06 18:37:07 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\KatGames
[2012/05/04 16:06:31 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Lazy Turtle Games
[2012/04/23 17:07:15 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\LegacyInteractive
[2011/07/11 15:41:43 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\LestaStudio
[2012/01/02 17:59:36 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\MagicIndie
[2012/06/05 11:44:11 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Mariaglorum
[2012/01/31 15:51:19 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\MumboJumbo
[2012/07/23 13:46:10 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Orneon
[2012/05/07 17:26:57 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\PassionFruit Games
[2012/05/27 08:43:51 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Persha Studia
[2011/07/05 16:38:47 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Phantasmat_bf_ce1
[2012/12/23 15:41:15 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Playrix Entertainment
[2012/06/17 16:47:43 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\quickclick
[2012/12/29 15:55:43 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Rainbow
[2012/07/07 16:38:06 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Skunk Studios
[2012/08/04 15:26:44 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Skyborn
[2012/06/21 17:03:13 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\SMIGames
[2012/08/12 12:46:05 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\SpinTop Games
[2011/07/28 16:39:32 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\SulusGames
[2012/04/27 16:29:35 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\tabagames
[2011/11/23 15:39:28 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\TeleportGamesLtd
[2012/01/31 12:37:14 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Ten Heavens
[2011/12/23 16:38:57 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Top Evidence
[2011/08/26 15:40:21 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Twilight Games
[2012/08/05 13:55:59 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Val'Gor 2
[2012/06/22 13:39:51 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\ValGor 2
[2011/07/24 16:35:28 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\VampireSagaHL
[2012/01/31 13:55:27 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Vast Studios
[2011/12/30 16:23:57 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Vogat Interactive
[2011/07/12 13:49:30 | 000,000,000 | ---D | M] -- C:\Users\Pelico\AppData\Roaming\Windows Live Writer

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\ProgramData\TEMP:1409277B
@Alternate Data Stream - 261 bytes -> C:\ProgramData\TEMP:12258D63
@Alternate Data Stream - 259 bytes -> C:\ProgramData\TEMP:D987CB43
@Alternate Data Stream - 259 bytes -> C:\ProgramData\TEMP:CA1AFE85
@Alternate Data Stream - 259 bytes -> C:\ProgramData\TEMP:4244811A
@Alternate Data Stream - 258 bytes -> C:\ProgramData\TEMP:84C34762
@Alternate Data Stream - 256 bytes -> C:\ProgramData\TEMP:754E278B
@Alternate Data Stream - 254 bytes -> C:\ProgramData\TEMP:FFC3922F
@Alternate Data Stream - 254 bytes -> C:\ProgramData\TEMP:BECA50FF
@Alternate Data Stream - 252 bytes -> C:\ProgramData\TEMP:5539129F
@Alternate Data Stream - 251 bytes -> C:\ProgramData\TEMP:6CF828C2
@Alternate Data Stream - 250 bytes -> C:\ProgramData\TEMP:6E65510A
@Alternate Data Stream - 250 bytes -> C:\ProgramData\TEMP:2E636DD9
@Alternate Data Stream - 249 bytes -> C:\ProgramData\TEMP:C46848E8
@Alternate Data Stream - 248 bytes -> C:\ProgramData\TEMP:2F474C84
@Alternate Data Stream - 248 bytes -> C:\ProgramData\TEMP:2A874675
@Alternate Data Stream - 247 bytes -> C:\ProgramData\TEMP:E8B61305
@Alternate Data Stream - 247 bytes -> C:\ProgramData\TEMP:6A9CA6CB
@Alternate Data Stream - 246 bytes -> C:\ProgramData\TEMP:3487C53E
@Alternate Data Stream - 246 bytes -> C:\ProgramData\TEMP:1A15E356
@Alternate Data Stream - 245 bytes -> C:\ProgramData\TEMP:96372A73
@Alternate Data Stream - 244 bytes -> C:\ProgramData\TEMP:E4E83517
@Alternate Data Stream - 243 bytes -> C:\ProgramData\TEMP:1B90AAB4
@Alternate Data Stream - 242 bytes -> C:\ProgramData\TEMP:65C4D44A
@Alternate Data Stream - 242 bytes -> C:\ProgramData\TEMP:3D4B733E
@Alternate Data Stream - 241 bytes -> C:\ProgramData\TEMP:A6F30843
@Alternate Data Stream - 241 bytes -> C:\ProgramData\TEMP:1224B4C3
@Alternate Data Stream - 240 bytes -> C:\ProgramData\TEMP:B8791731
@Alternate Data Stream - 240 bytes -> C:\ProgramData\TEMP:54403233
@Alternate Data Stream - 239 bytes -> C:\ProgramData\TEMP:E0888117
@Alternate Data Stream - 239 bytes -> C:\ProgramData\TEMP:5E73E1C2
@Alternate Data Stream - 238 bytes -> C:\ProgramData\TEMP:6EE8565A
@Alternate Data Stream - 237 bytes -> C:\ProgramData\TEMP:97AAB7F2
@Alternate Data Stream - 237 bytes -> C:\ProgramData\TEMP:16F4BC64
@Alternate Data Stream - 237 bytes -> C:\ProgramData\TEMP:0E22C5DB
@Alternate Data Stream - 236 bytes -> C:\ProgramData\TEMP:B1786630
@Alternate Data Stream - 236 bytes -> C:\ProgramData\TEMP:5A9F1AE5
@Alternate Data Stream - 235 bytes -> C:\ProgramData\TEMP:FD7DCDA6
