win64/sirefef.y Trojan Virus


#1 shvidky

Posted 19 June 2012 - 05:08 PM

Hi Guys,

My friend brought a laptop with the Live Security Platinum virus. I was able to remove it and even got a few good clean scans back from Malwarebytes and Spybot; then, all of a sudden, MSE started detecting win64/sirefef.y and it would reboot the computer after 1 minute. It keeps cycling like that in Safe Mode as well: MSE detects it, tries to remove it, then it reboots. I can't run any tests or scans or disable it. I tried to use System Restore, but it reboots the computer before I can kick-start it.

I saw people posting logs here and getting a custom script to fix the issue. Any help would be greatly appreciated. Here is my FRST log. Thank you very much!

Scan result of Farbar Recovery Scan Tool Version: 19-06-2012
Ran by user at 19-06-2012 14:54:23
Running from E:\
Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-06-19 14:54 - 2012-06-19 14:54 - 00000000 ____D C:\FRST
2012-06-19 14:24 - 2012-06-19 14:24 - 00005520 ____A C:\Windows\WindowsUpdate.log
2012-06-19 13:42 - 2012-06-19 14:53 - 00001344 ____A C:\Windows\setupact.log
2012-06-19 13:42 - 2012-06-19 13:42 - 00000000 ____A C:\Windows\setuperr.log
2012-06-16 20:30 - 2012-06-17 11:12 - 00001240 ____A C:\Users\user\Desktop\FixExec.txt
2012-06-16 20:30 - 2012-06-16 20:30 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\user\Downloads\FixExec.exe
2012-06-16 20:21 - 2012-06-16 20:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-16 20:21 - 2012-06-16 20:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-16 20:06 - 2012-05-04 04:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-06-16 20:06 - 2012-05-04 02:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-06-16 19:54 - 2012-06-16 19:54 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-06-16 19:54 - 2012-06-16 19:54 - 00000000 ____D C:\Users\user\AppData\Roaming\SUPERAntiSpyware.com
2012-06-16 19:54 - 2012-06-16 19:54 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-06-16 19:54 - 2012-06-16 19:54 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-06-16 18:58 - 2012-06-19 13:42 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-06-16 18:58 - 2012-06-16 18:59 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-06-16 18:58 - 2012-06-16 18:58 - 00001262 ____A C:\Users\Public\Desktop\Spybot - Search & Destroy.lnk
2012-06-16 18:44 - 2012-06-16 18:44 - 00000000 ____D C:\Users\user\AppData\Roaming\Malwarebytes
2012-06-16 18:40 - 2012-06-16 18:40 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-16 18:40 - 2012-06-16 18:40 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-16 18:40 - 2012-06-16 18:40 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-16 18:40 - 2012-04-04 15:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-16 18:38 - 2012-06-19 13:33 - 00000361 ____A C:\rkill.log
2012-06-16 14:58 - 2012-06-16 14:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-16 14:54 - 2012-06-16 20:21 - 00000000 ____D C:\Users\user\AppData\Roaming\Tuev
2012-06-16 14:54 - 2012-06-16 14:54 - 00000000 ____D C:\Users\user\AppData\Roaming\Ybkayp
2012-06-16 14:54 - 2012-06-16 14:54 - 00000000 ____D C:\Users\user\AppData\Roaming\Tohygi
2012-06-16 14:54 - 2012-06-16 14:54 - 00000000 ____D C:\Users\All Users\F4D55F59000F8CC70060C0B7B4EB2367
2012-06-16 14:54 - 2012-06-16 14:53 - 00128000 __ASH (Duplex Secure Ltd.) C:\Users\user\AppData\Roaming\wiren.dll
2012-06-16 14:52 - 2012-06-16 14:52 - 00000000 ____D C:\Windows\Sun
2012-06-15 19:52 - 2012-06-15 19:52 - 00326893 ____A C:\Users\user\Documents\cruse to Alaska.pdf
2012-06-13 11:45 - 2012-05-17 19:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-13 11:45 - 2012-05-17 19:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-13 11:45 - 2012-05-17 19:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-13 11:45 - 2012-05-17 18:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-13 11:45 - 2012-05-17 18:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-13 11:45 - 2012-05-17 18:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-13 11:45 - 2012-05-17 18:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-13 11:45 - 2012-05-17 18:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-13 11:45 - 2012-05-17 18:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-13 11:45 - 2012-05-17 18:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-13 11:45 - 2012-05-17 18:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-13 11:45 - 2012-05-17 18:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-13 11:45 - 2012-05-17 18:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-13 11:45 - 2012-05-17 18:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 11:45 - 2012-05-17 16:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-13 11:45 - 2012-05-17 15:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-13 11:45 - 2012-05-17 15:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-13 11:45 - 2012-05-17 15:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-13 11:45 - 2012-05-17 15:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-13 11:45 - 2012-05-17 15:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-13 11:45 - 2012-05-17 15:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-13 11:45 - 2012-05-17 15:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-13 11:45 - 2012-05-17 15:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-13 11:45 - 2012-05-17 15:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-13 11:45 - 2012-05-17 15:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-13 11:45 - 2012-05-17 15:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-13 11:45 - 2012-05-17 15:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-13 11:45 - 2012-05-17 15:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-13 11:32 - 2012-05-14 18:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 11:32 - 2012-05-04 04:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-13 11:32 - 2012-05-04 03:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-13 11:32 - 2012-05-04 03:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-13 11:32 - 2012-04-30 22:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-13 11:32 - 2012-04-25 22:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 11:32 - 2012-04-25 22:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 11:32 - 2012-04-25 22:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-13 11:31 - 2012-04-27 20:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 11:31 - 2012-04-23 22:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 11:31 - 2012-04-23 22:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 11:31 - 2012-04-23 22:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-13 11:31 - 2012-04-23 21:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-13 11:31 - 2012-04-23 21:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-13 11:31 - 2012-04-23 21:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-13 11:31 - 2012-04-07 05:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-13 11:31 - 2012-04-07 04:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-08 15:18 - 2012-06-02 15:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-08 15:18 - 2012-06-02 15:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-08 15:18 - 2012-06-02 15:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-08 15:18 - 2012-06-02 15:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-08 15:18 - 2012-06-02 15:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-08 15:18 - 2012-06-02 15:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-08 15:18 - 2012-06-02 15:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-08 15:18 - 2012-06-02 15:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-08 15:18 - 2012-06-02 15:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-03 13:53 - 2012-06-03 13:53 - 00697961 ____A C:\Users\user\Documents\17hpgreens.pdf
2012-05-26 09:14 - 2012-05-27 13:38 - 00000000 ____D C:\Users\user\AppData\Local\Conduit
2012-05-26 09:14 - 2012-05-26 09:14 - 00000000 ____D C:\Program Files (x86)\Conduit

============ 3 Months Modified Files and Folders =============

2012-06-19 14:54 - 2012-06-19 14:54 - 00000000 ____D C:\FRST
2012-06-19 14:54 - 2011-08-18 00:23 - 00278193 ____A C:\Windows\System32\fastboot.set
2012-06-19 14:54 - 2011-08-18 00:18 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-19 14:54 - 2011-08-18 00:10 - 00000000 ____D C:\Users\All Users\VeriFace
2012-06-19 14:53 - 2012-06-19 13:42 - 00001344 ____A C:\Windows\setupact.log
2012-06-19 14:53 - 2011-08-18 00:10 - 01078955 ____A C:\FaceProv.log
2012-06-19 14:53 - 2009-07-13 22:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-19 14:43 - 2012-01-13 18:27 - 00000000 __SHD C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
2012-06-19 14:32 - 2011-08-18 00:19 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-19 14:26 - 2012-06-19 14:24 - 00005520 ____A C:\Windows\WindowsUpdate.log
2012-06-19 13:42 - 2012-06-19 13:42 - 00000000 ____A C:\Windows\setuperr.log
2012-06-19 13:42 - 2012-06-16 18:58 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-06-19 13:33 - 2012-06-16 18:38 - 00000361 ____A C:\rkill.log
2012-06-17 11:12 - 2012-06-16 20:30 - 00001240 ____A C:\Users\user\Desktop\FixExec.txt
2012-06-16 20:30 - 2012-06-16 20:30 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\user\Downloads\FixExec.exe
2012-06-16 20:22 - 2012-06-16 14:54 - 00000000 ____D C:\Users\user\AppData\Roaming\Tuev
2012-06-16 20:21 - 2012-06-16 20:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-16 20:21 - 2012-06-16 20:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-16 20:21 - 2011-10-31 04:42 - 00748900 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-16 20:21 - 2011-10-31 04:42 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-16 20:20 - 2009-07-13 21:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-16 20:20 - 2009-07-13 21:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-16 20:17 - 2009-07-13 22:13 - 00731314 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-16 20:17 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\System32\NDF
2012-06-16 19:54 - 2012-06-16 19:54 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-06-16 19:54 - 2012-06-16 19:54 - 00000000 ____D C:\Users\user\AppData\Roaming\SUPERAntiSpyware.com
2012-06-16 19:54 - 2012-06-16 19:54 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-06-16 19:54 - 2012-06-16 19:54 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-06-16 18:59 - 2012-06-16 18:58 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-06-16 18:58 - 2012-06-16 18:58 - 00001262 ____A C:\Users\Public\Desktop\Spybot - Search & Destroy.lnk
2012-06-16 18:56 - 2011-12-07 18:36 - 00000000 ____D C:\Windows\Minidump
2012-06-16 18:44 - 2012-06-16 18:44 - 00000000 ____D C:\Users\user\AppData\Roaming\Malwarebytes
2012-06-16 18:40 - 2012-06-16 18:40 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-16 18:40 - 2012-06-16 18:40 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-16 18:40 - 2012-06-16 18:40 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-16 15:04 - 2011-12-29 19:24 - 00000979 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-16 14:58 - 2012-06-16 14:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-16 14:54 - 2012-06-16 14:54 - 00000000 ____D C:\Users\user\AppData\Roaming\Ybkayp
2012-06-16 14:54 - 2012-06-16 14:54 - 00000000 ____D C:\Users\user\AppData\Roaming\Tohygi
2012-06-16 14:54 - 2012-06-16 14:54 - 00000000 ____D C:\Users\All Users\F4D55F59000F8CC70060C0B7B4EB2367
2012-06-16 14:53 - 2012-06-16 14:54 - 00128000 __ASH (Duplex Secure Ltd.) C:\Users\user\AppData\Roaming\wiren.dll
2012-06-16 14:52 - 2012-06-16 14:52 - 00000000 ____D C:\Windows\Sun
2012-06-15 19:52 - 2012-06-15 19:52 - 00326893 ____A C:\Users\user\Documents\cruse to Alaska.pdf
2012-06-13 16:43 - 2009-07-13 21:45 - 00427784 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 16:41 - 2012-01-26 17:44 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-13 16:35 - 2011-11-05 22:46 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-09 11:49 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2012-06-09 11:12 - 2012-04-14 17:04 - 00000000 ____D C:\Users\user\Documents\Youcam
2012-06-03 13:53 - 2012-06-03 13:53 - 00697961 ____A C:\Users\user\Documents\17hpgreens.pdf
2012-06-02 15:19 - 2012-06-08 15:18 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 15:19 - 2012-06-08 15:18 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 15:19 - 2012-06-08 15:18 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 15:19 - 2012-06-08 15:18 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 15:19 - 2012-06-08 15:18 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 15:19 - 2012-06-08 15:18 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 15:15 - 2012-06-08 15:18 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 15:15 - 2012-06-08 15:18 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 15:15 - 2012-06-08 15:18 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-27 13:38 - 2012-05-26 09:14 - 00000000 ____D C:\Users\user\AppData\Local\Conduit
2012-05-26 09:14 - 2012-05-26 09:14 - 00000000 ____D C:\Program Files (x86)\Conduit
2012-05-18 10:04 - 2012-01-26 09:10 - 00000000 ____D C:\Users\user\AppData\Roaming\.purple
2012-05-17 19:47 - 2012-06-13 11:45 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 19:16 - 2012-06-13 11:45 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 19:06 - 2012-06-13 11:45 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 18:59 - 2012-06-13 11:45 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 18:59 - 2012-06-13 11:45 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 18:58 - 2012-06-13 11:45 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 18:58 - 2012-06-13 11:45 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 18:56 - 2012-06-13 11:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 18:55 - 2012-06-13 11:45 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 18:55 - 2012-06-13 11:45 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 18:54 - 2012-06-13 11:45 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 18:51 - 2012-06-13 11:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 18:51 - 2012-06-13 11:45 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 18:47 - 2012-06-13 11:45 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 16:11 - 2012-06-13 11:45 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 15:48 - 2012-06-13 11:45 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 15:45 - 2012-06-13 11:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 15:36 - 2012-06-13 11:45 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 15:35 - 2012-06-13 11:45 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 15:35 - 2012-06-13 11:45 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 15:33 - 2012-06-13 11:45 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 15:31 - 2012-06-13 11:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 15:29 - 2012-06-13 11:45 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 15:29 - 2012-06-13 11:45 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 15:27 - 2012-06-13 11:45 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 15:25 - 2012-06-13 11:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 15:24 - 2012-06-13 11:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 15:20 - 2012-06-13 11:45 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 21:17 - 2012-05-14 21:17 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-14 21:17 - 2012-05-14 21:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-14 18:32 - 2012-06-13 11:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-13 06:32 - 2009-07-13 22:08 - 00032614 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-12 21:30 - 2011-02-22 04:42 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-06 08:12 - 2012-05-06 08:12 - 01140740 ____A C:\Users\user\Documents\pdf77712508dpi300.pdf
2012-05-04 04:06 - 2012-06-13 11:32 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 04:00 - 2012-06-16 20:06 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-05-04 03:03 - 2012-06-13 11:32 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 03:03 - 2012-06-13 11:32 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-04 02:59 - 2012-06-16 20:06 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-04-30 22:40 - 2012-06-13 11:32 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-28 09:47 - 2012-04-28 09:47 - 00000000 ____D C:\Users\user\Documents\geneology
2012-04-27 20:55 - 2012-06-13 11:31 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 22:41 - 2012-06-13 11:32 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 22:41 - 2012-06-13 11:32 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 22:34 - 2012-06-13 11:32 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 22:37 - 2012-06-13 11:31 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 22:37 - 2012-06-13 11:31 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 22:37 - 2012-06-13 11:31 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 21:36 - 2012-06-13 11:31 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 21:36 - 2012-06-13 11:31 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 21:36 - 2012-06-13 11:31 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-16 17:31 - 2011-11-21 18:00 - 00000000 ____D C:\Users\user\AppData\Local\EgisTec
2012-04-14 17:04 - 2012-04-14 17:04 - 00000000 ____D C:\Users\user\AppData\Roaming\CyberLink
2012-04-14 17:04 - 2012-04-14 17:04 - 00000000 ____D C:\Users\user\AppData\Local\CyberLink
2012-04-14 17:04 - 2012-04-14 17:04 - 00000000 ____D C:\Users\All Users\CyberLink
2012-04-13 21:29 - 2012-04-13 21:29 - 00000000 ____D C:\Users\user2\AppData\Local\Best Buy pc app
2012-04-13 21:29 - 2012-03-31 08:42 - 00000000 ____D C:\Users\user2\AppData\Local\Deployment
2012-04-13 21:06 - 2009-07-13 19:34 - 00000478 ____A C:\Windows\win.ini
2012-04-07 12:16 - 2010-11-20 19:50 - 00000000 ____D C:\users\Administrator
2012-04-07 05:31 - 2012-06-13 11:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-07 04:26 - 2012-06-13 11:31 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-04-04 15:56 - 2012-06-16 18:40 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-31 09:22 - 2012-03-31 08:44 - 00000000 ____D C:\Users\user2\AppData\Local\Google
2012-03-31 08:45 - 2012-03-31 08:45 - 00000000 ____D C:\Users\user2\AppData\Roaming\Google
2012-03-31 08:45 - 2012-03-31 08:45 - 00000000 ____D C:\Users\user2\AppData\Roaming\Adobe
2012-03-31 08:44 - 2012-03-31 08:44 - 00000000 ____D C:\Users\user2\AppData\Local\EgisTec
2012-03-31 08:43 - 2012-03-31 08:43 - 00000398 ____A C:\Users\user2\Desktop\pc app.appref-ms
2012-03-31 08:42 - 2012-03-31 08:42 - 00111648 ____A C:\Users\user2\AppData\Local\GDIPFONTCACHEV1.DAT
2012-03-31 08:42 - 2012-03-31 08:42 - 00002086 ____A C:\Users\user2\Desktop\OneKey Recovery.lnk
2012-03-31 08:42 - 2012-03-31 08:42 - 00001122 ____A C:\Users\user2\Desktop\Cyberlink Power2Go.lnk
2012-03-31 08:42 - 2012-03-31 08:42 - 00000020 ___SH C:\Users\user2\ntuser.ini
2012-03-31 08:42 - 2012-03-31 08:42 - 00000000 ___HD C:\Users\user2\AppData\Roaming\Broderbund
2012-03-31 08:42 - 2012-03-31 08:42 - 00000000 ____D C:\Users\user2\AppData\Local\EgisTec IPS
2012-03-31 08:42 - 2012-03-31 08:42 - 00000000 ____D C:\Users\user2\AppData\Local\BioExcess
2012-03-31 08:42 - 2012-03-31 08:42 - 00000000 ____D C:\Users\user2\AppData\Local\Apps\2.0
2012-03-31 08:42 - 2012-03-31 08:42 - 00000000 ____D C:\users\user2
2012-03-30 04:35 - 2012-05-12 20:39 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-25 16:29 - 2012-03-02 18:24 - 00000000 ____D C:\Users\user\AppData\Local\Windows Live

ZeroAccess:
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\@
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\L
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\n
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U

ZeroAccess:
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\@
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\L
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\n
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\00000001.@
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\80000000.@
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\800000cb.@

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 35%
Total physical RAM: 2986.17 MB
Available physical RAM: 1924.08 MB
Total Pagefile: 5970.54 MB
Available Pagefile: 4821.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:254.14 GB) (Free:215.5 GB) NTFS
2 Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:26.8 GB) NTFS
3 Drive e: (KINGSTON) (Removable) (Total:3.74 GB) (Free:0.52 GB) FAT32

DiskPart has encountered an error: The RPC server is unavailable.
See the System Event Log for more information.


==========================================================

Last Boot: 2012-06-09 11:42

======================= End Of Log ==========================
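As an added triage example (not part of the original post and not code from the FRST tool), the script below parses the two sections of the log above that carry the verdict: the "Bamital & volsnap Check" block, where FRST reports whether each core system binary's MD5 matched its known-good list, and the "ZeroAccess:" blocks, where FRST lists the `{GUID}\@`, `\L`, `\n` and `\U` directory layout. The sample log is a constructed excerpt of the one above; `parse_frst` and `findings` are names chosen here.

```python
"""Triage helper for an FRST log pasted into a forum thread.

The MD5 verdicts come from FRST itself; this script only extracts them and
summarises what a helper would look at first. Added example, not FRST code.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the log above (two ZeroAccess blocks, then the MD5 check).
SAMPLE_LOG = r"""
ZeroAccess:
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\@
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\L
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\n
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U

ZeroAccess:
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\@
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U
C:\Users\user\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\00000001.@

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================
"""

LEGIT_RE = re.compile(r"^(?P<path>\S.*?) => MD5 is legit$")
# path, 32-hex MD5, FRST's verdict word(s), then the ATTENTION marker
FLAGGED_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+) (?P<md5>[0-9A-Fa-f]{32}) (?P<verdict>.+?) <==== ATTENTION!\.?$"
)
# "...\{GUID}\@" style marker entries that FRST lists under "ZeroAccess:"
ZA_MARKER_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\\([@LnU])$")


@dataclass
class Triage:
    legit: list[str] = field(default_factory=list)
    flagged: list[tuple[str, str, str]] = field(default_factory=list)  # (path, md5, verdict)
    zeroaccess_dirs: dict[str, set[str]] = field(default_factory=dict)  # base dir -> markers seen


def parse_frst(text: str) -> Triage:
    """Walk the log once, tracking which FRST section each line belongs to."""
    t = Triage()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):            # "===== Section name =====" header
            section = line.strip("= ")
            continue
        if line == "ZeroAccess:":
            section = "ZeroAccess"
            continue
        if section == "ZeroAccess":
            m = ZA_MARKER_RE.search(line)
            if m:                            # one of the @ / L / n / U entries
                base = line.rsplit("\\", 1)[0]
                t.zeroaccess_dirs.setdefault(base, set()).add(m.group(1))
            elif line.endswith("}"):         # the {GUID} directory itself
                t.zeroaccess_dirs.setdefault(line, set())
            continue                         # files inside \U are not markers; skip
        if section and section.startswith("Bamital"):
            m = LEGIT_RE.match(line)
            if m:
                t.legit.append(m.group("path"))
                continue
            m = FLAGGED_RE.match(line)
            if m:
                t.flagged.append((m.group("path"), m.group("md5").upper(), m.group("verdict")))
    return t


def findings(t: Triage) -> list[str]:
    """Order of attention: replaced system binaries first, then the dropper directories."""
    out = []
    for path, md5, verdict in t.flagged:
        out.append(f"REPLACED SYSTEM BINARY: {path} md5={md5} ({verdict})")
    for base, markers in sorted(t.zeroaccess_dirs.items()):
        if {"@", "L", "n", "U"} <= markers:
            out.append(f"FULL ZEROACCESS LAYOUT: {base}")
        else:
            out.append(f"PARTIAL ZEROACCESS LAYOUT: {base} markers={sorted(markers)}")
    return out


if __name__ == "__main__":
    for item in findings(parse_frst(SAMPLE_LOG)):
        print(item)
```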

#2 SweetTech

Posted 20 June 2012 - 01:52 AM

Hello shvidky and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short); it's a pleasure to meet you. :)

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)

    • Because of this, you must reply within 3 days; failure to reply will result in the topic being closed! I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.

    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


NEXT:



One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running FRST

For 64-bit systems, download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

NEXT:




Running Search in FRST
In Vista or Windows 7: Boot to System Recovery Options and run FRST.
Type the following in the edit box after "Search:".

services.exe

Note: The file names should be separated by semicolon (;)

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. FRST.txt log file.
3. Search.txt log file.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
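The helper's post names the indicators that give ZeroAccess away in an FRST log: hidden+system folders with a {GUID} name, a literal `%APPDATA%` folder planted under System32, hidden DLLs in the user profile, and Run keys that launch from a user-writable AppData\Roaming folder. The following script is an added example, not part of this thread and not FRST's own code; it parses lines in the shape FRST printed in mid-2012 and flags those indicators so a defender can triage a long log without reading every line. The sample lines are constructed for the example (modelled on the format posted in this thread), the regexes and reason strings are my own, and the heuristics are deliberately narrow: a hit means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass

# Line shapes as FRST printed them in mid-2012 (the format seen in this thread):
#   <created> - <modified> - <size> <attrs> [(Company)] <path>
#   HKLM\...\Run: [Name] <command> [size date] (Company)
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>.*?)\) (?=[A-Za-z]:\\))?(?P<path>.+)$"
)
RUN_LINE = re.compile(
    r"^(?P<hive>HK(?:LM|U)(?:-x32)?\\[^:]*\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# A {GUID} path component; ZeroAccess used one as its folder name.
GUID_DIR = re.compile(
    r"\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}(?:\\|$)", re.I
)
# The executable at the start of a Run command, quoted or not.
RUN_EXE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"\[]+?\.(?:exe|dll|appref-ms))', re.I)

# Reason strings are this example's own labels, not FRST output.
REASON_GUID = "hidden+system {GUID}-named folder (ZeroAccess-style)"
REASON_APPDATA_LITERAL = "literal %APPDATA% used as a folder name"
REASON_HIDDEN_BINARY = "hidden+system DLL/EXE inside a user profile"
REASON_ROAMING_AUTORUN = "autorun launching from user-writable AppData\\Roaming"


@dataclass
class Finding:
    reason: str
    path: str


def triage_file_line(m):
    """Return a Finding for one parsed file/folder line, or None if it looks benign."""
    attrs, path = m["attrs"], m["path"]
    hidden_system = "S" in attrs and "H" in attrs  # FRST attrs: S=system, H=hidden, D=dir
    if hidden_system and GUID_DIR.search(path):
        return Finding(REASON_GUID, path)
    if "%APPDATA%" in path.upper():
        return Finding(REASON_APPDATA_LITERAL, path)
    if hidden_system and "\\users\\" in path.lower() and path.lower().endswith((".dll", ".exe")):
        return Finding(REASON_HIDDEN_BINARY, path)
    return None


def triage_run_line(m):
    """Return a Finding for one parsed Run-key line, or None."""
    exe = RUN_EXE.match(m["cmd"])
    target = exe["exe"] if exe else m["cmd"]
    # AppData\Roaming\Microsoft\... holds legitimate Start Menu shortcuts; any other
    # folder directly under Roaming is a user-writable spot installers rarely use.
    if re.search(r"\\AppData\\Roaming\\(?!Microsoft\\)", target, re.I):
        return Finding(REASON_ROAMING_AUTORUN, target)
    return None


def triage(lines):
    """Walk FRST log lines and collect the indicators worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            f = triage_file_line(m)
        else:
            m = RUN_LINE.match(line)
            f = triage_run_line(m) if m else None
        if f:
            findings.append(f)
    return findings


# Constructed sample, modelled on lines posted in this thread (not a real scan).
SAMPLE_LINES = [
    r"HKU\user1\...\Run: [Orxofuyk] C:\Users\user1\AppData\Roaming\Ybkayp\tigo.exe [314880 2012-01-28] (Acresso Software Inc.)",
    r"HKU\user2\...\Run: [Best Buy pc app] C:\Users\user2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [398 2012-03-31] ()",
    r'HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)',
    r"2012-06-16 13:58 - 2012-06-16 13:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%",
    r"2012-06-19 14:07 - 2012-01-13 17:27 - 00000000 __SHD C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}",
    r"2012-06-16 13:54 - 2012-06-16 13:53 - 00128000 __ASH (Duplex Secure Ltd.) C:\Users\user1\AppData\Roaming\wiren.dll",
    r"2012-03-31 07:42 - 2012-03-31 07:42 - 00000020 ___SH C:\Users\user2\ntuser.ini",
    r"2012-06-19 13:54 - 2012-06-21 15:11 - 00000000 ____D C:\FRST",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}: {f.path}")
```

Run against the sample it reports four hits (the Roaming autorun, the `%APPDATA%` folder, the {GUID} folder and the hidden DLL) and stays quiet on `ntuser.ini`, which is hidden+system but a normal profile file, and on the Start Menu shortcut under `AppData\Roaming\Microsoft`. Feeding it a real FRST.txt is a matter of `triage(open(path, encoding="utf-8", errors="replace"))`.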


#3 shvidky

  • Topic Starter
  • Members
  • 13 posts
  • Local time:09:33 PM

Posted 21 June 2012 - 05:23 PM


1. Any comments or questions you may have that you'd like for me to answer in my next post to you.


Hi ST,

Thank you so much for your response. Sorry, I didn't get back sooner, there was a lot going on the last couple of days, so I didn't even have a chance to turn that computer on. Let's try to clean it first and see if we need to reinstall everything after. Again, thank you for your help.


2. FRST.txt log file.


Scan result of Farbar Recovery Scan Tool Version: 19-06-2012
Ran by SYSTEM at 21-06-2012 15:10:47
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11772520 2011-01-04] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2538280 2010-12-22] (Synaptics Incorporated)
HKLM\...\Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9769888 2011-08-17] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2011-08-17] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-08-17] (Lenovo)
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [170264 2012-03-19] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [398616 2012-03-19] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [439064 2012-03-19] (Intel Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [S6000Mnt] C:\windows\SysWOW64\Rundll32.exe S6000Rmv.dll,WinMainRmv /StartStillMnt [x]
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [407920 2010-11-05] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [202096 2010-11-05] (Egis Technology Inc.)
HKLM-x32\...\Run: [VitaKeyTSR] C:\Program Files (x86)\EgisTec BioExcess\EgisTSR.exe /run [383344 2010-12-13] (Egis Technology Inc. )
HKLM-x32\...\Run: [PLTSR] "C:\Program Files (x86)\EgisTec Port Locker\EgisPLTSR.exe" [364400 2010-10-22] (Egis Technology Inc. )
HKLM-x32\...\Run: [VeriFaceManager] C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [329056 2011-08-17] (Lenovo)
HKLM-x32\...\Run: [YouCam Mirage] "C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe" [136488 2010-12-24] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] "C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe" /s [224352 2010-12-24] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0" [222504 2010-07-26] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)
HKU\user1\...\Run: [Orxofuyk] C:\Users\user1\AppData\Roaming\Ybkayp\tigo.exe [314880 2012-01-28] (Acresso Software Inc.)
HKU\user2\...\Run: [Best Buy pc app] C:\Users\user2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [398 2012-03-31] ()
HKU\user2\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-08-17] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Lsa: [Notification Packages] scecli
EgisPwdFilter
EgisDSPwdFilter
EgisPLPwdFilter
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
ShortcutTarget: Personal Coach.lnk -> C:\Program Files (x86)\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe (TLC Education Properties LLC)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\user1\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
3 cphs; C:\Windows\SysWow64\IntelCpHeciSvc.exe [276248 2012-03-19] (Intel Corporation)
2 EgisTec Service; "C:\Program Files (x86)\EgisTec BioExcess\EgisService.exe" [703856 2010-12-13] (Egis Technology Inc. )
2 EgisTec Service Help; "C:\Program Files (x86)\EgisTec Port Locker\Egishlpsvc.exe" [327024 2010-10-22] (Egis Technology Inc. )
2 EgisTec Ticket Service; "C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe" [650096 2010-12-13] (Egis Technology Inc. )
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2010-12-20] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 ACPIVPC; C:\Windows\System32\Drivers\ACPIVPC.sys [29792 2011-08-17] (Lenovo Corporation)
1 BPntDrv; C:\Windows\System32\Drivers\BPntDrv.sys [13408 2011-08-17] (Lenovo)
3 clwvd; C:\Windows\System32\Drivers\clwvd.sys [31088 2010-12-24] (CyberLink Corporation)
1 EgisTecFF; C:\Windows\System32\Drivers\EgisTecFF.sys [55880 2011-08-17] (Egis Technology Inc.)
0 fbfmon; C:\Windows\System32\Drivers\fbfmon.sys [57952 2011-08-17] (Lenovo)
2 FPSensor; C:\Windows\System32\Drivers\FPSensor.sys [35952 2010-10-31] (Egis Technology Inc.)
0 LHDmgr; C:\Windows\System32\DRIVERS\LhdX64.sys [39008 2011-08-17] (Lenovo.)
3 RSUSBVSTOR; C:\Windows\System32\Drivers\RtsUVStor.sys [307304 2010-11-29] (Realtek Semiconductor Corp.)
3 S6000KNT; C:\Windows\System32\Drivers\S6000KNT.sys [3293272 2010-12-23] (Windows ® Win 7 DDK provider)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 wsvd; C:\Windows\System32\Drivers\wsvd.sys [121840 2009-07-21] (CyberLink)
3 BcmSqlStartupSvc; [x]
2 CLKMSVC10_3A60B698; [x]
2 CLKMSVC10_C3B3B687; [x]
2 DriverService; [x]
2 IAStorDataMgrSvc; [x]
2 iATAgentService; [x]
2 idealife Update Service; [x]
3 IGRS; [x]
2 IviRegMgr; [x]
2 nvUpdatusService; [x]
2 Oasis2Service; [x]
2 PCCarerService; [x]
2 ReadyComm.DirectRouter; [x]
2 RichVideo; [x]
2 RtLedService; [x]
2 SeaPort; [x]
2 SoftwareService; [x]
3 SQLWriter; [x]
2 Stereo Service; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-19 13:54 - 2012-06-21 15:11 - 00000000 ____D C:\FRST
2012-06-19 13:24 - 2012-06-19 13:26 - 00005520 ____A C:\Windows\WindowsUpdate.log
2012-06-19 12:42 - 2012-06-19 14:09 - 00001680 ____A C:\Windows\setupact.log
2012-06-19 12:42 - 2012-06-19 12:42 - 00000000 ____A C:\Windows\setuperr.log
2012-06-16 19:30 - 2012-06-17 10:12 - 00001240 ____A C:\Users\user1\Desktop\FixExec.txt
2012-06-16 19:30 - 2012-06-16 19:30 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\user1\Downloads\FixExec.exe
2012-06-16 19:21 - 2012-06-16 19:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-16 19:21 - 2012-06-16 19:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-16 19:06 - 2012-05-04 03:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-06-16 19:06 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-06-16 18:54 - 2012-06-16 18:54 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\SUPERAntiSpyware.com
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-06-16 17:58 - 2012-06-19 12:42 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-06-16 17:58 - 2012-06-16 17:59 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-06-16 17:58 - 2012-06-16 17:58 - 00001262 ____A C:\Users\Public\Desktop\Spybot - Search & Destroy.lnk
2012-06-16 17:44 - 2012-06-16 17:44 - 00000000 ____D C:\Users\user1\AppData\Roaming\Malwarebytes
2012-06-16 17:40 - 2012-06-16 17:40 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-16 17:40 - 2012-06-16 17:40 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-16 17:40 - 2012-06-16 17:40 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-16 17:40 - 2012-04-04 14:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-16 17:38 - 2012-06-19 12:33 - 00000361 ____A C:\rkill.log
2012-06-16 13:58 - 2012-06-16 13:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-16 13:54 - 2012-06-16 19:22 - 00000000 ____D C:\Users\user1\AppData\Roaming\Tuev
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\Ybkayp
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\Tohygi
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\All Users\F4D55F59000F8CC70060C0B7B4EB2367
2012-06-16 13:54 - 2012-06-16 13:53 - 00128000 __ASH (Duplex Secure Ltd.) C:\Users\user1\AppData\Roaming\wiren.dll
2012-06-16 13:52 - 2012-06-16 13:52 - 00000000 ____D C:\Windows\Sun
2012-06-15 18:52 - 2012-06-15 18:52 - 00326893 ____A C:\Users\user1\Documents\cruse to Alaska.pdf
2012-06-13 10:45 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-13 10:45 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-13 10:45 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-13 10:45 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-13 10:45 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-13 10:45 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-13 10:45 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-13 10:45 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-13 10:45 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-13 10:45 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-13 10:45 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-13 10:45 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-13 10:45 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-13 10:45 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 10:45 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-13 10:45 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-13 10:45 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-13 10:45 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-13 10:45 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-13 10:45 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-13 10:45 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-13 10:45 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-13 10:45 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-13 10:45 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-13 10:45 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-13 10:45 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-13 10:45 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-13 10:45 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-13 10:32 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 10:32 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-13 10:32 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-13 10:32 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-13 10:32 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-13 10:32 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 10:32 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 10:32 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-13 10:31 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 10:31 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 10:31 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 10:31 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-13 10:31 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-13 10:31 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-13 10:31 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-13 10:31 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-13 10:31 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-08 14:18 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-08 14:18 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-08 14:18 - 2012-06-02 14:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-08 14:18 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-08 14:18 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-08 14:18 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-08 14:18 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-08 14:18 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-08 14:18 - 2012-06-02 14:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-03 12:53 - 2012-06-03 12:53 - 00697961 ____A C:\Users\user1\Documents\17hpgreens.pdf
2012-05-26 08:14 - 2012-05-27 12:38 - 00000000 ____D C:\Users\user1\AppData\Local\Conduit
2012-05-26 08:14 - 2012-05-26 08:14 - 00000000 ____D C:\Program Files (x86)\Conduit

============ 3 Months Modified Files and Folders =============

2012-06-21 15:11 - 2012-06-19 13:54 - 00000000 ____D C:\FRST
2012-06-19 14:09 - 2012-06-19 12:42 - 00001680 ____A C:\Windows\setupact.log
2012-06-19 14:09 - 2011-08-17 23:10 - 01085968 ____A C:\FaceProv.log
2012-06-19 14:09 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-19 14:08 - 2011-08-17 23:23 - 00278193 ____A C:\Windows\System32\fastboot.set
2012-06-19 14:07 - 2012-01-13 17:27 - 00000000 __SHD C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
2012-06-19 13:54 - 2011-08-17 23:18 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-19 13:54 - 2011-08-17 23:10 - 00000000 ____D C:\Users\All Users\VeriFace
2012-06-19 13:32 - 2011-08-17 23:19 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-19 13:26 - 2012-06-19 13:24 - 00005520 ____A C:\Windows\WindowsUpdate.log
2012-06-19 12:42 - 2012-06-19 12:42 - 00000000 ____A C:\Windows\setuperr.log
2012-06-19 12:42 - 2012-06-16 17:58 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-06-19 12:33 - 2012-06-16 17:38 - 00000361 ____A C:\rkill.log
2012-06-17 10:12 - 2012-06-16 19:30 - 00001240 ____A C:\Users\user1\Desktop\FixExec.txt
2012-06-16 19:30 - 2012-06-16 19:30 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\user1\Downloads\FixExec.exe
2012-06-16 19:22 - 2012-06-16 13:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\Tuev
2012-06-16 19:21 - 2012-06-16 19:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-16 19:21 - 2012-06-16 19:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-16 19:21 - 2011-10-31 03:42 - 00748900 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-16 19:21 - 2011-10-31 03:42 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-16 19:20 - 2009-07-13 20:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-16 19:20 - 2009-07-13 20:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-16 19:17 - 2009-07-13 21:13 - 00731314 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-16 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-06-16 18:54 - 2012-06-16 18:54 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\SUPERAntiSpyware.com
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-06-16 17:59 - 2012-06-16 17:58 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-06-16 17:58 - 2012-06-16 17:58 - 00001262 ____A C:\Users\Public\Desktop\Spybot - Search & Destroy.lnk
2012-06-16 17:56 - 2011-12-07 17:36 - 00000000 ____D C:\Windows\Minidump
2012-06-16 17:44 - 2012-06-16 17:44 - 00000000 ____D C:\Users\user1\AppData\Roaming\Malwarebytes
2012-06-16 17:40 - 2012-06-16 17:40 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-16 17:40 - 2012-06-16 17:40 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-16 17:40 - 2012-06-16 17:40 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-16 14:04 - 2011-12-29 18:24 - 00000979 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-16 13:58 - 2012-06-16 13:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\Ybkayp
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\Tohygi
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\All Users\F4D55F59000F8CC70060C0B7B4EB2367
2012-06-16 13:53 - 2012-06-16 13:54 - 00128000 __ASH (Duplex Secure Ltd.) C:\Users\user1\AppData\Roaming\wiren.dll
2012-06-16 13:52 - 2012-06-16 13:52 - 00000000 ____D C:\Windows\Sun
2012-06-15 18:52 - 2012-06-15 18:52 - 00326893 ____A C:\Users\user1\Documents\cruse to Alaska.pdf
2012-06-13 15:43 - 2009-07-13 20:45 - 00427784 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 15:41 - 2012-01-26 16:44 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-13 15:35 - 2011-11-05 21:46 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-09 10:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-06-09 10:12 - 2012-04-14 16:04 - 00000000 ____D C:\Users\user1\Documents\Youcam
2012-06-03 12:53 - 2012-06-03 12:53 - 00697961 ____A C:\Users\user1\Documents\17hpgreens.pdf
2012-06-02 14:19 - 2012-06-08 14:18 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-08 14:18 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-08 14:18 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-08 14:18 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-08 14:18 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-08 14:18 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-08 14:18 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-08 14:18 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-08 14:18 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-27 12:38 - 2012-05-26 08:14 - 00000000 ____D C:\Users\user1\AppData\Local\Conduit
2012-05-26 08:14 - 2012-05-26 08:14 - 00000000 ____D C:\Program Files (x86)\Conduit
2012-05-18 09:04 - 2012-01-26 08:10 - 00000000 ____D C:\Users\user1\AppData\Roaming\.purple
2012-05-17 18:47 - 2012-06-13 10:45 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-13 10:45 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-13 10:45 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-13 10:45 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-13 10:45 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-13 10:45 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 17:58 - 2012-06-13 10:45 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 17:56 - 2012-06-13 10:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 17:55 - 2012-06-13 10:45 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 17:55 - 2012-06-13 10:45 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 17:54 - 2012-06-13 10:45 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 17:51 - 2012-06-13 10:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 17:51 - 2012-06-13 10:45 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 17:47 - 2012-06-13 10:45 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 15:11 - 2012-06-13 10:45 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 14:48 - 2012-06-13 10:45 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 14:45 - 2012-06-13 10:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 14:36 - 2012-06-13 10:45 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 14:35 - 2012-06-13 10:45 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 14:35 - 2012-06-13 10:45 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 14:33 - 2012-06-13 10:45 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 14:31 - 2012-06-13 10:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 14:29 - 2012-06-13 10:45 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 14:29 - 2012-06-13 10:45 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 14:27 - 2012-06-13 10:45 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 14:25 - 2012-06-13 10:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 14:24 - 2012-06-13 10:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 14:20 - 2012-06-13 10:45 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 20:17 - 2012-05-14 20:17 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-14 20:17 - 2012-05-14 20:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-14 17:32 - 2012-06-13 10:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-13 05:32 - 2009-07-13 21:08 - 00032614 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-12 20:30 - 2011-02-22 03:42 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-06 07:12 - 2012-05-06 07:12 - 01140740 ____A C:\Users\user1\Documents\pdf77712508dpi300.pdf
2012-05-04 03:06 - 2012-06-13 10:32 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 03:00 - 2012-06-16 19:06 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-05-04 02:03 - 2012-06-13 10:32 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-13 10:32 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-04 01:59 - 2012-06-16 19:06 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-04-30 21:40 - 2012-06-13 10:32 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-28 08:47 - 2012-04-28 08:47 - 00000000 ____D C:\Users\user1\Documents\geneology
2012-04-27 19:55 - 2012-06-13 10:31 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 21:41 - 2012-06-13 10:32 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 21:41 - 2012-06-13 10:32 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 21:34 - 2012-06-13 10:32 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 21:37 - 2012-06-13 10:31 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 21:37 - 2012-06-13 10:31 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 21:37 - 2012-06-13 10:31 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 20:36 - 2012-06-13 10:31 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 20:36 - 2012-06-13 10:31 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 20:36 - 2012-06-13 10:31 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-16 16:31 - 2011-11-21 17:00 - 00000000 ____D C:\Users\user1\AppData\Local\EgisTec
2012-04-14 16:04 - 2012-04-14 16:04 - 00000000 ____D C:\Users\user1\AppData\Roaming\CyberLink
2012-04-14 16:04 - 2012-04-14 16:04 - 00000000 ____D C:\Users\user1\AppData\Local\CyberLink
2012-04-14 16:04 - 2012-04-14 16:04 - 00000000 ____D C:\Users\All Users\CyberLink
2012-04-13 20:29 - 2012-04-13 20:29 - 00000000 ____D C:\Users\user2\AppData\Local\Best Buy pc app
2012-04-13 20:29 - 2012-03-31 07:42 - 00000000 ____D C:\Users\user2\AppData\Local\Deployment
2012-04-13 20:06 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-04-07 11:16 - 2010-11-20 18:50 - 00000000 ____D C:\users\Administrator
2012-04-07 04:31 - 2012-06-13 10:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-07 03:26 - 2012-06-13 10:31 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-04-04 14:56 - 2012-06-16 17:40 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-31 08:22 - 2012-03-31 07:44 - 00000000 ____D C:\Users\user2\AppData\Local\Google
2012-03-31 07:45 - 2012-03-31 07:45 - 00000000 ____D C:\Users\user2\AppData\Roaming\Google
2012-03-31 07:45 - 2012-03-31 07:45 - 00000000 ____D C:\Users\user2\AppData\Roaming\Adobe
2012-03-31 07:44 - 2012-03-31 07:44 - 00000000 ____D C:\Users\user2\AppData\Local\EgisTec
2012-03-31 07:43 - 2012-03-31 07:43 - 00000398 ____A C:\Users\user2\Desktop\pc app.appref-ms
2012-03-31 07:42 - 2012-03-31 07:42 - 00111648 ____A C:\Users\user2\AppData\Local\GDIPFONTCACHEV1.DAT
2012-03-31 07:42 - 2012-03-31 07:42 - 00002086 ____A C:\Users\user2\Desktop\OneKey Recovery.lnk
2012-03-31 07:42 - 2012-03-31 07:42 - 00001122 ____A C:\Users\user2\Desktop\Cyberlink Power2Go.lnk
2012-03-31 07:42 - 2012-03-31 07:42 - 00000020 ___SH C:\Users\user2\ntuser.ini
2012-03-31 07:42 - 2012-03-31 07:42 - 00000000 ___HD C:\Users\user2\AppData\Roaming\Broderbund
2012-03-31 07:42 - 2012-03-31 07:42 - 00000000 ____D C:\Users\user2\AppData\Local\EgisTec IPS
2012-03-31 07:42 - 2012-03-31 07:42 - 00000000 ____D C:\Users\user2\AppData\Local\BioExcess
2012-03-31 07:42 - 2012-03-31 07:42 - 00000000 ____D C:\Users\user2\AppData\Local\Apps\2.0
2012-03-31 07:42 - 2012-03-31 07:42 - 00000000 ____D C:\users\user2
2012-03-30 03:35 - 2012-05-12 19:39 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-25 15:29 - 2012-03-02 17:24 - 00000000 ____D C:\Users\user1\AppData\Local\Windows Live

ZeroAccess:
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\@
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\L
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\n
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U

ZeroAccess:
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\@
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\L
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\n
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\00000001.@
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\80000000.@
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\800000cb.@

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 18%
Total physical RAM: 2986.17 MB
Available physical RAM: 2430.68 MB
Total Pagefile: 2984.37 MB
Available Pagefile: 2417.05 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:254.14 GB) (Free:215.43 GB) NTFS
2 Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:26.8 GB) NTFS
4 Drive g: (KINGSTON) (Removable) (Total:3.74 GB) (Free:0.52 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: () (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status  Size     Free     Dyn  Gpt
--------  ------  -------  -------  ---  ---
Disk 0    Online  298 GB   1024 KB
Disk 1    Online  3836 MB  0 B

Partitions of Disk 0:
===============

Partition ###  Type      Size    Offset
-------------  --------  ------  -------
Partition 1    Primary   200 MB  1024 KB
Partition 2    Primary   254 GB  201 MB
Partition 0    Extended  28 GB   254 GB
Partition 4    Logical   28 GB   254 GB
Partition 3    OEM       14 GB   283 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label  Fs    Type       Size    Status   Info
----------  ---  -----  ----  ---------  ------  -------  ----
* Volume 1  Y           NTFS  Partition  200 MB  Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label  Fs    Type       Size    Status   Info
----------  ---  -----  ----  ---------  ------  -------  ----
* Volume 2  C           NTFS  Partition  254 GB  Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label   Fs    Type       Size   Status   Info
----------  ---  ------  ----  ---------  -----  -------  ----
* Volume 3  D    LENOVO  NTFS  Partition  28 GB  Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 12
Hidden: Yes
Active: No

Volume ###  Ltr  Label        Fs    Type       Size   Status   Info
----------  ---  -----------  ----  ---------  -----  -------  ------
* Volume 5       LENOVO_PART  NTFS  Partition  14 GB  Healthy  Hidden

======================================================================================================

Partitions of Disk 1:
===============

Partition ###  Type     Size     Offset
-------------  -------  -------  ------
Partition 1    Primary  3835 MB  4096 B

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ###  Ltr  Label     Fs     Type       Size     Status   Info
----------  ---  --------  -----  ---------  -------  -------  ----
* Volume 4  G    KINGSTON  FAT32  Removable  3835 MB  Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-09 10:42
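
An added example, written for this page and not part of the thread or of FRST: a PowerShell script that looks for the folder layout the log above labels ZeroAccess. The pattern it matches is what the log shows, a hidden+system directory named like a GUID that holds entries named @, L, n and U, with *.@ payloads under U, in the two places this infection used, C:\Windows\Installer and each profile's AppData\Local. The GUID in the log is specific to this laptop, so only the shape of the name is matched. The script name, the -Root parameter and the "three of four markers" threshold are my choices. Run it elevated against an offline volume from a clean boot environment that has PowerShell, the same reasoning the helper applied when insisting FRST be run from the recovery environment; C: is only a sensible target on an already cleaned machine.

```powershell
# Added example, not from the thread. Scans for the ZeroAccess folder layout listed in the FRST log:
# a hidden+system, GUID-named directory containing entries named @, L, n and U, with *.@ payloads under U.
# Assumptions: elevated PowerShell 3.0+, -Root pointing at the Windows volume to inspect
# (an offline volume such as D: when booted from clean media; C: only on an already-cleaned system).
param(
    [string]$Root = 'C:'
)

$guidName = '^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$'
$markers  = @('@', 'L', 'n', 'U')   # children ZeroAccess keeps inside its GUID folder (from the log)

# The two places this infection used: the Installer cache and every profile's Local AppData.
$bases = @("$Root\Windows\Installer") +
    @(Get-ChildItem -Path "$Root\Users" -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local' })

$findings = foreach ($base in $bases) {
    if (-not (Test-Path -LiteralPath $base)) { continue }
    # -Force is needed: the folders carry Hidden and System attributes (__SHD in FRST's listing).
    Get-ChildItem -LiteralPath $base -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $guidName } |
        ForEach-Object {
            $children = @(Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue | ForEach-Object Name)
            $present  = @($markers | Where-Object { $children -contains $_ })
            # Three of four markers is the threshold here (my choice) so a partially removed set still shows.
            if ($present.Count -ge 3) {
                $payloadDir = Join-Path $_.FullName 'U'
                [pscustomobject]@{
                    Path       = $_.FullName
                    Attributes = $_.Attributes.ToString()
                    Markers    = ($present -join ', ')
                    Payloads   = @(Get-ChildItem -LiteralPath $payloadDir -File -Force -ErrorAction SilentlyContinue |
                                   Where-Object { $_.Name -like '*.@' } | ForEach-Object Name) -join ', '
                }
            }
        }
}

if ($findings) {
    $findings | Format-List
} else {
    "No ZeroAccess-style GUID folders found under $Root."
}
```

Typical use from a clean boot environment with the infected disk mounted as D: is `powershell -ExecutionPolicy Bypass -File .\Find-ZeroAccessDirs.ps1 -Root D:` (the file name is mine). On this laptop it would have reported both folders the log lists, the one under Windows\Installer and the one under user1's AppData\Local, with 00000001.@, 80000000.@ and 800000cb.@ as payloads. Finding the folders is only the detection step; the fix in the thread also had to replace the patched services.exe, and that is a separate check.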

#4 shvidky (Topic Starter)

Posted 21 June 2012 - 05:26 PM

3. Search.txt log file.

Farbar Recovery Scan Tool Version: 19-06-2012
Ran by SYSTEM at 2012-06-21 15:14:30
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

4. An update on how your computer is currently running.

Just checked and it is running exactly the same, continues to reboot every minute, regardless whether I am logged in or not. Reboots in Safe Mode as well.

#5 SweetTech (Agent ST)

Posted 23 June 2012 - 03:46 AM

Hi shvidky!

Thank you so much for your response. Sorry, I didn't get back sooner, there was a lot going on the last couple of days, so I didn't even have a chance to turn that computer on. Let's try to clean it first and see if we need to reinstall everything after. Again, thank you for your help.

No problem, I'm glad to be of assistance. No worries, I completely understand. Life has a funny way of working.

Running FRST Fix

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt

start
HKLM-x32\...\Run: [S6000Mnt] C:\windows\SysWOW64\Rundll32.exe S6000Rmv.dll,WinMainRmv /StartStillMnt [x]
2012-06-16 13:58 - 2012-06-16 13:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-16 13:54 - 2012-06-16 19:22 - 00000000 ____D C:\Users\user1\AppData\Roaming\Tuev
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\Ybkayp
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\Tohygi
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\All Users\F4D55F59000F8CC70060C0B7B4EB2367
2012-06-16 13:54 - 2012-06-16 13:53 - 00128000 __ASH (Duplex Secure Ltd.) C:\Users\user1\AppData\Roaming\wiren.dll
2012-06-19 14:07 - 2012-01-13 17:27 - 00000000 __SHD C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
2012-06-16 19:22 - 2012-06-16 13:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\Tuev
2012-06-16 13:58 - 2012-06-16 13:58 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\Ybkayp
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\user1\AppData\Roaming\Tohygi
2012-06-16 13:54 - 2012-06-16 13:54 - 00000000 ____D C:\Users\All Users\F4D55F59000F8CC70060C0B7B4EB2367
2012-06-16 13:53 - 2012-06-16 13:54 - 00128000 __ASH (Duplex Secure Ltd.) C:\Users\user1\AppData\Roaming\wiren.dll
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\@
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\L
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\n
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\@
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\L
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\n
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\00000001.@
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\80000000.@
C:\Users\user1\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\800000cb.@
REPLACE: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


NEXT:



Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
  • If you get an error message saying: "Illegal operation attempted on a registry key that was marked for deletion." please reboot your computer, and that should take care of that error message.


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. Fixlog.txt log file.
3. ComboFix.txt log file.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
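
An added example of mine, not code from the helper or from FRST: the check behind FRST's "Bamital & volsnap Check" line and the Search.txt result in post #4, done by hand. It hashes services.exe in System32 and every copy in the WinSxS component store (the helper's REPLACE directive copies one of those back over the live file), reports which copies match, and then looks at the Authenticode signature. It assumes an elevated PowerShell 4.0 or later session (Get-FileHash) and that -Root names the Windows directory being checked. For a machine that reboots every minute that means the offline volume from a clean boot environment that carries PowerShell; Windows 7's own recovery environment does not ship it, which is one reason FRST is the tool used there. Note the two entries in Search.txt above: both files are 328704 bytes with identical 2009-07-13 timestamps and only the MD5 differs, so size and date prove nothing here.

```powershell
# Added example, not from the thread or from FRST. Repeats the check FRST reports as
# "Bamital & volsnap Check" for services.exe: hash the live binary and every copy in the WinSxS
# component store, then look at the Authenticode signature.
# Assumptions: elevated PowerShell 4.0+ (Get-FileHash); -Root is the Windows directory to check,
# e.g. D:\Windows for the offline volume when booted from clean media.
param(
    [string]$Root = $env:SystemRoot,
    [string]$Name = 'services.exe'
)

function Get-Sha256 {
    param([string]$Path)
    # Use -Algorithm MD5 instead to line the values up with FRST's own output.
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

$live     = Join-Path $Root "System32\$Name"
$liveItem = Get-Item -LiteralPath $live
$liveHash = Get-Sha256 $live

# Each copy in the component store; on this laptop that was
# winsxs\amd64_microsoft-windows-s..s-servicecontroller_*\services.exe, the replacement source in the fix.
$copies = @(Get-ChildItem -Path (Join-Path $Root 'winsxs') -Recurse -Filter $Name -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-Sha256 $_.FullName
        [pscustomobject]@{
            Size        = $_.Length
            LastWrite   = $_.LastWriteTime
            MatchesLive = ($h -eq $liveHash)
            Sha256      = $h
            Path        = $_.FullName
        }
    })

"Live : $live"
"       size=$($liveItem.Length) lastwrite=$($liveItem.LastWriteTime) sha256=$liveHash"
$copies | Format-Table Size, LastWrite, MatchesLive, Path -AutoSize

# In the thread's Search.txt both files were 328704 bytes with the same 2009-07-13 timestamps; only the
# hash differed. Size and dates are therefore not an integrity check, the hash comparison is.
if ($copies.Count -gt 0 -and -not ($copies | Where-Object { $_.MatchesLive })) {
    Write-Warning "$Name in System32 matches none of $($copies.Count) component-store copies; treat it as patched."
}

# Embedded-signature check. Many Windows binaries are catalog-signed, so 'NotSigned' on an older OS or on
# an offline volume is not by itself proof of tampering; the hash mismatch above is the decisive signal.
$sig = Get-AuthenticodeSignature -FilePath $live
"Signature: $($sig.Status)" + $(if ($sig.SignerCertificate) { " signer=$($sig.SignerCertificate.Subject)" })
```

Run it as `powershell -ExecutionPolicy Bypass -File .\Check-ServicesExe.ps1 -Root D:\Windows` (the file name is mine) with the infected disk mounted offline. A live file that matches none of the store copies is the same finding FRST expressed as "ZeroAccess <==== ATTENTION!" on the services.exe line; a match against a store copy whose version matches the installed service pack is what the REPLACE step in the fixlist restores. Whichever copy is used as the source, compare it against the others first: a component store can hold several versions, and the fix should copy the newest signed one, not merely one that differs from the patched file.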


#6 shvidky (Topic Starter)

Posted 23 June 2012 - 11:23 PM

1. First of all, thank you for the script. It worked great, the computer doesn't reboot anymore.

2. Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 19-06-2012
Ran by SYSTEM at 2012-06-23 20:45:39 Run:1
Running from G:\

==============================================

HKLM-x32\\\.\.\.\\Run\\S6000Mnt Value deleted successfully.
C:\Windows\System32\%APPDATA% moved successfully.
C:\Users\jackson\AppData\Roaming\Tuev not found.
C:\Users\jackson\AppData\Roaming\Ybkayp not found.
C:\Users\jackson\AppData\Roaming\Tohygi not found.
C:\Users\All Users\F4D55F59000F8CC70060C0B7B4EB2367 moved successfully.
C:\Users\jackson\AppData\Roaming\wiren.dll moved successfully.
C:\Users\jackson\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117} moved successfully.
C:\Users\jackson\AppData\Roaming\Tuev not found.
C:\Windows\System32\%APPDATA% not found.
C:\Users\jackson\AppData\Roaming\Ybkayp not found.
C:\Users\jackson\AppData\Roaming\Tohygi not found.
C:\Users\All Users\F4D55F59000F8CC70060C0B7B4EB2367 not found.
C:\Users\jackson\AppData\Roaming\wiren.dll not found.
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117} moved successfully.
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\@ not found.
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\L not found.
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\n not found.
C:\Windows\Installer\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U not found.
C:\Users\jackson\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117} not found.
C:\Users\jackson\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\@ not found.
C:\Users\jackson\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\L not found.
C:\Users\jackson\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\n not found.
C:\Users\jackson\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U not found.
C:\Users\jackson\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\00000001.@ not found.
C:\Users\jackson\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\80000000.@ not found.
C:\Users\jackson\AppData\Local\{0a390887-8483-5e19-2ad2-ffe7ec68d117}\U\800000cb.@ not found.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

3. Here is ComboFix log

ComboFix 12-06-23.06 - jackson 06/23/2012 20:54:42.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2986.1723 [GMT -7:00]
Running from: c:\users\jackson\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\users\jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
c:\users\jackson\AppData\Roaming\Ymlii
c:\users\jackson\AppData\Roaming\Ymlii\okgy.exe
c:\windows\gt.exe
c:\windows\s.bat
c:\windows\SysWow64\devil.dll
c:\windows\version.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
.
.
2012-06-24 03:25 . 2012-06-24 03:48 -------- d-----w- c:\users\jackson\AppData\Roaming\Daixe
2012-06-24 03:25 . 2012-06-24 03:25 -------- d-----w- c:\users\jackson\AppData\Roaming\Husowu
2012-06-19 21:54 . 2012-06-21 23:11 -------- d-----w- C:\FRST
2012-06-17 03:29 . 2012-06-17 03:29 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C60C45ED-5C89-423B-9E79-DC93E6AFE803}\gapaengine.dll
2012-06-17 03:29 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{765EDE84-B6CA-4968-96CD-3D64699A0D24}\mpengine.dll
2012-06-17 03:21 . 2012-06-17 03:21 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-06-17 03:21 . 2012-06-17 03:21 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-17 03:06 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-06-17 03:06 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-06-17 02:54 . 2012-06-17 02:54 -------- d-----w- c:\users\jackson\AppData\Roaming\SUPERAntiSpyware.com
2012-06-17 02:54 . 2012-06-17 02:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-17 02:54 . 2012-06-17 02:54 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-06-17 01:58 . 2012-06-19 20:42 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-06-17 01:58 . 2012-06-17 01:59 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-06-17 01:44 . 2012-06-17 01:44 -------- d-----w- c:\users\jackson\AppData\Roaming\Malwarebytes
2012-06-17 01:40 . 2012-06-17 01:40 -------- d-----w- c:\programdata\Malwarebytes
2012-06-17 01:40 . 2012-06-17 01:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-17 01:40 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 21:52 . 2012-06-16 21:52 -------- d-----w- c:\windows\Sun
2012-06-13 18:32 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 18:32 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 18:32 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 18:32 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 18:32 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-13 18:32 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-13 18:32 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-13 18:32 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 18:31 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 18:31 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
2012-06-13 18:31 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-06-13 18:31 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 18:31 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-13 18:31 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 18:31 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 18:31 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-13 18:31 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-08 22:18 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-08 22:18 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-08 22:18 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-08 22:18 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-08 22:18 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-08 22:18 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-08 22:18 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-08 22:18 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-08 22:18 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-26 16:14 . 2012-05-26 16:14 -------- d-----w- c:\program files (x86)\Conduit
2012-05-26 16:14 . 2012-05-27 20:38 -------- d-----w- c:\users\jackson\AppData\Local\Conduit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-30 11:35 . 2012-05-13 03:39 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2010-11-05 407920]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2010-11-05 202096]
"VitaKeyTSR"="c:\program files (x86)\EgisTec BioExcess\EgisTSR.exe" [2010-12-13 383344]
"PLTSR"="c:\program files (x86)\EgisTec Port Locker\EgisPLTSR.exe" [2010-10-22 364400]
"VeriFaceManager"="c:\program files (x86)\Lenovo\VeriFace\PManage.exe" [2011-08-18 329056]
"YouCam Mirage"="c:\program files (x86)\Lenovo\YouCam\YCMMirage.exe" [2010-12-24 136488]
"YouCam Tray"="c:\program files (x86)\Lenovo\YouCam\YouCam.exe" [2010-12-24 224352]
"UpdateP2GShortCut"="c:\program files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2010-07-26 222504]
"UpdatePRCShortCut"="c:\program files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-13 222504]
.
c:\users\jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Personal Coach.lnk - c:\program files (x86)\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2012-1-26 2392064]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2011-2-25 15776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-18 136176]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
R3 cphs;Intel® Content Protection HECI Service;c:\windows\SysWow64\IntelCpHeciSvc.exe [2012-03-20 276248]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-18 136176]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 fbfmon;fbfmon;c:\windows\system32\drivers\fbfmon.sys [x]
S0 LHDmgr;LHDmgr;c:\windows\System32\DRIVERS\LhdX64.sys [x]
S1 BPntDrv;BPntDrv;c:\windows\system32\drivers\BPntDrv.sys [x]
S1 EgisTecFF;EgisTecFF;c:\windows\system32\DRIVERS\EgisTecFF.sys [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [x]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [x]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 EgisTec Service Help;EgisTec Service Help;c:\program files (x86)\EgisTec Port Locker\Egishlpsvc.exe [2010-10-22 327024]
S2 EgisTec Service;EgisTec Service;c:\program files (x86)\EgisTec BioExcess\EgisService.exe [2010-12-13 703856]
S2 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2010-12-13 650096]
S2 FPSensor;EgisTec-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\Drivers\FPSensor.sys [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-20 2656280]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 S6000KNT;S6000KNT_WebCam Driver;c:\windows\system32\Drivers\S6000KNT.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-18 07:18]
.
2012-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-18 07:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2011-08-18 07:10 1508192 ----a-w- c:\windows\System32\IcnOvrly.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-04 11772520]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2011-08-18 9769888]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\Utility.exe" [2011-08-18 5908928]
"Lenovo EE Boot Optimizer"="c:\program files (x86)\Lenovo\Boot Optimizer\PopWnd.exe" [2011-08-18 114688]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-03-20 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-03-20 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-03-20 439064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
"combofix"="c:\combofix\CF31419.3XE" [2010-11-21 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig
mStart Page = hxxp://lenovo.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\jackson\AppData\Roaming\Mozilla\Firefox\Profiles\0egacim5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-Udotwuudq - c:\users\jackson\AppData\Roaming\Ymlii\okgy.exe
Toolbar-Locked - (no file)
WebBrowser-{B2BF7B3F-BF0B-4C48-AEC6-F92C51BE63E1} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-06-23 21:07:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-24 04:07
.
Pre-Run: 231,367,376,896 bytes free
Post-Run: 230,629,732,352 bytes free
.
- - End Of File - - 7E6E874B49ABC642D78298E6AD94EA78

4. Computer seems to be running well. However, I am unable to download updates for MSE or download and install available windows updates. Says to check my Internet or network connection, though everything else is working fine. Thanks again!

#7 SweetTech (Agent ST)

Posted 24 June 2012 - 08:46 AM

Hi!

Computer seems to be running well. However, I am unable to download updates for MSE or download and install available windows updates. Says to check my Internet or network connection, though everything else is working fine. Thanks again!

Okay. We'll see what we can do about that.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
ClearJavaCache::
Folder::
c:\users\jackson\AppData\Roaming\Daixe
c:\users\jackson\AppData\Roaming\Husowu
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:


Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. New ComboFix.txt log file.
3. FSS.txt log file.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
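An added example (editor's code, not from the thread, BleepingComputer or ComboFix): a small Python triage pass over a pasted ComboFix log that pulls out the three things a helper reads first before writing a CFScript like the one above, namely the UAC policy values under policies\system, the service and driver lines ComboFix could not stat (shown as [x]), and the LOCKED REGISTRY KEYS block. The sample log is constructed from excerpts in the same layout as the logs in this thread, with one made-up key (Example\LockedByTest) so the flagging path has something to report; the allow-list of vendor-locked keys is an assumption a helper would maintain, not something ComboFix provides.

```python
"""Triage pass over a ComboFix log (added example, not ComboFix's or the thread's code)."""
import re
from collections import namedtuple

# Constructed sample in ComboFix's layout: the policy, service and locked-key lines mirror
# the logs posted in this thread; Example\LockedByTest is made up so the flag path fires.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S0 fbfmon;fbfmon;c:\windows\system32\drivers\fbfmon.sys [x]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\LockedByTest]
@Denied: (Full) (Everyone)
------------------------ Other Running Processes ------------------------
"""

# 1. UAC policy values. Zero is the weak setting for each (Windows 7 defaults: 1, 5, 1).
POLICY_KEY = r"[hkey_local_machine\software\microsoft\windows\currentversion\policies\system]"
_POLICY_LINE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>-?\d+)')
UAC_WEAK_AT_ZERO = {
    "EnableLUA": "UAC is switched off entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, with no prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}

def parse_policies(log):
    """{value name: int} for the lines ComboFix lists under the UAC policies key."""
    values, inside = {}, False
    for line in log.splitlines():
        if line.startswith("["):
            inside = line.strip().lower() == POLICY_KEY
            continue
        m = _POLICY_LINE.match(line) if inside else None
        if m:
            values[m["name"]] = int(m["value"])
    return values

def uac_findings(policies):
    return [f"{name}=0: {why}" for name, why in UAC_WEAK_AT_ZERO.items()
            if policies.get(name) == 0]

# 2. Services and drivers: "<R|S><start type> name;display;path [date size]".
# R running / S stopped; [x] means ComboFix could not read the file at that path.
_SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<info>[^\]]*)\]\s*$")
Service = namedtuple("Service", "start name display path verified")

def parse_services(log):
    return [Service(m["start"], m["name"], m["display"], m["path"], m["info"] != "x")
            for m in map(_SERVICE_LINE.match, log.splitlines()) if m]

def unverified_services(services):
    """A to-verify list (signature, real location), not a verdict: on 64-bit hosts
    many legitimate system32 drivers show [x], as in the logs above."""
    return [s for s in services if not s.verified]

# 3. Locked keys. Assumed allow-list of keys vendors lock on purpose (Flash's CLSIDs
# and broker interface, Office smart tags, Windows 7's PCW key); the rest are reported.
KNOWN_LOCKED_PREFIXES = (
    r"hkey_local_machine\software\classes\wow6432node\clsid\{d27cdb",
    r"hkey_local_machine\software\classes\wow6432node\clsid\{a483c63a-cdbc-426e-bf93-872502e8144e}",
    r"hkey_local_machine\software\classes\wow6432node\interface\{e3f2c3cb-5eb8-4a04-b22c-7e3b4b6af30f}",
    r"hkey_local_machine\software\wow6432node\microsoft\office\common\smart tag",
    r"hkey_local_machine\system\controlset001\control\pcw\security",
)

def parse_locked_keys(log):
    """[(key, denied mask)] for every key in the LOCKED REGISTRY KEYS section."""
    locked, inside, current = [], False, None
    for line in log.splitlines():
        if "LOCKED REGISTRY KEYS" in line:
            inside = True
        elif inside and line.startswith("-----"):          # next section's banner
            break
        elif inside and line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif inside and line.startswith("@Denied:") and current:
            locked.append((current, line[len("@Denied:"):].strip()))
    return locked

def suspicious_locked_keys(locked):
    return [k for k, _ in locked if not k.lower().startswith(KNOWN_LOCKED_PREFIXES)]

def triage(log):
    """What a helper wants in hand before writing a CFScript for the machine."""
    return {"uac": uac_findings(parse_policies(log)),
            "unverified_services": [s.name for s in unverified_services(parse_services(log))],
            "locked_keys_to_review": suspicious_locked_keys(parse_locked_keys(log))}
```

Feed `triage()` the full pasted log rather than SAMPLE_LOG. On the second log in this thread it reports EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all at 0 (UAC fully off, worth turning back on once the machine is clean) and every system32 driver as unverified, which is the usual 64-bit picture and not by itself a sign of infection; the Flash and PCW locked keys fall under the allow-list and stay quiet.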


#8 shvidky (Topic Starter)

Posted 24 June 2012 - 11:00 PM

1. Again, thank you very much for your help. MSE somehow started working today before I did any of your steps. One Windows update is failing, encounters an unknown error, but I am not sure if the issue lies in the virus now. It seems to be running pretty well!

2. New Combofix Log

ComboFix 12-06-23.06 - jackson 06/24/2012 20:23:03.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2986.1824 [GMT -7:00]
Running from: c:\users\jackson\Desktop\ComboFix.exe
Command switches used :: c:\users\jackson\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\jackson\AppData\Roaming\Daixe
c:\users\jackson\AppData\Roaming\Daixe\obmaw.ife
c:\users\jackson\AppData\Roaming\Husowu
c:\users\jackson\AppData\Roaming\Husowu\woezh.qee
.
.
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
.
2012-06-25 03:30 . 2012-06-25 03:30 -------- d-----w- c:\users\Sherry\AppData\Local\temp
2012-06-25 03:30 . 2012-06-25 03:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-25 03:30 . 2012-06-25 03:30 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-06-24 16:41 . 2012-06-24 16:41 -------- d-----w- c:\users\jackson\AppData\Local\Lenovo Security Suite
2012-06-24 15:29 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C5005E45-77A3-4199-B121-6F36D5E61857}\mpengine.dll
2012-06-19 21:54 . 2012-06-21 23:11 -------- d-----w- C:\FRST
2012-06-17 03:29 . 2012-06-17 03:29 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C60C45ED-5C89-423B-9E79-DC93E6AFE803}\gapaengine.dll
2012-06-17 03:29 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-17 03:21 . 2012-06-17 03:21 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-06-17 03:21 . 2012-06-17 03:21 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-17 03:06 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-06-17 03:06 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-06-17 02:54 . 2012-06-17 02:54 -------- d-----w- c:\users\jackson\AppData\Roaming\SUPERAntiSpyware.com
2012-06-17 02:54 . 2012-06-17 02:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-17 02:54 . 2012-06-17 02:54 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-06-17 01:58 . 2012-06-24 04:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-06-17 01:58 . 2012-06-17 01:59 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-06-17 01:44 . 2012-06-17 01:44 -------- d-----w- c:\users\jackson\AppData\Roaming\Malwarebytes
2012-06-17 01:40 . 2012-06-17 01:40 -------- d-----w- c:\programdata\Malwarebytes
2012-06-17 01:40 . 2012-06-17 01:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-17 01:40 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 21:52 . 2012-06-16 21:52 -------- d-----w- c:\windows\Sun
2012-06-13 18:32 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 18:32 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 18:32 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 18:32 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 18:32 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-13 18:32 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-13 18:32 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-13 18:32 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 18:31 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 18:31 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
2012-06-13 18:31 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-06-13 18:31 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 18:31 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-13 18:31 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 18:31 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 18:31 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-13 18:31 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-08 22:18 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-08 22:18 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-08 22:18 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-08 22:18 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-08 22:18 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-08 22:18 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-08 22:18 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-08 22:18 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-08 22:18 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-26 16:14 . 2012-05-26 16:14 -------- d-----w- c:\program files (x86)\Conduit
2012-05-26 16:14 . 2012-05-27 20:38 -------- d-----w- c:\users\jackson\AppData\Local\Conduit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-30 11:35 . 2012-05-13 03:39 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-24_04.02.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-06-24 15:21 44990 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-06-24 21:05 52888 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-11-01 16:59 . 2012-06-24 21:05 11576 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3954081212-4147110348-2042991131-1000_UserData.bin
+ 2012-06-25 03:27 . 2012-06-25 03:27 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\2b97ccae44726f13c418f1406180c3e8\System.Web.DynamicData.Design.ni.dll
+ 2012-06-25 03:31 . 2012-06-25 03:31 2111 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-06-24 04:01 . 2012-06-24 04:01 2111 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-06-24 04:01 . 2012-06-24 04:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-25 03:32 . 2012-06-25 03:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-06-24 04:01 . 2012-06-24 04:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-06-25 03:32 . 2012-06-25 03:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-10-31 22:00 . 2012-06-25 03:13 226976 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2011-10-31 12:48 . 2012-06-24 22:15 233094 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-06-24 03:54 629888 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-25 03:20 629888 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-25 03:20 108814 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-06-24 03:54 108814 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-06-24 04:01 399916 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-06-25 03:31 399916 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-06-25 03:28 . 2012-06-25 03:28 253952 c:\windows\assembly\NativeImages_v4.0.30319_32\WindowsFormsIntegra#\44752ffa92ebb7170951a41898d8b9c6\WindowsFormsIntegration.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 221696 c:\windows\assembly\NativeImages_v4.0.30319_32\System.ServiceProce#\5552b27237c3dbe4f21a10e97adf2edc\System.ServiceProcess.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 626176 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\a730931e386537e3c229e049c9a6d271\System.Messaging.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 148480 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Configuratio#\c7d60a49e43964b1ae17e9a080376c6d\System.Configuration.Install.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 708608 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualStu#\f120c1f17850a7b8d105f22907a09dd0\Microsoft.VisualStudio.Tools.Office.Runtime.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 177152 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualStu#\740410269afdf2276525e1dfd870fee8\Microsoft.VisualStudio.Tools.Office.ContainerControl.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 210432 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualStu#\39817a23777554d968852971b91a4f78\Microsoft.VisualStudio.Tools.Office.Runtime.Internal.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 303104 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas#\8cc4dd9babffe370cf375925fba15f84\Microsoft.VisualBasic.Compatibility.Data.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 864768 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Office.To#\ec9a55a16c6613554d1a7409811b7a2c\Microsoft.Office.Tools.Common.Implementation.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 312320 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Office.To#\d51301867ee19df0d8d5c193bd645afd\Microsoft.Office.Tools.Outlook.Implementation.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 336384 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Office.To#\54ab02cb617ed9070723032361c72de6\Microsoft.Office.Tools.Common.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 152064 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Office.To#\42a5e49641bff019e55a8228560fc541\Microsoft.Office.Tools.Outlook.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 730624 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Office.To#\282f3b9bd8dc8a67787e210a9b0e78e3\Microsoft.Office.Tools.Excel.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 676864 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Office.To#\14ae412fbc10916dda33ce1616a63cf1\Microsoft.Office.Tools.Word.ni.dll
+ 2012-06-24 19:49 . 2012-06-24 19:49 783360 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Messaging\d5d612f7d372f500e3062e3814e79d75\System.Messaging.ni.dll
+ 2012-06-24 19:49 . 2012-06-24 19:49 305664 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fda2f68162063c54d2e669e85de7dfb1\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
+ 2012-06-24 19:49 . 2012-06-24 19:49 311296 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d0e1409da1ca8d7033145e5802027bb4\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll
+ 2012-06-24 19:49 . 2012-06-24 19:49 215040 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\68ba45419e13d1da32fadcb17fea3ebb\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
+ 2012-06-24 19:49 . 2012-06-24 19:49 253952 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\795e07cc078bee3396f1d946f734c871\Microsoft.Office.Tools.v9.0.ni.dll
+ 2012-06-24 19:49 . 2012-06-24 19:49 389120 c:\windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\08c9aa18b306aa47ddc0ae4a63b05d04\ehExtHost.ni.exe
+ 2012-06-25 03:27 . 2012-06-25 03:27 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\f2f8201dd3453250dfd9ed1afce630a0\WindowsFormsIntegration.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 245248 c:\windows\assembly\NativeImages_v2.0.50727_32\TaskScheduler\f3e052584df9c614407da662dd3c3df3\TaskScheduler.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\06e4119a0a3484bb0ca667a16145ce74\System.Web.Routing.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 860160 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\4f13c2c06fb97f6659473f02802b377b\System.Web.Extensions.Design.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 328192 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\bc239944bca7cc6b6ddb473259183c7d\System.Web.Entity.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 301568 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\3701488fb9e601ebe963db25b784d684\System.Web.Entity.Design.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\a09cc9877f51f16a4610b702155e8b70\System.Web.DynamicData.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\c6aad1edcc51862ceb26b6b65dad1490\System.Web.Abstractions.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 723456 c:\windows\assembly\NativeImages_v2.0.50727_32\napsnap\acfafa161ea232928cb02b01c50acf1c\napsnap.ni.dll
+ 2012-06-25 03:13 . 2012-06-25 03:13 117760 c:\windows\assembly\NativeImages_v2.0.50727_32\napinit\0abec246c5ca6ec4858bfd3ab84da0ec\napinit.ni.dll
+ 2012-06-24 19:06 . 2012-06-24 19:06 617472 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e439c12c9e047a5252fc0870a0edad57\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.ni.dll
+ 2012-06-24 19:06 . 2012-06-24 19:06 161280 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\787f2a870ba9d0895455ccd8578f1a20\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.ni.dll
+ 2012-06-24 19:06 . 2012-06-24 19:06 145920 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\54aa66ae5ce18ece1133102c5de4a105\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 4587008 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Form#\7f0476e4df01ca2219f7db531408e91c\System.Windows.Forms.DataVisualization.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 1060864 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Printing\f87f8bc0bc9563096150f23f6c220e7b\System.Printing.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 1880064 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\e899cda47704280f54949c69b78c55cc\System.Deployment.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 3757568 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Activities.P#\36299fad6b7b591cfb6bd9e50dbd33df\System.Activities.Presentation.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 2906624 c:\windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\442af6f7c8b447bdec3ad8d23da89c5a\ReachFramework.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 1641984 c:\windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\cf455da9b8fedf66767c1a7ab3eea9c9\PresentationUI.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 1139712 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas#\2ed0173a2e75b1a3943bd2d96649a50c\Microsoft.VisualBasic.Compatibility.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 1838080 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas#\09c2f8f606e09d85cfe6e0ad89fbe729\Microsoft.VisualBasic.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 1117696 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Office.To#\9656b126c1cc951302d0c6e6f95cab7d\Microsoft.Office.Tools.Word.Implementation.ni.dll
+ 2012-06-25 03:28 . 2012-06-25 03:28 1551872 c:\windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Office.To#\7cfb808ac13b9432c5b771d64ff37f8d\Microsoft.Office.Tools.Excel.Implementation.ni.dll
+ 2012-06-24 19:49 . 2012-06-24 19:49 1516544 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\b2afc0af3d89ae00e973b4e6e9db382c\Microsoft.MediaCenter.ni.dll
+ 2012-06-24 19:49 . 2012-06-24 19:49 8979456 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\653e1ee01f10d658d52ca42e17e74283\Microsoft.MediaCenter.UI.ni.dll
+ 2012-06-24 19:49 . 2012-06-24 19:49 2801664 c:\windows\assembly\NativeImages_v2.0.50727_64\mcstore\cc4844e7242c1e35d145bf2439f944c5\mcstore.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 1358336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\e3e5aa45736b95804bf6bb7eca08a57b\System.WorkflowServices.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 2209792 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\4a90802e36dee6e10d9bf54832cbf549\System.Web.Mobile.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 2404352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c45efc7ec92c1da8e67eb597559ec39c\System.Web.Extensions.ni.dll
+ 2012-06-25 03:27 . 2012-06-25 03:27 2623488 c:\windows\assembly\NativeImages_v2.0.50727_32\Narrator\17add09c98fa34255142d42697db53df\Narrator.ni.exe
+ 2012-06-24 19:06 . 2012-06-24 19:06 1545216 c:\windows\assembly\NativeImages_v2.0.50727_32\MMCEx\21abde8efab609732b2ade3f05234e79\MMCEx.ni.dll
+ 2012-06-24 19:06 . 2012-06-24 19:06 1670144 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\6c59a14a23f734093e80d6093e25302a\Microsoft.VisualBasic.ni.dll
+ 2011-12-25 04:20 . 2012-06-25 03:31 25250240 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3954081212-4147110348-2042991131-1000-12288.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2010-11-05 407920]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2010-11-05 202096]
"VitaKeyTSR"="c:\program files (x86)\EgisTec BioExcess\EgisTSR.exe" [2010-12-13 383344]
"PLTSR"="c:\program files (x86)\EgisTec Port Locker\EgisPLTSR.exe" [2010-10-22 364400]
"VeriFaceManager"="c:\program files (x86)\Lenovo\VeriFace\PManage.exe" [2011-08-18 329056]
"YouCam Mirage"="c:\program files (x86)\Lenovo\YouCam\YCMMirage.exe" [2010-12-24 136488]
"YouCam Tray"="c:\program files (x86)\Lenovo\YouCam\YouCam.exe" [2010-12-24 224352]
"UpdateP2GShortCut"="c:\program files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2010-07-26 222504]
"UpdatePRCShortCut"="c:\program files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-13 222504]
.
c:\users\jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Personal Coach.lnk - c:\program files (x86)\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2012-1-26 2392064]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2011-2-25 15776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-18 136176]
R3 cphs;Intel® Content Protection HECI Service;c:\windows\SysWow64\IntelCpHeciSvc.exe [2012-03-20 276248]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-18 136176]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 fbfmon;fbfmon;c:\windows\system32\drivers\fbfmon.sys [x]
S0 LHDmgr;LHDmgr;c:\windows\System32\DRIVERS\LhdX64.sys [x]
S1 BPntDrv;BPntDrv;c:\windows\system32\drivers\BPntDrv.sys [x]
S1 EgisTecFF;EgisTecFF;c:\windows\system32\DRIVERS\EgisTecFF.sys [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [x]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [x]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 EgisTec Service Help;EgisTec Service Help;c:\program files (x86)\EgisTec Port Locker\Egishlpsvc.exe [2010-10-22 327024]
S2 EgisTec Service;EgisTec Service;c:\program files (x86)\EgisTec BioExcess\EgisService.exe [2010-12-13 703856]
S2 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2010-12-13 650096]
S2 FPSensor;EgisTec-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\Drivers\FPSensor.sys [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-20 2656280]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 S6000KNT;S6000KNT_WebCam Driver;c:\windows\system32\Drivers\S6000KNT.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-18 07:18]
.
2012-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-18 07:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2011-08-18 07:10 1508192 ----a-w- c:\windows\System32\IcnOvrly.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-04 11772520]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2011-08-18 9769888]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\Utility.exe" [2011-08-18 5908928]
"Lenovo EE Boot Optimizer"="c:\program files (x86)\Lenovo\Boot Optimizer\PopWnd.exe" [2011-08-18 114688]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-03-20 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-03-20 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-03-20 439064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig
mStart Page = hxxp://lenovo.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\jackson\AppData\Roaming\Mozilla\Firefox\Profiles\0egacim5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{B2BF7B3F-BF0B-4C48-AEC6-F92C51BE63E1} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-06-24 20:46:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-25 03:46
ComboFix2.txt 2012-06-24 04:07
.
Pre-Run: 231,047,159,808 bytes free
Post-Run: 230,948,859,904 bytes free
.
- - End Of File - - 873569ED760A1C55B657DF70F8BE6A9C

3. FSS log

Scan result of Farbar Recovery Scan Tool Version: 19-06-2012
Ran by SYSTEM at 24-06-2012 20:51:33
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11772520 2011-01-04] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2538280 2010-12-22] (Synaptics Incorporated)
HKLM\...\Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9769888 2011-08-17] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2011-08-17] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-08-17] (Lenovo)
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [170264 2012-03-19] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [398616 2012-03-19] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [439064 2012-03-19] (Intel Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [407920 2010-11-05] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [202096 2010-11-05] (Egis Technology Inc.)
HKLM-x32\...\Run: [VitaKeyTSR] C:\Program Files (x86)\EgisTec BioExcess\EgisTSR.exe /run [383344 2010-12-13] (Egis Technology Inc. )
HKLM-x32\...\Run: [PLTSR] "C:\Program Files (x86)\EgisTec Port Locker\EgisPLTSR.exe" [364400 2010-10-22] (Egis Technology Inc. )
HKLM-x32\...\Run: [VeriFaceManager] C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [329056 2011-08-17] (Lenovo)
HKLM-x32\...\Run: [YouCam Mirage] "C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe" [136488 2010-12-24] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] "C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe" /s [224352 2010-12-24] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0" [222504 2010-07-26] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)
HKU\Sherry\...\Run: [Best Buy pc app] C:\Users\Sherry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms [398 2012-03-31] ()
HKU\Sherry\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-08-17] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
ShortcutTarget: Personal Coach.lnk -> C:\Program Files (x86)\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe (TLC Education Properties LLC)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\jackson\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
3 cphs; C:\Windows\SysWow64\IntelCpHeciSvc.exe [276248 2012-03-19] (Intel Corporation)
2 EgisTec Service; "C:\Program Files (x86)\EgisTec BioExcess\EgisService.exe" [703856 2010-12-13] (Egis Technology Inc. )
2 EgisTec Service Help; "C:\Program Files (x86)\EgisTec Port Locker\Egishlpsvc.exe" [327024 2010-10-22] (Egis Technology Inc. )
2 EgisTec Ticket Service; "C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe" [650096 2010-12-13] (Egis Technology Inc. )
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2010-12-20] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 ACPIVPC; C:\Windows\System32\Drivers\ACPIVPC.sys [29792 2011-08-17] (Lenovo Corporation)
1 BPntDrv; C:\Windows\System32\Drivers\BPntDrv.sys [13408 2011-08-17] (Lenovo)
3 clwvd; C:\Windows\System32\Drivers\clwvd.sys [31088 2010-12-24] (CyberLink Corporation)
1 EgisTecFF; C:\Windows\System32\Drivers\EgisTecFF.sys [55880 2011-08-17] (Egis Technology Inc.)
0 fbfmon; C:\Windows\System32\Drivers\fbfmon.sys [57952 2011-08-17] (Lenovo)
2 FPSensor; C:\Windows\System32\Drivers\FPSensor.sys [35952 2010-10-31] (Egis Technology Inc.)
0 LHDmgr; C:\Windows\System32\DRIVERS\LhdX64.sys [39008 2011-08-17] (Lenovo.)
3 RSUSBVSTOR; C:\Windows\System32\Drivers\RtsUVStor.sys [307304 2010-11-29] (Realtek Semiconductor Corp.)
3 S6000KNT; C:\Windows\System32\Drivers\S6000KNT.sys [3293272 2010-12-23] (Windows ® Win 7 DDK provider)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 wsvd; C:\Windows\System32\Drivers\wsvd.sys [121840 2009-07-21] (CyberLink)
3 BcmSqlStartupSvc; [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
2 CLKMSVC10_3A60B698; [x]
2 CLKMSVC10_C3B3B687; [x]
2 DriverService; [x]
2 IAStorDataMgrSvc; [x]
2 iATAgentService; [x]
2 idealife Update Service; [x]
3 IGRS; [x]
2 IviRegMgr; [x]
2 nvUpdatusService; [x]
2 Oasis2Service; [x]
2 PCCarerService; [x]
2 ReadyComm.DirectRouter; [x]
2 RichVideo; [x]
2 RtLedService; [x]
2 SeaPort; [x]
2 SoftwareService; [x]
3 SQLWriter; [x]
2 Stereo Service; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-24 19:15 - 2012-06-23 19:51 - 04566424 ____R (Swearware) C:\Users\jackson\Desktop\ComboFix.exe
2012-06-24 08:41 - 2012-06-24 08:41 - 00000000 ____D C:\Users\jackson\AppData\Local\Lenovo Security Suite
2012-06-23 20:01 - 2012-06-24 19:32 - 00001098 ____A C:\Windows\PFRO.log
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\COMPONENTS.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\COMPONENTS.tmp.LOG1
2012-06-23 19:52 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-23 19:52 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-23 19:52 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-23 19:52 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-23 19:52 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-23 19:52 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-23 19:52 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-23 19:52 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-23 19:51 - 2012-06-24 19:46 - 00000000 ____D C:\Qoobox
2012-06-23 19:51 - 2012-06-23 20:05 - 00000000 ____D C:\Windows\erdnt
2012-06-23 19:50 - 2012-06-23 19:51 - 04566424 ____R (Swearware) C:\Users\jackson\Downloads\ComboFix.exe
2012-06-19 13:54 - 2012-06-24 20:51 - 00000000 ____D C:\FRST
2012-06-19 13:24 - 2012-06-24 19:49 - 00241083 ____A C:\Windows\WindowsUpdate.log
2012-06-19 12:42 - 2012-06-24 19:32 - 00003214 ____A C:\Windows\setupact.log
2012-06-19 12:42 - 2012-06-19 12:42 - 00000000 ____A C:\Windows\setuperr.log
2012-06-16 19:30 - 2012-06-17 10:12 - 00001240 ____A C:\Users\jackson\Desktop\FixExec.txt
2012-06-16 19:30 - 2012-06-16 19:30 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\jackson\Downloads\FixExec.exe
2012-06-16 19:21 - 2012-06-16 19:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-16 19:21 - 2012-06-16 19:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-16 19:06 - 2012-05-04 03:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-06-16 19:06 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-06-16 18:54 - 2012-06-16 18:54 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Users\jackson\AppData\Roaming\SUPERAntiSpyware.com
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-06-16 17:58 - 2012-06-23 20:34 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-06-16 17:58 - 2012-06-16 17:59 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-06-16 17:58 - 2012-06-16 17:58 - 00001262 ____A C:\Users\Public\Desktop\Spybot - Search & Destroy.lnk
2012-06-16 17:44 - 2012-06-16 17:44 - 00000000 ____D C:\Users\jackson\AppData\Roaming\Malwarebytes
2012-06-16 17:40 - 2012-06-16 17:40 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-16 17:40 - 2012-06-16 17:40 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-16 17:40 - 2012-06-16 17:40 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-16 17:40 - 2012-04-04 14:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-16 17:38 - 2012-06-19 12:33 - 00000361 ____A C:\rkill.log
2012-06-16 13:52 - 2012-06-16 13:52 - 00000000 ____D C:\Windows\Sun
2012-06-15 18:52 - 2012-06-15 18:52 - 00326893 ____A C:\Users\jackson\Documents\cruse to Alaska.pdf
2012-06-13 10:45 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-13 10:45 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-13 10:45 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-13 10:45 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-13 10:45 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-13 10:45 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-13 10:45 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-13 10:45 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-13 10:45 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-13 10:45 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-13 10:45 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-13 10:45 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-13 10:45 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-13 10:45 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 10:45 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-13 10:45 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-13 10:45 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-13 10:45 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-13 10:45 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-13 10:45 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-13 10:45 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-13 10:45 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-13 10:45 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-13 10:45 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-13 10:45 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-13 10:45 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-13 10:45 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-13 10:45 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-13 10:32 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 10:32 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-13 10:32 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-13 10:32 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-13 10:32 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-13 10:32 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 10:32 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 10:32 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-13 10:31 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 10:31 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-13 10:31 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-13 10:31 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-13 10:31 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-13 10:31 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-13 10:31 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-13 10:31 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-13 10:31 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-08 14:18 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-08 14:18 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-08 14:18 - 2012-06-02 14:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-08 14:18 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-08 14:18 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-08 14:18 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-08 14:18 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-08 14:18 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-08 14:18 - 2012-06-02 14:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-03 12:53 - 2012-06-03 12:53 - 00697961 ____A C:\Users\jackson\Documents\17hpgreens.pdf
2012-05-26 08:14 - 2012-05-27 12:38 - 00000000 ____D C:\Users\jackson\AppData\Local\Conduit
2012-05-26 08:14 - 2012-05-26 08:14 - 00000000 ____D C:\Program Files (x86)\Conduit


============ 3 Months Modified Files and Folders =============

2012-06-24 20:51 - 2012-06-19 13:54 - 00000000 ____D C:\FRST
2012-06-24 19:49 - 2012-06-19 13:24 - 00241083 ____A C:\Windows\WindowsUpdate.log
2012-06-24 19:49 - 2011-08-17 23:10 - 01115132 ____A C:\FaceProv.log
2012-06-24 19:46 - 2012-06-24 19:46 - 00032520 ____A C:\ComboFix.txt
2012-06-24 19:46 - 2012-06-23 19:51 - 00000000 ____D C:\Qoobox
2012-06-24 19:40 - 2009-07-13 20:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-24 19:40 - 2009-07-13 20:45 - 00021280 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-24 19:39 - 2009-07-13 21:13 - 00734750 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-24 19:33 - 2011-08-17 23:23 - 00283109 ____A C:\Windows\System32\fastboot.set
2012-06-24 19:33 - 2011-08-17 23:10 - 00000000 ____D C:\Users\All Users\VeriFace
2012-06-24 19:33 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-06-24 19:33 - 2009-07-13 18:34 - 00000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-06-24 19:32 - 2012-06-23 20:01 - 00001098 ____A C:\Windows\PFRO.log
2012-06-24 19:32 - 2012-06-19 12:42 - 00003214 ____A C:\Windows\setupact.log
2012-06-24 19:32 - 2011-08-17 23:18 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-24 19:32 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-24 19:31 - 2011-08-17 23:19 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-24 08:41 - 2012-06-24 08:41 - 00000000 ____D C:\Users\jackson\AppData\Local\Lenovo Security Suite
2012-06-23 20:34 - 2012-06-16 17:58 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-06-23 20:07 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
2012-06-23 20:05 - 2012-06-23 19:51 - 00000000 ____D C:\Windows\erdnt
2012-06-23 20:02 - 2009-07-13 21:08 - 00032656 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-23 20:01 - 2009-07-13 18:34 - 61603840 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-06-23 20:01 - 2009-07-13 18:34 - 44040192 ____A C:\Windows\System32\config\COMPONENTS.bak
2012-06-23 20:01 - 2009-07-13 18:34 - 23068672 ____A C:\Windows\System32\config\SYSTEM.bak
2012-06-23 20:01 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\SECURITY.bak
2012-06-23 20:01 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\SAM.bak
2012-06-23 20:01 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bak
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\COMPONENTS.tmp.LOG2
2012-06-23 20:00 - 2012-06-23 20:00 - 00000000 __ASH C:\Windows\System32\config\COMPONENTS.tmp.LOG1
2012-06-23 19:51 - 2012-06-24 19:15 - 04566424 ____R (Swearware) C:\Users\jackson\Desktop\ComboFix.exe
2012-06-23 19:51 - 2012-06-23 19:50 - 04566424 ____R (Swearware) C:\Users\jackson\Downloads\ComboFix.exe
2012-06-19 12:42 - 2012-06-19 12:42 - 00000000 ____A C:\Windows\setuperr.log
2012-06-19 12:33 - 2012-06-16 17:38 - 00000361 ____A C:\rkill.log
2012-06-17 10:12 - 2012-06-16 19:30 - 00001240 ____A C:\Users\jackson\Desktop\FixExec.txt
2012-06-16 19:30 - 2012-06-16 19:30 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\jackson\Downloads\FixExec.exe
2012-06-16 19:21 - 2012-06-16 19:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-16 19:21 - 2012-06-16 19:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-16 19:21 - 2011-10-31 03:42 - 00748900 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-16 19:21 - 2011-10-31 03:42 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-16 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-06-16 18:54 - 2012-06-16 18:54 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Users\jackson\AppData\Roaming\SUPERAntiSpyware.com
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-06-16 18:54 - 2012-06-16 18:54 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-06-16 17:59 - 2012-06-16 17:58 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-06-16 17:58 - 2012-06-16 17:58 - 00001262 ____A C:\Users\Public\Desktop\Spybot - Search & Destroy.lnk
2012-06-16 17:56 - 2011-12-07 17:36 - 00000000 ____D C:\Windows\Minidump
2012-06-16 17:44 - 2012-06-16 17:44 - 00000000 ____D C:\Users\jackson\AppData\Roaming\Malwarebytes
2012-06-16 17:40 - 2012-06-16 17:40 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-16 17:40 - 2012-06-16 17:40 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-16 17:40 - 2012-06-16 17:40 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-16 14:04 - 2011-12-29 18:24 - 00000979 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-16 13:52 - 2012-06-16 13:52 - 00000000 ____D C:\Windows\Sun
2012-06-15 18:52 - 2012-06-15 18:52 - 00326893 ____A C:\Users\jackson\Documents\cruse to Alaska.pdf
2012-06-13 15:43 - 2009-07-13 20:45 - 00427784 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 15:41 - 2012-01-26 16:44 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-13 15:35 - 2011-11-05 21:46 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-09 10:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-06-09 10:12 - 2012-04-14 16:04 - 00000000 ____D C:\Users\jackson\Documents\Youcam
2012-06-03 12:53 - 2012-06-03 12:53 - 00697961 ____A C:\Users\jackson\Documents\17hpgreens.pdf
2012-06-02 14:19 - 2012-06-08 14:18 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-08 14:18 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-08 14:18 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-08 14:18 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-08 14:18 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-08 14:18 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-08 14:18 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-08 14:18 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-08 14:18 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-27 12:38 - 2012-05-26 08:14 - 00000000 ____D C:\Users\jackson\AppData\Local\Conduit
2012-05-26 08:14 - 2012-05-26 08:14 - 00000000 ____D C:\Program Files (x86)\Conduit
2012-05-18 09:04 - 2012-01-26 08:10 - 00000000 ____D C:\Users\jackson\AppData\Roaming\.purple
2012-05-17 18:47 - 2012-06-13 10:45 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-13 10:45 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-13 10:45 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-13 10:45 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-13 10:45 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-13 10:45 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 17:58 - 2012-06-13 10:45 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 17:56 - 2012-06-13 10:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 17:55 - 2012-06-13 10:45 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 17:55 - 2012-06-13 10:45 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 17:54 - 2012-06-13 10:45 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 17:51 - 2012-06-13 10:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 17:51 - 2012-06-13 10:45 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 17:47 - 2012-06-13 10:45 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 15:11 - 2012-06-13 10:45 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 14:48 - 2012-06-13 10:45 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 14:45 - 2012-06-13 10:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 14:36 - 2012-06-13 10:45 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 14:35 - 2012-06-13 10:45 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 14:35 - 2012-06-13 10:45 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 14:33 - 2012-06-13 10:45 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 14:31 - 2012-06-13 10:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 14:29 - 2012-06-13 10:45 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 14:29 - 2012-06-13 10:45 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 14:27 - 2012-06-13 10:45 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 14:25 - 2012-06-13 10:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 14:24 - 2012-06-13 10:45 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 14:20 - 2012-06-13 10:45 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 20:17 - 2012-05-14 20:17 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-14 20:17 - 2012-05-14 20:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-14 17:32 - 2012-06-13 10:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-12 20:30 - 2011-02-22 03:42 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-06 07:12 - 2012-05-06 07:12 - 01140740 ____A C:\Users\jackson\Documents\pdf77712508dpi300.pdf
2012-05-04 03:06 - 2012-06-13 10:32 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 03:00 - 2012-06-16 19:06 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-05-04 02:03 - 2012-06-13 10:32 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-13 10:32 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-04 01:59 - 2012-06-16 19:06 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-04-30 21:40 - 2012-06-13 10:32 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-28 08:47 - 2012-04-28 08:47 - 00000000 ____D C:\Users\jackson\Documents\geneology
2012-04-27 19:55 - 2012-06-13 10:31 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 21:41 - 2012-06-13 10:32 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 21:41 - 2012-06-13 10:32 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 21:34 - 2012-06-13 10:32 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 21:37 - 2012-06-13 10:31 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 21:37 - 2012-06-13 10:31 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 21:37 - 2012-06-13 10:31 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 20:36 - 2012-06-13 10:31 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 20:36 - 2012-06-13 10:31 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 20:36 - 2012-06-13 10:31 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-16 16:31 - 2011-11-21 17:00 - 00000000 ____D C:\Users\jackson\AppData\Local\EgisTec
2012-04-14 16:04 - 2012-04-14 16:04 - 00000000 ____D C:\Users\jackson\AppData\Roaming\CyberLink
2012-04-14 16:04 - 2012-04-14 16:04 - 00000000 ____D C:\Users\jackson\AppData\Local\CyberLink
2012-04-14 16:04 - 2012-04-14 16:04 - 00000000 ____D C:\Users\All Users\CyberLink
2012-04-13 20:29 - 2012-04-13 20:29 - 00000000 ____D C:\Users\Sherry\AppData\Local\Best Buy pc app
2012-04-13 20:29 - 2012-03-31 07:42 - 00000000 ____D C:\Users\Sherry\AppData\Local\Deployment
2012-04-13 20:06 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-04-07 11:16 - 2010-11-20 18:50 - 00000000 ____D C:\users\Administrator
2012-04-07 04:31 - 2012-06-13 10:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-07 03:26 - 2012-06-13 10:31 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-04-04 14:56 - 2012-06-16 17:40 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-31 08:22 - 2012-03-31 07:44 - 00000000 ____D C:\Users\Sherry\AppData\Local\Google
2012-03-31 07:45 - 2012-03-31 07:45 - 00000000 ____D C:\Users\Sherry\AppData\Roaming\Google
2012-03-31 07:45 - 2012-03-31 07:45 - 00000000 ____D C:\Users\Sherry\AppData\Roaming\Adobe
2012-03-31 07:44 - 2012-03-31 07:44 - 00000000 ____D C:\Users\Sherry\AppData\Local\EgisTec
2012-03-31 07:43 - 2012-03-31 07:43 - 00000398 ____A C:\Users\Sherry\Desktop\pc app.appref-ms
2012-03-31 07:42 - 2012-03-31 07:42 - 00111648 ____A C:\Users\Sherry\AppData\Local\GDIPFONTCACHEV1.DAT
2012-03-31 07:42 - 2012-03-31 07:42 - 00002086 ____A C:\Users\Sherry\Desktop\OneKey Recovery.lnk
2012-03-31 07:42 - 2012-03-31 07:42 - 00001122 ____A C:\Users\Sherry\Desktop\Cyberlink Power2Go.lnk
2012-03-31 07:42 - 2012-03-31 07:42 - 00000020 ___SH C:\Users\Sherry\ntuser.ini
2012-03-31 07:42 - 2012-03-31 07:42 - 00000000 ___HD C:\Users\Sherry\AppData\Roaming\Broderbund
2012-03-31 07:42 - 2012-03-31 07:42 - 00000000 ____D C:\Users\Sherry\AppData\Local\EgisTec IPS
2012-03-31 07:42 - 2012-03-31 07:42 - 00000000 ____D C:\Users\Sherry\AppData\Local\BioExcess
2012-03-31 07:42 - 2012-03-31 07:42 - 00000000 ____D C:\Users\Sherry\AppData\Local\Apps\2.0
2012-03-31 07:42 - 2012-03-31 07:42 - 00000000 ____D C:\users\Sherry
2012-03-30 03:35 - 2012-05-12 19:39 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 18%
Total physical RAM: 2986.17 MB
Available physical RAM: 2425.95 MB
Total Pagefile: 2984.37 MB
Available Pagefile: 2413.44 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:254.14 GB) (Free:215.18 GB) NTFS
2 Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:26.8 GB) NTFS
4 Drive g: (KINGSTON) (Removable) (Total:3.74 GB) (Free:1.55 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: () (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB  1024 KB
  Disk 1    Online         3836 MB     0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            200 MB  1024 KB
  Partition 2    Primary            254 GB   201 MB
  Partition 0    Extended            28 GB   254 GB
  Partition 4    Logical             28 GB   254 GB
  Partition 3    OEM                 14 GB   283 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y                NTFS   Partition    200 MB  Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    254 GB  Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   LENOVO       NTFS   Partition     28 GB  Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 12
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5          LENOVO_PART  NTFS   Partition     14 GB  Healthy    Hidden

======================================================================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3835 MB   4096 B

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G   KINGSTON     FAT32  Removable   3835 MB  Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-09 10:42

======================= End Of Log ==========================

4. I am not seeing any issues with the laptop now, except for that Windows update. Seems to be working pretty well! :)

#9 SweetTech (Agent ST)

Posted 25 June 2012 - 12:49 AM

Hello again!

1. Again, thank you very much for your help. MSE somehow started working today before I did any of your steps. One Windows update is failing, encounters an unknown error, but I am not sure if the issue lies in the virus now. It seems to be running pretty well!

Glad to be of assistance. :)

Do you happen to have the error code Windows Update is failing with?

It looks like you posted the FRST log file.

I needed the one that's from the Farbar Service Scanner tool.

Try the following:

Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


NEXT:


Lets see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable your on-board anti-virus and anti-spyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. Farbar Service Scanner log file.
3. MalwareBytes' Anti-Malware log file.
4. ESET Online Virus Scan log file.
5. SecurityCheck log file.
6. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#10 shvidky (Topic Starter)

Posted 30 June 2012 - 02:54 AM

1. Hi there. Sorry it took so long to respond. Had to get a hold of the laptop again.

2. Farbar Service Scanner log file.
Farbar Service Scanner Version: 25-06-2012 01
Ran by jackson (administrator) on 29-06-2012 at 19:43:47
Running from "E:\"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

3. MalwareBytes' Anti-Malware log file.
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.29.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
jackson :: JACKSON-PC [administrator]

6/29/2012 8:10:33 PM
mbam-log-2012-06-29 (20-10-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 249204
Time elapsed: 4 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

4. ESET Online Virus Scan log file.
ESET didn't detect anything and it didn't provide me with the log file to export.

5. SecurityCheck log file.
Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 29
Java version out of Date!
Adobe Reader X (10.1.3)
Mozilla Firefox (7.0.1)
Google Chrome 19.0.1084.52
Google Chrome 19.0.1084.56
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Spybot Teatimer.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

6. An update on how your computer is currently running.

I think it is running pretty well, I don't think there are any issues right now. Code for the Windows update error is 800B0100.

#11 SweetTech (Agent ST)

Posted 30 June 2012 - 07:05 AM

Hi shvidky!

No worries on the delay.

I think it is running pretty well, I don't think there are any issues right now. Code for the Windows update error is 800B0100.

Please see the suggestion in this link here:

http://windows.microsoft.com/en-US/windows-vista/Windows-Update-error-800B0100

____________________________________________________
From the looks of your SecurityCheck log, I can see that we have some outdated programs that need to be updated.

Let's address those programs that need updating now!

Java Outdated

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform:
    • 32-bit Select: Windows x86 Offline.
    • 64-bit Select: Windows x64.
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs (or Programs and Features in Vista/Windows 7) and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u4-windows-i586-s.exe (or jre-7u4-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


NEXT



Update FireFox
You're currently using an outdated version of Firefox. The latest version of Firefox is 13.0.1

You can get the latest version of Firefox by accessing the Posted Image menu in Firefox and then selecting About.

Please make sure that you check for updates again by selecting the About menu after updating to the latest version, to make sure that you have in fact received the latest version.


NEXT:


OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    :Commands
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %systemroot%\*. /rp /s
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?

Edited by SweetTech, 30 June 2012 - 07:07 AM.



#12 shvidky (Topic Starter)

Posted 06 July 2012 - 05:23 PM

Hi SweetTech,

1. Updated Java and FF
2. OTL Fix Log

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56475 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: jackson
->Temp folder emptied: 153390 bytes
->Temporary Internet Files folder emptied: 7490115 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 42254108 bytes
->Google Chrome cache emptied: 12778765 bytes
->Flash cache emptied: 57419 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Sherry
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4995 bytes
->Flash cache emptied: 57316 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 179042 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 52367032 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 110.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: jackson
->Flash cache emptied: 0 bytes

User: Public

User: Sherry
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.53.1 log created on 07062012_141658

Files\Folders moved on Reboot...
C:\Users\jackson\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\jackson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\jackson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3PW3NAXJ\ads[1].htm moved successfully.
C:\Users\jackson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3PW3NAXJ\search[1].htm moved successfully.

PendingFileRenameOperations files...
File C:\Users\jackson\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Users\jackson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat not found!
File C:\Users\jackson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3PW3NAXJ\ads[1].htm not found!
File C:\Users\jackson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3PW3NAXJ\search[1].htm not found!

Registry entries deleted on Reboot...

3. OTL Custom Scan Log
OTL logfile created on: 7/6/2012 2:28:44 PM - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\jackson\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.92 Gb Total Physical Memory | 1.72 Gb Available Physical Memory | 58.96% Memory free
5.83 Gb Paging File | 4.54 Gb Available in Paging File | 77.84% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 254.14 Gb Total Space | 215.50 Gb Free Space | 84.80% Space Free | Partition Type: NTFS
Drive D: | 29.00 Gb Total Space | 26.80 Gb Free Space | 92.43% Space Free | Partition Type: NTFS
Drive E: | 3.74 Gb Total Space | 1.55 Gb Free Space | 41.39% Space Free | Partition Type: FAT32

Computer Name: JACKSON-PC | User Name: jackson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/06 14:13:20 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\jackson\Downloads\OTL.exe
PRC - [2012/01/03 06:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/10/01 08:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 08:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2011/08/18 00:10:10 | 000,329,056 | ---- | M] (Lenovo) -- C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
PRC - [2010/12/24 04:19:36 | 000,136,488 | ---- | M] (CyberLink) -- C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
PRC - [2010/12/20 03:30:38 | 002,656,280 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2010/12/20 03:30:36 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2010/12/13 16:59:28 | 000,703,856 | ---- | M] (Egis Technology Inc. ) -- C:\Program Files (x86)\EgisTec BioExcess\EgisService.exe
PRC - [2010/12/13 16:58:32 | 000,650,096 | ---- | M] (Egis Technology Inc. ) -- C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe
PRC - [2010/12/13 16:58:20 | 000,383,344 | ---- | M] (Egis Technology Inc. ) -- C:\Program Files (x86)\EgisTec BioExcess\EgisTSR.exe
PRC - [2010/11/05 11:54:36 | 000,407,920 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
PRC - [2010/11/05 11:54:24 | 000,202,096 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
PRC - [2010/10/22 07:37:42 | 000,364,400 | ---- | M] (Egis Technology Inc. ) -- C:\Program Files (x86)\EgisTec Port Locker\EgisPLTSR.exe
PRC - [2010/10/22 07:37:24 | 000,327,024 | ---- | M] (Egis Technology Inc. ) -- C:\Program Files (x86)\EgisTec Port Locker\Egishlpsvc.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2002/08/30 12:02:58 | 002,392,064 | ---- | M] (TLC Education Properties LLC) -- C:\Program Files (x86)\Broderbund\Mavis Beacon Teaches Typing 15\MiniMavis.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/18 00:10:10 | 000,013,664 | ---- | M] () -- C:\Program Files (x86)\Lenovo\VeriFace\ChooseLang.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2011/08/11 16:38:04 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe -- (!SASCORE)
SRV:64bit: - [2010/09/22 11:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/07/06 14:13:12 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/03/19 23:44:20 | 000,276,248 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe -- (cphs) Intel®
SRV - [2012/01/03 06:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/10/01 08:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 08:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2010/12/20 03:30:38 | 002,656,280 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2010/12/20 03:30:36 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2010/12/13 16:59:28 | 000,703,856 | ---- | M] (Egis Technology Inc. ) [Auto | Running] -- C:\Program Files (x86)\EgisTec BioExcess\EgisService.exe -- (EgisTec Service)
SRV - [2010/12/13 16:58:32 | 000,650,096 | ---- | M] (Egis Technology Inc. ) [Auto | Running] -- C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe -- (EgisTec Ticket Service)
SRV - [2010/10/22 07:37:24 | 000,327,024 | ---- | M] (Egis Technology Inc. ) [Auto | Running] -- C:\Program Files (x86)\EgisTec Port Locker\Egishlpsvc.exe -- (EgisTec Service Help)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/03/19 23:32:04 | 014,745,600 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2012/02/29 23:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/10/01 08:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2011/10/01 08:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2011/10/01 08:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2011/10/01 08:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2011/08/18 00:23:30 | 000,057,952 | ---- | M] (Lenovo) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\fbfmon.sys -- (fbfmon)
DRV:64bit: - [2011/08/18 00:23:30 | 000,013,408 | ---- | M] (Lenovo) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\BPntDrv.sys -- (BPntDrv)
DRV:64bit: - [2011/08/18 00:21:33 | 000,039,008 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\LhdX64.sys -- (LHDmgr)
DRV:64bit: - [2011/08/18 00:21:30 | 000,029,792 | ---- | M] (Lenovo Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AcpiVpc.sys -- (ACPIVPC)
DRV:64bit: - [2011/08/18 00:09:55 | 000,055,880 | ---- | M] (Egis Technology Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\EgisTecFF.sys -- (EgisTecFF)
DRV:64bit: - [2011/08/18 00:04:03 | 000,062,584 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDVDisk.sys -- (mwlPSDVDisk)
DRV:64bit: - [2011/08/18 00:04:03 | 000,022,912 | ---- | M] (Egis Technology Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDFilter.sys -- (mwlPSDFilter)
DRV:64bit: - [2011/08/18 00:04:03 | 000,020,328 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDNserv.sys -- (mwlPSDNServ)
DRV:64bit: - [2011/07/22 09:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 14:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/06/10 06:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/03/10 23:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/10 23:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/02/18 01:11:54 | 000,439,320 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2010/12/24 04:19:56 | 000,031,088 | ---- | M] (CyberLink Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\clwvd.sys -- (clwvd)
DRV:64bit: - [2010/12/23 09:45:58 | 003,293,272 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\S6000KNT.sys -- (S6000KNT)
DRV:64bit: - [2010/12/22 05:19:58 | 001,407,024 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2010/11/29 23:40:04 | 000,307,304 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rtsuvstor.sys -- (RSUSBVSTOR)
DRV:64bit: - [2010/11/24 04:33:26 | 002,673,664 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2010/11/20 20:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 20:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 20:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/10/31 03:36:56 | 000,035,952 | ---- | M] (Egis Technology Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\FPSensor.sys -- (FPSensor) EgisTec-Corp Fingerprint Reader Driver (FPSensor.sys)
DRV:64bit: - [2010/10/19 01:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) Intel®
DRV:64bit: - [2010/10/14 10:28:16 | 000,317,440 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud) Intel®
DRV:64bit: - [2009/07/21 07:20:06 | 000,121,840 | ---- | M] (CyberLink) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wsvd.sys -- (wsvd)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2008/04/16 14:49:34 | 000,028,416 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{29DC8356-26E4-4EB2-9B2A-CF9336C5A442}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3209604
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\windows\system32\npDeployJava1.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@hulu.com/Hulu Desktop: C:\Users\jackson\AppData\Local\HuluDesktop\instances\0.9.14.1\npHDPlg.dll (Hulu LLC)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{41ecbc0b-34d5-4cd4-935f-253a30e2cb7e}: C:\Program Files (x86)\EgisTec BioExcess\FFExt [2011/08/18 00:03:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/07/06 14:13:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2011/11/20 21:50:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jackson\AppData\Roaming\mozilla\Extensions
[2012/07/06 12:30:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/07/06 14:13:12 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/07/06 14:13:09 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/07/06 14:13:09 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.56\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.56\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.56\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.40.135.1_0\McChPlg.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Windows Live™ Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Best Buy pc app Detector (Enabled) = C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll
CHR - plugin: Hulu Desktop (Enabled) = C:\Users\jackson\AppData\Local\HuluDesktop\instances\0.9.14.1\npHDPlg.dll
CHR - plugin: Roblox Launcher Plugin (Enabled) = C:\Users\jackson\AppData\Local\Roblox\Versions\version-09a201d8e5f247c7\\NPRobloxProxy.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: McAfee SecurityCenter (Enabled) = c:\progra~2\mcafee\msc\npmcsn~1.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/06/24 20:33:01 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (EgisPBIE Class) - {7B51CCBE-4AF9-44A6-BDAB-D7F7E4C4E6F9} - C:\Program Files (x86)\EgisTec BioExcess\x64\EgisPBIE.dll (Egis Technology Inc.)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (EgisPBIE Class) - {7B51CCBE-4AF9-44A6-BDAB-D7F7E4C4E6F9} - C:\Program Files (x86)\EgisTec BioExcess\EgisPBIE.dll (Egis Technology Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll File not found
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe (Lenovo (Beijing) Limited)
O4:64bit: - HKLM..\Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\utility.exe (Lenovo(beijing) Limited)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe (Lenovo)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [EgisTecPMMUpdate] C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe (Egis Technology Inc.)
O4 - HKLM..\Run: [EgisUpdate] C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe (Egis Technology Inc.)
O4 - HKLM..\Run: [PLTSR] C:\Program Files (x86)\EgisTec Port Locker\EgisPLTSR.exe (Egis Technology Inc. )
O4 - HKLM..\Run: [UpdateP2GShortCut] C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePRCShortCut] C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [VeriFaceManager] C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe (Lenovo)
O4 - HKLM..\Run: [VitaKeyTSR] C:\Program Files (x86)\EgisTec BioExcess\EgisTSR.exe (Egis Technology Inc. )
O4 - HKLM..\Run: [YouCam Mirage] C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe (CyberLink)
O4 - HKLM..\Run: [YouCam Tray] C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe (CyberLink Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Add to Wish List - {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - C:\Program Files (x86)\Amazon\Add to Wish List IE Extension\run.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000010 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.4 10.0.1.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5FD767B6-1A6B-42CF-829E-F7E8EBF0E657}: DhcpNameServer = 10.0.1.4 10.0.1.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E9C3B8FD-0E19-408E-9A7E-115D35A66E69}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\windows\SysNative\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)


Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.clmp3enc - C:\Program Files (x86)\Lenovo\Power2Go\CLMP3Enc.ACM (CyberLink Corp.)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\windows\SysWow64\iccvid.dll (Radius Inc.)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/06 14:16:58 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/07/06 14:13:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2012/07/06 14:13:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/07/06 14:05:43 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/07/06 13:31:52 | 000,000,000 | ---D | C] -- C:\windows\CheckSur
[2012/06/29 21:13:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/06/24 20:46:21 | 000,000,000 | ---D | C] -- C:\windows\temp
[2012/06/24 20:33:11 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/06/24 20:15:25 | 004,566,424 | R--- | C] (Swearware) -- C:\Users\jackson\Desktop\ComboFix.exe
[2012/06/24 09:41:02 | 000,000,000 | ---D | C] -- C:\Users\jackson\AppData\Local\Lenovo Security Suite
[2012/06/23 20:52:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2012/06/23 20:52:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2012/06/23 20:52:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2012/06/23 20:51:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/06/23 20:51:19 | 000,000,000 | ---D | C] -- C:\windows\erdnt
[2012/06/19 14:54:20 | 000,000,000 | ---D | C] -- C:\FRST
[2012/06/16 20:21:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/06/16 20:21:11 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/06/16 19:54:41 | 000,000,000 | ---D | C] -- C:\Users\jackson\AppData\Roaming\SUPERAntiSpyware.com
[2012/06/16 19:54:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/06/16 19:54:32 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/06/16 19:54:32 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/06/16 19:02:02 | 000,000,000 | ---D | C] -- C:\Users\jackson\Documents\antivirus programs
[2012/06/16 18:58:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012/06/16 18:58:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/06/16 18:58:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2012/06/16 18:44:02 | 000,000,000 | ---D | C] -- C:\Users\jackson\AppData\Roaming\Malwarebytes
[2012/06/16 18:40:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/16 18:40:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/06/16 18:40:15 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2012/06/16 18:40:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/06/16 14:52:53 | 000,000,000 | ---D | C] -- C:\windows\Sun

========== Files - Modified Within 30 Days ==========

[2012/07/06 14:31:00 | 000,000,912 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/06 14:26:49 | 000,021,280 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/06 14:26:49 | 000,021,280 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/06 14:26:47 | 000,311,453 | ---- | M] () -- C:\windows\SysNative\fastboot.set
[2012/07/06 14:25:15 | 000,000,908 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/06 14:23:42 | 000,734,750 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2012/07/06 14:23:42 | 000,629,888 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2012/07/06 14:23:42 | 000,108,814 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2012/07/06 14:19:14 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/07/06 14:18:57 | 2348,421,120 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/24 20:33:01 | 000,000,027 | ---- | M] () -- C:\windows\SysNative\drivers\etc\hosts
[2012/06/23 20:51:10 | 004,566,424 | R--- | M] (Swearware) -- C:\Users\jackson\Desktop\ComboFix.exe
[2012/06/16 20:21:21 | 000,001,945 | ---- | M] () -- C:\windows\epplauncher.mif
[2012/06/16 20:21:18 | 000,748,900 | ---- | M] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2012/06/16 19:54:38 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/06/16 18:58:05 | 000,001,286 | ---- | M] () -- C:\Users\jackson\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/06/16 18:58:05 | 000,001,262 | ---- | M] () -- C:\Users\Public\Desktop\Spybot - Search & Destroy.lnk
[2012/06/16 18:40:17 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/16 15:04:48 | 000,000,979 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/06/15 19:52:34 | 000,326,893 | ---- | M] () -- C:\Users\jackson\Documents\cruse to Alaska.pdf
[2012/06/13 16:43:17 | 000,427,784 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
[2012/06/09 11:12:56 | 000,028,370 | ---- | M] () -- C:\Users\jackson\Documents\Snapshot_20120609.JPG

========== Files Created - No Company Name ==========

[2012/06/23 20:52:09 | 000,256,000 | ---- | C] () -- C:\windows\PEV.exe
[2012/06/23 20:52:09 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe
[2012/06/23 20:52:09 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2012/06/23 20:52:09 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2012/06/23 20:52:09 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2012/06/16 20:21:20 | 000,001,915 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/06/16 19:54:38 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/06/16 18:58:09 | 000,001,262 | ---- | C] () -- C:\Users\Public\Desktop\Spybot - Search & Destroy.lnk
[2012/06/16 18:58:05 | 000,001,286 | ---- | C] () -- C:\Users\jackson\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/06/16 18:40:17 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/15 19:52:33 | 000,326,893 | ---- | C] () -- C:\Users\jackson\Documents\cruse to Alaska.pdf
[2012/06/09 11:13:22 | 000,028,370 | ---- | C] () -- C:\Users\jackson\Documents\Snapshot_20120609.JPG
[2012/03/19 23:31:16 | 000,963,912 | ---- | C] () -- C:\windows\SysWow64\igkrng600.bin
[2012/03/19 23:31:16 | 000,261,208 | ---- | C] () -- C:\windows\SysWow64\igfcg600m.bin
[2012/03/19 23:25:58 | 000,058,880 | ---- | C] () -- C:\windows\SysWow64\igdde32.dll
[2012/03/19 22:21:14 | 013,212,672 | ---- | C] () -- C:\windows\SysWow64\ig4icd32.dll
[2012/01/26 09:11:57 | 000,000,030 | ---- | C] () -- C:\windows\mavis15.INI
[2012/01/26 08:53:27 | 000,000,000 | ---- | C] () -- C:\windows\Mavis Beacon Teaches Typing.INI
[2011/10/31 04:42:27 | 000,748,900 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2011/08/18 08:53:33 | 000,300,328 | ---- | C] () -- C:\windows\it50.dll
[2011/08/18 08:53:33 | 000,259,368 | ---- | C] () -- C:\windows\FastBR.dll
[2011/08/18 08:53:33 | 000,259,368 | ---- | C] () -- C:\windows\CopyFile.dll
[2011/08/18 08:53:33 | 000,218,408 | ---- | C] () -- C:\windows\Image.dll
[2011/08/18 08:53:33 | 000,202,024 | ---- | C] () -- C:\windows\HardDisk.dll
[2011/08/18 08:53:33 | 000,177,448 | ---- | C] () -- C:\windows\disk.dll
[2011/08/18 08:53:33 | 000,003,443 | ---- | C] () -- C:\windows\UTILITYDRV.SYS
[2011/08/18 08:53:32 | 000,110,592 | ---- | C] () -- C:\windows\BootseqwWmi.exe
[2011/08/18 08:53:32 | 000,081,920 | ---- | C] () -- C:\windows\Bootseqw32.exe
[2011/08/18 08:53:32 | 000,049,152 | ---- | C] () -- C:\windows\CHGBOOTW.EXE
[2011/08/18 08:53:32 | 000,008,704 | ---- | C] () -- C:\windows\Access32.sys
[2011/08/18 00:10:14 | 002,086,240 | ---- | C] () -- C:\windows\SysWow64\LenovoVeriface.Interface.dll
[2011/08/18 00:10:14 | 001,500,512 | ---- | C] () -- C:\windows\SysWow64\Apblend.dll
[2011/08/18 00:10:14 | 001,171,456 | ---- | C] () -- C:\windows\SysWow64\PicNotify.dll
[2011/08/18 00:10:14 | 000,472,416 | ---- | C] () -- C:\windows\SysWow64\Lenovo.VerifaceStub.dll
[2011/08/18 00:10:08 | 001,044,480 | ---- | C] () -- C:\windows\SysWow64\3DImageRenderer.dll
[2011/08/17 23:57:30 | 000,015,190 | ---- | C] () -- C:\windows\S6000Twn.ini
[2011/04/14 22:29:01 | 000,066,856 | ---- | C] () -- C:\windows\SysWow64\SynTPEnhPS.dll
[2011/04/14 22:28:13 | 000,145,804 | ---- | C] () -- C:\windows\SysWow64\igcompkrng600.bin

========== LOP Check ==========

[2012/05/18 10:04:44 | 000,000,000 | ---D | M] -- C:\Users\jackson\AppData\Roaming\.purple
[2012/01/26 08:56:25 | 000,000,000 | -H-D | M] -- C:\Users\jackson\AppData\Roaming\Broderbund
[2012/03/09 12:39:45 | 000,000,000 | ---D | M] -- C:\Users\jackson\AppData\Roaming\CompuClever
[2012/01/26 17:56:10 | 000,000,000 | ---D | M] -- C:\Users\jackson\AppData\Roaming\SoftGrid Client
[2011/11/24 08:53:57 | 000,000,000 | ---D | M] -- C:\Users\jackson\AppData\Roaming\TP
[2012/06/28 19:06:10 | 000,032,656 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/07/06 14:13:09 | 000,866,992 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/07/06 14:13:09 | 000,866,992 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/07/06 14:13:09 | 000,866,992 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files (x86)\Mozilla Firefox\firefox.exe [2012/07/06 14:13:12 | 000,924,600 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -preferences [2012/07/06 14:13:12 | 000,924,600 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode [2012/07/06 14:13:12 | 000,924,600 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --show-icons [2012/06/28 03:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --hide-icons [2012/06/28 03:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/06/28 03:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" [2012/06/28 03:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/08/03 20:50:18 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/08/03 20:50:18 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/08/03 20:50:18 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff [2012/05/17 16:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" [2012/05/17 16:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)

< %systemroot%\*. /rp /s >

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >
[2012/06/24 14:10:12 | 000,202,749 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Certificate Revocation Lists
[2012/06/24 14:14:24 | 000,000,004 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
[2011/10/31 04:32:17 | 000,548,874 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\en-US-1-2.bdic
[2011/11/05 22:49:24 | 000,441,089 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\en-US-2-1.bdic
[2011/10/31 04:23:42 | 000,000,000 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\First Run
[2012/06/24 14:14:24 | 000,011,382 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Local State
[2012/06/24 14:08:45 | 004,717,196 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
[2012/06/24 14:08:45 | 000,840,303 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Filter 2
[2012/06/16 19:55:05 | 000,006,144 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies
[2012/06/16 19:55:05 | 000,001,544 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal
[2012/06/24 14:08:45 | 000,134,356 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
[2012/06/24 14:08:43 | 003,828,924 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Safe Browsing Download
[2012/06/24 14:08:45 | 000,016,600 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist
[2012/06/24 14:04:07 | 000,053,248 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Archived History
[2012/06/24 14:04:07 | 000,000,512 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Archived History-journal
[2011/10/31 04:23:43 | 000,000,505 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
[2011/10/31 04:23:43 | 000,000,505 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak
[2012/06/24 14:13:56 | 000,190,464 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Cookies
[2012/06/24 14:13:56 | 000,010,832 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
[2012/06/24 14:14:24 | 000,380,836 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Current Session
[2012/06/24 14:14:24 | 000,036,404 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
[2012/01/10 15:37:39 | 000,007,168 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
[2012/06/24 14:14:11 | 000,260,096 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Favicons
[2012/06/24 14:14:11 | 000,016,384 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal
[2012/04/07 11:36:00 | 000,150,798 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
[2012/06/24 14:13:41 | 000,417,792 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\History
[2012/06/24 14:12:43 | 000,065,536 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\History Index 2012-06
[2012/06/24 14:12:43 | 000,016,384 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\History Index 2012-06-journal
[2012/06/24 14:14:24 | 000,009,957 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache
[2012/06/24 14:13:41 | 000,016,384 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\History-journal
[2011/11/14 23:46:52 | 000,012,288 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Login Data
[2012/06/24 14:04:26 | 000,010,240 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor
[2012/06/24 14:04:26 | 000,003,608 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal
[2012/06/24 14:14:24 | 000,038,837 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Preferences
[2011/12/24 07:09:51 | 000,016,610 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Preferences.bad
[2012/04/07 11:39:04 | 000,013,312 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\QuotaManager
[2012/06/16 19:55:55 | 000,000,180 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\README
[2012/06/24 14:04:26 | 000,012,288 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Shortcuts
[2012/06/24 14:04:26 | 000,012,824 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Shortcuts-journal
[2012/06/24 14:04:07 | 000,020,480 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Top Sites
[2012/06/24 14:04:07 | 000,012,824 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Top Sites-journal
[2012/06/24 14:14:24 | 000,131,072 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Visited Links
[2012/06/24 14:06:27 | 000,090,112 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Web Data
[2012/06/24 14:06:27 | 000,010,792 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
[2012/04/07 11:37:34 | 000,007,168 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
[2011/11/14 22:20:24 | 000,109,568 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\databases\https_mail.google.com_0\1
[2012/04/07 11:38:35 | 000,096,256 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\databases\https_mail.google.com_0\2
[2012/04/07 11:43:50 | 000,003,524 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\128.png
[2012/04/07 11:43:50 | 000,000,745 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\manifest.json
[2012/04/07 11:43:50 | 000,000,401 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ar\messages.json
[2012/04/07 11:43:50 | 000,000,427 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\bg\messages.json
[2012/04/07 11:43:50 | 000,000,250 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ca\messages.json
[2012/04/07 11:43:50 | 000,000,255 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\cs\messages.json
[2012/04/07 11:43:50 | 000,000,242 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\da\messages.json
[2012/04/07 11:43:50 | 000,000,226 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\de\messages.json
[2012/04/07 11:43:50 | 000,000,475 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\el\messages.json
[2012/04/07 11:43:50 | 000,000,227 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\en\messages.json
[2012/04/07 11:43:50 | 000,000,240 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\es\messages.json
[2012/04/07 11:43:50 | 000,000,222 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\fi\messages.json
[2012/04/07 11:43:50 | 000,000,236 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\fil\messages.json
[2012/04/07 11:43:50 | 000,000,249 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\fr\messages.json
[2012/04/07 11:43:50 | 000,000,419 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\he\messages.json
[2012/04/07 11:43:50 | 000,000,408 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\hi\messages.json
[2012/04/07 11:43:50 | 000,000,220 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\hr\messages.json
[2012/04/07 11:43:50 | 000,000,253 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\hu\messages.json
[2012/04/07 11:43:50 | 000,000,231 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\id\messages.json
[2012/04/07 11:43:50 | 000,000,224 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\it\messages.json
[2012/04/07 11:43:50 | 000,000,349 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ja\messages.json
[2012/04/07 11:43:50 | 000,000,323 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ko\messages.json
[2012/04/07 11:43:50 | 000,000,266 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\lt\messages.json
[2012/04/07 11:43:50 | 000,000,245 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\lv\messages.json
[2012/04/07 11:43:50 | 000,000,225 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\nl\messages.json
[2012/04/07 11:43:49 | 000,000,216 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\no\messages.json
[2012/04/07 11:43:50 | 000,000,274 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\pl\messages.json
[2012/04/07 11:43:50 | 000,000,237 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\pt_BR\messages.json
[2012/04/07 11:43:50 | 000,000,236 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\pt_PT\messages.json
[2012/04/07 11:43:50 | 000,000,248 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ro\messages.json
[2012/04/07 11:43:50 | 000,000,394 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ru\messages.json
[2012/04/07 11:43:50 | 000,000,241 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\sk\messages.json
[2012/04/07 11:43:50 | 000,000,245 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\sl\messages.json
[2012/04/07 11:43:50 | 000,000,437 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\sr\messages.json
[2012/04/07 11:43:50 | 000,000,238 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\sv\messages.json
[2012/04/07 11:43:50 | 000,000,365 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\th\messages.json
[2012/04/07 11:43:50 | 000,000,255 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\tr\messages.json
[2012/04/07 11:43:50 | 000,000,442 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\uk\messages.json
[2012/04/07 11:43:50 | 000,000,310 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\vi\messages.json
[2012/04/07 11:43:50 | 000,000,257 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\zh_CN\messages.json
[2012/04/07 11:43:50 | 000,000,269 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\zh_TW\messages.json
[2012/04/07 11:43:52 | 000,005,369 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\128.png
[2012/04/07 11:43:52 | 000,000,496 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\16.png
[2012/04/07 11:43:52 | 000,001,143 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\32.png
[2012/04/07 11:43:52 | 000,001,858 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\48.png
[2012/04/07 11:43:52 | 000,000,790 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\manifest.json
[2012/04/07 11:43:52 | 000,000,423 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ar\messages.json
[2012/04/07 11:43:52 | 000,000,515 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\bg\messages.json
[2012/04/07 11:43:52 | 000,000,330 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ca\messages.json
[2012/04/07 11:43:52 | 000,000,355 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\cs\messages.json
[2012/04/07 11:43:52 | 000,000,328 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\da\messages.json
[2012/04/07 11:43:52 | 000,000,307 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\de\messages.json
[2012/04/07 11:43:52 | 000,000,569 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\el\messages.json
[2012/04/07 11:43:52 | 000,000,314 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\en\messages.json
[2012/04/07 11:43:52 | 000,000,314 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\en_GB\messages.json
[2012/04/07 11:43:52 | 000,000,314 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\en_US\messages.json
[2012/04/07 11:43:52 | 000,000,340 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\es\messages.json
[2012/04/07 11:43:52 | 000,000,341 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\es_419\messages.json
[2012/04/07 11:43:52 | 000,000,314 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\et\messages.json
[2012/04/07 11:43:52 | 000,000,305 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\fi\messages.json
[2012/04/07 11:43:52 | 000,000,337 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\fil\messages.json
[2012/04/07 11:43:52 | 000,000,329 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\fr\messages.json
[2012/04/07 11:43:52 | 000,000,471 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\he\messages.json
[2012/04/07 11:43:52 | 000,000,326 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\hi\messages.json
[2012/04/07 11:43:52 | 000,000,340 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\hr\messages.json
[2012/04/07 11:43:52 | 000,000,336 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\hu\messages.json
[2012/04/07 11:43:52 | 000,000,319 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\id\messages.json
[2012/04/07 11:43:52 | 000,000,324 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\it\messages.json
[2012/04/07 11:43:52 | 000,000,388 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ja\messages.json
[2012/04/07 11:43:52 | 000,000,380 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ko\messages.json
[2012/04/07 11:43:52 | 000,000,359 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\lt\messages.json
[2012/04/07 11:43:52 | 000,000,360 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\lv\messages.json
[2012/04/07 11:43:52 | 000,000,323 | ---- | M] () -- C:\Users\jackson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\nl\messages.json

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< >

< End of report >


4. I haven't touched the laptop for a few days due to the holidays. When I first booted it up this morning, MSE found and successfully removed the win64/sirefef.b trojan. Everything has been clean in subsequent reboots. The laptop hasn't been in use since we did all the scans from before, so it is not a new issue (not sure if it is an issue at all). :) Thanks!

Edited by shvidky, 06 July 2012 - 05:24 PM.


#13 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:01:33 AM

Posted 07 July 2012 - 06:32 AM

Hi shvidky!

When I first booted it up this morning, MSE found and successfully removed the win64/sirefef.b trojan.

Could you please post the file path of where this infection was found?

I see a few orphaned registry entries that I'm going to have you remove using an OTL fix.

OTL Fix

We need to run an OTL Fix

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix, as it may interfere with the successful execution of the script below.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    :OTL
    IE - HKCU\..\SearchScopes\{29DC8356-26E4-4EB2-9B2A-CF9336C5A442}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3209604
    O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    :Reg
    
    :Commands
    [CreateRestorePoint]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

Let me know.

-ST.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
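The OTL fix above targets two kinds of orphaned Internet Explorer entry: a BHO whose CLSID points at a DLL that no longer exists (the O2 line, "File not found"), a toolbar with no CLSID value (the O3 line), and a leftover search scope pointing at a third-party URL. The following read-only PowerShell audit is an added example written for this page, not part of the thread or of OTL, that reproduces those checks so the entries can be reviewed before any fix is applied; it assumes PowerShell on a 64-bit Windows 7 system where 32-bit BHOs live under Wow6432Node, and reports only, it deletes nothing.

```powershell
# Added example (not from the thread or OTL): audit IE BHOs and search scopes
# for the orphan patterns shown in the OTL fix. Read-only; run as Administrator
# so that both the 64-bit and the Wow6432Node hives are readable.

# 64-bit and 32-bit BHO registration points (the jp2ssv.dll entry in the
# thread sits under Program Files (x86), i.e. the Wow6432Node side).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)

# Resolve a CLSID to the DLL path recorded in its InprocServer32 key, or $null
# when no CLSID registration exists (the O3 "No CLSID value found" case).
function Get-ClsidDllPath {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key).'(default)'
            if ($raw) {
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

# Classify every registered BHO as OK, "File not found" (O2 case) or
# "No CLSID value found" (O3 case) without touching the registry.
function Get-BhoStatus {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $dll   = Get-ClsidDllPath -Clsid $clsid
            if (-not $dll) {
                $status = 'No CLSID value found'
            } elseif (-not (Test-Path -LiteralPath $dll)) {
                $status = 'File not found'
            } else {
                $status = 'OK'
            }
            New-Object PSObject -Property @{
                CLSID  = $clsid
                Dll    = $dll
                Status = $status
                Hive   = $key
            }
        }
    }
}

# List the current user's IE search scopes with their URLs so that entries
# like the search.conduit.com scope in the fix stand out for review.
function Get-IeSearchScope {
    $scopeKey = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $scopeKey)) { return }
    foreach ($sub in Get-ChildItem -Path $scopeKey) {
        $p = Get-ItemProperty -Path $sub.PSPath
        New-Object PSObject -Property @{
            Scope       = $sub.PSChildName
            DisplayName = $p.DisplayName
            URL         = $p.URL
        }
    }
}

Write-Host '== BHO entries that are not OK =='
Get-BhoStatus | Where-Object { $_.Status -ne 'OK' } |
    Format-Table CLSID, Status, Dll, Hive -AutoSize -Wrap

Write-Host '== IE search scopes (HKCU) =='
Get-IeSearchScope | Format-Table Scope, DisplayName, URL -AutoSize -Wrap
```

A BHO reported as "File not found" is harmless on its own but is exactly the kind of stale entry the OTL script removes; a search scope whose URL is not the user's chosen provider is worth confirming with the user before deciding whether it is leftover adware or intentional.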


#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:01:33 AM

Posted 14 July 2012 - 02:41 AM

Due to lack of feedback this thread will now be closed. If you still require assistance, and would like to have your thread re-opened, please feel free to send me a Private Message (PM) being sure to include a link to your topic, and I'd be happy to re-open it.






