
BSOD after removal of consrv.dll


  • This topic is locked
15 replies to this topic

#1 Ryan Bogan

  • Members
  • 8 posts

Posted 01 May 2012 - 12:31 PM

Hi,

A friend of mine had several viruses on his computer. He removed them, one of which deleted consrv.dll. He could not boot into the computer and I guess he found out that copying winsrv.dll to consrv.dll
This allowed him to get to the login screen, but now it gives a BSOD with STOP: C000021a. He left the computer with me to see if I could find some help online. I am unsure of what all he tried, but from searching online it seemed that posting here would be better than trying something that might make things worse.

I also cannot enter Safe Mode.

I installed Farbar Recovery Scan Tool x64
from http://download.bleepingcomputer.com/farbar/FRST64.exe
and I obtained the log file FRST.txt which I am attaching here.

I would greatly appreciate any help someone can give.
Thank you sooo much in advance.

Ryan

Attached Files

  • FRST.txt (87.83 KB, 10 downloads)



#2 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender: Male
  • Location: The Netherlands

Posted 01 May 2012 - 04:30 PM

Hello Ryan Bogan,

Welcome to the forum.

Please copy and paste the logs instead of attaching them unless requested.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

start
HKLM-x32\...\Run: []  [x]
HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]
SubSystems: [Windows] ==> ZeroAccess
C:\Windows\System32\consrv.dll
2012-04-14 12:26 - 2012-04-14 07:36 - 0000256 ____A C:\Users\All Users\8IykvZTH8tEy9l
2012-04-14 12:26 - 2012-04-14 07:36 - 0000256 ____A C:\ProgramData\8IykvZTH8tEy9l
2012-04-14 12:26 -  - 0000000 ____A C:\Users\All Users\-8IykvZTH8tEy9l
2012-04-14 12:26 -  - 0000000 ____A C:\ProgramData\-8IykvZTH8tEy9l
2012-04-14 07:36 - 2012-04-14 12:26 - 0000000 ____A C:\Users\All Users\-DnIyTIKrZ59WBe
2012-04-14 07:36 - 2012-04-14 12:26 - 0000000 ____A C:\ProgramData\-DnIyTIKrZ59WBe
2012-04-14 07:36 - 2009-07-13 21:08 - 0000256 ____A C:\Users\All Users\DnIyTIKrZ59WBe
2012-04-14 07:36 - 2009-07-13 21:08 - 0000256 ____A C:\ProgramData\DnIyTIKrZ59WBe
2012-04-19 14:37 - 2012-04-14 12:36 - 0000256 ____A C:\Users\All Users\rl9TyRuAaaYp5G
2012-04-19 14:37 - 2012-04-14 12:36 - 0000256 ____A C:\ProgramData\rl9TyRuAaaYp5G
2012-04-19 14:37 - 2012-03-24 06:47 - 0000649 ____A C:\Users\StephFergy\Desktop\SMART_HDD.lnk
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options and select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also restart, let it boot normally and tell me how it went.
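
The fixlist above restores the SubSystems\Windows value that FRST flagged ("SubSystems: [Windows] ==> ZeroAccess") and removes consrv.dll. The following Python is an added example, not Farbar's code and not part of FRST: it parses the ServerDll entries of that value and flags any module outside the set a stock Windows 7 lists, which is the check a responder can run against a suspect registry hive. The two sample value strings are constructed here, and read_live_value assumes the standard key path.

```python
r"""Detection check for the consrv.dll subsystem hijack discussed in this thread.

csrss.exe reads the "Windows" value under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems and loads every
ServerDll= module listed there.  ZeroAccess swapped the console server entry
(winsrv:ConServerDllInitialization) for consrv:ConServerDllInitialization, which is
why deleting consrv.dll left the machine unbootable (STOP c000021a) and why the
fixlist restores the value.  Added example; not code from the thread or from FRST.
"""
import re

# ServerDll modules a stock Windows 7 SubSystems\Windows value lists.
EXPECTED_SERVER_DLLS = frozenset({"basesrv", "winsrv", "sxssrv"})

# ServerDll=<module>[:<entrypoint>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)")


def parse_server_dlls(value):
    """Return [(module, entrypoint_or_None, index), ...] in the order csrss sees them."""
    return [
        (m.group(1).lower(), m.group(2), int(m.group(3)))
        for m in SERVERDLL_RE.finditer(value)
    ]


def find_unexpected_server_dlls(value, expected=EXPECTED_SERVER_DLLS):
    """Return the sorted module names in the value that are not in the expected set."""
    return sorted({mod for mod, _, _ in parse_server_dlls(value) if mod not in expected})


def read_live_value():
    """Read the real value on a Windows host; returns None elsewhere (winreg is Windows-only).

    Assumption: the standard key path below; it is not taken from the thread.
    """
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, "Windows")
    return value


# Constructed sample values: the first follows the layout of a stock Windows 7 x64
# value, the second is the same string with the console ServerDll redirected to consrv.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
HIJACKED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

if __name__ == "__main__":
    checks = [("clean sample", CLEAN_VALUE), ("hijacked sample", HIJACKED_VALUE)]
    live = read_live_value()
    if live is not None:
        checks.append(("this host", live))
    for label, value in checks:
        bad = find_unexpected_server_dlls(value)
        verdict = "OK" if not bad else "UNEXPECTED ServerDll: " + ", ".join(bad)
        print(f"{label}: {verdict}")
```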

#3 Ryan Bogan


Posted 01 May 2012 - 05:17 PM

Hello,

Thank you so much for the speedy reply and help.

Here is the log you requested:

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 30-04-2012 02
Ran by SYSTEM at 2012-05-01 17:08:24 R:1
Running from G:\

==============================================

HKLM-x32\\\.\.\.\\Run\\HKLM-x32\...\Run: [] [x] Value not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*WerKernelReporting Value deleted successfully.
HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager\SubSystems\\Windows Value was restored.
C:\Windows\System32\consrv.dll moved successfully.
C:\Users\All Users\8IykvZTH8tEy9l moved successfully.
C:\ProgramData\8IykvZTH8tEy9l not found.
C:\Users\All Users\-8IykvZTH8tEy9l moved successfully.
C:\ProgramData\-8IykvZTH8tEy9l not found.
C:\Users\All Users\-DnIyTIKrZ59WBe moved successfully.
C:\ProgramData\-DnIyTIKrZ59WBe not found.
C:\Users\All Users\DnIyTIKrZ59WBe moved successfully.
C:\ProgramData\DnIyTIKrZ59WBe not found.
C:\Users\All Users\rl9TyRuAaaYp5G moved successfully.
C:\ProgramData\rl9TyRuAaaYp5G not found.
C:\Users\StephFergy\Desktop\SMART_HDD.lnk moved successfully.

==== End of Fixlog ====



Also I restarted normally as requested and am now able to login to the computer.
Is there any more I should do?

Thank you again.

#4 Farbar


Posted 02 May 2012 - 02:54 AM

Great. :thumbup2:

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

  • Please download MiniRegTool64.zip and unzip it.
    • Run the tool.
    • Copy and paste the following into the edit box:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
    • Check Export keys radio button.
    • Press Go button and post the result.


#5 Ryan Bogan


Posted 02 May 2012 - 05:33 AM

Okay,
I have done as instructed. Here are the logs:


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.02.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
StephFergy :: STEPHFERGY-PC [administrator]

5/2/2012 5:15:23 AM
mbam-log-2012-05-02 (05-15-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199971
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 4
C:\Users\StephFergy\Local Settings\Application Data\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Users\StephFergy\Local Settings\Application Data\I Want This\Chrome (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Users\StephFergy\AppData\Local\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Users\StephFergy\AppData\Local\I Want This\Chrome (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)


and the other one:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:0000000a
"Serial_Access_Num"=dword:00000038
"Num_Catalog_Entries64"=dword:0000000a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"ProviderId"=hex:a2,cb,4a,96,bc,b2,eb,40,8c,6a,a6,db,40,16,1c,ae
"SupportedNameSpace"=dword:00000025
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1000"
"ProviderId"=hex:ce,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000027
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1001"
"ProviderId"=hex:cd,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000026
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005]
"LibraryPath"="%SystemRoot%\\system32\\wshbth.dll"
"DisplayString"="Bluetooth Namespace"
"ProviderId"=hex:e0,63,aa,06,60,7d,ff,41,af,b2,3e,e6,d2,d9,39,2d
"SupportedNameSpace"=dword:00000010
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006]
"LibraryPath"="C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll"
"DisplayString"="mdnsNSP"
"ProviderId"=hex:e9,e6,00,b6,3b,55,19,4a,86,96,33,5e,5c,89,61,53
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000007]
"LibraryPath"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive NSP"
"ProviderId"=hex:e9,dd,77,41,28,60,9e,47,b7,b7,03,59,1a,63,ff,3a
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008]
"LibraryPath"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive Local NSP"
"ProviderId"=hex:2c,2a,9f,22,18,5f,06,4a,8f,89,3a,37,21,70,62,4d
"SupportedNameSpace"=dword:00000013
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000009]
"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000010]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"ProviderId"=hex:3a,24,42,66,a8,3b,a6,4a,ba,a5,2e,0b,d7,1f,dd,83
"SupportedNameSpace"=dword:0000000f
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"ProviderId"=hex:a2,cb,4a,96,bc,b2,eb,40,8c,6a,a6,db,40,16,1c,ae
"SupportedNameSpace"=dword:00000025
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1000"
"ProviderId"=hex:ce,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000027
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004]
"LibraryPath"="%SystemRoot%\\system32\\pnrpnsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\pnrpnsp.dll,-1001"
"ProviderId"=hex:cd,89,fe,03,6d,76,76,49,b9,c1,bb,9b,c4,2c,7b,4d
"SupportedNameSpace"=dword:00000026
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005]
"LibraryPath"="%SystemRoot%\\system32\\wshbth.dll"
"DisplayString"="Bluetooth Namespace"
"ProviderId"=hex:e0,63,aa,06,60,7d,ff,41,af,b2,3e,e6,d2,d9,39,2d
"SupportedNameSpace"=dword:00000010
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006]
"LibraryPath"="C:\\Program Files\\Bonjour\\mdnsNSP.dll"
"DisplayString"="mdnsNSP"
"ProviderId"=hex:e9,e6,00,b6,3b,55,19,4a,86,96,33,5e,5c,89,61,53
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000007]
"LibraryPath"="C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive NSP"
"ProviderId"=hex:e9,dd,77,41,28,60,9e,47,b7,b7,03,59,1a,63,ff,3a
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000008]
"LibraryPath"="C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDNSP.DLL"
"DisplayString"="WindowsLive Local NSP"
"ProviderId"=hex:2c,2a,9f,22,18,5f,06,4a,8f,89,3a,37,21,70,62,4d
"SupportedNameSpace"=dword:00000013
"Enabled"=dword:00000001
"Version"=dword:00000001
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000009]
"LibraryPath"="%SystemRoot%\\System32\\mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\wshtcpip.dll,-60103"
"ProviderId"=hex:40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b
"SupportedNameSpace"=dword:0000000c
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000000
"ProviderInfo"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000010]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
"DisplayString"="NTDS"
"ProviderId"=hex:ee,37,26,3b,80,e5,cf,11,a5,55,00,c0,4f,d8,d4,ac
"SupportedNameSpace"=dword:00000020
"Enabled"=dword:00000001
"Version"=dword:00000000
"StoresServiceClassInfo"=dword:00000001
"ProviderInfo"=hex:
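
The export above lists every registered Winsock namespace provider with the DLL it loads; what a reviewer wants to see at a glance is which of those DLLs live outside the Windows directory. The following Python is an added example, not code from the thread, from MiniRegTool or from FRST: it parses a .reg export of NameSpace_Catalog5 into provider records and flags enabled providers whose library is not a system DLL. SAMPLE_REG is constructed to mirror three entries of the export above.

```python
"""Parse a .reg export of WinSock2\\Parameters\\NameSpace_Catalog5 and list the providers.

Added example for this thread; it is not code from Farbar, MiniRegTool or FRST.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} for a 'Windows Registry Editor Version 5.00' export."""
    keys, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            current[value.group(1)] = value.group(2)
    return keys


def reg_string(raw):
    """Decode a quoted REG_SZ literal; .reg files escape backslashes and quotes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def reg_dword(raw):
    """Decode a dword:XXXXXXXX literal to an int."""
    return int(raw.split(":", 1)[1], 16)


def namespace_providers(reg_text):
    """One dict per Catalog_Entries / Catalog_Entries64 subkey, in file order."""
    providers = []
    for path, values in parse_reg(reg_text).items():
        parts = path.split("\\")
        if len(parts) < 2 or parts[-2] not in ("Catalog_Entries", "Catalog_Entries64"):
            continue
        providers.append({
            "catalog": parts[-2],
            "entry": parts[-1],
            "library": reg_string(values.get("LibraryPath", '""')),
            "display": reg_string(values.get("DisplayString", '""')),
            "enabled": reg_dword(values.get("Enabled", "dword:00000000")) == 1,
        })
    return providers


def providers_outside_system32(providers):
    """Enabled providers whose DLL is neither a bare system DLL name nor under %SystemRoot%\\system32."""
    flagged = []
    for provider in providers:
        lib = provider["library"].lower()
        in_system32 = lib.startswith("%systemroot%\\system32\\") or "\\" not in lib
        if provider["enabled"] and not in_system32:
            flagged.append(provider)
    return flagged


# Constructed sample mirroring three entries of the export in this thread (values trimmed).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="mswsock.dll"
"DisplayString"="@%SystemRoot%\\system32\\nlasvc.dll,-1000"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\system32\\napinsp.dll"
"DisplayString"="@%SystemRoot%\\system32\\napinsp.dll,-1000"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006]
"LibraryPath"="C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll"
"DisplayString"="mdnsNSP"
"Enabled"=dword:00000001
'''

if __name__ == "__main__":
    found = namespace_providers(SAMPLE_REG)
    for provider in found:
        print(f"{provider['catalog']}/{provider['entry']}: {provider['display']} -> {provider['library']}")
    for provider in providers_outside_system32(found):
        print("review (third-party or unexpected location):", provider["library"])
```

Third-party providers such as Bonjour are legitimate; the flag marks them for review, not for removal.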

#6 Farbar


Posted 02 May 2012 - 06:39 AM

We need to restore winsock fully and remove a rootkit folder.
  • Please download Fix-64.reg (attached, 408 bytes, 10 downloads).
    Double-click and confirm the prompt.
  • Important: Restart the computer.
  • Please download fix.bat (attached, 553 bytes, 12 downloads).
    Important: Right-click fix.bat and select "Run as administrator".
    A command window and then a log file (log.txt) will open.
    Please post the log and restart the computer.


#7 Ryan Bogan


Posted 02 May 2012 - 07:24 AM

okay, here is the log:

Start
C:\Windows\system64 found.
C:\Windows\system64 deleted successfully.
File Not Found

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

End

#8 Farbar


Posted 02 May 2012 - 08:38 AM

Now I would like to check the whole system for any possible leftovers. The scan takes some time, but it is better to be safe than sorry.



ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here, then click on: [image]

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use, then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats and the option Scan archives are checked.
  • Now click on Advanced Settings and select the following:
  • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

#9 Ryan Bogan


Posted 02 May 2012 - 10:56 AM

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0843b3358b70f44ab51675d8d43a6801
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-02 03:36:09
# local_time=2012-05-02 11:36:09 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1024 16777215 100 0 926355 926355 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 66 85 0 87510306 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=258600
# found=11
# cleaned=11
# scan_time=6113
C:\TDSSKiller_Quarantine\20.04.2012_16.02.04\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AYI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\20.04.2012_16.02.04\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\20.04.2012_16.02.04\mbr0000\tdlfs0000\tsk0002.dta a variant of Win32/Rootkit.Kryptik.KS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\20.04.2012_16.02.04\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\20.04.2012_16.02.04\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\20.04.2012_16.02.04\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.X trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\20.04.2012_16.02.04\zaea0000\svc0000\tsk0000.dta Win64/Sirefef.W trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\StephFergy\AppData\Local\Temp\D885.tmp a variant of Win32/Kryptik.AEGV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\StephFergy\AppData\Local\Temp\Main.class a variant of Java/TrojanDownloader.Agent.NEC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\StephFergy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\49a7c249-48cd0605 a variant of Java/Exploit.Agent.NAY trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\lfbegkzq.dll a variant of Win32/Kryptik.AEVS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#10 Farbar


Posted 02 May 2012 - 12:01 PM

Let's take a look at other vulnerabilities.

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Click Run Scan button.
  • Two reports will open:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Copy and paste OTL.txt and attach Extra.txt to your reply.


#11 Ryan Bogan


Posted 02 May 2012 - 12:44 PM

OTL logfile created on: 5/2/2012 1:10:29 PM - Run 1
OTL by OldTimer - Version 3.2.42.2 Folder = C:\Users\StephFergy\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.86 Gb Total Physical Memory | 2.22 Gb Available Physical Memory | 57.53% Memory free
7.73 Gb Paging File | 5.89 Gb Available in Paging File | 76.20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 58.59 Gb Total Space | 2.67 Gb Free Space | 4.56% Space Free | Partition Type: NTFS
Drive D: | 229.62 Gb Total Space | 229.52 Gb Free Space | 99.95% Space Free | Partition Type: NTFS
Drive E: | 79.25 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: STEPHFERGY-PC | User Name: StephFergy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/02 13:09:14 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\StephFergy\Desktop\OTL.exe
PRC - [2012/04/08 12:27:14 | 005,158,992 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
PRC - [2012/04/05 06:12:34 | 002,587,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
PRC - [2012/02/14 05:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
PRC - [2012/02/14 05:52:56 | 000,493,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe
PRC - [2012/02/08 16:13:49 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2012/01/03 18:31:34 | 001,391,272 | ---- | M] (Ask) -- C:\Program Files (x86)\Ask.com\Updater\Updater.exe
PRC - [2011/10/07 11:40:43 | 000,123,320 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.9.24\SymcPCCULaunchSvc.exe
PRC - [2011/03/28 13:21:16 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
PRC - [2010/09/13 12:48:14 | 000,097,384 | R--- | M] (Amazon.com) -- C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
PRC - [2010/09/13 12:48:12 | 000,025,704 | R--- | M] (Amazon.com) -- C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
PRC - [2009/12/29 17:35:38 | 000,140,520 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2009/12/15 22:14:56 | 001,169,904 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\Roxio Burn.exe
PRC - [2009/12/15 22:14:22 | 000,498,160 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
PRC - [2009/09/30 08:01:32 | 002,320,920 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2009/09/30 08:01:30 | 000,268,824 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2009/08/24 18:49:41 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.9.24\ccSvcHst.exe
PRC - [2009/08/17 22:09:54 | 000,013,600 | ---- | M] (Broadcom Corporation.) -- c:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
PRC - [2009/06/24 17:21:38 | 000,409,744 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
PRC - [2009/06/09 10:11:14 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/01 22:18:10 | 012,432,896 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll
MOD - [2012/05/01 22:17:48 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
MOD - [2012/05/01 22:17:34 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni.dll
MOD - [2012/05/01 22:17:29 | 007,963,136 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
MOD - [2012/05/01 22:17:22 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
MOD - [2012/04/19 22:25:43 | 008,797,344 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll
MOD - [2012/02/08 16:13:49 | 001,911,768 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2011/02/06 13:32:14 | 000,067,872 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/12/15 22:14:56 | 001,169,904 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\Roxio Burn.exe
MOD - [2009/12/15 22:14:22 | 000,498,160 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
MOD - [2009/12/15 22:13:56 | 000,588,272 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\BBEngineAS.dll
MOD - [2009/11/15 22:58:50 | 000,375,280 | ---- | M] () -- c:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\SQLite352.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [Auto | Stopped] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe /McCoreSvc -- (McMPFSvc)
SRV:64bit: - [2010/09/22 20:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/10/09 08:52:16 | 000,092,160 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
SRV:64bit: - [2009/09/08 11:56:00 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/08/17 22:09:52 | 000,868,128 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV:64bit: - [2009/07/17 12:06:00 | 000,033,280 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE -- (wltrysvc)
SRV:64bit: - [2009/06/09 10:11:14 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2012/04/19 22:25:43 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/08 12:27:14 | 005,158,992 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2012/02/14 05:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2011/10/07 11:40:43 | 000,123,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.9.24\SymcPCCULaunchSvc.exe -- (Norton PC Checkup Application Launcher)
SRV - [2011/04/01 13:14:30 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/03/28 13:21:16 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/09/13 12:48:12 | 000,025,704 | R--- | M] (Amazon.com) [Auto | Running] -- C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe -- (ADVService)
SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/17 19:35:59 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/09/30 08:01:32 | 002,320,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2009/09/30 08:01:30 | 000,268,824 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2009/08/24 18:49:41 | 000,126,392 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.9.24\ccSvcHst.exe -- (PCCUJobMgr)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- c:\program files\dell support center\pcdsrvc_x64.pkms -- (PCDSRVC{1E208CE0-FB7451FF-06020101}_0)
DRV:64bit: - [2012/04/19 05:50:26 | 000,028,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\avgidsha.sys -- (AVGIDSHA)
DRV:64bit: - [2012/03/19 06:17:26 | 000,383,808 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (Avgtdia)
DRV:64bit: - [2012/03/08 19:40:52 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/22 06:25:32 | 000,289,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (Avgldx64)
DRV:64bit: - [2012/01/31 05:46:48 | 000,036,944 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgrkx64.sys -- (Avgrkx64)
DRV:64bit: - [2011/12/23 14:32:14 | 000,047,696 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (Avgmfx64)
DRV:64bit: - [2011/12/23 14:32:04 | 000,029,776 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\avgidsfiltera.sys -- (AVGIDSFilter)
DRV:64bit: - [2011/12/23 14:31:58 | 000,124,496 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\avgidsdrivera.sys -- (AVGIDSDriver)
DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/02/18 18:36:58 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2009/09/17 15:54:00 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) Intel®
DRV:64bit: - [2009/09/16 09:47:00 | 000,267,312 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2009/09/08 12:31:00 | 006,204,928 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/08/22 22:02:00 | 000,120,336 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2009/08/20 12:05:00 | 000,239,616 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/07/17 12:06:00 | 002,769,400 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
DRV:64bit: - [2009/07/17 12:06:00 | 000,022,520 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bcm42rly.sys -- (BCM42RLY)
DRV:64bit: - [2009/07/16 23:14:00 | 000,220,672 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/09 04:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009/07/01 16:46:52 | 000,098,344 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwaudio.sys -- (btwaudio)
DRV:64bit: - [2009/07/01 16:46:48 | 000,132,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)
DRV:64bit: - [2009/07/01 16:46:40 | 000,021,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwrchid.sys -- (btwrchid)
DRV:64bit: - [2009/06/15 14:06:42 | 000,172,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CtClsFlt.sys -- (CtClsFlt)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 15:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/04/07 19:33:08 | 000,035,104 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwl2cap.sys -- (btwl2cap)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{4F6FC0B9-E4B6-4381-9401-A77042FA8DCA}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{99B3F8D2-1137-4806-B91C-C9D00BF0CB9D}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox


IE - HKU\.DEFAULT\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value found
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {56256A51-B582-467e-B8D4-7786EDA79AE0}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value found
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {56256A51-B582-467e-B8D4-7786EDA79AE0}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZKxdm1435DUS&ptb=C7a7LBNE9IgPM_ygDmBhCA
IE - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\..\SearchScopes\{409DD3B4-D1F8-EC6E-EDBD-2367FDA78762}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z015&form=ZGAIDF
IE - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADFA_en
IE - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\..\SearchScopes\{9B51FB9A-27B8-4F1F-8744-EBCA67631A5D}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000TNUS&apn_uid=F24B573F-8FCB-4A4F-AD64-A3D362D08A07&apn_sauid=A5F1C4A8-BF69-4344-BBC0-16C8AF85C607
IE - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=100000031&locale=en_US&apn_uid=F24B573F-8FCB-4A4F-AD64-A3D362D08A07&apn_ptnrs=TV&apn_sauid=A5F1C4A8-BF69-4344-BBC0-16C8AF85C607&apn_dtid=OSJ000TNUS&&q="
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_2_202_233.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@mywebsearch.com/Plugin: C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMyWebS.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files (x86)\MyWebSearch\bar\1.bin
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files (x86)\AVG\AVG2012\Firefox4\ [2012/05/01 18:19:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack\ [2012/05/01 18:19:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/04/19 22:30:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/02/13 19:41:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\StephFergy\AppData\Roaming\Mozilla\Extensions
[2012/05/02 06:16:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\StephFergy\AppData\Roaming\Mozilla\Firefox\Profiles\phkbloe1.default\extensions
[2012/04/20 09:23:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/04/20 09:23:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/02/08 16:13:49 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/02/22 20:08:53 | 000,002,310 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2012/02/08 13:12:58 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/02/08 13:12:58 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\18.0.1025.162\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\18.0.1025.162\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Adobe Acrobat (Enabled) = c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 6 U31 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
CHR - Extension: AVG Safe Search = C:\Users\StephFergy\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2111_0\
CHR - Extension: AVG Do-Not-Track = C:\Users\StephFergy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof\12.0.0.2126_0\

O1 HOSTS File: ([2012/04/20 14:05:22 | 000,000,828 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll (AVG Technologies CZ, s.r.o.)
O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll (AVG Technologies CZ, s.r.o.)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3:64bit: - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-1470158620-3697858059-2603717565-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4:64bit: - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE (Dell Inc.)
O4:64bit: - HKLM..\Run: [QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter File not found
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [StartCCC] c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [Update] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\sgpeue.dll",DllRegisterServer File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Update] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Microsoft\sgpeue.dll",DllRegisterServer File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html File not found
O8:64bit: - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8:64bit: - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll (AVG Technologies CZ, s.r.o.)
O9:64bit: - Extra Button: @c:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:64bit: - Extra 'Tools' menuitem : @c:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E12EBAFC-94FF-4380-A701-752DA17BFC4D}: DhcpNameServer = 10.0.0.1
O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll (AVG Technologies CZ, s.r.o.)
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{bc62153b-322a-11df-ae07-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{bc62153b-322a-11df-ae07-806e6f6e6963}\Shell\AutoRun\command - "" = E:\install.EXE id= ver=1.0.0.0
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/02 13:09:14 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Users\StephFergy\Desktop\OTL.exe
[2012/05/02 09:45:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/05/02 06:12:37 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{401E14BF-DC0D-4B79-9D78-C15F2BC00AF8}
[2012/05/02 06:12:25 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{ED4BD32B-849A-488B-AC56-0EF5696F49B8}
[2012/05/01 21:30:01 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SPReview
[2012/05/01 21:29:00 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\EventProviders
[2012/05/01 21:28:29 | 005,559,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2012/05/01 21:28:29 | 003,968,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2012/05/01 21:28:28 | 003,913,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2012/05/01 18:19:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
[2012/05/01 18:11:56 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{F9792E36-9823-492C-95C6-A456B6AEFDDA}
[2012/05/01 18:11:44 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{0FE5A00A-9A2B-4C8B-9E19-F941ACBAC9BB}
[2012/05/01 15:10:46 | 000,000,000 | ---D | C] -- C:\FRST
[2012/04/20 20:50:44 | 002,072,624 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\StephFergy\Desktop\TDSSKiller.exe
[2012/04/20 17:03:36 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/04/20 16:39:38 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Roaming\AVG2012
[2012/04/20 16:37:38 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2012/04/20 16:37:26 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\AVG
[2012/04/20 16:36:40 | 000,000,000 | -H-D | C] -- C:\$AVG
[2012/04/20 16:36:40 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2012
[2012/04/20 16:36:40 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\AVG
[2012/04/20 16:35:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG
[2012/04/20 16:31:52 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2012/04/20 16:27:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Windows Genuine Advantage
[2012/04/20 11:20:41 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{6F1E2C5F-A02B-4419-B092-AD5247ABB480}
[2012/04/20 11:20:29 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{2B815BFC-4149-4FEE-8047-B5C2B0DA160D}
[2012/04/20 10:53:07 | 000,000,000 | ---D | C] -- C:\Windows\en
[2012/04/20 10:48:54 | 000,048,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\fssfltr.sys
[2012/04/20 10:29:10 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{F6F1FBA2-2D5F-4A4B-A60B-1DCD2846A9CE}
[2012/04/20 10:28:55 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{488418B9-B91B-42E0-A6DE-E7BA8E61848A}
[2012/04/20 09:54:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012/04/20 09:23:46 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2012/04/20 09:23:46 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2012/04/20 09:23:46 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2012/04/20 09:03:41 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{D4532A2D-5184-4284-8CC2-888C5C85296A}
[2012/04/20 09:03:25 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{E42708DD-B0E5-4C05-8BC5-7821BAAFFD5D}
[2012/04/19 22:25:34 | 008,741,536 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerInstaller.exe
[2012/04/19 22:19:48 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{92ED8F72-4AD3-4903-AD95-1FE60EB5615A}
[2012/04/19 22:19:32 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{6E1A2278-15CA-4F01-BA3E-079D7F5662AF}
[2012/04/19 21:48:32 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/04/19 21:48:21 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{5946A809-0E59-4EE9-BF64-AD831D0CDB3B}
[2012/04/19 21:48:06 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{649589EC-6190-4A99-9729-6BB1338088E6}
[2012/04/19 18:56:33 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Roaming\Malwarebytes
[2012/04/19 18:56:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/19 18:56:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/04/19 18:56:28 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/04/19 18:56:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/04/19 18:36:23 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{84C51D8C-037B-4931-B3AB-7AED7F3F59DF}
[2012/04/19 05:50:26 | 000,028,480 | ---- | C] (AVG Technologies CZ, s.r.o. ) -- C:\Windows\SysNative\drivers\avgidsha.sys
[2012/04/17 18:35:55 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{547A0583-E32D-41B2-98B6-C4651E88CC22}
[2012/04/17 18:35:26 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{AB148F35-A15F-4314-B276-8A676EA2FEFF}
[2012/04/17 18:32:18 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{8F382600-A2BC-4458-8B34-EA4C7E3B2AB5}
[2012/04/14 17:01:03 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{F174DDFB-5167-4720-8BE1-887833491A7D}
[2012/04/14 17:00:50 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{931F3A6D-DAF7-4050-9D85-ED25C747216A}
[2012/04/14 16:53:03 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{7C924ADE-D465-4097-A51D-D5B3EDCA34EC}
[2012/04/14 16:52:33 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{3E26667B-DB71-49EF-ABE4-ADD5E2E9A2F9}
[2012/04/14 16:21:41 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{01CE6201-7786-4FB6-AF87-16D9C82A6FB8}
[2012/04/14 16:21:18 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{E3316E2C-F1EF-4269-ADBF-F14B375720A6}
[2012/04/14 12:08:49 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{BFFDB0AC-8591-43B0-B346-30382F9726FA}
[2012/04/14 12:08:35 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{2846D9DC-34E3-411D-9BE1-BE2925374E52}
[2012/04/14 11:52:10 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{E1E0B231-AAA6-4765-A287-6CB41379C9FE}
[2012/04/14 11:36:55 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SMART HDD
[2012/04/14 11:30:57 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{2A31B872-6579-4C6B-8423-815BD972B1B7}
[2012/04/13 16:27:36 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{6AD39E1E-A1D3-40D0-B29A-C2B9CEDA2DC5}
[2012/04/13 16:27:23 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{E4CF15F8-2634-40FE-AB10-3E0A98E29754}
[2012/04/13 07:42:33 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{765BF5AC-5387-480A-BAD2-4C03ED902568}
[2012/04/13 07:42:22 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{B522CA44-3FEC-4B24-BE3B-15E69D90D743}
[2012/04/13 04:01:58 | 000,096,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012/04/13 04:01:58 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/04/13 04:01:56 | 002,311,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012/04/13 04:01:56 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012/04/13 04:01:56 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/04/13 04:01:56 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/04/13 04:01:55 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012/04/13 04:01:54 | 001,493,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012/04/13 04:01:54 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/04/13 04:01:54 | 000,818,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012/04/13 04:01:54 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/04/13 04:01:18 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\imagehlp.dll
[2012/04/13 04:01:18 | 000,023,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\fs_rec.sys
[2012/04/13 04:01:17 | 000,220,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll
[2012/04/13 03:22:51 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{EFBB0594-5092-45C8-AF65-B0170EC7A1A9}
[2012/04/12 10:57:05 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{433D932E-3655-4409-B276-8F9063C072B4}
[2012/04/11 15:59:13 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{26149A8C-F78A-490E-A8EB-6E6ED8C77759}
[2012/04/11 03:26:47 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{AC773B13-0237-4134-A359-5D2C3EEF8FBC}
[2012/04/10 14:35:19 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\Desktop\steph
[2012/04/10 11:18:26 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{BC84086E-9F8D-4A10-A630-3D9324E04A08}
[2012/04/09 23:18:01 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{974437A2-E776-4427-8064-8BE908996534}
[2012/04/09 11:17:26 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{A947A0F0-86D0-4807-9463-68CADBCF5C7F}
[2012/04/08 22:54:18 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{81695267-DEFD-4E60-8AF3-C76CEB145258}
[2012/04/08 10:53:53 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{1FE186B8-BEEF-4583-A6D0-0EC67258DDAB}
[2012/04/07 20:08:01 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{859B3345-4541-4D5A-A7D7-BBD63559841A}
[2012/04/06 19:43:14 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{08295C42-E822-43CA-8254-1E950896F2DB}
[2012/04/06 07:42:39 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{082A65BA-AB5A-410A-A10D-226947D73E47}
[2012/04/05 18:55:58 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\Desktop\New folder (5)
[2012/04/05 18:47:33 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\Desktop\movie
[2012/04/05 17:23:52 | 000,000,000 | ---D | C] -- C:\Program Files\Dell Support Center
[2012/04/05 17:14:32 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\Desktop\New folder (4)
[2012/04/04 23:08:02 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{7D4EF7D2-D9E5-45C5-ADEB-00D8D26FC86D}
[2012/04/04 21:29:57 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\Desktop\New folder (3)
[2012/04/04 10:46:44 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{82DDCEC1-D92B-4C38-A938-09665C259075}
[2012/04/03 21:24:19 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\Desktop\New folder (2)
[2012/04/03 21:06:27 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{08D24D09-8F96-4134-9A1D-32C566F0037C}
[2012/04/03 07:44:51 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{696CBBC2-19A7-4716-8DC7-6221BCCB4A17}
[2012/04/02 18:25:09 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\Desktop\celebcloset

========== Files - Modified Within 30 Days ==========

[2012/05/02 13:09:14 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\StephFergy\Desktop\OTL.exe
[2012/05/02 13:08:00 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/05/02 12:25:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/05/02 08:33:18 | 000,014,016 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/02 08:33:18 | 000,014,016 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/02 08:30:25 | 000,726,444 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/05/02 08:30:25 | 000,624,412 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/05/02 08:30:25 | 000,106,756 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/05/02 08:26:57 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/05/02 08:26:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/02 08:25:59 | 3111,546,880 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/02 06:31:42 | 001,647,920 | ---- | M] () -- C:\Users\StephFergy\Desktop\MiniRegTool64.exe
[2012/05/02 06:14:45 | 000,001,115 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/01 22:08:58 | 000,319,072 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/05/01 21:59:57 | 000,175,616 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msclmd.dll
[2012/05/01 21:59:57 | 000,152,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msclmd.dll
[2012/05/01 18:19:32 | 000,000,967 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk
[2012/05/01 18:14:09 | 096,854,148 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
[2012/04/21 12:59:28 | 222,778,028 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/04/20 17:01:59 | 002,072,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\StephFergy\Desktop\TDSSKiller.exe
[2012/04/20 16:37:26 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\incavi.avm
[2012/04/20 16:37:26 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\iavichjw.avm
[2012/04/20 14:05:22 | 000,000,828 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/04/20 09:23:37 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
[2012/04/20 09:23:37 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2012/04/20 09:23:37 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2012/04/20 09:23:37 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2012/04/19 22:25:43 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/04/19 22:25:43 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/04/19 22:25:34 | 008,741,536 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerInstaller.exe
[2012/04/19 22:10:39 | 000,002,346 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/04/19 21:55:20 | 000,000,129 | ---- | M] () -- C:\Windows\SysNative\MRT.INI
[2012/04/19 18:37:10 | 000,000,673 | ---- | M] () -- C:\Users\StephFergy\Application Data\Microsoft\Internet Explorer\Quick Launch\SMART_HDD.lnk
[2012/04/19 05:50:26 | 000,028,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) -- C:\Windows\SysNative\drivers\avgidsha.sys
[2012/04/13 15:05:22 | 000,000,882 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.1
[2012/04/12 20:23:34 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2012/04/11 16:51:10 | 000,089,600 | ---- | M] () -- C:\Users\StephFergy\Desktop\Jamey.wps
[2012/04/11 16:51:10 | 000,001,184 | ---- | M] () -- C:\Users\StephFergy\AppData\Roaming\wklnhst.dat
[2012/04/11 12:42:05 | 000,044,222 | ---- | M] () -- C:\Users\StephFergy\Desktop\ShowClassStoreLogo.jpg
[2012/04/11 12:31:09 | 002,031,119 | ---- | M] () -- C:\Users\StephFergy\Desktop\yug.jpg
[2012/04/11 12:30:18 | 002,396,521 | ---- | M] () -- C:\Users\StephFergy\Desktop\get-attachment.aspx.jpg
[2012/04/11 12:29:43 | 001,920,986 | ---- | M] () -- C:\Users\StephFergy\Desktop\s.jpg
[2012/04/08 12:08:43 | 071,096,074 | ---- | M] () -- C:\Users\StephFergy\Desktop\2108 ShowClass_proof.pdf
[2012/04/06 08:03:52 | 002,506,206 | ---- | M] () -- C:\Users\StephFergy\Desktop\DSC01722.JPG
[2012/04/06 00:26:42 | 341,511,314 | ---- | M] () -- C:\Users\StephFergy\Desktop\movie1.wmv
[2012/04/06 00:01:15 | 000,012,642 | ---- | M] () -- C:\Users\StephFergy\Desktop\movie1.wlmp
[2012/04/06 00:01:02 | 000,012,646 | ---- | M] () -- C:\Users\StephFergy\Desktop\My Movie23.wlmp
[2012/04/04 16:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/04/02 21:19:55 | 016,254,307 | ---- | M] () -- C:\Users\StephFergy\Desktop\Harley service manual - 1940 - 1947 knucklehead.pdf

========== Files Created - No Company Name ==========

[2012/05/01 18:14:09 | 096,854,148 | ---- | C] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
[2012/04/21 12:59:28 | 222,778,028 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/04/20 16:37:29 | 000,000,967 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2012.lnk
[2012/04/20 16:37:26 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\incavi.avm
[2012/04/20 16:37:26 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\iavichjw.avm
[2012/04/19 21:55:20 | 000,000,129 | ---- | C] () -- C:\Windows\SysNative\MRT.INI
[2012/04/19 21:48:47 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/19 21:19:16 | 000,002,346 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/04/19 21:19:16 | 000,001,547 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2012/04/19 21:19:16 | 000,001,376 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Photo Gallery.lnk
[2012/04/19 21:19:16 | 000,001,307 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Movie Maker.lnk
[2012/04/19 21:19:16 | 000,001,246 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
[2012/04/19 21:19:16 | 000,001,136 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/04/19 21:19:15 | 000,002,557 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2012/04/19 21:19:15 | 000,002,488 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Messenger.lnk
[2012/04/19 21:19:15 | 000,002,084 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerDVD DX.lnk
[2012/04/19 21:19:15 | 000,002,030 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Amazon Unbox.lnk
[2012/04/19 21:19:15 | 000,001,979 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Help Documentation.lnk
[2012/04/19 21:19:15 | 000,001,460 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk
[2012/04/19 21:19:15 | 000,001,352 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
[2012/04/19 21:19:15 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2012/04/19 21:19:15 | 000,001,330 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
[2012/04/19 21:19:15 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2012/04/19 21:19:15 | 000,001,210 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2012/04/19 21:19:15 | 000,001,149 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2012/04/19 21:19:15 | 000,001,148 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/04/19 21:19:15 | 000,000,834 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
[2012/04/19 21:19:14 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2012/04/19 21:19:14 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2012/04/19 18:56:30 | 000,001,115 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/19 18:37:10 | 000,000,673 | ---- | C] () -- C:\Users\StephFergy\Application Data\Microsoft\Internet Explorer\Quick Launch\SMART_HDD.lnk
[2012/04/11 16:51:10 | 000,089,600 | ---- | C] () -- C:\Users\StephFergy\Desktop\Jamey.wps
[2012/04/11 12:42:04 | 000,044,222 | ---- | C] () -- C:\Users\StephFergy\Desktop\ShowClassStoreLogo.jpg
[2012/04/11 12:28:43 | 002,031,119 | ---- | C] () -- C:\Users\StephFergy\Desktop\yug.jpg
[2012/04/11 12:28:33 | 001,920,986 | ---- | C] () -- C:\Users\StephFergy\Desktop\s.jpg
[2012/04/11 12:28:12 | 002,396,521 | ---- | C] () -- C:\Users\StephFergy\Desktop\get-attachment.aspx.jpg
[2012/04/10 14:35:48 | 003,597,350 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01774.JPG
[2012/04/08 12:06:29 | 071,096,074 | ---- | C] () -- C:\Users\StephFergy\Desktop\2108 ShowClass_proof.pdf
[2012/04/06 00:20:41 | 341,511,314 | ---- | C] () -- C:\Users\StephFergy\Desktop\movie1.wmv
[2012/04/06 00:01:15 | 000,012,642 | ---- | C] () -- C:\Users\StephFergy\Desktop\movie1.wlmp
[2012/04/05 23:12:31 | 000,012,646 | ---- | C] () -- C:\Users\StephFergy\Desktop\My Movie23.wlmp
[2012/04/05 17:29:35 | 003,061,509 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01755.JPG
[2012/04/05 17:29:33 | 003,981,252 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01749.JPG
[2012/04/05 17:29:24 | 002,506,206 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01722.JPG
[2012/04/05 17:29:23 | 004,122,694 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01720.JPG
[2012/04/02 19:20:31 | 004,595,282 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01687.JPG
[2012/04/02 19:20:31 | 004,459,243 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01686.JPG
[2012/04/02 19:02:59 | 004,749,250 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01334.JPG
[2012/04/02 19:02:59 | 004,717,687 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01333.JPG
[2012/04/02 19:02:59 | 004,672,351 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01336.JPG
[2012/04/02 19:02:59 | 004,404,961 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC00214.JPG
[2012/04/02 19:02:59 | 003,991,019 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC00215.JPG
[2012/04/02 19:02:59 | 003,687,344 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC00213.JPG
[2012/04/02 19:02:59 | 003,687,061 | ---- | C] () -- C:\Users\StephFergy\Desktop\DSC01335.JPG
[2010/11/25 21:23:17 | 000,001,184 | ---- | C] () -- C:\Users\StephFergy\AppData\Roaming\wklnhst.dat
[2010/08/22 20:18:05 | 000,006,144 | ---- | C] () -- C:\Users\StephFergy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

< End of report >


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:38 AM

Posted 02 May 2012 - 01:05 PM

  • Please open OTL.
    • Copy the text in the code box and paste it into the Custom Scans/Fixes section:

      :otl
      [2012/02/22 20:08:53 | 000,002,310 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
      FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files (x86)\MyWebSearch\bar\1.bin
      O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No CLSID value found.
      O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
      O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No CLSID value found.
      O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      [2012/05/01 18:11:44 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{0FE5A00A-9A2B-4C8B-9E19-F941ACBAC9BB}
      [2012/04/20 11:20:41 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{6F1E2C5F-A02B-4419-B092-AD5247ABB480}
      [2012/04/20 11:20:29 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{2B815BFC-4149-4FEE-8047-B5C2B0DA160D}
      [2012/04/20 10:29:10 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{F6F1FBA2-2D5F-4A4B-A60B-1DCD2846A9CE}
      [2012/04/20 10:28:55 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{488418B9-B91B-42E0-A6DE-E7BA8E61848A}
      [2012/04/20 09:03:41 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{D4532A2D-5184-4284-8CC2-888C5C85296A}
      [2012/04/20 09:03:25 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{E42708DD-B0E5-4C05-8BC5-7821BAAFFD5D}
      [2012/04/19 22:19:48 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{92ED8F72-4AD3-4903-AD95-1FE60EB5615A}
      [2012/04/19 22:19:32 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{6E1A2278-15CA-4F01-BA3E-079D7F5662AF}
      [2012/04/19 21:48:21 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{5946A809-0E59-4EE9-BF64-AD831D0CDB3B}
      [2012/04/19 21:48:06 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{649589EC-6190-4A99-9729-6BB1338088E6}
      [2012/04/19 18:36:23 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{84C51D8C-037B-4931-B3AB-7AED7F3F59DF}
      [2012/04/17 18:35:55 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{547A0583-E32D-41B2-98B6-C4651E88CC22}
      [2012/04/17 18:35:26 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{AB148F35-A15F-4314-B276-8A676EA2FEFF}
      [2012/04/17 18:32:18 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{8F382600-A2BC-4458-8B34-EA4C7E3B2AB5}
      [2012/04/14 17:01:03 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{F174DDFB-5167-4720-8BE1-887833491A7D}
      [2012/04/14 17:00:50 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{931F3A6D-DAF7-4050-9D85-ED25C747216A}
      [2012/04/14 16:53:03 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{7C924ADE-D465-4097-A51D-D5B3EDCA34EC}
      [2012/04/14 16:52:33 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{3E26667B-DB71-49EF-ABE4-ADD5E2E9A2F9}
      [2012/04/14 16:21:41 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{01CE6201-7786-4FB6-AF87-16D9C82A6FB8}
      [2012/04/14 16:21:18 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{E3316E2C-F1EF-4269-ADBF-F14B375720A6}
      [2012/04/14 12:08:49 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{BFFDB0AC-8591-43B0-B346-30382F9726FA}
      [2012/04/14 12:08:35 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{2846D9DC-34E3-411D-9BE1-BE2925374E52}
      [2012/04/14 11:52:10 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{E1E0B231-AAA6-4765-A287-6CB41379C9FE}
      [2012/04/14 11:30:57 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{2A31B872-6579-4C6B-8423-815BD972B1B7}
      [2012/04/13 16:27:36 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{6AD39E1E-A1D3-40D0-B29A-C2B9CEDA2DC5}
      [2012/04/13 16:27:23 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{E4CF15F8-2634-40FE-AB10-3E0A98E29754}
      [2012/04/13 07:42:33 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{765BF5AC-5387-480A-BAD2-4C03ED902568}
      [2012/04/13 07:42:22 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{B522CA44-3FEC-4B24-BE3B-15E69D90D743}
      [2012/04/13 03:22:51 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{EFBB0594-5092-45C8-AF65-B0170EC7A1A9}
      [2012/04/12 10:57:05 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{433D932E-3655-4409-B276-8F9063C072B4}
      [2012/04/11 15:59:13 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{26149A8C-F78A-490E-A8EB-6E6ED8C77759}
      [2012/04/11 03:26:47 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{AC773B13-0237-4134-A359-5D2C3EEF8FBC}
      [2012/04/10 11:18:26 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{BC84086E-9F8D-4A10-A630-3D9324E04A08}
      [2012/04/09 23:18:01 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{974437A2-E776-4427-8064-8BE908996534}
      [2012/04/09 11:17:26 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{A947A0F0-86D0-4807-9463-68CADBCF5C7F}
      [2012/04/08 22:54:18 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{81695267-DEFD-4E60-8AF3-C76CEB145258}
      [2012/04/08 10:53:53 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{1FE186B8-BEEF-4583-A6D0-0EC67258DDAB}
      [2012/04/07 20:08:01 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{859B3345-4541-4D5A-A7D7-BBD63559841A}
      [2012/04/06 19:43:14 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{08295C42-E822-43CA-8254-1E950896F2DB}
      [2012/04/06 07:42:39 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{082A65BA-AB5A-410A-A10D-226947D73E47}
      [2012/04/04 23:08:02 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{7D4EF7D2-D9E5-45C5-ADEB-00D8D26FC86D}
      [2012/04/04 10:46:44 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{82DDCEC1-D92B-4C38-A938-09665C259075}
      [2012/04/03 21:06:27 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{08D24D09-8F96-4134-9A1D-32C566F0037C}
      [2012/04/03 07:44:51 | 000,000,000 | ---D | C] -- C:\Users\StephFergy\AppData\Local\{696CBBC2-19A7-4716-8DC7-6221BCCB4A17}
      [2012/04/12 20:23:34 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
      
    • Click Run Fix button.
    • If the fix needs a reboot, please do it.
    • After it finishes, a log will open. Copy and paste the log into your reply.
  • Please uninstall Java™ 6 Update 17 (64-bit).
  • To Clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Settings > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
    • Make sure all the options are checked.
    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.
  • You may want to keep this small application and use it to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/

    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.

Please tell me how the system is running now.

#13 Ryan Bogan

Ryan Bogan
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:38 PM

Posted 02 May 2012 - 01:24 PM

========== OTL ==========
C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml moved successfully.
File HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files (x86)\MyWebSearch\bar\1.bin not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
C:\Users\StephFergy\AppData\Local\{0FE5A00A-9A2B-4C8B-9E19-F941ACBAC9BB} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{6F1E2C5F-A02B-4419-B092-AD5247ABB480} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{2B815BFC-4149-4FEE-8047-B5C2B0DA160D} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{F6F1FBA2-2D5F-4A4B-A60B-1DCD2846A9CE} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{488418B9-B91B-42E0-A6DE-E7BA8E61848A} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{D4532A2D-5184-4284-8CC2-888C5C85296A} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{E42708DD-B0E5-4C05-8BC5-7821BAAFFD5D} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{92ED8F72-4AD3-4903-AD95-1FE60EB5615A} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{6E1A2278-15CA-4F01-BA3E-079D7F5662AF} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{5946A809-0E59-4EE9-BF64-AD831D0CDB3B} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{649589EC-6190-4A99-9729-6BB1338088E6} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{84C51D8C-037B-4931-B3AB-7AED7F3F59DF} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{547A0583-E32D-41B2-98B6-C4651E88CC22} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{AB148F35-A15F-4314-B276-8A676EA2FEFF} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{8F382600-A2BC-4458-8B34-EA4C7E3B2AB5} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{F174DDFB-5167-4720-8BE1-887833491A7D} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{931F3A6D-DAF7-4050-9D85-ED25C747216A} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{7C924ADE-D465-4097-A51D-D5B3EDCA34EC} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{3E26667B-DB71-49EF-ABE4-ADD5E2E9A2F9} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{01CE6201-7786-4FB6-AF87-16D9C82A6FB8} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{E3316E2C-F1EF-4269-ADBF-F14B375720A6} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{BFFDB0AC-8591-43B0-B346-30382F9726FA} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{2846D9DC-34E3-411D-9BE1-BE2925374E52} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{E1E0B231-AAA6-4765-A287-6CB41379C9FE} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{2A31B872-6579-4C6B-8423-815BD972B1B7} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{6AD39E1E-A1D3-40D0-B29A-C2B9CEDA2DC5} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{E4CF15F8-2634-40FE-AB10-3E0A98E29754} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{765BF5AC-5387-480A-BAD2-4C03ED902568} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{B522CA44-3FEC-4B24-BE3B-15E69D90D743} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{EFBB0594-5092-45C8-AF65-B0170EC7A1A9} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{433D932E-3655-4409-B276-8F9063C072B4} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{26149A8C-F78A-490E-A8EB-6E6ED8C77759} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{AC773B13-0237-4134-A359-5D2C3EEF8FBC} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{BC84086E-9F8D-4A10-A630-3D9324E04A08} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{974437A2-E776-4427-8064-8BE908996534} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{A947A0F0-86D0-4807-9463-68CADBCF5C7F} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{81695267-DEFD-4E60-8AF3-C76CEB145258} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{1FE186B8-BEEF-4583-A6D0-0EC67258DDAB} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{859B3345-4541-4D5A-A7D7-BBD63559841A} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{08295C42-E822-43CA-8254-1E950896F2DB} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{082A65BA-AB5A-410A-A10D-226947D73E47} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{7D4EF7D2-D9E5-45C5-ADEB-00D8D26FC86D} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{82DDCEC1-D92B-4C38-A938-09665C259075} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{08D24D09-8F96-4134-9A1D-32C566F0037C} folder moved successfully.
C:\Users\StephFergy\AppData\Local\{696CBBC2-19A7-4716-8DC7-6221BCCB4A17} folder moved successfully.
C:\Windows\SysNative\dds_trash_log.cmd moved successfully.

OTL by OldTimer - Version 3.2.42.2 log created on 05022012_141327


I have uninstalled Java™ 6 Update 17 (64-bit).

I have cleared the Java Runtime Environment (JRE) cache as instructed.

I have installed and run CCleaner as instructed.

The system seems to run great.
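
The toolbar entries OTL removed in the log above were Internet Explorer Toolbar\WebBrowser values named by CLSIDs whose class registrations no longer existed (OTL reported the matching HKLM\SOFTWARE\Classes\CLSID keys as "not found"). The following PowerShell script is an added example, not part of this thread and not OTL's or Farbar's code: it audits the same registry locations on a live system, collects every CLSID registered as an IE toolbar or Browser Helper Object, resolves each to the DLL its InprocServer32 key points at, and lists entries whose class key or DLL is missing or whose DLL sits outside Program Files or Windows. The registry paths are the standard IE locations; the function name Resolve-IeClsid and the property names on the report objects are my own. It is read-only and needs Windows PowerShell 3.0 or later, run elevated so the HKLM keys can be read.

```powershell
# Added example (not from the thread): audit IE toolbar and BHO registrations and
# resolve each CLSID to the DLL that would be loaded. Read-only; nothing is deleted.

$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Where IE looks for toolbars (values named by CLSID) and BHOs (subkeys named by CLSID),
# including the 32-bit view on 64-bit Windows (Wow6432Node) and the per-user hive.
$sources = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)

# Class registrations: check the 64-bit view, the 32-bit view and the user hive.
$classRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\Software\Classes\CLSID'
)

function Resolve-IeClsid {
    # Hypothetical helper name; returns one report object per CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $classRoots) {
        $classKey = Join-Path $root $Clsid
        if (-not (Test-Path $classKey)) { continue }
        $name = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path (Join-Path $classKey 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        $dllExpanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
        return [pscustomobject]@{
            Clsid     = $Clsid
            Name      = $name
            Dll       = $dllExpanded
            ClassKey  = $classKey
            DllExists = [bool]($dllExpanded -and (Test-Path -LiteralPath $dllExpanded))
        }
    }
    # No class registration anywhere: an orphaned toolbar/BHO reference, the
    # situation OTL reported above as "Registry key ... CLSID\{...}\ not found".
    [pscustomobject]@{ Clsid = $Clsid; Name = $null; Dll = $null; ClassKey = $null; DllExists = $false }
}

$report = foreach ($path in $sources) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item -Path $path
    # BHOs register as subkeys named by CLSID, toolbars as values named by CLSID.
    $ids = @($key.GetSubKeyNames()) + @($key.GetValueNames())
    foreach ($id in ($ids | Where-Object { $_ -match $guidPattern } | Sort-Object -Unique)) {
        Resolve-IeClsid -Clsid $id |
            Add-Member -NotePropertyName Source -NotePropertyValue $path -PassThru
    }
}

$report | Sort-Object Source, Clsid | Format-Table Source, Clsid, Name, Dll, DllExists -AutoSize

# Entries with no class key, a missing DLL, or a DLL outside Program Files / Windows
# deserve a closer look before anything is removed.
$suspicious = $report | Where-Object {
    -not $_.ClassKey -or -not $_.DllExists -or
    ($_.Dll -and $_.Dll -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\')
}
Write-Host "`nEntries worth reviewing: $(@($suspicious).Count)"
$suspicious | Format-List Source, Clsid, Name, Dll, DllExists
```

A DLL path under Program Files is not proof of legitimacy (the MyWebSearch bar in this log lived under C:\Program Files (x86)\MyWebSearch), so treat the flagged list as a starting point and check publisher signatures and file hashes on anything unfamiliar before deleting registry entries by hand.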

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 May 2012 - 02:32 PM

It looks good. :thumbup2:

  • Please delete the FRST tool as we don't need it any more. Also go to C:\FRST and delete the entire FRST folder.
  • Please run OTL.
    • Click Clean Up button.
    • Accept any prompts.
    • This will remove OTL, and will require a reboot.
  • Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll back" to a clean working state if needed:
    • Go to Start => Right-click "Computer" and select "Properties".
    • In the left pane select "System Protection".
    • Press "Configure".
    • Select "Delete". Then press "Continue", "Close" and "OK".
    • Select your drive (drive C) and press "Create".
      Fill in a name for the restore point and press "Create".
      After finished press "Close".
  • You may delete any tool or log we used from your computer.
Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.
Happy Surfing Ryan Bogan. :)
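
The restore-point steps in the post above (delete the old points, then create a fresh one after cleaning) can also be done from an elevated Windows PowerShell prompt. The script below is an added example, not part of this thread and not Farbar's instructions; it uses the built-in Checkpoint-Computer, Enable-ComputerRestore and Get-ComputerRestorePoint cmdlets and the vssadmin tool, all of which exist on Windows 7. The drive letter and the restore point description are assumptions to adjust.

```powershell
# Added example (not from the thread): discard the old restore points and take a
# fresh baseline after cleanup. Run from an elevated Windows PowerShell prompt on
# a client edition of Windows (the *-ComputerRestore cmdlets are not on Server).

$vol = 'C:'   # assumed system drive

# Show what System Restore currently holds for comparison afterwards.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, RestorePointType, CreationTime

# Restore points are stored as Volume Shadow Copies. Deleting every shadow copy for the
# volume removes all restore points on it, which is what "Configure" -> "Delete" in the
# System Protection dialog does. It also discards "previous versions" of files on that volume.
vssadmin delete shadows /for=$vol /all /quiet

# Make sure System Protection is enabled for the drive, then create the clean baseline.
# MODIFY_SETTINGS is one of the restore point types Checkpoint-Computer accepts.
Enable-ComputerRestore -Drive "$vol\"
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS

# Verify that the only restore point left is the one just created.
Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object SequenceNumber, Description, CreationTime
```

Two caveats: vssadmin needs an elevated session and takes the volume without a trailing backslash, while Enable-ComputerRestore wants the trailing backslash. On Windows 8 and later, Checkpoint-Computer silently refuses to create a second restore point within 24 hours of the previous one unless the SystemRestorePointCreationFrequency registry value is lowered; on Windows 7, the system in this thread, that limit does not apply.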

#15 Ryan Bogan

Ryan Bogan
  • Topic Starter

  • Members
  • 8 posts

Posted 02 May 2012 - 04:34 PM

It runs great.
Thank you soooo much for all your help and fast replies. My friend will be very happy.