@Alternate Data Stream - 234 bytes -> C:\ProgramData\TEMP:FF717A18
@Alternate Data Stream - 234 bytes -> C:\ProgramData\TEMP:EBCF5924
@Alternate Data Stream - 233 bytes -> C:\ProgramData\TEMP:56FBA78D
@Alternate Data Stream - 233 bytes -> C:\ProgramData\TEMP:120B3AFD
@Alternate Data Stream - 232 bytes -> C:\ProgramData\TEMP:D696AA12
@Alternate Data Stream - 232 bytes -> C:\ProgramData\TEMP:3EC5BC08
@Alternate Data Stream - 232 bytes -> C:\ProgramData\TEMP:1B389835
@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:B0456F0C
@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:AABECEFB
@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:7A2101AB
@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:5ECEFF17
@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:0A74923C
@Alternate Data Stream - 230 bytes -> C:\ProgramData\TEMP:B65E763D
@Alternate Data Stream - 230 bytes -> C:\ProgramData\TEMP:ADE67221
@Alternate Data Stream - 230 bytes -> C:\ProgramData\TEMP:795F6DEC
@Alternate Data Stream - 229 bytes -> C:\ProgramData\TEMP:C3A047E3
@Alternate Data Stream - 229 bytes -> C:\ProgramData\TEMP:A2FF62A6
@Alternate Data Stream - 229 bytes -> C:\ProgramData\TEMP:9195103F
@Alternate Data Stream - 228 bytes -> C:\ProgramData\TEMP:F8DE80DB
@Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:F9689B72
@Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:6EA64886
@Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:6294B369
@Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:53B8C5D2
@Alternate Data Stream - 226 bytes -> C:\ProgramData\TEMP:2F8138B7
@Alternate Data Stream - 226 bytes -> C:\ProgramData\TEMP:0474F714
@Alternate Data Stream - 226 bytes -> C:\ProgramData\TEMP:02CC0035
@Alternate Data Stream - 224 bytes -> C:\ProgramData\TEMP:5DB36C47
@Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:EAF954B6
@Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:B4258C5D
@Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:65137F0D
@Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:14B2E0BD
@Alternate Data Stream - 221 bytes -> C:\ProgramData\TEMP:AD2DB2F9
@Alternate Data Stream - 219 bytes -> C:\ProgramData\TEMP:88E8CC2E
@Alternate Data Stream - 219 bytes -> C:\ProgramData\TEMP:4D551822
@Alternate Data Stream - 218 bytes -> C:\ProgramData\TEMP:9725F1BC
@Alternate Data Stream - 217 bytes -> C:\ProgramData\TEMP:9FD757A9
@Alternate Data Stream - 216 bytes -> C:\ProgramData\TEMP:1968990D
@Alternate Data Stream - 214 bytes -> C:\ProgramData\TEMP:902C848D
@Alternate Data Stream - 212 bytes -> C:\ProgramData\TEMP:ED0B32CA
@Alternate Data Stream - 210 bytes -> C:\ProgramData\TEMP:6C5EC3CD
@Alternate Data Stream - 210 bytes -> C:\ProgramData\TEMP:13AA281B
@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:6017A808
@Alternate Data Stream - 205 bytes -> C:\ProgramData\TEMP:DA5888A7
@Alternate Data Stream - 204 bytes -> C:\ProgramData\TEMP:45912F61
@Alternate Data Stream - 201 bytes -> C:\ProgramData\TEMP:1DD8718C
@Alternate Data Stream - 200 bytes -> C:\ProgramData\TEMP:E51234A9
@Alternate Data Stream - 197 bytes -> C:\ProgramData\TEMP:A3E39C6A
@Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:6ED8B881
@Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:1E2D49E0
@Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:0168CC60
@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:62AF94A0
@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:4EC7F009
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:E265ED33
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:A6345BDA
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:39B14E09
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:FB71A279
@Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:9D6EAEC3
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:FD786DCA
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:4AC7B5C1
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:10B970A9
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:895A78C5
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:6896CCCE
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:95D421DF
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:FD6D11C9
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:084612C9
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:EE2DD6CC
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:EDE28CFC
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:2E33E4A6
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:10CB85CA
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E3615992
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:80253E8D
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:DF5ABA3D
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:132714FA
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:302ECBD6
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:FDEE14AC
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:9968F0E2
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:6A0A47E7
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:58E38390
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:F72306CC
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:0EC7A545

