
Search Redirects, Windows Update failing


  • This topic is locked
75 replies to this topic

#1 thelaw

thelaw

  • Members
  • 48 posts
  • OFFLINE
  • Local time:05:28 PM

Posted 27 April 2012 - 02:18 AM

Hi guys. I am new here, so please tell me if I am not following proper protocol here.

System is a relative's netbook. That means no DVD drive and no Windows install DVD. Here is what I know:

-Cannot even enable Windows Firewall.
-No CD emulation programs installed.
-GMER scan can only include Services, Registry, Files, and ADS checked. I am unable to check System, Sections, Devices, Modules, Processes, Threads, and Libraries.
-Have trouble getting some anti-malware programs to even load, let alone run.
-Some files may have been hidden or marked read-only by this infection.
-Windows updates have been failing.
-Because Windows updates keep failing, there are no more non-infected restore points.
-Search results are being redirected.


I would appreciate any help you guys can give me. Thanks so much.

Here is the DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 1:30:36 on 2012-04-25
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.2039.1068 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k bthsvcs
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Intel\IntelAppStore\bin\serviceManager.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:Tabs
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Intel AppUp(SM) center] "c:\program files\intel\intelappstore\bin\serviceManager.lnk"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
uPolicies-system: WallpaperStyle = 2
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: WallpaperStyle = 2
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{C175AE8F-8D9A-4439-AB02-F4F30C15DA90} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{C175AE8F-8D9A-4439-AB02-F4F30C15DA90}\1374058483 : DhcpNameServer = 192.168.1.1 71.243.0.12
TCP: Interfaces\{C175AE8F-8D9A-4439-AB02-F4F30C15DA90}\2516D616461602C496D696475646023516E647160224162726162716 : DhcpNameServer = 12.127.17.71 168.215.210.226 168.215.210.230
TCP: Interfaces\{C175AE8F-8D9A-4439-AB02-F4F30C15DA90}\328373842653A282E2F2E3F3C6A3C46652A2 : DhcpNameServer = 10.10.1.1
TCP: Interfaces\{C175AE8F-8D9A-4439-AB02-F4F30C15DA90}\464646565656 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C175AE8F-8D9A-4439-AB02-F4F30C15DA90}\76F676F696E666C696768647 : DhcpNameServer = 172.19.134.2
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 MpKslb5714bc4;MpKslb5714bc4;c:\windows\system32\mpenginestore\MpKslb5714bc4.sys [2012-4-24 29904]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_fa0513b7754bf240\AEstSrv.exe [2009-3-2 81920]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-4-27 50688]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-4-13 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-10 253088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-4-13 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-3-17 167424]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-12 52224]
S3 UCORESYS;UCORESYS;c:\users\owner\appdata\local\temp\pftf07a.tmp\Ucoresys.sys [2008-7-24 15432]
.
=============== Created Last 30 ================
.
2012-04-25 04:51:56 -------- d-----w- c:\windows\system32\MpEngineStore
2012-04-25 04:50:42 -------- d-----w- C:\69213ef1eff039a5abea
2012-04-24 23:34:42 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{657f854e-1b56-4ac6-b918-b0acd587cd70}\offreg.dll
2012-04-24 23:03:34 -------- d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2012-04-24 23:03:02 -------- d-----w- c:\programdata\Malwarebytes
2012-04-24 23:02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-24 22:25:23 6734704 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{657f854e-1b56-4ac6-b918-b0acd587cd70}\mpengine.dll
2012-04-14 23:04:04 -------- d-----w- c:\users\owner\appdata\local\Google
2012-04-14 20:31:15 558592 ----a-w- c:\users\owner\appdata\roaming\microsoft\microsoft\fptjnmg.dll
2012-04-14 20:31:12 558592 ----a-w- c:\users\owner\appdata\roaming\microsoft\microsoft\kmzkybj.dll
2012-04-14 00:05:30 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-11 04:22:28 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-10 03:36:31 543336 ----a-w- c:\users\owner\appdata\roaming\microsoft\microsoft\hqsysrld.dll
2012-04-10 03:36:29 208896 ----a-w- c:\users\owner\appdata\roaming\microsoft\microsoft\arroibs.dll
2012-04-07 17:32:10 -------- d-----w- c:\programdata\AIM Toolbar
2012-04-07 17:32:10 -------- d-----w- c:\program files\AIM Toolbar
2012-04-07 17:31:47 -------- d-----w- c:\program files\common files\Software Update Utility
2012-04-07 16:51:14 -------- d-----w- c:\users\owner\appdata\local\Apps
2012-04-07 16:51:13 -------- d-----w- c:\users\owner\appdata\local\Deployment
2012-04-04 06:47:41 -------- d-----w- c:\program files\iPod
2012-04-04 06:47:39 -------- d-----w- c:\program files\iTunes
2012-04-04 06:43:21 -------- d-----w- c:\program files\Bonjour
2012-04-04 06:35:56 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-04-04 06:35:56 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-04-04 06:35:56 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-04-04 06:35:56 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-04-04 06:35:56 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-04-04 06:35:56 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-04-04 06:35:56 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2012-04-14 23:07:45 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 18:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 18:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-10 05:38:43 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-02-03 03:54:27 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 1:43:29.16 ===============



Here is an abbreviated GMER file because I cannot check the other options:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-26 23:12:44
Windows 6.1.7601 Service Pack 1
Running: xu6pqvio.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kgloapow.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6b2af2e9
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00265ec04a7b
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6b2af2e9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00265ec04a7b (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextDetectionTime 2012-04-27 01:39:07
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect@LastSuccessTime 2012-04-26 06:45:25
Reg HKLM\SOFTWARE\Classes\CLSID\{F706B4B5-72BC-49D5-967C-05194FA83446}\LocalServer32@ "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe"
Reg HKLM\SOFTWARE\Classes\TypeLib\{84DCD935-B80A-4DBA-8530-F151736F7F8C}\1.0\0\win32@ c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe\1
Reg HKLM\SOFTWARE\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF400}\1.0\0\win32@ c:\Program Files\Microsoft Security Client\Antimalware\MsMpCom.dll
Reg HKLM\SOFTWARE\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF400}\1.0\HELPDIR@ c:\Program Files\Microsoft Security Client\Antimalware\

---- Files - GMER 1.0.15 ----

File C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5AO2CQDO\if[2].htm 184 bytes
File C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5AO2CQDO\if[3].htm 2776 bytes
File C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BJPRC2JA\pixel_adsafeprotected_com[1].gif 43 bytes
File C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BJPRC2JA\like[2].htm 33961 bytes
File C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4L51GP1\emily[1].htm 11782 bytes
File C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4L51GP1\alice[1].js 23497 bytes
File C:\Windows\$NtUninstallKB42357$\3543299655 0 bytes
File C:\Windows\$NtUninstallKB42357$\3543299655\L 0 bytes
File C:\Windows\$NtUninstallKB42357$\3543299655\U 0 bytes
File C:\Windows\$NtUninstallKB42357$\4200934047 0 bytes

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  DDS.txt   11.74KB   0 downloads
  • Attached File  ark.txt   3.3KB   3 downloads

Edited by thelaw, 27 April 2012 - 02:20 AM.



#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:09:28 PM

Posted 27 April 2012 - 02:23 AM

Hello thelaw and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)

    • Because of this, you must reply within 3 days; failure to reply will result in the topic being closed! I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.

    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


NEXT:



One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue.
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:



Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:


Running OTL

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double-click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Copy and Paste the following code into the custom scan textbox.
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    CreateRestorePoint
    "%WinDir%\$NtUninstallKB*$." /30
    C:\Program Files\Common Files\ComObjects\*.* /s
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %SYSTEMDRIVE%\*.exe
    "c:\users\owner\appdata\roaming\microsoft\microsoft\*.*" /s
    /md5start
    volsnap.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    tdx.sys
    afd.sys
    netbt.sys
    /md5stop
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.


Please let me know how the above scans go.

Kindest Regards,
ST.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
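The logs posted in this thread show three kinds of indicator that a helper looks for in a case like this: randomly named DLLs dropped under a doubled Microsoft\Microsoft folder in the roaming profile (DDS "Created Last 30"), zero-byte entries inside a $NtUninstallKB…$ folder under C:\Windows (GMER "Files"), and security services such as MpsSvc, bfe, wscsvc and WinDefend whose registry keys no longer exist (Farbar Service Scanner). The Python script below is an added example, not part of this thread and not code from DDS, GMER, FSS or any other tool mentioned here. It parses those three log formats and reports the indicators; the sample lines are copied from the logs in this thread, and the indicator patterns and the service watch-list are assumptions chosen to match what is visible here rather than a complete signature for any malware family.

```python
import re
from typing import List, Tuple

# Sample input, copied from the DDS, GMER and Farbar Service Scanner logs posted
# in this thread (a few representative lines from each, not the full logs).
DDS_CREATED_LAST_30 = r"""
2012-04-25 04:51:56 -------- d-----w- c:\windows\system32\MpEngineStore
2012-04-24 23:02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-14 20:31:15 558592 ----a-w- c:\users\owner\appdata\roaming\microsoft\microsoft\fptjnmg.dll
2012-04-14 20:31:12 558592 ----a-w- c:\users\owner\appdata\roaming\microsoft\microsoft\kmzkybj.dll
2012-04-14 00:05:30 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-10 03:36:31 543336 ----a-w- c:\users\owner\appdata\roaming\microsoft\microsoft\hqsysrld.dll
2012-04-10 03:36:29 208896 ----a-w- c:\users\owner\appdata\roaming\microsoft\microsoft\arroibs.dll
"""

GMER_FILES = r"""
File C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5AO2CQDO\if[2].htm 184 bytes
File C:\Windows\$NtUninstallKB42357$\3543299655 0 bytes
File C:\Windows\$NtUninstallKB42357$\3543299655\L 0 bytes
File C:\Windows\$NtUninstallKB42357$\3543299655\U 0 bytes
File C:\Windows\$NtUninstallKB42357$\4200934047 0 bytes
"""

FSS_OUTPUT = """
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
"""

# One DDS "Created Last 30" line: timestamp, size (dashes for a directory), 8-char attributes, path.
DDS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S{8})\s+(.+)$")
# One GMER "Files" line; the path may contain spaces, so match lazily up to the size.
GMER_LINE = re.compile(r"^File (.+?) (\d+) bytes$")
# FSS complaint that a service's registry key is gone.
FSS_MISSING_KEY = re.compile(r"Unable to open (\S+) registry key\. The service key does not exist\.")

# Indicator patterns: assumptions made for this example, chosen to match the thread's logs.
ROAMING_MS_DLL = re.compile(r"\\appdata\\roaming\\microsoft\\microsoft\\[^\\]+\.dll$", re.IGNORECASE)
NTUNINSTALL_DIR = re.compile(r"\\\$NtUninstall[^\\]*\$\\", re.IGNORECASE)
SECURITY_SERVICES = {"mpssvc", "bfe", "wscsvc", "windefend"}  # the services FSS reports missing above


def parse_dds_created(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, size, attributes, path) for each well-formed DDS line."""
    rows = []
    for line in text.strip().splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return rows


def parse_gmer_files(text: str) -> List[Tuple[str, int]]:
    """Return (path, size_in_bytes) for each GMER 'File ...' line."""
    rows = []
    for line in text.strip().splitlines():
        m = GMER_LINE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return rows


def parse_fss_missing_services(text: str) -> List[str]:
    """Return the distinct service names FSS could not find a registry key for, in log order."""
    seen: List[str] = []
    for m in FSS_MISSING_KEY.finditer(text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def triage(dds_text: str, gmer_text: str, fss_text: str) -> List[Tuple[str, str]]:
    """Combine the three parsers and return (indicator, detail) findings."""
    findings: List[Tuple[str, str]] = []
    for _ts, _size, _attrs, path in parse_dds_created(dds_text):
        if ROAMING_MS_DLL.search(path):
            findings.append(("roaming-microsoft-dll", path))
    for path, size in parse_gmer_files(gmer_text):
        # Zero-byte entries under a $NtUninstall...$ folder are the pattern seen in this thread.
        if size == 0 and NTUNINSTALL_DIR.search(path):
            findings.append(("ntuninstall-zero-byte-file", path))
    for svc in parse_fss_missing_services(fss_text):
        if svc.lower() in SECURITY_SERVICES:
            findings.append(("security-service-key-missing", svc))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(DDS_CREATED_LAST_30, GMER_FILES, FSS_OUTPUT):
        print(f"{kind:30} {detail}")
```

Each parser is deliberately lenient: a line that does not match its format is skipped rather than raising, because these logs are pasted into forum posts and frequently arrive with wrapped or truncated lines. The findings are a triage aid only; the helper's instructions above (TDSSKiller, FSS and a full OTL report) remain the way to confirm and act on them.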


#3 thelaw

thelaw
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:05:28 PM

Posted 27 April 2012 - 03:51 AM

1. n/a
2. Malware is killing TDSSKiller before the program finishes loading.
3. Farbar Service Scanner log:

Farbar Service Scanner Version: 24-04-2012
Ran by Owner (administrator) on 27-04-2012 at 00:44:32
Running from "F:\fix tools"
Microsoft Windows 7 Starter Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

4. OTL.txt & Extras.txt logs

a. OTL.txt

OTL logfile created on: 4/27/2012 12:51:03 AM - Run 1
OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\Owner\Desktop
Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.30 Gb Available Physical Memory | 65.26% Memory free
3.98 Gb Paging File | 3.26 Gb Available in Paging File | 81.77% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 137.51 Gb Total Space | 103.26 Gb Free Space | 75.09% Space Free | Partition Type: NTFS
Drive D: | 11.33 Gb Total Space | 1.89 Gb Free Space | 16.68% Space Free | Partition Type: NTFS
Drive F: | 491.71 Mb Total Space | 11.71 Mb Free Space | 2.38% Space Free | Partition Type: FAT

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/27 00:28:00 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
PRC - [2011/06/23 21:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 05:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/09/03 09:05:34 | 000,566,024 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelAppStore\bin\serviceManager.exe
PRC - [2009/08/13 18:09:38 | 000,467,036 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2009/08/13 18:09:38 | 000,221,266 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\stacsv.exe
PRC - [2009/03/02 19:43:08 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\AEstSrv.exe


========== Modules (No Company Name) ==========

MOD - [2010/10/13 12:45:55 | 003,928,304 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\plugin\libbizlplugin.dll
MOD - [2010/09/03 09:05:30 | 000,400,384 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\sqlite3.dll
MOD - [2010/09/03 09:05:30 | 000,322,048 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\log4cplus.dll
MOD - [2010/09/03 09:05:30 | 000,194,048 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\libgsoap.dll
MOD - [2010/09/03 09:05:30 | 000,013,312 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\featureController.dll
MOD - [2010/09/03 09:05:28 | 002,202,624 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\QtCore4.dll
MOD - [2010/09/03 09:05:28 | 000,959,488 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\QtNetwork4.dll
MOD - [2010/09/03 09:05:28 | 000,377,856 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\QtXml4.dll
MOD - [2010/09/03 09:05:28 | 000,062,464 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\zlib1.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/04/14 16:07:46 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/08/13 18:09:38 | 000,221,266 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\stacsv.exe -- (STacSV)
SRV - [2009/05/22 11:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/03/02 19:43:08 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\AEstSrv.exe -- (AESTFilters)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\RtsUCcid.sys -- (USBCCID)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Rts516xIR.sys -- (RtsUIR)
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\kaqhhbcs.sys -- (kaqhhbcs)
DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010/11/20 03:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 02:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/04/14 02:01:48 | 000,045,736 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\btusbflt.sys -- (btusbflt)
DRV - [2009/08/13 18:09:38 | 000,409,088 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2009/07/13 16:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/07/13 15:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD)
DRV - [2009/06/24 11:59:10 | 000,167,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2009/04/27 17:26:44 | 000,050,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C) NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20)
DRV - [2008/07/24 15:16:12 | 000,015,432 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Users\Owner\AppData\Local\Temp\pftF07A.tmp\UCORESYS.SYS -- (UCORESYS)
DRV - [2005/08/17 08:47:48 | 000,073,696 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdserd.sys -- (sscdserd) SAMSUNG CDMA Modem Diagnostic Serial Port (WDM)
DRV - [2005/08/17 08:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/08/17 08:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/08/17 08:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
IE - HKLM\..\SearchScopes,DefaultScope = {309B6E7A-5F40-4B69-B6F7-77B1634D9911}
IE - HKLM\..\SearchScopes\{15565EC0-EEBD-4452-BF6B-2C7ADB97C322}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKLM\..\SearchScopes\{309B6E7A-5F40-4B69-B6F7-77B1634D9911}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=HPNTDF&pc=HPNTDF&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aimright-chromesbox-en-us&tb_uuid=20120407173136285&tb_oid=07-04-2012&tb_mrud=07-04-2012


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
IE - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
IE - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
IE - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\..\SearchScopes,DefaultScope = {309B6E7A-5F40-4B69-B6F7-77B1634D9911}
IE - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\..\SearchScopes\{15565EC0-EEBD-4452-BF6B-2C7ADB97C322}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\..\SearchScopes\{309B6E7A-5F40-4B69-B6F7-77B1634D9911}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=HPNTDF&pc=HPNTDF&src=IE-SearchBox
IE - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aimright-chromesbox-en-us&tb_uuid=20120407173136285&tb_oid=07-04-2012&tb_mrud=07-04-2012
IE - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8064.0206: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/12 23:04:32 | 000,000,000 | ---D | M]


========== Chrome ==========


O1 HOSTS File: ([2009/06/10 14:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AOL Messaging Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O3 - HKLM\..\Toolbar: (AOL Messaging Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Intel AppUp(SM) center] C:\Program Files\Intel\IntelAppStore\bin\serviceManager.lnk ()
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKU\S-1-5-21-466536345-1373091364-2548406962-1000..\Run: [ArcSoft] C:\Users\Owner\AppData\Local\Deployment\ArcSoft\qnrxtf.dll (MainConcept GmbH)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: WallpaperStyle = 2
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: WallpaperStyle = 2
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-466536345-1373091364-2548406962-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: WallpaperStyle = 2
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C175AE8F-8D9A-4439-AB02-F4F30C15DA90}: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/03/12 12:48:06 | 000,000,090 | ---- | M] () - F:\AUTORUN.INF -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

MsConfig - StartUpReg: Aim - hkey= - key= - C:\Program Files\AIM\aim.exe (AOL Inc.)
MsConfig - StartUpReg: APSDaemon - hkey= - key= - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
MsConfig - StartUpReg: HP - hkey= - key= - C:\Program Files\Hewlett-Packard\HP QuickSync\QuickSync.exe (Hewlett-Packard)
MsConfig - StartUpReg: HP BTW Detect Program - hkey= - key= - C:\Program Files\HP\HPBTWD.exe ()
MsConfig - StartUpReg: HP Software Update - hkey= - key= - C:\Program Files\HP\HP Software Update\hpwuschd2.exe (Hewlett-Packard)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
MsConfig - StartUpReg: Update - hkey= - key= - File not found
MsConfig - StartUpReg: UpdatePRCShortCut - hkey= - key= - C:\Program Files\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - StartUpReg: WirelessAssistant - hkey= - key= - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe (Hewlett-Packard)
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: MsMpSvc - C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: WinDefend - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/04/27 00:46:28 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2012/04/26 22:28:15 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/04/25 01:10:44 | 000,883,616 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Owner\Desktop\FixExec.exe
[2012/04/25 01:10:44 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Owner\Desktop\unhide.exe
[2012/04/24 21:51:56 | 000,000,000 | ---D | C] -- C:\Windows\System32\MpEngineStore
[2012/04/24 21:50:42 | 000,000,000 | ---D | C] -- C:\69213ef1eff039a5abea
[2012/04/24 21:11:47 | 015,659,960 | ---- | C] (Microsoft Corporation) -- C:\Users\Owner\Desktop\Windows-KB890830-V4.7.exe
[2012/04/24 20:59:47 | 002,073,648 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Owner\Desktop\tdsskiller.exe
[2012/04/24 16:03:34 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Malwarebytes
[2012/04/24 16:03:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/24 16:03:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/04/24 16:02:52 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/04/14 16:04:04 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Google
[2012/04/13 23:06:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2012/04/13 23:06:52 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/04/13 17:05:30 | 004,126,368 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerInstaller.exe
[2012/04/10 21:22:28 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/04/07 10:32:10 | 000,000,000 | ---D | C] -- C:\ProgramData\AIM Toolbar
[2012/04/07 10:32:10 | 000,000,000 | ---D | C] -- C:\Program Files\AIM Toolbar
[2012/04/07 10:31:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2012/04/07 10:31:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AIM
[2012/04/07 09:51:14 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Apps
[2012/04/07 09:51:13 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Deployment
[2012/04/07 09:15:09 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SMART HDD
[2012/04/03 23:49:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/04/03 23:47:41 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/04/03 23:47:39 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/04/03 23:43:21 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2012/04/03 23:35:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012/04/03 23:34:55 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime

========== Files - Modified Within 30 Days ==========

[2012/04/27 00:38:02 | 000,626,278 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/27 00:38:02 | 000,107,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/04/27 00:37:34 | 000,014,128 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/27 00:37:34 | 000,014,128 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/27 00:35:49 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/27 00:30:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/27 00:30:05 | 1603,772,416 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/27 00:28:00 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2012/04/27 00:20:03 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/27 00:05:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/26 22:36:56 | 000,002,113 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/04/25 01:08:42 | 000,883,616 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Owner\Desktop\FixExec.exe
[2012/04/25 01:08:24 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Owner\Desktop\unhide.exe
[2012/04/24 21:11:47 | 015,659,960 | ---- | M] (Microsoft Corporation) -- C:\Users\Owner\Desktop\Windows-KB890830-V4.7.exe
[2012/04/24 20:55:48 | 002,073,648 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Owner\Desktop\tdsskiller.exe
[2012/04/24 20:55:12 | 000,302,592 | ---- | M] () -- C:\Users\Owner\Desktop\xu6pqvio.exe
[2012/04/24 20:54:22 | 001,008,141 | ---- | M] () -- C:\Users\Owner\Desktop\rkill.com
[2012/04/21 18:37:34 | 000,000,322 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForOwner.job
[2012/04/14 16:07:45 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/04/14 16:07:45 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/04/14 12:32:42 | 000,000,330 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForDanielQ.job
[2012/04/13 17:05:36 | 004,126,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerInstaller.exe
[2012/04/09 18:27:23 | 000,001,767 | ---- | M] () -- C:\Users\Owner\Desktop\Spotify.lnk
[2012/04/07 10:31:13 | 000,001,094 | ---- | M] () -- C:\IPH.PH
[2012/04/07 10:31:04 | 000,001,881 | ---- | M] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk
[2012/04/07 09:36:16 | 000,000,160 | ---- | M] () -- C:\ProgramData\-ARvOixGEGB2tglr
[2012/04/07 09:36:16 | 000,000,000 | ---- | M] () -- C:\ProgramData\-ARvOixGEGB2tgl
[2012/04/07 09:36:03 | 000,000,256 | ---- | M] () -- C:\ProgramData\ARvOixGEGB2tgl
[2012/04/03 23:49:02 | 000,001,753 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/04/03 23:35:35 | 000,001,815 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk

========== Files Created - No Company Name ==========

[2012/04/26 22:36:12 | 000,001,897 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/04/25 01:15:35 | 000,002,141 | ---- | C] () -- C:\Users\Public\Desktop\Intel AppUp(SM) center.lnk
[2012/04/25 01:15:35 | 000,002,075 | ---- | C] () -- C:\Users\Public\Desktop\Angry Birds Seasons.lnk
[2012/04/25 01:15:35 | 000,002,019 | ---- | C] () -- C:\Users\Public\Desktop\Angry Birds Rio.lnk
[2012/04/25 01:15:35 | 000,001,815 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/04/25 01:15:35 | 000,001,753 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/04/25 01:15:35 | 000,001,234 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2012/04/25 01:15:35 | 000,000,940 | ---- | C] () -- C:\Users\Public\Desktop\Angry Birds.lnk
[2012/04/25 01:15:34 | 000,002,557 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2012/04/25 01:15:34 | 000,001,562 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Try Microsoft Office for 60 days.lnk
[2012/04/25 01:15:34 | 000,001,515 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2012/04/25 01:15:34 | 000,001,352 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
[2012/04/25 01:15:34 | 000,001,330 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
[2012/04/25 01:15:34 | 000,001,246 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
[2012/04/25 01:15:34 | 000,001,210 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2012/04/25 01:15:34 | 000,000,182 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pandora Internet Radio.url
[2012/04/25 01:15:33 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2012/04/24 21:02:03 | 000,302,592 | ---- | C] () -- C:\Users\Owner\Desktop\xu6pqvio.exe
[2012/04/24 21:00:46 | 001,008,141 | ---- | C] () -- C:\Users\Owner\Desktop\rkill.com
[2012/04/13 23:16:32 | 000,000,330 | ---- | C] () -- C:\Windows\tasks\HPCeeScheduleForDanielQ.job
[2012/04/13 23:07:17 | 000,000,888 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/13 23:07:16 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/11 16:26:42 | 000,001,105 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2012/04/10 21:22:30 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/07 10:31:04 | 000,001,855 | ---- | C] () -- C:\Users\Public\Desktop\AIM.lnk
[2012/04/07 09:15:10 | 000,000,160 | ---- | C] () -- C:\ProgramData\-ARvOixGEGB2tglr
[2012/04/07 09:15:10 | 000,000,000 | ---- | C] () -- C:\ProgramData\-ARvOixGEGB2tgl
[2012/04/07 09:15:03 | 000,000,256 | ---- | C] () -- C:\ProgramData\ARvOixGEGB2tgl
[2012/03/27 16:23:48 | 000,000,000 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\wklnhst.dat
[2011/12/06 20:36:41 | 000,000,410 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2011/12/06 20:36:41 | 000,000,034 | ---- | C] () -- C:\Windows\System32\BD7040.DAT

========== Custom Scans ==========

< "%WinDir%\$NtUninstallKB*$." /30 >

< C:\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\system32\drivers\MpNWMon.sys

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >
[2012/02/16 21:14:08 | 000,183,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\drivers\rdpwd.sys
[2012/02/16 21:13:22 | 000,024,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\drivers\tdtcp.sys
[2012/02/15 11:01:50 | 000,043,520 | ---- | M] (Apple, Inc.) -- C:\Windows\system32\drivers\usbaapl.sys

< %SYSTEMDRIVE%\*.exe >

< "c:\users\owner\appdata\roaming\microsoft\microsoft\*.* /s >

< MD5 for: AFD.SYS >
[2011/04/24 19:35:40 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=0DB7A48388D54D154EBEC120461A0FCD -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys
[2010/11/20 01:40:03 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=1151FD4FB0216CFED887BFDE29EBD516 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys
[2011/04/24 19:18:03 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=9EBBBA55060F786F0FCAA3893BFA2806 -- C:\Windows\System32\drivers\afd.sys
[2011/04/24 19:18:03 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=9EBBBA55060F786F0FCAA3893BFA2806 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys
[2011/04/24 19:27:23 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=C114AB7A1550D42EA1700FFD4179CF5A -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys
[2011/04/24 20:24:09 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=C427F91A748CD342A2B3F9278D9FD6A5 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
[2009/07/13 16:12:38 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=DDC040FDB01EF1712A6B13E52AFB104C -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_fab873f3e8a3315c\atapi.sys
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_df3f92057fcbe7a7\atapi.sys

< MD5 for: EXPLORER.EXE >
[2011/02/25 22:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[2009/07/13 18:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2011/02/25 22:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe
[2009/10/30 22:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2011/02/25 22:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Users\Owner\AppData\Local\Temp\RarSFX0\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Users\Owner\AppData\Local\Temp\RarSFX1\procs\explorer.exe
[2010/11/20 05:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe
[2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe
[2009/08/02 22:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\Owner\AppData\Local\Temp\RarSFX0\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\Owner\AppData\Local\Temp\RarSFX1\h\explorer.exe
[2009/08/02 22:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009/10/30 23:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

< MD5 for: NETBT.SYS >
[2009/07/13 16:12:21 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=DD52A733BF4CA5AF84562A5E2F963B91 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys
[2012/04/22 15:24:08 | 000,187,904 | ---- | M] () Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070\netbt.sys

< MD5 for: TDX.SYS >
[2010/11/20 01:39:17 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=B459575348C20E8121D6039DA063C704 -- C:\Windows\System32\drivers\tdx.sys
[2010/11/20 01:39:17 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=B459575348C20E8121D6039DA063C704 -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
[2009/07/13 16:12:11 | 000,074,240 | ---- | M] (Microsoft Corporation) MD5=CB39E896A2A83702D1737BFD402B3542 -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys

< MD5 for: VOLSNAP.SYS >
[2009/07/13 18:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys
[2010/11/20 05:30:16 | 000,245,632 | ---- | M] (Microsoft Corporation) MD5=F497F67932C6FA693D7DE2780631CFE7 -- C:\Windows\System32\drivers\volsnap.sys
[2010/11/20 05:30:16 | 000,245,632 | ---- | M] (Microsoft Corporation) MD5=F497F67932C6FA693D7DE2780631CFE7 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys
[2010/11/20 05:30:16 | 000,245,632 | ---- | M] (Microsoft Corporation) MD5=F497F67932C6FA693D7DE2780631CFE7 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys

< MD5 for: WININIT.EXE >
[2009/07/13 18:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe
[2009/07/13 18:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

< MD5 for: WINLOGON.EXE >
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009/10/27 23:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009/10/27 22:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2010/11/20 05:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe
[2010/11/20 05:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[2009/07/13 18:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Owner\AppData\Local\Temp\RarSFX0\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Owner\AppData\Local\Temp\RarSFX1\winlogon.exe

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/08/23 16:31:47 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/08/23 16:31:47 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/08/23 16:31:47 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011/08/23 16:31:50 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2011/08/23 16:31:50 | 000,748,336 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/08/23 16:31:47 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/08/23 16:31:47 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/08/23 16:31:47 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011/08/23 16:31:50 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2011/08/23 16:31:50 | 000,748,336 | ---- | M] (Microsoft Corporation)

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\$NtUninstallKB42357$\systemprofile\AppData\Local\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\$NtUninstallKB42357$\systemprofile\AppData\Local\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\$NtUninstallKB42357$\systemprofile\AppData\Local\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\$NtUninstallKB42357$\systemprofile\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Roaming -> Junction
[C:\Windows\$NtUninstallKB42357$\systemprofile\Cookies] -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies -> Junction
[C:\Windows\$NtUninstallKB42357$\systemprofile\Local Settings] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\$NtUninstallKB42357$] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Roaming -> Junction
[C:\Windows\System32\config\systemprofile\Cookies] -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies -> Junction
[C:\Windows\System32\config\systemprofile\Local Settings] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction

========== Alternate Data Streams ==========

@Alternate Data Stream - 169 bytes -> C:\ProgramData\Temp:8C35AEA7

< End of report >


4b. Extras.txt

OTL Extras logfile created on: 4/27/2012 12:51:03 AM - Run 1
OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\Owner\Desktop
Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.30 Gb Available Physical Memory | 65.26% Memory free
3.98 Gb Paging File | 3.26 Gb Available in Paging File | 81.77% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 137.51 Gb Total Space | 103.26 Gb Free Space | 75.09% Space Free | Partition Type: NTFS
Drive D: | 11.33 Gb Total Space | 1.89 Gb Free Space | 16.68% Space Free | Partition Type: NTFS
Drive F: | 491.71 Mb Total Space | 11.71 Mb Free Space | 2.38% Space Free | Partition Type: FAT

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{867B5F99-7F02-456A-9A96-36E02FE040FB}" = lport=2869 | protocol=6 | dir=in | app=system |
"{FB33DB82-D345-4BE4-8C39-69C1D451FD91}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{4D0C4244-872E-419F-B648-40D92A47C632}" = protocol=17 | dir=in | app=c:\program files\aim\aim.exe |
"{5D179389-22BA-4E11-AE83-CA20D23F36E9}" = protocol=6 | dir=in | app=c:\program files\aim\aim.exe |
"{6FB3E3A1-038B-4389-985B-E65A3A3C08E9}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{8081C208-D69B-4816-81DF-773BF9D7BDFB}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{8E424E8F-5224-4AE9-A83E-7EA960CBACBC}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{9F2E2488-476B-45BC-B980-DCC32FF82F95}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{D8743ED1-8E19-4E5A-A2A7-A46E5A0D7031}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{DAB4EC8D-8155-4639-9BEB-6CD8B3C2EC67}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{DDD0CE70-BF1D-4A7D-8DF5-93029A858790}" = dir=in | app=c:\program files\itunes\itunes.exe |
"TCP Query User{105B8344-89E9-4000-938C-95DBF42B994F}C:\users\danielq\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\danielq\appdata\roaming\spotify\spotify.exe |
"TCP Query User{33275A5B-9080-47D6-8839-2CDA961BF655}C:\users\owner\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\owner\appdata\roaming\spotify\spotify.exe |
"TCP Query User{37DCFB63-3803-48F8-96D2-2BDE980C7DE7}C:\users\owner\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\owner\appdata\roaming\spotify\spotify.exe |
"TCP Query User{57EAE1EC-1CEA-44B6-889B-B60791D4F275}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{77AAC7C7-8E4A-4C90-A0F0-3C1CD735DC7D}C:\program files\aim\aim.exe" = protocol=6 | dir=in | app=c:\program files\aim\aim.exe |
"TCP Query User{B396E6D1-B03E-4BD8-8670-FD90DF3A2BA2}C:\program files\hewlett-packard\hp quicksync\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\hewlett-packard\hp quicksync\jre\bin\javaw.exe |
"TCP Query User{C6E71388-644D-4140-93BB-FDA37FBF63AC}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{0BA46D77-8F24-4F8E-BFDA-442E9CEDAC11}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{88B3FFC0-1EA4-4CBD-892C-BF5357219296}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{8B49B5B4-613A-4472-8E19-064FFAA2B002}C:\program files\hewlett-packard\hp quicksync\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\hewlett-packard\hp quicksync\jre\bin\javaw.exe |
"UDP Query User{9CF82F9F-0635-4DB7-ABE7-A4C075B7C7B0}C:\users\owner\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\owner\appdata\roaming\spotify\spotify.exe |
"UDP Query User{DFDC98C1-ACB2-45FA-88F4-1C4A8B452FED}C:\users\danielq\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\danielq\appdata\roaming\spotify\spotify.exe |
"UDP Query User{E92365BD-8BF1-4BB2-BFB4-1427DD4E25C0}C:\users\owner\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\owner\appdata\roaming\spotify\spotify.exe |
"UDP Query User{F42FE697-F647-400C-9B66-800B2D71ED01}C:\program files\aim\aim.exe" = protocol=17 | dir=in | app=c:\program files\aim\aim.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{11B7161D-3461-40CD-B31F-84065AC84A4E}" = HP User Guides 0166
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23B8A91D-680B-462B-87AD-3D70F7341731}" = iTunes
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 30
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
"{34985F59-8F6F-46F4-9AD5-53E2714294D2}" = ArcSoft WebCam Companion 3
"{37F8C732-02B5-41A2-9F5B-D94EAC2226AB}" = Angry Birds Seasons
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}" = PowerRecover
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{49FC2AEE-5CC2-47F1-8E8A-9000869EDE81}" = Angry Birds
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F46FDB9-B906-47BF-B3D5-C62E01B3C5EE}" = HP Support Assistant
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{54CC7901-804D-4155-B353-21F0CC9112AB}" = HP Wireless Assistant
"{553C904F-57A2-4113-888E-BA0C3D1C69C0}" = Microsoft VC9 runtime libraries
"{5B295588-59C1-4386-9F85-BB4BEDCB0D22}" = HP Customer Experience Enhancements
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{D46D081B-F60E-467E-A7C4-117B70D76731}" = HP Update
"{E0B3F290-186B-46C8-BA95-F3D6542C2407}" = Angry Birds Rio
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EEA95E6C-6847-49BE-83C9-ED92D8E18983}" = HP QuickSync
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F3B912F5-EB57-45AA-B3D1-EB532BCF6EF8}" = HP Setup
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"AIM Toolbar" = AOL Messaging Toolbar
"AIM_7" = AIM 7
"Broadcom 802.11 Wireless LAN Adapter" = Broadcom 802.11 Wireless LAN Adapter
"Foxit Reader_is1" = Foxit Reader 5.1
"HDMI" = Intel® Graphics Media Accelerator Driver
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"Intel AppUp(SM) center 13747" = Intel AppUp(SM) center
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"OfficeTrial" = Microsoft Office Home and Student 60 day trial
"RealPlayer 15.0" = RealPlayer
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VLC media player" = VLC media player 1.1.5
"WildTangent hp Master Uninstall" = HP Games
"WinLiveSuite_Wave3" = Windows Live Essentials
"YTdetect" = Yahoo! Detect

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-466536345-1373091364-2548406962-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"AOL Messaging Toolbar" = AOL Messaging Toolbar
"Spotify" = Spotify

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/15/2012 10:49:07 PM | Computer Name = Owner-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 350784

Error - 4/15/2012 10:49:07 PM | Computer Name = Owner-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 350784

Error - 4/15/2012 10:49:15 PM | Computer Name = Owner-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/15/2012 10:49:15 PM | Computer Name = Owner-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 358100

Error - 4/15/2012 10:49:15 PM | Computer Name = Owner-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 358100

Error - 4/15/2012 10:49:23 PM | Computer Name = Owner-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/15/2012 10:49:23 PM | Computer Name = Owner-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 366852

Error - 4/15/2012 10:49:23 PM | Computer Name = Owner-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 366852

Error - 4/15/2012 10:49:31 PM | Computer Name = Owner-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/15/2012 10:49:31 PM | Computer Name = Owner-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 374964

[ System Events ]
Error - 4/15/2012 8:10:33 PM | Computer Name = Owner-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%858

Error - 4/15/2012 8:23:43 PM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7023
Description = The Windows Modules Installer service terminated with the following
error: %%32

Error - 4/15/2012 8:24:34 PM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 4/15/2012 8:24:34 PM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7003
Description = The IKE and AuthIP IPsec Keying Modules service depends the following
service: BFE. This service might not be installed.

Error - 4/15/2012 8:24:35 PM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7003
Description = The IPsec Policy Agent service depends the following service: BFE.
This service might not be installed.

Error - 4/15/2012 8:24:51 PM | Computer Name = Owner-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 4/15/2012 8:27:28 PM | Computer Name = Owner-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070020: Cumulative Security Update for Internet Explorer 9 for Windows
7 (KB2675157).

Error - 4/15/2012 8:27:28 PM | Computer Name = Owner-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070020: Security Update for Windows 7 (KB2653956).

Error - 4/15/2012 8:27:28 PM | Computer Name = Owner-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070020: Update for Windows 7 (KB2679255).

Error - 4/16/2012 8:53:19 PM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Audiosrv service.


< End of report >


5. Nothing has changed because the malware is preventing TDSSKiller from even loading.
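The "< MD5 for: ... >" blocks in the OTL log above are the scanner hashing every copy of a core system file it can find (the live copy under System32, the component-store copies under winsxs, and any same-named file elsewhere) so that a responder can spot a patched or hidden one. The checks a responder applies by eye to that section, written out as a small parser, added here as an illustration for this thread and not part of OTL or of the poster's logs; the sample lines are constructed to mirror the log format (the DEADBEEF hash is a deliberate placeholder):

```python
import re

# Constructed sample in OTL's '< MD5 for: >' format, modelled on the log above.
# The DEADBEEF... value is a placeholder standing in for an unexpected hash.
SAMPLE_LOG = r"""< MD5 for: NETBT.SYS >
[2009/07/13 16:12:21 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=DD52A733BF4CA5AF84562A5E2F963B91 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_6.1.7600.16385\netbt.sys
[2012/04/22 15:24:08 | 000,187,904 | ---- | M] () Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_6.1.7601.17514\netbt.sys

< MD5 for: TDX.SYS >
[2012/04/22 15:24:08 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\Windows\System32\drivers\tdx.sys
[2010/11/20 01:39:17 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=B459575348C20E8121D6039DA063C704 -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_6.1.7601.17514\tdx.sys

< MD5 for: WININIT.EXE >
[2009/07/13 18:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe
[2009/07/13 18:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_6.1.7600.16385\wininit.exe

< MD5 for: EXPLORER.EXE >
[2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe
[2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_6.1.7601.17567\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Users\Owner\AppData\Local\Temp\RarSFX0\procs\explorer.exe
"""

HEADER = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
ENTRY = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [^|]+ \| [CM]\] "
    r"\((?P<company>[^)]*)\) "
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5) -- (?P<path>.+)$"
)


def parse_md5_sections(text):
    """Return {FILENAME: [entry, ...]}; an entry's 'md5' is None when OTL could not hash it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER.match(line)
        if h:
            current = h.group("name").upper()
            sections.setdefault(current, [])
            continue
        m = ENTRY.match(line) if current else None
        if m:
            sections[current].append(m.groupdict())
    return sections


def location(path):
    """Classify where a copy lives: the loaded file, a store backup, or somewhere else."""
    p = path.lower()
    if not p.startswith("c:\\windows\\"):
        return "outside"          # user profile, temp folder, other application
    if "\\winsxs\\" in p or "\\driverstore\\" in p:
        return "store"            # component-store / driver-store reference copies
    return "live"                 # the copy Windows actually loads


def review(sections):
    """Apply the triage rules; returns {FILENAME: [finding, ...]} (empty list = nothing to note)."""
    findings = {}
    for name, entries in sections.items():
        notes = []
        if not any(location(e["path"]) == "live" for e in entries):
            notes.append("no live copy under C:\\Windows enumerated (missing, or hidden from the scanner)")
        store_hashes = {e["md5"] for e in entries if location(e["path"]) == "store" and e["md5"]}
        for e in entries:
            loc = location(e["path"])
            if e["md5"] is None:
                notes.append(f"hash unreadable: {e['path']} (locked or filtered; hash it offline)")
            elif loc == "live" and store_hashes and e["md5"] not in store_hashes:
                notes.append(f"live copy matches no component-store copy: {e['path']}")
            if loc == "live" and not e["company"]:
                notes.append(f"live copy carries no publisher name: {e['path']}")
            if loc == "outside":
                notes.append(f"system file name outside the Windows tree: {e['path']}")
        findings[name] = notes
    return findings


def triage(text):
    """Parse an OTL log and return the per-file findings."""
    return review(parse_md5_sections(text))


if __name__ == "__main__":
    for name, notes in triage(SAMPLE_LOG).items():
        print(name, "-> clean" if not notes else "")
        for note in notes:
            print("   ", note)
```

A flagged file is a prompt, not a verdict: a live copy can legitimately be newer than every stored copy right after a hotfix, and a third-party product may ship its own file under a system name in its own folder. The useful output is the short list of files whose signature should be checked from a clean boot environment, which is what an unreadable hash or a missing live copy in the log above calls for.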

#4 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 28 April 2012 - 08:21 AM

Hi!

It looks like we're going to have to repair some things in the registry a little later.

2. Malware is killing TDSSKiller before the program finishes loading.

Okay, don't worry about that tool for right now.

In this post we'll run an OTL fix, followed by running a more powerful tool.

OTL Fix

We need to run an OTL Fix

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix as it may interfere with the successful execution of the script below.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\kaqhhbcs.sys -- (kaqhhbcs)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKU\S-1-5-21-466536345-1373091364-2548406962-1000..\Run: [ArcSoft] C:\Users\Owner\AppData\Local\Deployment\ArcSoft\qnrxtf.dll (MainConcept GmbH)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2012/04/07 09:15:09 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SMART HDD
    [2012/04/07 09:36:16 | 000,000,160 | ---- | M] () -- C:\ProgramData\-ARvOixGEGB2tglr
    [2012/04/07 09:36:16 | 000,000,000 | ---- | M] () -- C:\ProgramData\-ARvOixGEGB2tgl
    [2012/04/07 09:36:03 | 000,000,256 | ---- | M] () -- C:\ProgramData\ARvOixGEGB2tgl
    [2012/04/07 09:15:10 | 000,000,160 | ---- | C] () -- C:\ProgramData\-ARvOixGEGB2tglr
    [2012/04/07 09:15:10 | 000,000,000 | ---- | C] () -- C:\ProgramData\-ARvOixGEGB2tgl
    [2012/04/07 09:15:03 | 000,000,256 | ---- | C] () -- C:\ProgramData\ARvOixGEGB2tgl
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
  • If you get an error message saying: "Illegal operation attempted on a registry key that was marked for deletion." please reboot your computer, and that should take care of that error message.


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. OTL fix log.
3. ComboFix.txt log.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 thelaw

thelaw
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:05:28 PM

Posted 28 April 2012 - 11:09 PM

1. I have disabled the only active anti-malware product on this system: Microsoft Security Essentials.

2. OTL fix log

========== SERVICES/DRIVERS ==========
========== OTL ==========
Error: No service named kaqhhbcs was found to stop!
Service\Driver key kaqhhbcs not found.
File C:\Windows\system32\drivers\kaqhhbcs.sys not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_USERS\S-1-5-21-466536345-1373091364-2548406962-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ArcSoft not found.
File C:\Users\Owner\AppData\Local\Deployment\ArcSoft\qnrxtf.dll not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Folder C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SMART HDD\ not found.
File C:\ProgramData\-ARvOixGEGB2tglr not found.
File C:\ProgramData\-ARvOixGEGB2tgl not found.
File C:\ProgramData\ARvOixGEGB2tgl not found.
File C:\ProgramData\-ARvOixGEGB2tglr not found.
File C:\ProgramData\-ARvOixGEGB2tgl not found.
File C:\ProgramData\ARvOixGEGB2tgl not found.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Owner\Desktop\cmd.bat deleted successfully.
C:\Users\Owner\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.42.1 log created on 04282012_205114


3. ComboFix.txt log. - none created

Popup when running Combofix: "The Recycle Bin on C:\ is corrupted. Do you want to empty the Recycle Bin for this drive?" Note that this message also pops up after I rebooted the system.

Combofix continues but never gets past: "Scanning for infected files.. This typically doesn't take for more than 10 minutes. However, scan times for badly infected machines may easily double". Because this system is a slower netbook, I just let the machine run, but this process never goes further than this even after multiple hours. Hence, it never completes any of the 50 stages or produces a log.


4. No change in the computer from what I can tell as the malware seems to be blocking these anti-malware programs from functioning properly.

Edited by thelaw, 28 April 2012 - 11:10 PM.
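The OTL fix script in #4 and the fix log in #5, read together, make the practical point of this exchange: every target came back "not found", so nothing in the script can be confirmed removed. The Python below is an added example, not OTL's own code and not something posted by the helpers in this thread. It parses the two formats (the `DRV`, `O4` and `[date | size | attrs | C/M]` lines of a fix script, and the `... not found.` / `... deleted successfully.` / `... moved successfully.` lines of a fix log) and lists the flagged items the log never confirms as deleted or moved. The sample lines are a subset copied from the two posts above; the regular expressions, the flagging heuristics (a random-looking unextended name in the ProgramData root, a Run value that loads a DLL from the user profile, a registered driver whose image file is missing) and all function names are assumptions of this example.

```python
"""Cross-check an OTL fix script against the OTL fix log it produced.

Added example for this thread; it is not part of OTL and does not reproduce
OTL's own logic. Line formats, heuristics and sample data are assumptions
taken from the posts above.
"""
import re

# Constructed sample: a subset of the OTL fix script from post #4.
SAMPLE_SCRIPT = r"""
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\kaqhhbcs.sys -- (kaqhhbcs)
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-466536345-1373091364-2548406962-1000..\Run: [ArcSoft] C:\Users\Owner\AppData\Local\Deployment\ArcSoft\qnrxtf.dll (MainConcept GmbH)
[2012/04/07 09:15:09 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SMART HDD
[2012/04/07 09:36:16 | 000,000,160 | ---- | M] () -- C:\ProgramData\-ARvOixGEGB2tglr
[2012/04/07 09:36:03 | 000,000,256 | ---- | M] () -- C:\ProgramData\ARvOixGEGB2tgl
"""

# Constructed sample: a subset of the OTL fix log from post #5.
SAMPLE_LOG = r"""
Error: No service named kaqhhbcs was found to stop!
Service\Driver key kaqhhbcs not found.
File C:\Windows\system32\drivers\kaqhhbcs.sys not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_USERS\S-1-5-21-466536345-1373091364-2548406962-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ArcSoft not found.
File C:\Users\Owner\AppData\Local\Deployment\ArcSoft\qnrxtf.dll not found.
Folder C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SMART HDD\ not found.
File C:\ProgramData\-ARvOixGEGB2tglr not found.
File C:\ProgramData\ARvOixGEGB2tgl not found.
C:\Users\Owner\Desktop\cmd.bat deleted successfully.
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
"""

# Line shapes as they appear in the posts (assumed to be representative).
DRV_RE = re.compile(r"^DRV - File not found \[[^\]]*\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKU\\S-[\d-]+)\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<target>.*)$")
FILE_RE = re.compile(r"^\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| "
                     r"(?P<cm>[CM])\] (?:\(\) )?-- (?P<path>.+)$")
LOG_RE = re.compile(r"^(?:(?:File|Folder|Registry (?:key|value)|Service\\Driver key) )?"
                    r"(?P<target>.+?) (?P<result>not found|deleted successfully|moved successfully)\.?$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run\\"


def norm(target):
    """Normalise a path or registry key so script and log entries compare equal."""
    return target.rstrip("\\").lower()


def is_random_name(name):
    """Heuristic: no extension, 10+ characters, mixing upper case, lower case and digits."""
    core = name.lstrip("-")
    return ("." not in core and len(core) >= 10
            and any(c.isupper() for c in core)
            and any(c.islower() for c in core)
            and any(c.isdigit() for c in core))


def triage_script(script):
    """Return (target, reason) pairs for the entries in a fix script worth following up."""
    findings = []
    for line in script.splitlines():
        line = line.strip()
        if m := DRV_RE.match(line):
            findings.append((m["path"], "driver registered but image missing (%s)" % m["name"]))
        elif m := O4_RE.match(line):
            target = re.sub(r"\s+\([^()]*\)$", "", m["target"])  # drop trailing "(Company)"
            if target.lower().endswith(".dll") and "\\appdata\\" in target.lower():
                findings.append((target, "Run value loads a DLL from the user profile"))
            elif target == "File not found":
                root, _, sid = m["hive"].partition("\\")
                key = HIVES[root] + ("\\" + sid if sid else "") + RUN_KEY + m["value"]
                findings.append((key, "Run value with no target"))
        elif m := FILE_RE.match(line):
            path = m["path"]
            parent, _, name = path.rpartition("\\")
            if parent.lower() == r"c:\programdata" and is_random_name(name):
                findings.append((path, "random-named file in ProgramData root"))
            elif "\\start menu\\programs\\" in path.lower() and m["attrs"].endswith("D") and m["cm"] == "C":
                findings.append((path, "Start Menu folder created (check for rogue product shortcuts)"))
    return findings


def summarize_log(log):
    """Map each normalised target in a fix log to what OTL reported for it."""
    status = {}
    for line in log.splitlines():
        if m := LOG_RE.match(line.strip()):
            status[norm(m["target"])] = m["result"]
    return status


def unconfirmed(findings, status):
    """Flagged items the log never reports as deleted or moved: missing, hidden, or already gone."""
    return [(t, why) for t, why in findings
            if status.get(norm(t)) not in ("deleted successfully", "moved successfully")]


if __name__ == "__main__":
    status = summarize_log(SAMPLE_LOG)
    for target, why in unconfirmed(triage_script(SAMPLE_SCRIPT), status):
        print(f"UNCONFIRMED  {why}: {target}  [{status.get(norm(target), 'no log line')}]")
```

Run against the two samples it reports all six flagged items as unconfirmed, which matches what the thread concludes from the log: the only things OTL actually changed were the HOSTS file reset and the restore point, and either the rootkit hid the targets from the tool or they were never on disk under those names.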


#6 SweetTech
Posted 29 April 2012 - 01:04 AM

Hi thelaw!

Thanks for the OTL fix log file.

It seems this infection is preventing our tools from running.

Can you please attempt to rename ComboFix to svchost and see if it'll run for you then?

You can do this by clicking on the ComboFix file on your Desktop, press F2, and then type in svchost followed by enter.

Let me know if you have better luck then.

-ST.

Edited by SweetTech, 29 April 2012 - 01:14 AM.



#7 thelaw
Posted 29 April 2012 - 03:54 AM

Renaming Combofix to Svchost made no difference. Combofix still does not complete after waiting multiple hours. In addition to the:

"The Recycle Bin on C:\ is corrupted. Do you want to empty the Recycle Bin for this drive?"

message, I have seen this error:

"Freeware implementation of XCACLS has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

Let me add that after I close Svchost because it never finishes, the application is somehow renamed back to Combofix even though I did not change it back.

Edited by thelaw, 29 April 2012 - 05:02 AM.


#8 SweetTech
Posted 29 April 2012 - 10:14 AM

Hi!

Any chance you could try booting up into Safe Mode and trying to run ComboFix from there?

If that still won't work, run this tool below:


Running aswMBR.exe

Download aswMBR.exe (4.5mb) to your desktop.
Double click aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.



NEXT:


If the above scan won't work either, open up OTL and press the Quick Scan button.

Provide me with that log file in your next reply.

Let me know how it goes.

-ST.

Edited by SweetTech, 29 April 2012 - 10:14 AM.



#9 thelaw
Posted 30 April 2012 - 12:38 AM

1. Ran Combofix in Safe Mode. After multiple hours, it did detect and attempted to remove a rootkit. After a reboot, Combofix was able to produce this log. There were a couple of times when some part stopped working and I had to click on a dialog box to continue the process.


ComboFix 12-04-28.01 - Owner 04/29/2012 15:13:38.1.2 - x86
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.2039.1520 [GMT -7:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\HP\HPBTWD.exe
c:\users\Owner\AppData\Roaming\Microsoft\Microsoft
c:\users\Owner\AppData\Roaming\Microsoft\Microsoft\arroibs.dll
c:\users\Owner\AppData\Roaming\Microsoft\Microsoft\fptjnmg.dll
c:\users\Owner\AppData\Roaming\Microsoft\Microsoft\hqsysrld.dll
c:\users\Owner\AppData\Roaming\Microsoft\Microsoft\kmzkybj.dll
c:\windows\$NtUninstallKB42357$
c:\windows\$NtUninstallKB42357$\4200934047
c:\windows\system32\bdaplgin.ax
c:\windows\system32\cero.rs
c:\windows\system32\csrr.rs
c:\windows\system32\esrb.rs
c:\windows\system32\g711codc.ax
c:\windows\system32\grb.rs
c:\windows\system32\iac25_32.ax
c:\windows\system32\ir41_32.ax
c:\windows\system32\ivfsrc.ax
c:\windows\system32\ksproxy.ax
c:\windows\system32\kstvtune.ax
c:\windows\system32\Kswdmcap.ax
c:\windows\system32\ksxbar.ax
c:\windows\system32\Mpeg2Data.ax
c:\windows\system32\mpg2splt.ax
c:\windows\system32\MSDvbNP.ax
c:\windows\system32\MSNP.ax
c:\windows\system32\oflc.rs
c:\windows\system32\pegi-fi.rs
c:\windows\system32\pegi-pt.rs
c:\windows\system32\pegi.rs
c:\windows\system32\pegibbfc.rs
c:\windows\system32\psisrndr.ax
c:\windows\system32\usk.rs
c:\windows\system32\VBICodec.ax
c:\windows\system32\vbisurf.ax
c:\windows\system32\vidcap.ax
c:\windows\system32\WEB.rs
c:\windows\system32\WSTPager.ax
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-29 )))))))))))))))))))))))))))))))
.
.
2012-04-29 23:24 . 2012-04-29 23:36 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-04-29 23:24 . 2012-04-29 23:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-29 23:23 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-04-29 17:57 . 2012-04-29 17:57 -------- d-----w- C:\test
2012-04-28 18:12 . 2012-04-28 18:12 -------- d-----w- C:\_OTL
2012-04-27 05:43 . 2012-02-09 20:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DF4186A9-065D-4D27-8BF6-453295DCD2FA}\gapaengine.dll
2012-04-27 05:39 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{483311EA-52F8-47B1-90DB-4A8AE498754F}\mpengine.dll
2012-04-27 05:27 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2012-04-25 04:51 . 2012-04-27 07:29 -------- d-----w- c:\windows\system32\MpEngineStore
2012-04-25 04:50 . 2012-04-25 04:50 -------- d-----w- C:\69213ef1eff039a5abea
2012-04-24 23:03 . 2012-04-24 23:03 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2012-04-24 23:03 . 2012-04-24 23:03 -------- d-----w- c:\programdata\Malwarebytes
2012-04-24 23:02 . 2012-04-24 23:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-14 23:04 . 2012-04-14 23:04 -------- d-----w- c:\users\Owner\AppData\Local\Google
2012-04-14 06:06 . 2012-04-14 23:04 -------- d-----w- c:\program files\Google
2012-04-14 00:05 . 2012-04-14 00:05 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-11 04:22 . 2012-04-14 23:07 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-07 17:32 . 2012-04-07 17:32 -------- d-----w- c:\program files\AIM Toolbar
2012-04-07 17:32 . 2012-04-07 17:32 -------- d-----w- c:\programdata\AIM Toolbar
2012-04-07 17:31 . 2012-04-07 17:31 -------- d-----w- c:\program files\Common Files\Software Update Utility
2012-04-07 16:54 . 2012-04-14 06:16 -------- d-----w- c:\users\DanielQ
2012-04-07 16:51 . 2012-04-07 16:51 -------- d-----w- c:\users\Owner\AppData\Local\Apps
2012-04-07 16:51 . 2012-04-27 06:36 -------- d-----w- c:\users\Owner\AppData\Local\Deployment
2012-04-04 06:47 . 2012-04-04 06:47 -------- d-----w- c:\program files\iPod
2012-04-04 06:47 . 2012-04-04 06:48 -------- d-----w- c:\program files\iTunes
2012-04-04 06:43 . 2012-04-04 06:43 -------- d-----w- c:\program files\Bonjour
2012-04-04 06:35 . 2012-04-04 06:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-04-04 06:35 . 2012-04-04 06:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-04-04 06:35 . 2012-04-04 06:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-04-04 06:35 . 2012-04-04 06:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-04-04 06:35 . 2012-04-04 06:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-04-04 06:35 . 2012-04-04 06:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-04-04 06:35 . 2012-04-04 06:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-04-04 06:34 . 2012-04-04 06:35 -------- d-----w- c:\program files\QuickTime
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 23:07 . 2011-08-23 23:47 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-13 07:36 . 2010-12-24 08:31 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-17 05:34 . 2012-03-19 00:53 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-19 00:53 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-19 00:53 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 18:01 . 2012-02-15 18:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 18:01 . 2012-02-15 18:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-10 05:38 . 2012-03-19 01:13 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-02-03 03:54 . 2012-03-19 01:14 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-12-23 06:02 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-08-14 467036]
"Intel AppUp(SM) center"="c:\program files\Intel\IntelAppStore\bin\serviceManager.lnk" [2011-02-01 1260]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2012-02-29 20:29 4321112 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 04:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP]
2009-07-14 10:54 589104 ----a-w- c:\program files\Hewlett-Packard\HP QuickSync\QuickSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 21:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 12:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 21:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-01-13 06:03 296056 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePRCShortCut]
2009-05-20 05:16 222504 ----a-w- c:\program files\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WirelessAssistant]
2009-07-23 18:04 498744 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-04-14 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 253088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-04-14 136176]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 167424]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 UCORESYS;UCORESYS;c:\users\Owner\AppData\Local\Temp\pftF07A.tmp\UCORESYS.SYS [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\aestsrv.exe [2009-03-03 81920]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-04-28 50688]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 23:07]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-14 06:06]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-14 06:06]
.
2012-04-14 c:\windows\Tasks\HPCeeScheduleForDanielQ.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-09-08 21:38]
.
2012-04-22 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-09-08 21:38]
.
.
------- Supplementary Scan -------
.
uStart Page = about:Tabs
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-HP BTW Detect Program - c:\program files\HP\HPBTWD.exe
MSConfigStartUp-Update - c:\users\Owner\AppData\Roaming\Microsoft\Microsoft\arroibs.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\STacSV.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Intel\IntelAppStore\bin\serviceManager.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2012-04-29 16:54:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-29 23:54
.
Pre-Run: 109,654,175,744 bytes free
Post-Run: 110,932,393,984 bytes free
.
- - End Of File - - C57D81FCC36DBDE4CA55286F0504962A


2. I tried to run both aswMBR.exe and TDSSKiller in Normal Mode, but both programs were terminated before they finished loading. I did not try to run either in Safe Mode.


3. OTL Log:


OTL logfile created on: 4/29/2012 8:32:44 PM - Run 2
OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\Owner\Desktop
Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.16 Gb Available Physical Memory | 58.02% Memory free
3.98 Gb Paging File | 3.21 Gb Available in Paging File | 80.52% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 137.51 Gb Total Space | 102.93 Gb Free Space | 74.85% Space Free | Partition Type: NTFS
Drive D: | 11.33 Gb Total Space | 1.89 Gb Free Space | 16.68% Space Free | Partition Type: NTFS
Drive F: | 491.71 Mb Total Space | 2.75 Mb Free Space | 0.56% Space Free | Partition Type: FAT

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/27 00:28:00 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 05:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/09/03 09:05:34 | 000,566,024 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelAppStore\bin\serviceManager.exe
PRC - [2009/08/13 18:09:38 | 000,467,036 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2009/08/13 18:09:38 | 000,221,266 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\stacsv.exe
PRC - [2009/03/02 19:43:08 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\AEstSrv.exe


========== Modules (No Company Name) ==========

MOD - [2010/10/13 12:45:55 | 003,928,304 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\plugin\libbizlplugin.dll
MOD - [2010/09/03 09:05:30 | 000,400,384 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\sqlite3.dll
MOD - [2010/09/03 09:05:30 | 000,322,048 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\log4cplus.dll
MOD - [2010/09/03 09:05:30 | 000,194,048 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\libgsoap.dll
MOD - [2010/09/03 09:05:30 | 000,013,312 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\featureController.dll
MOD - [2010/09/03 09:05:28 | 002,202,624 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\QtCore4.dll
MOD - [2010/09/03 09:05:28 | 000,959,488 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\QtNetwork4.dll
MOD - [2010/09/03 09:05:28 | 000,377,856 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\QtXml4.dll
MOD - [2010/09/03 09:05:28 | 000,062,464 | ---- | M] () -- C:\Program Files\Intel\IntelAppStore\bin\zlib1.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/04/14 16:07:46 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/08/13 18:09:38 | 000,221,266 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\stacsv.exe -- (STacSV)
SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/05/22 11:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/03/02 19:43:08 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fa0513b7754bf240\AEstSrv.exe -- (AESTFilters)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\RtsUCcid.sys -- (USBCCID)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Owner\AppData\Local\Temp\pftF07A.tmp\UCORESYS.SYS -- (UCORESYS)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Rts516xIR.sys -- (RtsUIR)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Owner\AppData\Local\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Owner\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010/11/20 03:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 02:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/04/14 02:01:48 | 000,045,736 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\btusbflt.sys -- (btusbflt)
DRV - [2009/08/13 18:09:38 | 000,409,088 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2009/07/13 16:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/13 16:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/07/13 15:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD)
DRV - [2009/06/24 11:59:10 | 000,167,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2009/04/27 17:26:44 | 000,050,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C) NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20)
DRV - [2005/08/17 08:47:48 | 000,073,696 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdserd.sys -- (sscdserd) SAMSUNG CDMA Modem Diagnostic Serial Port (WDM)
DRV - [2005/08/17 08:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/08/17 08:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/08/17 08:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
IE - HKLM\..\SearchScopes,DefaultScope = {309B6E7A-5F40-4B69-B6F7-77B1634D9911}
IE - HKLM\..\SearchScopes\{15565EC0-EEBD-4452-BF6B-2C7ADB97C322}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKLM\..\SearchScopes\{309B6E7A-5F40-4B69-B6F7-77B1634D9911}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=HPNTDF&pc=HPNTDF&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aimright-chromesbox-en-us&tb_uuid=20120407173136285&tb_oid=07-04-2012&tb_mrud=07-04-2012

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
IE - HKCU\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {309B6E7A-5F40-4B69-B6F7-77B1634D9911}
IE - HKCU\..\SearchScopes\{15565EC0-EEBD-4452-BF6B-2C7ADB97C322}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKCU\..\SearchScopes\{309B6E7A-5F40-4B69-B6F7-77B1634D9911}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=HPNTDF&pc=HPNTDF&src=IE-SearchBox
IE - HKCU\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aimright-chromesbox-en-us&tb_uuid=20120407173136285&tb_oid=07-04-2012&tb_mrud=07-04-2012
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8064.0206: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/12 23:04:32 | 000,000,000 | ---D | M]


========== Chrome ==========


O1 HOSTS File: ([2012/04/29 16:35:08 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AOL Messaging Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O3 - HKLM\..\Toolbar: (AOL Messaging Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O4 - HKLM..\Run: [Intel AppUp(SM) center] C:\Program Files\Intel\IntelAppStore\bin\serviceManager.lnk ()
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C175AE8F-8D9A-4439-AB02-F4F30C15DA90}: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/03/12 12:48:06 | 000,000,090 | ---- | M] () - F:\AUTORUN.INF -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/04/29 20:30:42 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Owner\Desktop\aswMBR.exe
[2012/04/29 16:55:16 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/04/29 16:51:26 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/04/29 16:24:00 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\temp
[2012/04/29 11:08:47 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/04/29 10:57:32 | 000,000,000 | ---D | C] -- C:\test
[2012/04/28 11:30:24 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/04/28 11:30:24 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/04/28 11:30:24 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/04/28 11:29:12 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/04/28 11:20:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/04/28 11:19:14 | 004,478,552 | R--- | C] (Swearware) -- C:\Users\Owner\Desktop\ComboFix.exe
[2012/04/28 11:12:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/04/27 00:46:28 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2012/04/26 22:28:15 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/04/25 01:10:44 | 000,883,616 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Owner\Desktop\FixExec.exe
[2012/04/25 01:10:44 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Owner\Desktop\unhide.exe
[2012/04/24 21:51:56 | 000,000,000 | ---D | C] -- C:\Windows\System32\MpEngineStore
[2012/04/24 21:50:42 | 000,000,000 | ---D | C] -- C:\69213ef1eff039a5abea
[2012/04/24 20:59:47 | 002,073,648 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Owner\Desktop\tdsskiller.exe
[2012/04/24 16:03:34 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Malwarebytes
[2012/04/24 16:03:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/24 16:03:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/04/24 16:02:52 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/04/14 16:04:04 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Google
[2012/04/13 23:06:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2012/04/13 23:06:52 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/04/07 10:32:10 | 000,000,000 | ---D | C] -- C:\ProgramData\AIM Toolbar
[2012/04/07 10:32:10 | 000,000,000 | ---D | C] -- C:\Program Files\AIM Toolbar
[2012/04/07 10:31:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2012/04/07 10:31:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AIM
[2012/04/07 09:51:14 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Apps
[2012/04/07 09:51:13 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Deployment
[2012/04/03 23:49:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/04/03 23:47:41 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/04/03 23:47:39 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/04/03 23:43:21 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2012/04/03 23:35:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012/04/03 23:34:55 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime

========== Files - Modified Within 30 Days ==========

[2012/04/29 20:31:41 | 000,626,278 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/29 20:31:41 | 000,107,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/04/29 20:28:12 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Owner\Desktop\aswMBR.exe
[2012/04/29 20:23:55 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/29 20:23:43 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/29 20:23:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/29 16:42:30 | 000,014,128 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/29 16:42:30 | 000,014,128 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/29 16:35:08 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/04/29 16:34:43 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/29 16:34:16 | 1603,772,416 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/28 11:15:18 | 004,478,552 | R--- | M] (Swearware) -- C:\Users\Owner\Desktop\ComboFix.exe
[2012/04/27 00:28:00 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2012/04/26 22:36:56 | 000,002,113 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/04/25 01:08:42 | 000,883,616 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Owner\Desktop\FixExec.exe
[2012/04/25 01:08:24 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Owner\Desktop\unhide.exe
[2012/04/24 20:55:48 | 002,073,648 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Owner\Desktop\tdsskiller.exe
[2012/04/24 20:55:12 | 000,302,592 | ---- | M] () -- C:\Users\Owner\Desktop\xu6pqvio.exe
[2012/04/24 20:54:22 | 001,008,141 | ---- | M] () -- C:\Users\Owner\Desktop\rkill.com
[2012/04/21 18:37:34 | 000,000,322 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForOwner.job
[2012/04/14 12:32:42 | 000,000,330 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForDanielQ.job
[2012/04/09 18:27:23 | 000,001,767 | ---- | M] () -- C:\Users\Owner\Desktop\Spotify.lnk
[2012/04/07 10:31:13 | 000,001,094 | ---- | M] () -- C:\IPH.PH
[2012/04/07 10:31:04 | 000,001,881 | ---- | M] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk
[2012/04/03 23:49:02 | 000,001,753 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/04/03 23:35:35 | 000,001,815 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk

========== Files Created - No Company Name ==========

[2012/04/28 11:30:24 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/04/28 11:30:24 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/04/28 11:30:24 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/04/28 11:30:24 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/04/28 11:30:24 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/04/26 22:36:12 | 000,001,897 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/04/25 01:15:35 | 000,002,141 | ---- | C] () -- C:\Users\Public\Desktop\Intel AppUp(SM) center.lnk
[2012/04/25 01:15:35 | 000,002,075 | ---- | C] () -- C:\Users\Public\Desktop\Angry Birds Seasons.lnk
[2012/04/25 01:15:35 | 000,002,019 | ---- | C] () -- C:\Users\Public\Desktop\Angry Birds Rio.lnk
[2012/04/25 01:15:35 | 000,001,815 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/04/25 01:15:35 | 000,001,753 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/04/25 01:15:35 | 000,001,234 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2012/04/25 01:15:35 | 000,000,940 | ---- | C] () -- C:\Users\Public\Desktop\Angry Birds.lnk
[2012/04/25 01:15:34 | 000,002,557 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2012/04/25 01:15:34 | 000,001,562 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Try Microsoft Office for 60 days.lnk
[2012/04/25 01:15:34 | 000,001,515 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2012/04/25 01:15:34 | 000,001,352 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
[2012/04/25 01:15:34 | 000,001,330 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
[2012/04/25 01:15:34 | 000,001,246 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
[2012/04/25 01:15:34 | 000,001,210 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2012/04/25 01:15:34 | 000,000,182 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pandora Internet Radio.url
[2012/04/25 01:15:33 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2012/04/24 21:02:03 | 000,302,592 | ---- | C] () -- C:\Users\Owner\Desktop\xu6pqvio.exe
[2012/04/24 21:00:46 | 001,008,141 | ---- | C] () -- C:\Users\Owner\Desktop\rkill.com
[2012/04/13 23:16:32 | 000,000,330 | ---- | C] () -- C:\Windows\tasks\HPCeeScheduleForDanielQ.job
[2012/04/13 23:07:17 | 000,000,888 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/13 23:07:16 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/11 16:26:42 | 000,001,105 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2012/04/10 21:22:30 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/07 10:31:04 | 000,001,855 | ---- | C] () -- C:\Users\Public\Desktop\AIM.lnk
[2012/03/27 16:23:48 | 000,000,000 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\wklnhst.dat
[2011/12/06 20:36:41 | 000,000,410 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2011/12/06 20:36:41 | 000,000,034 | ---- | C] () -- C:\Windows\System32\BD7040.DAT

========== LOP Check ==========

[2010/12/24 19:23:48 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\acccore
[2011/08/30 21:22:57 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Foxit Software
[2011/12/22 16:39:56 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Rovio
[2012/04/24 15:51:52 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Spotify
[2012/03/27 16:23:49 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Template
[2011/06/10 21:36:09 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\WildTangent
[2012/04/24 15:14:47 | 000,032,586 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 169 bytes -> C:\ProgramData\Temp:8C35AEA7

< End of report >
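The OTL sections above (IE SearchScopes and URLSearchHook, the O1 hosts entries, the O17 DhcpNameServer line, and the DRV list) are the lines a helper reads first when the complaint is "search results are being redirected". What follows is an added example for this thread, not code from OTL, ComboFix, or anyone posting here: a small Python triage script that parses those exact line formats and orders them for a human. The sample lines are a constructed subset copied from the log above; the allowlist of search-engine hosts and the "loads from a Temp directory" heuristic are assumptions of the example, not anything OTL itself reports.

```python
"""Triage the redirect-relevant lines of an OTL log.

Added example for this thread; it is not OTL, ComboFix or BleepingComputer code.
It recognises the line formats OTL prints for IE search scopes, URLSearchHook,
the hosts file, DhcpNameServer and driver services, and sorts them for a human.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the OTL lines from the log posted above.
SAMPLE_LOG = r"""
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
IE - HKLM\..\SearchScopes,DefaultScope = {309B6E7A-5F40-4B69-B6F7-77B1634D9911}
IE - HKLM\..\SearchScopes\{15565EC0-EEBD-4452-BF6B-2C7ADB97C322}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKLM\..\SearchScopes\{309B6E7A-5F40-4B69-B6F7-77B1634D9911}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=HPNTDF&pc=HPNTDF&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aimright-chromesbox-en-us
O1 - Hosts: 127.0.0.1 localhost
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C175AE8F-8D9A-4439-AB02-F4F30C15DA90}: DhcpNameServer = 209.18.47.61 209.18.47.62
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\RtsUCcid.sys -- (USBCCID)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Owner\AppData\Local\Temp\pftF07A.tmp\UCORESYS.SYS -- (UCORESYS)
DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
"""

# Line formats as OTL prints them (hive, GUID, URL / path, company, service name).
SCOPE_RE   = re.compile(r'^IE - (HKLM|HKCU)\\\.\.\\SearchScopes\\(\{[^}]+\}): "URL" = (\S+)')
DEFAULT_RE = re.compile(r'^IE - (HKLM|HKCU)\\\.\.\\SearchScopes,DefaultScope = (\{[^}]+\})')
HOOK_RE    = re.compile(r'^IE - (HKLM|HKCU)\\\.\.\\URLSearchHook: \{[^}]+\} - (.+?) \(([^)]*)\)$')
HOSTS_RE   = re.compile(r'^O1 - Hosts: (\S+)\s+(\S+)')
DNS_RE     = re.compile(r'^O17 - .*DhcpNameServer = (.+)$')
DRV_RE     = re.compile(r'^DRV - (File not found|\[[^\]]*\] \([^)]*\)) \[[^\]]*\] -- (.+?) -- \(([^)]*)\)')

# Assumption of this example: hosts a default IE search scope is expected to point at.
KNOWN_SEARCH_HOSTS = {"www.bing.com", "www.google.com", "search.yahoo.com"}
# Hosts-file names that are expected to resolve to loopback and are not overrides.
LOOPBACK_NAMES = {"localhost", "::1"}


def triage(log_text):
    """Parse an OTL log and return the entries worth a second look, grouped by kind."""
    scopes, defaults = {}, {}          # (hive, guid) -> host ; hive -> default guid
    report = {"default_scope": {}, "suspect_scopes": [], "search_hooks": [],
              "hosts_overrides": [], "dns_servers": [], "suspect_drivers": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := SCOPE_RE.match(line):
            scopes[(m[1], m[2])] = (urlparse(m[3]).hostname or "").lower()
        elif m := DEFAULT_RE.match(line):
            defaults[m[1]] = m[2]
        elif m := HOOK_RE.match(line):
            # A URLSearchHook rewrites what is typed in the address bar; always list it.
            report["search_hooks"].append((m[1], m[2], m[3]))
        elif m := HOSTS_RE.match(line):
            if m[2].lower() not in LOOPBACK_NAMES:
                report["hosts_overrides"].append((m[1], m[2]))
        elif m := DNS_RE.match(line):
            # Resolvers are reported, not judged: compare them with the ISP's published ones.
            report["dns_servers"].extend(m[1].split())
        elif m := DRV_RE.match(line):
            reasons = []
            if m[1] == "File not found":
                reasons.append("file missing")          # orphaned entry; common, often benign
            if "\\temp\\" in m[2].lower():
                reasons.append("loads from a Temp directory")  # assumption: a driver there is odd
            if reasons:
                report["suspect_drivers"].append((m[3], m[2], reasons))
    for (hive, guid), host in scopes.items():
        if host not in KNOWN_SEARCH_HOSTS:
            report["suspect_scopes"].append((hive, guid, host))
        if defaults.get(hive) == guid:
            report["default_scope"][hive] = host
    return report


if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_LOG).items():
        print(kind)
        for entry in (entries.items() if isinstance(entries, dict) else entries):
            print("   ", entry)
```

Nothing the script flags is a verdict; it only puts the browser-side entries (default scope, extra scopes, search hooks), the name-resolution entries (hosts overrides, DHCP-supplied resolvers) and the oddly placed drivers at the top so a helper can decide what to chase. On the sample, the default scope is Bing, the ask.com and AOL scopes and the AIM toolbar hook are listed, no hosts overrides are present, and UCORESYS is the one driver that is both missing and registered from a Temp path.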

#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 30 April 2012 - 03:05 AM

Hi!

Thanks for those logs!

Please do the following:

I would also like to see a list of files quarantined by ComboFix, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Post the contents of that file in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#11 thelaw

thelaw
  • Topic Starter

  • Members
  • 48 posts

Posted 30 April 2012 - 05:07 AM

2012-04-29 23:48:22 . 2012-04-29 23:48:22 986 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Update.reg.dat
2012-04-29 23:48:17 . 2012-04-29 23:48:17 904 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-HP BTW Detect Program.reg.dat
2012-04-29 23:00:13 . 2012-04-29 23:00:13 17,873 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-04-29 22:37:42 . 2012-01-13 06:05:11 1,234 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\4\RealPlayer.lnk
2012-04-29 22:37:42 . 2012-04-04 06:35:35 1,815 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\4\QuickTime Player.lnk
2012-04-29 22:37:42 . 2012-04-04 06:49:02 1,753 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\4\iTunes.lnk
2012-04-29 22:37:42 . 2010-03-17 23:08:27 564 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\4\desktop.ini
2012-04-29 22:37:42 . 2011-02-01 00:04:10 2,141 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\4\Intel AppUp(SM) center.lnk
2012-04-29 22:37:42 . 2012-03-22 22:11:37 940 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\4\Angry Birds.lnk
2012-04-29 22:37:42 . 2011-12-22 23:31:20 2,075 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\4\Angry Birds Seasons.lnk
2012-04-29 22:37:42 . 2011-12-22 23:39:45 2,019 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\4\Angry Birds Rio.lnk
2012-04-29 22:37:42 . 2011-02-21 08:08:55 1,855 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\4\AIM.lnk
2012-04-29 22:37:42 . 2010-03-17 22:26:34 2,186 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Windows Live\Windows Live Photo Gallery.lnk
2012-04-29 22:37:42 . 2009-07-14 04:41:57 174 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Startup\desktop.ini
2012-04-29 22:37:42 . 2009-09-08 01:34:15 1,929 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Windows Live\Windows Live Call.lnk
2012-04-29 22:37:42 . 2009-09-08 01:34:59 2,078 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Windows Live\Windows Live Messenger .lnk
2012-04-29 22:37:42 . 2011-12-22 23:31:20 2,099 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Rovio\Angry Birds Seasons\Angry Birds Seasons.lnk
2012-04-29 22:37:42 . 2011-12-22 23:39:45 2,043 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Rovio\Angry Birds Rio\Angry Birds Rio.lnk
2012-04-29 22:37:42 . 2012-03-22 22:11:37 940 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Rovio\Angry Birds\Angry Birds.lnk
2012-04-29 22:37:42 . 2012-01-13 06:03:21 1,036 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Real\RealPlayer.lnk
2012-04-29 22:37:42 . 2012-01-13 06:04:40 1,103 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Real\RealPlayer Trimmer.lnk
2012-04-29 22:37:42 . 2012-01-13 06:05:10 1,161 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Real\RealPlayer Converter.lnk
2012-04-29 22:37:41 . 2012-04-04 06:35:35 1,816 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\QuickTime\Uninstall QuickTime.lnk
2012-04-29 22:37:41 . 2012-04-04 06:35:35 2,471 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\QuickTime\PictureViewer.lnk
2012-04-29 22:37:41 . 2012-04-04 06:35:35 2,441 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\QuickTime\QuickTime Player.lnk
2012-04-29 22:37:41 . 2012-04-04 06:35:35 2,441 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\QuickTime\About QuickTime.lnk
2012-04-29 22:37:41 . 2009-09-08 04:13:28 1,885 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Online Services\United States\Juno Dial-up.lnk
2012-04-29 22:37:41 . 2009-09-08 04:13:54 2,220 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Online Services\United States\MSN.lnk
2012-04-29 22:37:41 . 2009-09-08 04:14:04 1,933 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Online Services\United States\Netzero Dial-up.lnk
2012-04-29 22:37:41 . 2009-09-08 03:31:50 2,020 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Online Services\Skype.lnk
2012-04-29 22:37:41 . 2009-09-08 02:58:51 2,637 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Works\Microsoft Works Word Processor.lnk
2012-04-29 22:37:41 . 2010-03-17 22:56:02 156 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Online Services\desktop.ini
2012-04-29 22:37:41 . 2010-03-17 22:24:52 2,068 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Online Services\getonline.lnk
2012-04-29 22:37:41 . 2010-12-23 06:11:30 1,111 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Works\Microsoft Works Task Launcher.lnk
2012-04-29 22:37:41 . 2009-09-08 02:58:51 2,635 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Works\Microsoft Works Portfolio.lnk
2012-04-29 22:37:41 . 2010-12-23 06:11:29 2,617 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Works\Microsoft Works Spreadsheet.lnk
2012-04-29 22:37:41 . 2009-09-08 02:58:51 2,585 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Works\Microsoft Works Calendar.lnk
2012-04-29 22:37:41 . 2009-09-08 02:58:51 2,593 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Works\Microsoft Works Database.lnk
2012-04-29 22:37:41 . 2009-09-08 02:58:51 2,565 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Works\Getting Started.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:29 1,212 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Maintenance\Remote Assistance.lnk
2012-04-29 22:37:41 . 2012-03-22 01:52:11 2,225 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Silverlight\Microsoft Silverlight.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:30 1,248 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Maintenance\Create Recovery Disc.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:30 606 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Maintenance\Desktop.ini
2012-04-29 22:37:41 . 2012-04-04 06:49:02 1,771 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\iTunes\iTunes.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:28 1,304 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Maintenance\Backup and Restore Center.lnk
2012-04-29 22:37:41 . 2012-04-04 06:49:02 2,075 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\iTunes\About iTunes.lnk
2012-04-29 22:37:41 . 2011-02-01 00:04:10 1,983 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Intel AppUp(SM) center\Uninstall Intel AppUp(SM) center.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,188 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\World of Goo.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,108 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Zuma Deluxe.lnk
2012-04-29 22:37:41 . 2011-02-01 00:04:10 2,095 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Intel AppUp(SM) center\Intel AppUp(SM) center.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,186 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Totem Tribe.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,330 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Virtual Villagers - The Secret City.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,224 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Wheel of Fortune 2.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,172 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\The Hidden Object Game Show.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,116 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Penguins!.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,116 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Polar Bowler.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,112 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Polar Golfer.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,114 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Scrabble.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,124 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Slingo Deluxe.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,196 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Mah Jong Medley.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,306 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Mortimer Beckett and the Time Paradox.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,258 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Mystery P.I. - The New York Fortune.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,224 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Mystery P.I. - The Vegas Heist.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,096 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Peggle.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,260 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Farm Frenzy - Pizza Party.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,160 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\FATE Undiscovered Realms.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,236 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Jewel Quest Solitaire 2.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,230 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\John Deere Drive Green.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,228 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Liong - The Lost Amulets.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,192 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Build-a-lot 3.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,132 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Chuzzle Deluxe.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,228 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Dora's Carnival Adventure.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,260 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Eighteen Wheels of Steel Haulin'.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,194 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Family Feud 3.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,154 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Blasterball 2 Revolution.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,258 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Bob the Builder Can-Do-Zoo.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,172 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\- HP Game Console -.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,148 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Bejeweled 2 Deluxe.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:35 2,164 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP Games\Blackhawk Striker 2.lnk
2012-04-29 22:37:41 . 2009-09-08 02:33:39 2,056 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP\HP QuickSync\HP QuickSync.lnk
2012-04-29 22:37:41 . 2009-09-08 04:40:37 2,067 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP\HP Update.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,162 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\World of Goo.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,134 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Zuma Deluxe.lnk
2012-04-29 22:37:41 . 2009-09-08 04:26:45 120 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP\desktop.ini
2012-04-29 22:37:41 . 2009-09-08 04:26:45 2,195 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\HP\HP Support Assistant.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,198 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\The Hidden Object Game Show.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,162 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Totem Tribe.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,354 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Virtual Villagers - The Secret City.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,210 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Wheel of Fortune 2.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:31 378 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Purble Place.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,146 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Scrabble.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,150 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Slingo Deluxe.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:26 368 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Solitaire.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:31 392 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Spider Solitaire.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,142 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Polar Bowler.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,138 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Polar Golfer.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,298 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Mortimer Beckett and the Time Paradox.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,278 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Mystery P.I. - The New York Fortune.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,250 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Mystery P.I. - The Vegas Heist.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,122 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Peggle.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,142 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Penguins!.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,166 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Mah Jong Medley.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:31 376 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Minesweeper.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:49 2,379 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\More Games from HP Games.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:25 258 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\GameExplorer.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:31 356 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Hearts.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,214 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Jewel Quest Solitaire 2.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,206 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\John Deere Drive Green.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,194 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Liong - The Lost Amulets.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,170 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Family Feud 3.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,254 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Farm Frenzy - Pizza Party.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,186 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\FATE Undiscovered Realms.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:26 364 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\FreeCell.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,166 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Build-a-lot 3.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,158 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Chuzzle Deluxe.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:31 936 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Desktop.ini
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,190 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Dora's Carnival Adventure.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:37 2,226 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Eighteen Wheels of Steel Haulin'.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,190 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Blackhawk Striker 2.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,182 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Blasterball 2 Revolution.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,246 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Bob the Builder Can-Do-Zoo.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:47 2,397 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\All MMO Games.lnk
2012-04-29 22:37:41 . 2011-12-22 23:39:49 218 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Angry Birds Rio.lnk
2012-04-29 22:37:41 . 2011-12-22 23:31:26 226 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Angry Birds Seasons.lnk
2012-04-29 22:37:41 . 2012-03-22 22:11:38 212 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Angry Birds.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,174 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\Bejeweled 2 Deluxe.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:48 2,397 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\All Family Games.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:47 2,397 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\All Kids Games.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:36 2,172 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\- HP Game Console -.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:47 2,397 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\All Casual Games.lnk
2012-04-29 22:37:41 . 2009-09-08 02:32:47 2,397 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Games\All Enthusiast Games.lnk
2012-04-29 22:37:41 . 2012-01-13 19:58:57 1,094 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Foxit Reader 5.1\Uninstall Foxit Reader 5.1.lnk
2012-04-29 22:37:41 . 2012-01-13 19:58:56 1,114 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Foxit Reader 5.1\Foxit Reader 5.1.lnk
2012-04-29 22:37:41 . 2009-09-08 02:01:10 2,663 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\ArcSoft WebCam Companion 3\WebCam Companion 3.lnk
2012-04-29 22:37:41 . 2009-09-08 03:50:47 2,044 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\CyberLink DVD Suite\CyberLink DVD Suite.lnk
2012-04-29 22:37:41 . 2009-09-08 03:49:43 2,007 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\CyberLink DVD Suite\Power2Go.lnk
2012-04-29 22:37:41 . 2011-02-21 08:08:55 1,014 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\AIM\Uninstall AIM.lnk
2012-04-29 22:37:41 . 2011-02-21 08:08:55 44 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\AIM\Visit AIM on the Web.url
2012-04-29 22:37:41 . 2009-07-14 04:42:01 1,262 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\Task Scheduler.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:40 1,274 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\Windows Firewall with Advanced Security.lnk
2012-04-29 22:37:41 . 2009-07-14 04:52:25 2,741 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\Windows PowerShell Modules.lnk
2012-04-29 22:37:41 . 2011-02-21 08:08:54 1,873 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\AIM\AIM.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:55 1,274 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\iSCSI Initiator.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:20 1,268 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\Memory Diagnostics Tool.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:33 1,232 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\Performance Monitor.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:45 1,288 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\services.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:20 1,246 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\System Configuration.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:55 1,294 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\Computer Management.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:35 1,270 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\Data Sources (ODBC).lnk
2012-04-29 22:37:41 . 2009-07-14 04:46:36 1,674 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\desktop.ini
2012-04-29 22:37:41 . 2009-07-14 04:42:01 1,298 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\Event Viewer.lnk
2012-04-29 22:37:41 . 2009-07-14 04:46:36 116 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Windows PowerShell\desktop.ini
2012-04-29 22:37:41 . 2009-07-14 04:46:36 1,468 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk
2012-04-29 22:37:41 . 2009-07-14 04:52:25 1,899 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
2012-04-29 22:37:41 . 2009-07-14 04:46:36 1,242 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\Component Services.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:01 1,268 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools\Task Scheduler.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:29 1,320 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools\Windows Easy Transfer Reports.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:29 1,316 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools\Windows Easy Transfer.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:58 1,290 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools\dfrgui.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:24 1,252 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools\Disk Cleanup.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:33 1,242 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools\Resource Monitor.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:20 1,250 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools\System Information.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:23 1,246 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools\System Restore.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:30 370 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Accessibility\Desktop.ini
2012-04-29 22:37:41 . 2009-07-14 04:42:30 1,388 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Accessibility\Speech Recognition.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:26 1,248 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools\Character Map.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:29 1,338 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools\Desktop.ini
2012-04-29 22:37:41 . 2009-07-14 04:42:29 1,330 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Sound Recorder.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:23 1,254 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Sync Center.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:29 1,579 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Welcome Center.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:23 1,322 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Wordpad.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:56 1,266 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\displayswitch.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:04 1,242 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Paint.lnk
2012-04-29 22:37:41 . 2009-07-14 04:41:37 1,367 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Remote Desktop Connection.lnk
2012-04-29 22:37:41 . 2010-12-23 06:54:33 1,895 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Bluetooth File Transfer Wizard.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:26 1,230 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Calculator.lnk
2012-04-29 22:37:41 . 2010-12-23 06:54:33 1,346 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Accessories\Desktop.ini
2012-04-29 22:37:41 . 2009-07-14 04:42:30 1,352 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Windows Anytime Upgrade.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:24 1,210 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Windows Fax and Scan.lnk
2012-04-29 22:37:41 . 2009-07-24 16:07:30 1,515 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Windows Media Player.lnk
2012-04-29 22:37:41 . 2009-07-14 04:42:30 1,246 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\XPS Viewer.lnk
2012-04-29 22:37:41 . 2007-04-18 14:23:28 1,562 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Try Microsoft Office for 60 days.lnk
2012-04-29 22:37:41 . 2009-09-08 04:14:12 182 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Pandora Internet Radio.url
2012-04-29 22:37:41 . 2009-07-14 04:42:29 1,330 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Sidebar.lnk
2012-04-29 22:37:41 . 2010-12-23 06:11:30 1,105 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Works Task Launcher.lnk
2012-04-29 22:37:40 . 2009-09-08 02:59:30 2,557 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
2012-04-29 22:37:40 . 2011-08-23 16:36:34 1,897 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Microsoft Security Essentials.lnk
2012-04-29 22:37:40 . 2012-01-13 06:18:49 2,519 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Apple Software Update.lnk
2012-04-29 22:37:40 . 2009-07-24 16:07:30 886 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\desktop.ini
2012-04-29 22:37:40 . 2009-07-14 04:46:35 442 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\desktop.ini
2012-04-29 22:37:40 . 2009-07-14 04:37:43 1,266 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Windows Update.lnk
2012-04-29 22:37:40 . 2009-07-14 04:46:35 1,282 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Default Programs.lnk
2012-04-29 22:37:40 . 2011-12-22 23:31:20 2,081 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Angry Birds Seasons.lnk
2012-04-29 22:37:40 . 2012-03-22 22:11:37 940 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Angry Birds.lnk
2012-04-29 22:37:40 . 2011-12-22 23:39:45 2,025 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Angry Birds Rio.lnk
2012-04-28 18:29:19 . 2012-04-29 22:13:33 419 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-04-14 20:31:15 . 2012-04-14 20:31:18 558,592 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Roaming\Microsoft\Microsoft\fptjnmg.dll.vir
2012-04-14 20:31:12 . 2012-04-14 20:31:15 558,592 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Roaming\Microsoft\Microsoft\kmzkybj.dll.vir
2012-04-14 00:22:20 . 2012-04-14 00:22:20 0 -c--a-we C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB42357$\4200934047.vir
2012-04-10 03:36:31 . 2012-04-10 03:36:34 543,336 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Roaming\Microsoft\Microsoft\hqsysrld.dll.vir
2012-04-10 03:36:29 . 2012-04-10 03:36:31 208,896 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Roaming\Microsoft\Microsoft\arroibs.dll.vir
2011-11-21 08:02:59 . 2011-08-17 04:19:27 75,776 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\psisrndr.ax.vir
2011-08-12 22:43:53 . 2010-11-20 12:16:53 68,608 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\WSTPager.ax.vir
2011-08-12 22:43:53 . 2010-11-20 12:16:52 153,600 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\VBICodec.ax.vir
2011-08-12 22:43:50 . 2010-11-20 12:16:52 204,288 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\MSNP.ax.vir
2011-08-12 22:43:50 . 2010-11-20 12:16:52 59,904 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\MSDvbNP.ax.vir
2011-08-12 22:43:50 . 2010-11-20 12:16:52 72,704 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Mpeg2Data.ax.vir
2011-08-12 22:43:43 . 2010-11-20 12:16:52 45,568 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\g711codc.ax.vir
2011-08-12 22:41:51 . 2010-11-20 12:16:52 33,792 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\vbisurf.ax.vir
2011-08-12 22:41:51 . 2010-11-20 12:16:52 48,640 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\ksxbar.ax.vir
2011-08-12 22:41:51 . 2010-11-20 12:16:52 84,480 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\kstvtune.ax.vir
2011-08-12 22:41:16 . 2010-11-20 12:16:52 107,008 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Kswdmcap.ax.vir
2011-08-12 22:40:00 . 2010-11-20 12:16:52 193,536 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\ksproxy.ax.vir
2011-03-21 04:21:28 . 2010-12-23 05:50:23 199,680 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\mpg2splt.ax.vir
2009-09-08 01:59:31 . 2009-03-30 23:02:08 319,488 ----a-w- C:\Qoobox\Quarantine\C\Program Files\HP\HPBTWD.exe.vir
2009-07-14 00:06:47 . 2009-07-14 01:14:10 74,240 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\bdaplgin.ax.vir
2009-07-13 23:51:18 . 2009-07-14 01:14:11 23,040 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\vidcap.ax.vir
2009-07-13 23:40:05 . 2009-07-13 23:40:04 31,232 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\usk.rs.vir
2009-07-13 23:40:04 . 2009-07-13 23:40:04 7,680 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\csrr.rs.vir
2009-07-13 23:40:04 . 2009-07-13 23:40:04 4,096 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\WEB.rs.vir
2009-07-13 23:40:04 . 2009-07-13 23:40:04 23,552 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\oflc.rs.vir
2009-07-13 23:40:03 . 2009-07-13 23:40:03 53,760 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\pegibbfc.rs.vir
2009-07-13 23:40:03 . 2009-07-13 23:40:02 20,480 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\pegi-pt.rs.vir
2009-07-13 23:40:01 . 2009-07-13 23:40:01 20,480 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\pegi-fi.rs.vir
2009-07-13 23:40:00 . 2009-07-13 23:40:00 37,376 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\pegi.rs.vir
2009-07-13 23:40:00 . 2009-07-13 23:40:00 16,896 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\grb.rs.vir
2009-07-13 23:40:00 . 2009-07-13 23:40:00 55,296 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\cero.rs.vir
2009-07-13 23:39:57 . 2009-07-13 23:39:56 51,712 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\esrb.rs.vir
2009-07-13 22:25:04 . 2009-07-14 01:14:10 146,944 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\ivfsrc.ax.vir
2009-07-13 22:25:04 . 2009-07-14 01:14:10 197,632 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\iac25_32.ax.vir
2009-07-13 22:25:04 . 2009-07-14 01:14:10 839,680 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\ir41_32.ax.vir

#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:09:28 PM

Posted 30 April 2012 - 05:12 AM

Hi!

Please delete the current copy of ComboFix from your Desktop and download a new copy from one of the previous links provided.

Run this script:

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
ClearJavaCache::
DeQuarantine::
C:\Qoobox\Quarantine\C\Windows\System32\psisrndr.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\WSTPager.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\VBICodec.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\MSNP.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\MSDvbNP.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\Mpeg2Data.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\g711codc.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\vbisurf.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\ksxbar.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\kstvtune.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\Kswdmcap.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\ksproxy.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\mpg2splt.ax.vir
C:\Qoobox\Quarantine\C\Program Files\HP\HPBTWD.exe.vir
C:\Qoobox\Quarantine\C\Windows\System32\bdaplgin.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\vidcap.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\usk.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\csrr.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\WEB.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\oflc.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\pegibbfc.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\pegi-pt.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\pegi-fi.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\pegi.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\grb.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\cero.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\esrb.rs.vir
C:\Qoobox\Quarantine\C\Windows\System32\ivfsrc.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\iac25_32.ax.vir
C:\Qoobox\Quarantine\C\Windows\System32\ir41_32.ax.vir 

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
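The DeQuarantine:: list in the script above was assembled by hand from the quarantine listing posted earlier: every entry is the quarantine path (with its .vir suffix) of a file that lives under C:\Windows\System32 or C:\Program Files and is a legitimate DirectShow filter (.ax) or game-rating resource (.rs), while the randomly named DLLs under the user's AppData stay quarantined. The following Python script is an added illustration, not ComboFix's own code and not something SweetTech posted: it parses quarantine log lines in the format shown in this thread, maps each back to its original location, selects entries matching an assumed false-positive rule (System32 files with a .ax or .rs extension), and emits a CFScript in the same layout. The log format, the quarantine mirror layout and the selection rule are all inferred from the listing above and are assumptions of this example; the sample lines are constructed copies of entries from the thread.

```python
"""Build a ComboFix CFScript DeQuarantine:: section from quarantine log lines.

Added example for this thread, not part of ComboFix. The log line format
(quarantine time, original mtime, size with thousands separators,
8-character attribute string, quarantine path) is inferred from the
listing posted in the thread.
"""
import re
from typing import List, NamedTuple, Optional, Sequence

# Constructed sample: five lines copied in shape from the thread's listing.
# Two are System32 false positives, one is a suspicious DLL in the user
# profile, one is a Start Menu file moved as part of a folder (no .vir),
# and one is ComboFix's own catchme.log outside the mirrored tree.
SAMPLE_LOG = r"""
2011-11-21 08:02:59 . 2011-08-17 04:19:27 75,776 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\psisrndr.ax.vir
2012-04-14 20:31:15 . 2012-04-14 20:31:18 558,592 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Roaming\Microsoft\Microsoft\fptjnmg.dll.vir
2009-07-13 23:40:04 . 2009-07-13 23:40:04 7,680 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\csrr.rs.vir
2012-04-29 22:37:41 . 2009-07-14 04:46:36 1,674 --sha-w- C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools\desktop.ini
2012-04-28 18:29:19 . 2012-04-29 22:13:33 419 ----a-w- C:\Qoobox\Quarantine\catchme.log
"""

# ComboFix mirrors the source tree under this directory (inferred from the log).
QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\C\\"

LINE_RE = re.compile(
    r"^(?P<quarantined>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<original>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S{8}) (?P<path>.+?)\s*$"
)


class QuarantineEntry(NamedTuple):
    quarantined_at: str
    original_mtime: str
    size: int
    attrs: str
    quarantine_path: str
    original_path: Optional[str]  # None when the entry is not a mirrored file


def original_location(quarantine_path: str) -> Optional[str]:
    """Map a quarantine path back to where the file lived on the system.

    Files moved individually carry a .vir suffix that is stripped here;
    entries outside the mirrored tree (e.g. catchme.log) yield None.
    """
    if not quarantine_path.startswith(QUARANTINE_ROOT):
        return None
    rel = quarantine_path[len(QUARANTINE_ROOT):]
    if rel.lower().endswith(".vir"):
        rel = rel[:-4]
    return "C:\\" + rel


def parse_quarantine_log(text: str) -> List[QuarantineEntry]:
    """Parse every non-blank line; an unrecognised line is an error, not skipped."""
    entries: List[QuarantineEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised quarantine line: {line!r}")
        path = m.group("path")
        entries.append(QuarantineEntry(
            quarantined_at=m.group("quarantined"),
            original_mtime=m.group("original"),
            size=int(m.group("size").replace(",", "")),
            attrs=m.group("attrs"),
            quarantine_path=path,
            original_path=original_location(path),
        ))
    return entries


# Assumed false-positive rule for this example: DirectShow filters and
# game-rating resources that belong in System32. Anything else stays put.
RESTORE_DIRS: Sequence[str] = ("C:\\Windows\\System32\\",)
RESTORE_EXTS: Sequence[str] = (".ax", ".rs")


def select_for_restore(entries: Sequence[QuarantineEntry],
                       dirs: Sequence[str] = RESTORE_DIRS,
                       exts: Sequence[str] = RESTORE_EXTS) -> List[QuarantineEntry]:
    """Return entries whose original location and extension match the rule.

    Randomly named DLLs under the user profile never match, so they remain
    quarantined, which is the behaviour a helper wants from such a filter.
    """
    dir_prefixes = tuple(d.lower() for d in dirs)
    ext_suffixes = tuple(e.lower() for e in exts)
    chosen = []
    for e in entries:
        if e.original_path is None:
            continue
        lower = e.original_path.lower()
        if lower.startswith(dir_prefixes) and lower.endswith(ext_suffixes):
            chosen.append(e)
    return chosen


def build_cfscript(entries: Sequence[QuarantineEntry]) -> str:
    """Emit a CFScript laid out like the one in this thread: directives first,
    then one quarantine path (with .vir) per line under DeQuarantine::."""
    lines = ["KillAll::", "ClearJavaCache::", "DeQuarantine::"]
    lines.extend(e.quarantine_path for e in entries)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    restore = select_for_restore(parse_quarantine_log(SAMPLE_LOG))
    print(build_cfscript(restore), end="")
```

Run on the constructed sample, the script restores only psisrndr.ax and csrr.rs; the suspicious fptjnmg.dll under AppData, the folder-moved desktop.ini and catchme.log are all left out. The point of keeping the original-path mapping separate from the selection rule is that the rule can be reviewed and tightened without touching the parser.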


#13 thelaw

thelaw
  • Topic Starter

  • Members
  • 48 posts
  • Local time:05:28 PM

Posted 01 May 2012 - 12:57 AM

Nothing happens. I drag the CFScript.txt file onto ComboFix.exe and it starts to extract some files. After that, there is no evidence of activity. I never even reach:

------------------------------------------------
Please wait.
ComboFix is preparing to run.

Attempting to create a new System Restore Point.
------------------------------------------------

#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:09:28 PM

Posted 01 May 2012 - 01:05 AM

Can you try and run the ComboFix script in Safe Mode and see if you have better luck running it there?

-ST.



#15 thelaw

thelaw
  • Topic Starter

  • Members
  • 48 posts
  • Local time:05:28 PM

Posted 01 May 2012 - 11:10 PM

Tried dragging the script file onto ComboFix while in Safe Mode. Same result as in Normal Mode in that it starts and then seems to disappear before anything is done.