< End of report >
  • 0

Advertisements


#2
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Gringo
  • 0

#3
silviab

silviab

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Hi Gringo,

The result of the Security Check is below. I didn't even realize that this computer had Microsoft Essentials <G> I will do the other programs in a little while & post them.

Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
  • 0

#4
silviab

silviab

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Below is the result of the AdwCleaner. It was much better than the one for my other computer. Can I run AdwCleaner on my other computer you helped me with, just to see if anything came back? Thank you again for all your help!

# AdwCleaner v2.104 - Logfile created 01/03/2013 at 13:33:41
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Pelico - PELICO-PC
# Boot Mode : Normal
# Running from : C:\Users\Pelico\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [616 octets] - [03/01/2013 13:33:41]

########## EOF - C:\AdwCleaner[S1].txt - [675 octets] ##########
  • 0

#5
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
did you run --RogueKiller-- on this computer?


yes you can run it again on the other computer
  • 0

#6
silviab

silviab

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Hi Gringo,

Here is the result of RogueKiller.

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Pelico [Admin rights]
Mode : Remove -- Date : 01/03/2013 14:08:32

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-00V1A0 ATA Device +++++
--- User ---
[MBR] 0908d7bd66e32c6f9a94f4cfbd869acd
[BSP] 3f5f00fabe22debb13ca3a7b9e6dfc06 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 500 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 1026048 | Size: 40960 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 84912128 | Size: 435478 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: HP Photosmart C309a USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_01032013_02d1408.txt >>
RKreport[1]_S_01032013_02d1405.txt ; RKreport[2]_D_01032013_02d1408.txt
  • 0

#7
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
  • 0

#8
silviab

silviab

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Hi Gringo,

I downloaded Combofix & will do it tomorrow I do have a question, when I had Norton, I could just right click it & disable the program. How do I turn off Microsoft Essentials? When I open it from my taskbar, I don't see where I can temporarily disable it.

Thank you so much as always!!!

Silvia
  • 0

#9
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Click "Start" and "Microsoft Security Essentials." The Microsoft Security Essentials program opens.

Click the "Settings" tab and click "Real-time Protection" in the left pane.


Uncheck the "Turn on Real-time Protection (Recommended)" box.


Click "Save."
  • 0

#10
silviab

silviab

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Here you go, the log from Combofix. I'm still having the problem when I go to AOL, the pictures don't download like before, it takes forever..

ComboFix 13-01-04.03 - Pelico 01/04/2013 15:24:01.1.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3965.2463 [GMT -8:00]
Running from: c:\users\Pelico\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\URTTemp
c:\windows\SysWow64\URTTemp\regtlib.exe
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-12-04 to 2013-01-04 )))))))))))))))))))))))))))))))
.
.
2013-01-04 23:28 . 2013-01-04 23:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-04 21:49 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DAA642FC-1FF2-484D-A16D-B213F72BB11B}\mpengine.dll
2013-01-04 00:39 . 2013-01-04 00:40 -------- d-----w- c:\program files (x86)\Death Upon an Austrian Sonata - A Dana Knightstone Novel Collector's Edition
2013-01-03 20:59 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-03 00:14 . 2013-01-03 00:16 -------- d-----w- c:\program files (x86)\Gothic Fiction - Dark Saga Collector's Edition
2012-12-29 23:55 . 2012-12-29 23:55 -------- d-----w- c:\users\Pelico\AppData\Roaming\Rainbow
2012-12-29 23:54 . 2012-12-29 23:54 -------- d-----w- c:\program files (x86)\The Chronicles of Emerland Solitaire
2012-12-23 23:39 . 2012-12-23 23:39 -------- d-----w- c:\program files (x86)\Fishdom 3
2012-12-21 11:00 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-21 11:00 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-21 11:00 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-21 11:00 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-15 00:07 . 2012-12-15 00:07 -------- d-----w- c:\users\Pelico\AppData\Roaming\Absolutist
2012-12-13 02:13 . 2012-12-13 02:14 -------- d-----w- c:\program files (x86)\Patchworkz
2012-12-12 03:21 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-10 02:59 . 2012-12-10 03:01 -------- d-----w- c:\program files (x86)\Phantasmat - Crucible Peak Collector's Edition
2012-12-06 17:28 . 2012-12-06 17:29 -------- d-----w- c:\program files (x86)\Christmas Stories - Nutcracker Collector's Edition
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-12 11:03 . 2010-09-05 18:01 67413224 ----a-w- c:\windows\system32\MRT.exe
2012-11-28 20:22 . 2012-11-28 20:22 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CAFD0AB5-97FF-445F-A6F5-C918A7ED84D8}\gapaengine.dll
2012-10-16 08:38 . 2012-11-28 01:31 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38 . 2012-11-28 01:31 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39 . 2012-11-28 01:31 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-09 18:17 . 2012-11-16 04:30 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-10-09 18:17 . 2012-11-16 04:30 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-10-09 17:40 . 2012-11-16 04:30 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40 . 2012-11-16 04:30 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-06-10 244208]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-01-27 1337608]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-6-4 1079584]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-9-10 1154848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-06-10 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-06-10 166384]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-01-07 158848]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-06-10 1124848]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-03 1255736]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S2 pcCMService;pcCMService;c:\program files (x86)\Common Files\Motive\pcCMService.exe [2012-07-06 361472]
S2 pcCMService64;pcCMService64;c:\program files\Common Files\Motive\pcCMService.exe [2012-07-06 441344]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 35104]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [2009-06-12 287960]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [2009-06-10 620544]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-17 10134560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.aol.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: $talisma_url$
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-StartCal.exe - c:\program files (x86)\IdeaCom\TSC\StartCal.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-04 15:31:44
ComboFix-quarantined-files.txt 2013-01-04 23:31
.
Pre-Run: 384,023,420,928 bytes free
Post-Run: 388,043,427,840 bytes free
.
- - End Of File - - 7DE5FDE0AAE47FC2AEFB8E6BAE2DE519
  • 0

Advertisements


#11
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

Lets get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
  • 0

#12
silviab

silviab

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Here is the OTL log:

OTL logfile created on: 1/5/2013 2:10:46 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Pelico\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.87 Gb Total Physical Memory | 2.23 Gb Available Physical Memory | 57.63% Memory free
7.74 Gb Paging File | 6.15 Gb Available in Paging File | 79.43% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 425.27 Gb Total Space | 361.63 Gb Free Space | 85.04% Space Free | Partition Type: NTFS
Drive D: | 40.00 Gb Total Space | 33.94 Gb Free Space | 84.86% Space Free | Partition Type: NTFS

Computer Name: PELICO-PC | User Name: Pelico | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Pelico\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Common Files\Motive\pcCMService.exe (Alcatel-Lucent)
PRC - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11c_ActiveX.exe (Adobe Systems, Inc.)
PRC - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
PRC - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe (Broadcom Corporation.)
PRC - C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV:64bit: - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (pcCMService64) -- C:\Program Files\Common Files\Motive\pcCMService.exe (Alcatel-Lucent)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (btwdins) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
SRV - (pcCMService) -- C:\Program Files (x86)\Common Files\Motive\pcCMService.exe (Alcatel-Lucent)
SRV - (QBCFMonitorService) -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (HPSLPSVC) -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL (Hewlett-Packard Co.)
SRV - (QBFCService) -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (RoxLiveShare10) -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (Sonic Solutions)
SRV - (RoxWatch10) -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe (Sonic Solutions)
SRV - (RoxMediaDB10) -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe (Sonic Solutions)
SRV - (BcmSqlStartupSvc) -- C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\drivers\PxHlpa64.sys (Sonic Solutions)
DRV:64bit: - (e1yexpress) -- C:\Windows\SysNative\drivers\e1y62x64.sys (Intel Corporation)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek Corporation )
DRV:64bit: - (netr28x) -- C:\Windows\SysNative\drivers\netr28x.sys (Ralink Technology, Corp.)
DRV:64bit: - (e1express) -- C:\Windows\SysNative\drivers\e1e6032e.sys (Intel Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (btwaudio) -- C:\Windows\SysNative\drivers\btwaudio.sys (Broadcom Corporation.)
DRV:64bit: - (btwavdt) -- C:\Windows\SysNative\drivers\btwavdt.sys (Broadcom Corporation.)
DRV:64bit: - (btwrchid) -- C:\Windows\SysNative\drivers\btwrchid.sys (Broadcom Corporation.)
DRV:64bit: - (btwl2cap) -- C:\Windows\SysNative\drivers\btwl2cap.sys (Broadcom Corporation.)
DRV - (MRESP50) -- C:\Program Files (x86)\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MREMP50) -- C:\Program Files (x86)\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
IE - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 B3 E9 38 B7 59 CB 01 [binary data]
IE - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo....ms}&fr=chr-atty
IE - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files (x86)\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/09/20 13:42:35 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/09/20 13:42:35 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2013/01/04 15:29:59 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe (Sonic Solutions)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8:64bit: - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-445615110-1285691362-2501240338-1005\..Trusted Domains: $talisma_url$ ([]https in Trusted sites)
O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} https://pattcw.att.m...Installer64.cab (WebBrowserType Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{503D4542-68C2-451E-A5E7-B90BDA00C2B5}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9F3B1286-B42F-4861-9ECE-85974B9080ED}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\intu-help-qb3 - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Handler\qbwc - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/04 15:23:02 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/01/04 15:23:02 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/01/04 15:23:02 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/01/04 15:22:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/01/04 15:22:46 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/01/03 18:33:21 | 005,019,583 | R--- | C] (Swearware) -- C:\Users\Pelico\Desktop\ComboFix.exe
[2013/01/03 16:39:16 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Death Upon an Austrian Sonata - A Dana Knightstone Novel Collector's Edition
[2013/01/03 16:39:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Death Upon an Austrian Sonata - A Dana Knightstone Novel Collector's Edition
[2013/01/03 16:39:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Death Upon an Austrian Sonata - A Dana Knightstone Novel Collector's Edition
[2013/01/03 14:03:59 | 000,000,000 | ---D | C] -- C:\Users\Pelico\Desktop\RK_Quarantine
[2013/01/02 16:14:24 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Gothic Fiction - Dark Saga Collector's Edition
[2013/01/02 16:14:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gothic Fiction - Dark Saga Collector's Edition
[2013/01/02 16:14:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Gothic Fiction - Dark Saga Collector's Edition
[2013/01/02 14:34:47 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Pelico\Desktop\OTL.exe
[2012/12/29 15:55:43 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Rainbow
[2012/12/29 15:54:13 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The Chronicles of Emerland Solitaire
[2012/12/29 15:54:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Chronicles of Emerland Solitaire
[2012/12/29 15:54:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\The Chronicles of Emerland Solitaire
[2012/12/23 15:39:08 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fishdom 3
[2012/12/23 15:39:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fishdom 3
[2012/12/23 15:39:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Fishdom 3
[2012/12/21 03:00:30 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
[2012/12/21 03:00:30 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
[2012/12/21 03:00:29 | 000,367,616 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
[2012/12/21 03:00:29 | 000,295,424 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
[2012/12/19 16:26:34 | 000,649,864 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Pelico\Documents\autoruns.exe
[2012/12/14 16:07:55 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Absolutist
[2012/12/12 18:13:26 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Patchworkz
[2012/12/12 18:13:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Patchworkz
[2012/12/12 18:13:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Patchworkz
[2012/12/12 03:01:28 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012/12/12 03:01:28 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/12/12 03:01:27 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012/12/12 03:01:27 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012/12/12 03:01:27 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/12/12 03:01:27 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/12/12 03:01:27 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012/12/12 03:01:27 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012/12/12 03:01:26 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012/12/12 03:01:26 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/12/12 03:01:25 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012/12/12 03:01:25 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2012/12/12 03:01:24 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012/12/12 03:01:24 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/12/12 03:01:24 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2012/12/11 19:21:45 | 001,161,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
[2012/12/11 19:21:45 | 000,424,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
[2012/12/11 19:21:45 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2012/12/11 19:21:44 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
[2012/12/11 19:21:43 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
[2012/12/11 19:21:43 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2012/12/11 19:21:43 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2012/12/11 19:21:43 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
[2012/12/11 19:21:43 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2012/12/11 19:21:43 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
[2012/12/11 19:21:43 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2012/12/11 19:21:42 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2012/12/11 19:21:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2012/12/11 19:21:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2012/12/11 19:21:41 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2012/12/11 19:21:41 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2012/12/11 19:21:41 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2012/12/11 19:21:41 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2012/12/11 19:21:41 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2012/12/11 19:21:41 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2012/12/11 19:21:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2012/12/11 19:21:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2012/12/11 19:21:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2012/12/11 19:21:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2012/12/11 19:21:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2012/12/11 19:21:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2012/12/11 19:21:40 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2012/12/11 19:21:40 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2012/12/11 19:21:40 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2012/12/11 19:21:40 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2012/12/11 19:21:40 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2012/12/11 19:21:40 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2012/12/11 19:21:39 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2012/12/11 19:21:29 | 000,478,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dpnet.dll
[2012/12/11 19:21:29 | 000,376,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dpnet.dll
[2012/12/09 18:59:01 | 000,000,000 | ---D | C] -- C:\Users\Pelico\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Phantasmat - Crucible Peak Collector's Edition
[2012/12/09 18:59:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Phantasmat - Crucible Peak Collector's Edition
[2012/12/09 18:59:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Phantasmat - Crucible Peak Collector's Edition

========== Files - Modified Within 30 Days ==========

[2013/01/04 15:29:59 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2013/01/04 15:21:04 | 005,019,583 | R--- | M] (Swearware) -- C:\Users\Pelico\Desktop\ComboFix.exe
[2013/01/03 16:40:13 | 000,002,554 | ---- | M] () -- C:\Users\Public\Desktop\Play Death Upon an Austrian Sonata - A Dana Knightstone Novel Collector's Edition.lnk
[2013/01/03 16:40:13 | 000,001,382 | ---- | M] () -- C:\Users\Public\Desktop\More Great Games.lnk
[2013/01/03 13:45:46 | 000,016,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/01/03 13:45:46 | 000,016,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/01/03 13:42:53 | 000,806,934 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/01/03 13:42:53 | 000,680,296 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/01/03 13:42:53 | 000,128,744 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/01/03 13:38:21 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/01/03 13:38:16 | 3118,342,144 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/03 12:18:40 | 000,761,856 | ---- | M] () -- C:\Users\Pelico\Desktop\RogueKiller.exe
[2013/01/03 12:18:11 | 000,551,997 | ---- | M] () -- C:\Users\Pelico\Desktop\adwcleaner.exe
[2013/01/03 12:17:35 | 000,856,731 | ---- | M] () -- C:\Users\Pelico\Desktop\SecurityCheck.exe
[2013/01/02 16:16:15 | 000,002,278 | ---- | M] () -- C:\Users\Public\Desktop\Play Gothic Fiction - Dark Saga Collector's Edition.lnk
[2013/01/02 14:34:47 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Pelico\Desktop\OTL.exe
[2012/12/29 15:54:55 | 000,002,156 | ---- | M] () -- C:\Users\Public\Desktop\Play The Chronicles of Emerland Solitaire.lnk
[2012/12/23 15:39:42 | 000,001,911 | ---- | M] () -- C:\Users\Public\Desktop\Play Fishdom 3.lnk
[2012/12/21 03:16:44 | 000,472,576 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/12/19 16:26:48 | 000,055,296 | ---- | M] () -- C:\Users\Pelico\Documents\BSOD_Windows7_Vista_v2.64_jcgriff2_.exe
[2012/12/19 16:26:34 | 000,649,864 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Pelico\Documents\autoruns.exe
[2012/12/16 09:11:22 | 000,046,080 | ---- | M] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
[2012/12/16 06:45:03 | 000,367,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
[2012/12/16 06:13:28 | 000,295,424 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
[2012/12/16 06:13:20 | 000,034,304 | ---- | M] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
[2012/12/13 17:11:49 | 000,002,856 | ---- | M] () -- C:\Users\Pelico\Desktop\startup.rtf
[2012/12/13 10:26:06 | 000,005,651 | ---- | M] () -- C:\Users\Pelico\Desktop\Document.rtf
[2012/12/12 22:46:23 | 000,005,680 | ---- | M] () -- C:\Users\Pelico\Documents\Document.rtf
[2012/12/12 18:14:00 | 000,001,924 | ---- | M] () -- C:\Users\Public\Desktop\Play Patchworkz.lnk
[2012/12/09 19:01:21 | 000,002,278 | ---- | M] () -- C:\Users\Public\Desktop\Play Phantasmat - Crucible Peak Collector's Edition.lnk

========== Files Created - No Company Name ==========

[2013/01/04 15:23:02 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/01/04 15:23:02 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/01/04 15:23:02 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/01/04 15:23:02 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/01/04 15:23:02 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/01/03 16:40:13 | 000,002,554 | ---- | C] () -- C:\Users\Public\Desktop\Play Death Upon an Austrian Sonata - A Dana Knightstone Novel Collector's Edition.lnk
[2013/01/03 16:40:13 | 000,001,382 | ---- | C] () -- C:\Users\Public\Desktop\More Great Games.lnk
[2013/01/03 12:18:34 | 000,761,856 | ---- | C] () -- C:\Users\Pelico\Desktop\RogueKiller.exe
[2013/01/03 12:18:11 | 000,551,997 | ---- | C] () -- C:\Users\Pelico\Desktop\adwcleaner.exe
[2013/01/03 12:17:35 | 000,856,731 | ---- | C] () -- C:\Users\Pelico\Desktop\SecurityCheck.exe
[2013/01/02 16:16:15 | 000,002,278 | ---- | C] () -- C:\Users\Public\Desktop\Play Gothic Fiction - Dark Saga Collector's Edition.lnk
[2012/12/29 15:54:55 | 000,002,156 | ---- | C] () -- C:\Users\Public\Desktop\Play The Chronicles of Emerland Solitaire.lnk
[2012/12/23 15:39:42 | 000,001,911 | ---- | C] () -- C:\Users\Public\Desktop\Play Fishdom 3.lnk
[2012/12/19 16:26:48 | 000,055,296 | ---- | C] () -- C:\Users\Pelico\Documents\BSOD_Windows7_Vista_v2.64_jcgriff2_.exe
[2012/12/13 17:11:49 | 000,002,856 | ---- | C] () -- C:\Users\Pelico\Desktop\startup.rtf
[2012/12/13 10:26:06 | 000,005,651 | ---- | C] () -- C:\Users\Pelico\Desktop\Document.rtf
[2012/12/12 22:46:23 | 000,005,680 | ---- | C] () -- C:\Users\Pelico\Documents\Document.rtf
[2012/12/12 18:14:00 | 000,001,924 | ---- | C] () -- C:\Users\Public\Desktop\Play Patchworkz.lnk
[2012/12/09 19:01:21 | 000,002,278 | ---- | C] () -- C:\Users\Public\Desktop\Play Phantasmat - Crucible Peak Collector's Edition.lnk

========== ZeroAccess Check ==========

[2009/07/13 20:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 21:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 20:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 17:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 04:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 17:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\ProgramData\TEMP:1409277B
@Alternate Data Stream - 261 bytes -> C:\ProgramData\TEMP:12258D63
@Alternate Data Stream - 259 bytes -> C:\ProgramData\TEMP:D987CB43
@Alternate Data Stream - 259 bytes -> C:\ProgramData\TEMP:CA1AFE85
@Alternate Data Stream - 259 bytes -> C:\ProgramData\TEMP:4244811A
@Alternate Data Stream - 258 bytes -> C:\ProgramData\TEMP:84C34762
@Alternate Data Stream - 256 bytes -> C:\ProgramData\TEMP:754E278B
@Alternate Data Stream - 254 bytes -> C:\ProgramData\TEMP:FFC3922F
@Alternate Data Stream - 254 bytes -> C:\ProgramData\TEMP:BECA50FF
@Alternate Data Stream - 252 bytes -> C:\ProgramData\TEMP:5539129F
@Alternate Data Stream - 251 bytes -> C:\ProgramData\TEMP:6CF828C2
@Alternate Data Stream - 250 bytes -> C:\ProgramData\TEMP:6E65510A
@Alternate Data Stream - 250 bytes -> C:\ProgramData\TEMP:2E636DD9
@Alternate Data Stream - 249 bytes -> C:\ProgramData\TEMP:C46848E8
@Alternate Data Stream - 248 bytes -> C:\ProgramData\TEMP:2F474C84
@Alternate Data Stream - 248 bytes -> C:\ProgramData\TEMP:2A874675
@Alternate Data Stream - 247 bytes -> C:\ProgramData\TEMP:E8B61305
@Alternate Data Stream - 247 bytes -> C:\ProgramData\TEMP:6A9CA6CB
@Alternate Data Stream - 246 bytes -> C:\ProgramData\TEMP:3487C53E
@Alternate Data Stream - 246 bytes -> C:\ProgramData\TEMP:1A15E356
@Alternate Data Stream - 245 bytes -> C:\ProgramData\TEMP:A6345BDA
@Alternate Data Stream - 245 bytes -> C:\ProgramData\TEMP:96372A73
@Alternate Data Stream - 244 bytes -> C:\ProgramData\TEMP:E4E83517
@Alternate Data Stream - 243 bytes -> C:\ProgramData\TEMP:1B90AAB4
@Alternate Data Stream - 242 bytes -> C:\ProgramData\TEMP:65C4D44A
@Alternate Data Stream - 242 bytes -> C:\ProgramData\TEMP:3D4B733E
@Alternate Data Stream - 241 bytes -> C:\ProgramData\TEMP:A6F30843
@Alternate Data Stream - 241 bytes -> C:\ProgramData\TEMP:1224B4C3
@Alternate Data Stream - 240 bytes -> C:\ProgramData\TEMP:B8791731
@Alternate Data Stream - 240 bytes -> C:\ProgramData\TEMP:54403233
@Alternate Data Stream - 239 bytes -> C:\ProgramData\TEMP:E0888117
@Alternate Data Stream - 239 bytes -> C:\ProgramData\TEMP:5E73E1C2
@Alternate Data Stream - 238 bytes -> C:\ProgramData\TEMP:6EE8565A
@Alternate Data Stream - 237 bytes -> C:\ProgramData\TEMP:97AAB7F2
@Alternate Data Stream - 237 bytes -> C:\ProgramData\TEMP:16F4BC64
@Alternate Data Stream - 237 bytes -> C:\ProgramData\TEMP:0E22C5DB
@Alternate Data Stream - 236 bytes -> C:\ProgramData\TEMP:B1786630
@Alternate Data Stream - 236 bytes -> C:\ProgramData\TEMP:5A9F1AE5
@Alternate Data Stream - 236 bytes -> C:\ProgramData\TEMP:0168CC60
@Alternate Data Stream - 235 bytes -> C:\ProgramData\TEMP:FD7DCDA6
@Alternate Data Stream - 234 bytes -> C:\ProgramData\TEMP:FF717A18
@Alternate Data Stream - 234 bytes -> C:\ProgramData\TEMP:EBCF5924
@Alternate Data Stream - 233 bytes -> C:\ProgramData\TEMP:56FBA78D
@Alternate Data Stream - 233 bytes -> C:\ProgramData\TEMP:120B3AFD
@Alternate Data Stream - 232 bytes -> C:\ProgramData\TEMP:D696AA12
@Alternate Data Stream - 232 bytes -> C:\ProgramData\TEMP:3EC5BC08
@Alternate Data Stream - 232 bytes -> C:\ProgramData\TEMP:1B389835
@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:B0456F0C
@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:AABECEFB
@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:7A2101AB
@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:5ECEFF17
@Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:0A74923C
@Alternate Data Stream - 230 bytes -> C:\ProgramData\TEMP:B65E763D
@Alternate Data Stream - 230 bytes -> C:\ProgramData\TEMP:ADE67221
@Alternate Data Stream - 230 bytes -> C:\ProgramData\TEMP:795F6DEC
@Alternate Data Stream - 229 bytes -> C:\ProgramData\TEMP:C3A047E3
@Alternate Data Stream - 229 bytes -> C:\ProgramData\TEMP:A2FF62A6
@Alternate Data Stream - 229 bytes -> C:\ProgramData\TEMP:9195103F
@Alternate Data Stream - 228 bytes -> C:\ProgramData\TEMP:F8DE80DB
@Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:F9689B72
@Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:6EA64886
@Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:6294B369
@Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:53B8C5D2
@Alternate Data Stream - 226 bytes -> C:\ProgramData\TEMP:2F8138B7
@Alternate Data Stream - 226 bytes -> C:\ProgramData\TEMP:0474F714
@Alternate Data Stream - 226 bytes -> C:\ProgramData\TEMP:02CC0035
@Alternate Data Stream - 224 bytes -> C:\ProgramData\TEMP:5DB36C47
@Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:EAF954B6
@Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:B4258C5D
@Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:65137F0D
@Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:14B2E0BD
@Alternate Data Stream - 221 bytes -> C:\ProgramData\TEMP:AD2DB2F9
@Alternate Data Stream - 219 bytes -> C:\ProgramData\TEMP:88E8CC2E
@Alternate Data Stream - 219 bytes -> C:\ProgramData\TEMP:4D551822
@Alternate Data Stream - 218 bytes -> C:\ProgramData\TEMP:9725F1BC
@Alternate Data Stream - 217 bytes -> C:\ProgramData\TEMP:9FD757A9
@Alternate Data Stream - 216 bytes -> C:\ProgramData\TEMP:1968990D
@Alternate Data Stream - 214 bytes -> C:\ProgramData\TEMP:902C848D
@Alternate Data Stream - 212 bytes -> C:\ProgramData\TEMP:ED0B32CA
@Alternate Data Stream - 210 bytes -> C:\ProgramData\TEMP:6C5EC3CD
@Alternate Data Stream - 210 bytes -> C:\ProgramData\TEMP:13AA281B
@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:6017A808
@Alternate Data Stream - 205 bytes -> C:\ProgramData\TEMP:DA5888A7
@Alternate Data Stream - 204 bytes -> C:\ProgramData\TEMP:45912F61
@Alternate Data Stream - 201 bytes -> C:\ProgramData\TEMP:1DD8718C
@Alternate Data Stream - 200 bytes -> C:\ProgramData\TEMP:E51234A9
@Alternate Data Stream - 197 bytes -> C:\ProgramData\TEMP:A3E39C6A
@Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:6ED8B881
@Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:1E2D49E0
@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:62AF94A0
@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:4EC7F009
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:E265ED33
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:39B14E09
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:FB71A279
@Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:9D6EAEC3
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:FD786DCA
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:4AC7B5C1
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:10B970A9
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:895A78C5
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:6896CCCE
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:95D421DF
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:FD6D11C9
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:084612C9
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:EE2DD6CC
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:EDE28CFC
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:2E33E4A6
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:10CB85CA
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E3615992
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:80253E8D
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:DF5ABA3D
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:132714FA
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:302ECBD6
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:FDEE14AC
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:9968F0E2
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:6A0A47E7
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:58E38390
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:F72306CC
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:0EC7A545

< End of report >
  • 0

#13
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image text box.
    :OTL
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    O4 - HKLM..\Run: [] File not found
    O18:64bit: - Protocol\Handler\intu-help-qb3 - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
    O18:64bit: - Protocol\Handler\qbwc - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    @Alternate Data Stream - 98 bytes -> C:\ProgramData\TEMP:1409277B
    @Alternate Data Stream - 261 bytes -> C:\ProgramData\TEMP:12258D63
    @Alternate Data Stream - 259 bytes -> C:\ProgramData\TEMP:D987CB43
    @Alternate Data Stream - 259 bytes -> C:\ProgramData\TEMP:CA1AFE85
    @Alternate Data Stream - 259 bytes -> C:\ProgramData\TEMP:4244811A
    @Alternate Data Stream - 258 bytes -> C:\ProgramData\TEMP:84C34762
    @Alternate Data Stream - 256 bytes -> C:\ProgramData\TEMP:754E278B
    @Alternate Data Stream - 254 bytes -> C:\ProgramData\TEMP:FFC3922F
    @Alternate Data Stream - 254 bytes -> C:\ProgramData\TEMP:BECA50FF
    @Alternate Data Stream - 252 bytes -> C:\ProgramData\TEMP:5539129F
    @Alternate Data Stream - 251 bytes -> C:\ProgramData\TEMP:6CF828C2
    @Alternate Data Stream - 250 bytes -> C:\ProgramData\TEMP:6E65510A
    @Alternate Data Stream - 250 bytes -> C:\ProgramData\TEMP:2E636DD9
    @Alternate Data Stream - 249 bytes -> C:\ProgramData\TEMP:C46848E8
    @Alternate Data Stream - 248 bytes -> C:\ProgramData\TEMP:2F474C84
    @Alternate Data Stream - 248 bytes -> C:\ProgramData\TEMP:2A874675
    @Alternate Data Stream - 247 bytes -> C:\ProgramData\TEMP:E8B61305
    @Alternate Data Stream - 247 bytes -> C:\ProgramData\TEMP:6A9CA6CB
    @Alternate Data Stream - 246 bytes -> C:\ProgramData\TEMP:3487C53E
    @Alternate Data Stream - 246 bytes -> C:\ProgramData\TEMP:1A15E356
    @Alternate Data Stream - 245 bytes -> C:\ProgramData\TEMP:A6345BDA
    @Alternate Data Stream - 245 bytes -> C:\ProgramData\TEMP:96372A73
    @Alternate Data Stream - 244 bytes -> C:\ProgramData\TEMP:E4E83517
    @Alternate Data Stream - 243 bytes -> C:\ProgramData\TEMP:1B90AAB4
    @Alternate Data Stream - 242 bytes -> C:\ProgramData\TEMP:65C4D44A
    @Alternate Data Stream - 242 bytes -> C:\ProgramData\TEMP:3D4B733E
    @Alternate Data Stream - 241 bytes -> C:\ProgramData\TEMP:A6F30843
    @Alternate Data Stream - 241 bytes -> C:\ProgramData\TEMP:1224B4C3
    @Alternate Data Stream - 240 bytes -> C:\ProgramData\TEMP:B8791731
    @Alternate Data Stream - 240 bytes -> C:\ProgramData\TEMP:54403233
    @Alternate Data Stream - 239 bytes -> C:\ProgramData\TEMP:E0888117
    @Alternate Data Stream - 239 bytes -> C:\ProgramData\TEMP:5E73E1C2
    @Alternate Data Stream - 238 bytes -> C:\ProgramData\TEMP:6EE8565A
    @Alternate Data Stream - 237 bytes -> C:\ProgramData\TEMP:97AAB7F2
    @Alternate Data Stream - 237 bytes -> C:\ProgramData\TEMP:16F4BC64
    @Alternate Data Stream - 237 bytes -> C:\ProgramData\TEMP:0E22C5DB
    @Alternate Data Stream - 236 bytes -> C:\ProgramData\TEMP:B1786630
    @Alternate Data Stream - 236 bytes -> C:\ProgramData\TEMP:5A9F1AE5
    @Alternate Data Stream - 236 bytes -> C:\ProgramData\TEMP:0168CC60
    @Alternate Data Stream - 235 bytes -> C:\ProgramData\TEMP:FD7DCDA6
    @Alternate Data Stream - 234 bytes -> C:\ProgramData\TEMP:FF717A18
    @Alternate Data Stream - 234 bytes -> C:\ProgramData\TEMP:EBCF5924
    @Alternate Data Stream - 233 bytes -> C:\ProgramData\TEMP:56FBA78D
    @Alternate Data Stream - 233 bytes -> C:\ProgramData\TEMP:120B3AFD
    @Alternate Data Stream - 232 bytes -> C:\ProgramData\TEMP:D696AA12
    @Alternate Data Stream - 232 bytes -> C:\ProgramData\TEMP:3EC5BC08
    @Alternate Data Stream - 232 bytes -> C:\ProgramData\TEMP:1B389835
    @Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:B0456F0C
    @Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:AABECEFB
    @Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:7A2101AB
    @Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:5ECEFF17
    @Alternate Data Stream - 231 bytes -> C:\ProgramData\TEMP:0A74923C
    @Alternate Data Stream - 230 bytes -> C:\ProgramData\TEMP:B65E763D
    @Alternate Data Stream - 230 bytes -> C:\ProgramData\TEMP:ADE67221
    @Alternate Data Stream - 230 bytes -> C:\ProgramData\TEMP:795F6DEC
    @Alternate Data Stream - 229 bytes -> C:\ProgramData\TEMP:C3A047E3
    @Alternate Data Stream - 229 bytes -> C:\ProgramData\TEMP:A2FF62A6
    @Alternate Data Stream - 229 bytes -> C:\ProgramData\TEMP:9195103F
    @Alternate Data Stream - 228 bytes -> C:\ProgramData\TEMP:F8DE80DB
    @Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:F9689B72
    @Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:6EA64886
    @Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:6294B369
    @Alternate Data Stream - 227 bytes -> C:\ProgramData\TEMP:53B8C5D2
    @Alternate Data Stream - 226 bytes -> C:\ProgramData\TEMP:2F8138B7
    @Alternate Data Stream - 226 bytes -> C:\ProgramData\TEMP:0474F714
    @Alternate Data Stream - 226 bytes -> C:\ProgramData\TEMP:02CC0035
    @Alternate Data Stream - 224 bytes -> C:\ProgramData\TEMP:5DB36C47
    @Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:EAF954B6
    @Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:B4258C5D
    @Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:65137F0D
    @Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:14B2E0BD
    @Alternate Data Stream - 221 bytes -> C:\ProgramData\TEMP:AD2DB2F9
    @Alternate Data Stream - 219 bytes -> C:\ProgramData\TEMP:88E8CC2E
    @Alternate Data Stream - 219 bytes -> C:\ProgramData\TEMP:4D551822
    @Alternate Data Stream - 218 bytes -> C:\ProgramData\TEMP:9725F1BC
    @Alternate Data Stream - 217 bytes -> C:\ProgramData\TEMP:9FD757A9
    @Alternate Data Stream - 216 bytes -> C:\ProgramData\TEMP:1968990D
    @Alternate Data Stream - 214 bytes -> C:\ProgramData\TEMP:902C848D
    @Alternate Data Stream - 212 bytes -> C:\ProgramData\TEMP:ED0B32CA
    @Alternate Data Stream - 210 bytes -> C:\ProgramData\TEMP:6C5EC3CD
    @Alternate Data Stream - 210 bytes -> C:\ProgramData\TEMP:13AA281B
    @Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:6017A808
    @Alternate Data Stream - 205 bytes -> C:\ProgramData\TEMP:DA5888A7
    @Alternate Data Stream - 204 bytes -> C:\ProgramData\TEMP:45912F61
    @Alternate Data Stream - 201 bytes -> C:\ProgramData\TEMP:1DD8718C
    @Alternate Data Stream - 200 bytes -> C:\ProgramData\TEMP:E51234A9
    @Alternate Data Stream - 197 bytes -> C:\ProgramData\TEMP:A3E39C6A
    @Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:6ED8B881
    @Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:1E2D49E0
    @Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:62AF94A0
    @Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:4EC7F009
    @Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:E265ED33
    @Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:39B14E09
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:FB71A279
    @Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:9D6EAEC3
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:FD786DCA
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:4AC7B5C1
    @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:10B970A9
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:895A78C5
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:6896CCCE
    @Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:95D421DF
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:FD6D11C9
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:084612C9
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:EE2DD6CC
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:EDE28CFC
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:2E33E4A6
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:10CB85CA
    @Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E3615992
    @Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:80253E8D
    @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:DF5ABA3D
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:132714FA
    @Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:302ECBD6
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:FDEE14AC
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:9968F0E2
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:6A0A47E7
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:58E38390
    @Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:F72306CC
    @Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:0EC7A545    
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Let me know How things are doing

Gringo
  • 0

#14
silviab

silviab

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Hi Gringo,

I did what you asked & it did ask to reboot which I did. But when it rebooted, it never opened a report in notebook. What should I do? Repeat the scan in otl?

Thanks,

Silvia
  • 0

#15
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

  • 1






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP