
Win7 PC infected with Trojan.Dropper.BCMiner and Rootkit.0Access


BKS79


Somewhere in the past few weeks I picked up two viruses that have been a massive thorn in my side: a Trojan.Dropper.BCMiner and Rootkit.0Access. I've already changed the passwords on all important accounts on a separate computer, but all of my removal attempts fail. I was hoping someone here could help me with this.


Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

---------


Please download DDS from either of these links (LINK 1, LINK 2) and save it to your desktop.

  • Disable any script blocking protection
  • Right-click dds and choose Run as Administrator to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

----------

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.


----------


Hi,

Thanks for letting me know.

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean, and it may have damaged your system files as well. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :)

----------

Download Combofix from the link below, and save it to your desktop.

Link

**Note: It is important that it is saved directly to your desktop**

If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.


  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

----------


Hi,

So is it all clear? I haven't noticed any symptoms since I ran ComboFix.

It's looking pretty good. Let's make sure nothing is still in there hiding before you go. :)

------------

I see that your Java software is out of date. Please go to Start >> Control Panel >> Programs and Features >> uninstall all versions of Java.

Now download and install the newest version from here >> http://java.com/en/download/index.jsp

-------------

Clear Java Cache

See this page for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

----------

Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

----------

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

----------


C:\Qoobox\Quarantine\C\Users\Admin\AppData\Roaming\Expa\item.exe.vir Win32/Spy.Zbot.AAO trojan

C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.EZ trojan

C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.W trojan

C:\Qoobox\Quarantine\C\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}\U\00000004.@.vir Win64/Conedex.C trojan

C:\Qoobox\Quarantine\C\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}\U\80000000.@.vir Win64/Sirefef.AW trojan

C:\Qoobox\Quarantine\C\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}\U\80000032.@.vir probably a variant of Win32/Sirefef.FD trojan

C:\Qoobox\Quarantine\C\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}\U\80000064.@.vir a variant of Win64/Sirefef.AN trojan

C:\Users\Admin\AppData\Local\Paint.NET\dwmpqfqy.dll Win32/Kryptik.AQWG.Gen trojan

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1lqfu8pg.default\user.js JS/SecurityDisabler.A.Gen application

C:\Users\Admin\Downloads\KMPlayer_EN_3.1.0.0_R2.exe Win32/OpenCandy application

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B99ZHCVM\fpi[7].htm HTML/ScrInject.B.Gen virus

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B99ZHCVM\fpi[7].htm HTML/ScrInject.B.Gen virus

Operating memory Win32/Kryptik.AQWG.Gen trojan

mbam-log-2012-12-21 (11-53-21).txt


Good job...

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:

    ClearJavaCache::
    File:
    C:\Users\Admin\AppData\Local\Paint.NET\dwmpqfqy.dll
    C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1lqfu8pg.default\user.js
    C:\Users\Admin\Downloads\KMPlayer_EN_3.1.0.0_R2.exe
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B99ZHCVM\fpi[7].htm
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B99ZHCVM\fpi[7].htm
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Drag CFScript.txt onto ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Post the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

----------

Post the new ComboFix log and let me know how your system is running. :)


Websearch results being redirected

In what browser(s)?

----------

AdwCleaner

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

----------


# AdwCleaner v2.101 - Logfile created 12/22/2012 at 09:32:23

# Updated 16/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Admin - PC

# Boot Mode : Normal

# Running from : C:\Users\Admin\Desktop\AdwCleaner.exe

# Option [search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\ProgramData\Partner

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}

Key Found : HKCU\Software\SweetIM

Key Found : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}

Key Found : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}

Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}

Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}

Key Found : HKLM\Software\Iminent

Key Found : HKLM\Software\SweetIM

Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jplinpmadfkdgipabgcdchbdikologlh

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v9.0 (en-US)

Profile name : default

File : C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1lqfu8pg.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1467 octets] - [22/12/2012 09:32:23]

########## EOF - C:\AdwCleaner[R1].txt - [1527 octets] ##########


Run the following and let me know if you are still having the problems. :)

AdwCleaner

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

----------


# AdwCleaner v2.101 - Logfile created 12/22/2012 at 09:43:54

# Updated 16/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Admin - PC

# Boot Mode : Normal

# Running from : C:\Users\Admin\Desktop\AdwCleaner.exe

# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\Partner

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}

Key Deleted : HKCU\Software\SweetIM

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}

Key Deleted : HKLM\Software\Iminent

Key Deleted : HKLM\Software\SweetIM

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jplinpmadfkdgipabgcdchbdikologlh

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v9.0 (en-US)

Profile name : default

File : C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1lqfu8pg.default\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1lqfu8pg.default\user.js ... Deleted !

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1596 octets] - [22/12/2012 09:32:23]

AdwCleaner[S1].txt - [1647 octets] - [22/12/2012 09:43:54]

########## EOF - C:\AdwCleaner[S1].txt - [1707 octets] ##########

All three of the previous symptoms are still there.


Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Do Not Attempt To Fix Anything Now. We just need to look over the report and be sure we are removing the correct items.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------

OTL

  • Download OTL to your desktop.
  • Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

----------


OTL logfile created on: 12/22/2012 10:33:49 AM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Admin\Desktop

64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7601.17514)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.98 Gb Total Physical Memory | 6.73 Gb Available Physical Memory | 84.26% Memory free

15.96 Gb Paging File | 14.48 Gb Available in Paging File | 90.68% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 1372.09 Gb Total Space | 691.79 Gb Free Space | 50.42% Space Free | Partition Type: NTFS

Drive D: | 1017.19 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: PC | User Name: Admin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Admin\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Windows\SysWOW64\UMonit.exe ()

PRC - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe (Intel Corporation)

PRC - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe (Intel Corporation)

PRC - C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe ()

PRC - C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe (CyberLink)

PRC - C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe (Lenovo)

PRC - C:\Program Files (x86)\jmesoft\hotkey.exe (JME)

========== Modules (No Company Name) ==========

MOD - C:\Windows\SysWOW64\UMonit.exe ()

MOD - C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvcPS.dll ()

MOD - C:\Program Files (x86)\Lenovo\Power2Go\CLMediaLibrary.dll ()

MOD - C:\Program Files (x86)\jmesoft\KeyHook.dll ()

MOD - C:\Program Files (x86)\jmesoft\VistaVolume.dll ()

========== Services (SafeList) ==========

SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)

SRV:64bit: - (wlcrasvc) -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)

SRV:64bit: - (LitModeCtrl) -- C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe (Lenovo)

SRV:64bit: - (LenovoCOMSvc) -- C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe (Lenovo)

SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)

SRV - (Desura Install Service) -- C:\Program Files (x86)\Common Files\Desura\desura_service.exe (Desura Pty Ltd)

SRV - (HiPatchService) -- C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe (Hi-Rez Studios)

SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe (Intel Corporation)

SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe (Intel Corporation)

SRV - (CEEBC40A-FDED-4C59-B354-939132350B01) -- C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe ()

SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)

SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV:64bit: - (EuMusDesignVirtualAudioCableWdm) -- C:\Windows\SysNative\drivers\vrtaucbl.sys (Eugene V. Muzychenko)

DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\drivers\usbaapl64.sys (Apple, Inc.)

DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)

DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)

DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)

DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices)

DRV:64bit: - (fbfmon) -- C:\Windows\SysNative\drivers\fbfmon.sys (Lenovo)

DRV:64bit: - (BPntDrv) -- C:\Windows\SysNative\drivers\BPntDrv.sys (Lenovo)

DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)

DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)

DRV:64bit: - (GeneStor) -- C:\Windows\SysNative\drivers\GeneStor.sys (GenesysLogic)

DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)

DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)

DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)

DRV:64bit: - (e1cexpress) -- C:\Windows\SysNative\drivers\e1c62x64.sys (Intel Corporation)

DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)

DRV:64bit: - (USB28xxBGA) -- C:\Windows\SysNative\drivers\emBDA64.sys (eMPIA Technology, Inc.)

DRV:64bit: - (USB28xxOEM) -- C:\Windows\SysNative\drivers\emOEM64.sys (eMPIA Technology, Inc.)

DRV:64bit: - (wsvd) -- C:\Windows\SysNative\drivers\wsvd.sys (CyberLink)

DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)

DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)

DRV:64bit: - (Fs_Rec) -- C:\windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)

DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)

DRV:64bit: - (xnacc) -- C:\Windows\SysNative\drivers\xnacc.sys (Microsoft Corporation)

DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\drivers\PxHlpa64.sys (Sonic Solutions)

DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys (Marvell)

DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)

DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)

DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)

DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)

DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV:64bit: - (WinI2C-DDC) -- C:\Windows\SysNative\drivers\ddcdrv.sys (Nicomsoft Ltd.)

DRV - (WinI2C-DDC) -- C:\Windows\SysWOW64\drivers\ddcdrv.sys (Nicomsoft Ltd.)

DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com

IE:64bit: - HKLM\..\SearchScopes,DefaultScope =

IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox

IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com

IE - HKLM\..\SearchScopes,DefaultScope =

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox

IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-26433898-1847276344-2995153160-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.lenovo.com/

IE - HKU\S-1-5-21-26433898-1847276344-2995153160-1001\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-26433898-1847276344-2995153160-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox

IE - HKU\S-1-5-21-26433898-1847276344-2995153160-1001\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND

IE - HKU\S-1-5-21-26433898-1847276344-2995153160-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-26433898-1847276344-2995153160-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.update: false

FF - prefs.js..browser.startup.homepage: "http://store.steampowered.com/"

FF - prefs.js..extensions.enabledAddons: adblockpopups@jessehakanen.net:0.2.9

FF - prefs.js..extensions.enabledAddons: anttoolbar@ant.com:2.4.5

FF - prefs.js..extensions.enabledAddons: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:2.0.1

FF - prefs.js..extensions.enabledAddons: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.13

FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF64_11_4_402_265.dll File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll ()

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.10.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Admin\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/12/22 02:06:04 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2011/12/22 02:06:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Admin\AppData\Roaming\Mozilla\Extensions

[2012/12/08 18:55:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1lqfu8pg.default\extensions

[2011/12/22 02:21:50 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1lqfu8pg.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

[2011/12/22 02:21:50 | 000,000,000 | ---D | M] (Ant Video Downloader) -- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1lqfu8pg.default\extensions\anttoolbar@ant.com

[2011/12/22 02:21:49 | 000,098,306 | ---- | M] () (No name found) -- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1lqfu8pg.default\extensions\adblockpopups@jessehakanen.net.xpi

[2011/12/22 02:21:50 | 000,644,152 | ---- | M] () (No name found) -- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1lqfu8pg.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

[2012/12/20 18:15:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2011/12/16 23:51:36 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll

[2011/12/16 20:20:10 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

[2011/12/16 20:20:10 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/12/20 14:11:29 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

O3 - HKLM\..\Toolbar: (TerraTec Home Cinema) - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\Program Files (x86)\TerraTec\TerraTec Home Cinema\ThcDeskBand.dll (TerraTec Electronic GmbH)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O4:64bit: - HKLM..\Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe (Lenovo)

O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)

O4:64bit: - HKLM..\Run: [uMonit] C:\Windows\SysWOW64\UMonit.exe ()

O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [CLMLServer] C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe (CyberLink)

O4 - HKLM..\Run: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe (JME)

O4 - HKLM..\Run: [Lenovo Dynamic Brightness System] C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe (Lenovo)

O4 - HKLM..\Run: [Lenovo Eye Distance System] C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe (Lenovo)

O4 - HKLM..\Run: [ModeSwitch] C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe (Lenovo)

O4 - HKLM..\Run: [setDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe (Lenovo)

O4 - HKLM..\Run: [startCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - HKLM..\Run: [updateP2GoShortCut] C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updatePRCShortCut] C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKU\S-1-5-21-26433898-1847276344-2995153160-1001..\Run: [Paint.NET] C:\Users\Admin\AppData\Local\Paint.NET\dwmpqfqy.dll (Cyberlink)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-26433898-1847276344-2995153160-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-26433898-1847276344-2995153160-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8:64bit: - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found

O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{64A1F498-7D47-4980-B40E-AA63441EB1D5}: DhcpNameServer = 10.0.0.1

O18:64bit: - Protocol\Handler\livecall - No CLSID value found

O18:64bit: - Protocol\Handler\msnim - No CLSID value found

O18:64bit: - Protocol\Handler\skype4com - No CLSID value found

O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found

O18:64bit: - Protocol\Handler\wlpg - No CLSID value found

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\HmelyoffLabs\VHToolkit\Skype4COM.dll (Skype Technologies)

O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/01/21 04:35:32 | 000,000,000 | RH-D | M] - D:\Autorun -- [ UDF ]

O32 - AutoRun File - [2001/09/05 06:05:18 | 000,376,832 | R--- | M] (TerraTec Electronic GmbH) - D:\Autorun.exe -- [ UDF ]

O32 - AutoRun File - [2000/11/21 08:30:26 | 000,000,045 | R--- | M] () - D:\Autorun.inf -- [ UDF ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/12/22 10:29:23 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe

[2012/12/22 10:27:15 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Admin\Desktop\tdsskiller.exe

[2012/12/22 09:19:13 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2012/12/21 15:30:45 | 000,000,000 | ---D | C] -- C:\windows\temp

[2012/12/21 12:02:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET

[2012/12/21 11:51:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java

[2012/12/21 11:50:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java

[2012/12/20 14:04:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe

[2012/12/20 14:04:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe

[2012/12/20 14:04:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe

[2012/12/20 14:01:15 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/12/20 14:01:12 | 000,000,000 | ---D | C] -- C:\windows\erdnt

[2012/12/20 14:00:45 | 005,012,825 | R--- | C] (Swearware) -- C:\Users\Admin\Desktop\ComboFix.exe

[2012/12/20 13:21:08 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Users\Admin\Desktop\aswMBR.exe

[2012/12/20 13:17:35 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\Admin\Desktop\dds.com

[2012/12/19 10:10:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation

[2012/12/19 10:10:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AGEIA Technologies

[2012/12/19 10:10:29 | 000,000,000 | ---D | C] -- C:\windows\SysWow64\AGEIA

[2012/12/19 09:35:18 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Gore

[2012/12/19 09:35:18 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Fatyy

[2012/12/14 14:25:13 | 000,000,000 | -HSD | C] -- C:\windows\SysWow64\%APPDATA%

[2012/12/04 22:09:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hmelyoff Labs

[2012/12/04 22:09:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XSplit

[2012/12/04 22:09:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SplitMediaLabs

[2012/12/04 21:26:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open Broadcaster Software

[2012/12/04 21:26:02 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\OBS

[2012/12/04 21:26:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OBS

[2012/12/04 20:13:17 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\SplitMediaLabs

[2012/12/04 20:12:41 | 000,000,000 | ---D | C] -- C:\ProgramData\SplitMediaLabs

[2012/12/04 20:11:34 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\SplitMediaLabs

[2012/11/25 12:39:11 | 000,000,000 | ---D | C] -- C:\Users\Admin\Documents\Overlord

[2012/11/24 07:04:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip

[2012/11/24 07:04:20 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip

[2012/11/23 09:27:04 | 000,000,000 | ---D | C] -- C:\Users\Admin\Documents\Amazon MP3

[2012/11/23 09:27:04 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Amazon

[2012/11/23 09:26:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Amazon

[2012/11/23 09:26:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Amazon

[2011/05/07 19:05:37 | 001,914,000 | ---- | C] (Adobe Systems Incorporated) -- C:\ProgramData\flashax10.exe

[3 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/12/22 10:33:03 | 000,020,688 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2012/12/22 10:33:03 | 000,020,688 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2012/12/22 10:30:09 | 000,779,092 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI

[2012/12/22 10:30:09 | 000,660,280 | ---- | M] () -- C:\windows\SysNative\perfh009.dat

[2012/12/22 10:30:09 | 000,121,208 | ---- | M] () -- C:\windows\SysNative\perfc009.dat

[2012/12/22 10:29:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe

[2012/12/22 10:27:20 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Admin\Desktop\tdsskiller.exe

[2012/12/22 10:26:42 | 000,162,485 | ---- | M] () -- C:\windows\SysNative\fastboot.set

[2012/12/22 10:25:46 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat

[2012/12/22 10:25:41 | 2133,671,935 | -HS- | M] () -- C:\hiberfil.sys

[2012/12/22 09:32:02 | 000,547,175 | ---- | M] () -- C:\Users\Admin\Desktop\AdwCleaner.exe

[2012/12/20 14:11:29 | 000,000,027 | ---- | M] () -- C:\windows\SysNative\drivers\etc\hosts

[2012/12/20 14:00:54 | 005,012,825 | R--- | M] (Swearware) -- C:\Users\Admin\Desktop\ComboFix.exe

[2012/12/20 13:32:49 | 000,000,512 | ---- | M] () -- C:\Users\Admin\Desktop\MBR.dat

[2012/12/20 13:21:45 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Users\Admin\Desktop\aswMBR.exe

[2012/12/20 13:17:36 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\Admin\Desktop\dds.com

[2012/12/19 15:39:00 | 1019,272,240 | ---- | M] () -- C:\windows\MEMORY.DMP

[2012/12/12 03:36:15 | 000,772,990 | ---- | M] () -- C:\windows\SysWow64\PerfStringBackup.INI

[3 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/12/22 09:32:00 | 000,547,175 | ---- | C] () -- C:\Users\Admin\Desktop\AdwCleaner.exe

[2012/12/20 14:04:09 | 000,256,000 | ---- | C] () -- C:\windows\PEV.exe

[2012/12/20 14:04:09 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe

[2012/12/20 14:04:09 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe

[2012/12/20 14:04:09 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe

[2012/12/20 14:04:09 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe

[2012/12/20 13:32:49 | 000,000,512 | ---- | C] () -- C:\Users\Admin\Desktop\MBR.dat

[2012/11/24 07:50:47 | 000,001,756 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Episode1Beta.lnk

[2012/08/02 21:51:47 | 000,000,000 | ---- | C] () -- C:\windows\Game.INI

[2011/12/22 17:02:53 | 000,772,990 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI

[2011/11/09 22:39:44 | 000,059,904 | ---- | C] () -- C:\windows\SysWow64\OpenVideo.dll

[2011/11/09 22:39:32 | 000,054,784 | ---- | C] () -- C:\windows\SysWow64\OVDecode.dll

[2011/11/09 21:36:06 | 000,204,960 | ---- | C] () -- C:\windows\SysWow64\ativvsvl.dat

[2011/11/09 21:36:06 | 000,157,152 | ---- | C] () -- C:\windows\SysWow64\ativvsva.dat

[2011/09/28 16:44:14 | 000,179,271 | ---- | C] () -- C:\windows\SysWow64\xlive.dll.cat

[2011/09/12 18:06:16 | 000,003,917 | ---- | C] () -- C:\windows\SysWow64\atipblag.dat

[2011/05/07 19:49:07 | 000,201,728 | ---- | C] () -- C:\windows\SetDrive.exe

[2011/05/07 19:49:06 | 000,036,864 | ---- | C] () -- C:\windows\WinWait.exe

[2011/05/07 18:58:18 | 000,139,264 | ---- | C] () -- C:\windows\SysWow64\ustor.dll

[2011/05/07 18:58:18 | 000,028,672 | ---- | C] () -- C:\windows\SysWow64\UMonit.exe

[2011/05/07 18:58:15 | 000,172,097 | ---- | C] () -- C:\windows\SysWow64\NoMSGuninstall.exe

[2011/05/07 18:58:15 | 000,000,767 | ---- | C] () -- C:\windows\SysWow64\ProductName.ini

[2011/05/07 18:58:15 | 000,000,187 | ---- | C] () -- C:\windows\SysWow64\IconCfg0.ini

[2011/05/07 18:55:25 | 000,008,192 | ---- | C] () -- C:\windows\SysWow64\drivers\IntelMEFWVer.dll

[2011/02/12 14:35:47 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin

========== ZeroAccess Check ==========

[2012/12/20 14:10:19 | 000,000,000 | ---D | M] -- C:\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}\L

[2012/12/20 14:01:49 | 000,000,000 | ---D | M] -- C:\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}\U

[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

"" = C:\Windows\SysNative\shell32.dll -- [2012/01/04 05:44:25 | 014,172,672 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012/01/04 03:59:38 | 012,872,704 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012/03/19 06:02:06 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\.minecraft

[2012/11/23 09:28:36 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Amazon

[2012/12/18 18:38:30 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Audacity

[2012/11/17 07:43:11 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Awesomium

[2012/06/16 16:47:17 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Bioshock2

[2012/11/12 06:49:48 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Corneroids

[2012/06/09 22:55:04 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\DarknessII

[2012/01/30 00:55:43 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\DarknessIIDemo

[2012/12/12 03:35:35 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Dwarfs

[2012/12/20 11:56:30 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Fatyy

[2012/02/28 06:33:08 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Firefly Studios

[2012/12/19 09:35:18 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Gore

[2012/07/19 03:53:34 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Lionhead Studios

[2012/04/05 18:55:47 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Mount&Blade Warband

[2012/11/24 13:41:04 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Natural Selection 2

[2012/12/04 21:26:09 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\OBS

[2012/10/09 13:23:21 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Opera

[2012/08/23 22:55:39 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\PPNet

[2012/05/03 12:17:18 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\ProjectZomboid_LAUNCHER

[2012/12/04 20:11:34 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\SplitMediaLabs

[2011/12/22 03:20:28 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\SystemRequirementsLab

[2012/03/14 17:27:29 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\TerraTec

[2012/05/04 22:09:11 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\X-Chat 2

[2012/04/19 08:13:10 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\XRay Engine

========== Purity Check ==========

< End of report >

OTL Extras logfile created on: 12/22/2012 10:33:49 AM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Admin\Desktop

64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7601.17514)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.98 Gb Total Physical Memory | 6.73 Gb Available Physical Memory | 84.26% Memory free

15.96 Gb Paging File | 14.48 Gb Available in Paging File | 90.68% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 1372.09 Gb Total Space | 691.79 Gb Free Space | 50.42% Space Free | Partition Type: NTFS

Drive D: | 1017.19 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: PC | User Name: Admin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = Opera.HTML] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1"

.url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)

.html [@ = Opera.HTML] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1"

[HKEY_USERS\S-1-5-21-26433898-1847276344-2995153160-1001\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- Reg Error: Key error.

htmlfile [open] -- Reg Error: Key error.

htmlfile [opennew] -- Reg Error: Key error.

htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1

https [open] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1"

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- Reg Error: Key error.

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- Reg Error: Key error.

htmlfile [open] -- Reg Error: Key error.

htmlfile [opennew] -- Reg Error: Key error.

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1

https [open] -- "C:\Program Files (x86)\Opera\Opera.exe" "%1"

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- Reg Error: Key error.

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |

"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |

"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |

"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |

"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |

"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |

"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |

"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |

"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |

"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |

"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |

"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |

"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |

"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |

"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"TCP Query User{B312955A-FB03-44BE-8F32-A8E0103F25C1}C:\program files (x86)\skype\phone\skype.exe" = protocol=6 | dir=in | app=c:\program files (x86)\skype\phone\skype.exe |

"TCP Query User{BA306893-2DEF-4579-8190-219F0804B63D}C:\program files (x86)\steam\steamapps\headhunter17960\team fortress 2\hl2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\headhunter17960\team fortress 2\hl2.exe |

"UDP Query User{532BCAF1-7EF7-4336-97D0-4A53622D5D38}C:\program files (x86)\steam\steamapps\headhunter17960\team fortress 2\hl2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\headhunter17960\team fortress 2\hl2.exe |

"UDP Query User{99896435-5499-45DE-B071-3286E7A5A5A3}C:\program files (x86)\skype\phone\skype.exe" = protocol=17 | dir=in | app=c:\program files (x86)\skype\phone\skype.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0BD776F3-057D-4C11-020C-4FA9B13D04F9}" = AMD Catalyst Install Manager

"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant

"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)

"{463FB535-67FB-17C9-6FD6-164BC60462F6}" = ccc-utility64

"{46F4D124-20E5-4D12-BE52-EC177A7A4B42}" = Lenovo Rescue System

"{4D533F05-A3F6-F8A9-F1F6-FA6812089D36}" = AMD Drag and Drop Transcoding

"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime

"{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}" = Paint.NET v3.5.10

"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources

"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour

"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources

"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended

"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting

"{A6FE29A0-622B-2763-88AA-D1E084F77CD9}" = AMD Media Foundation Decoders

"{B8AD779A-82DA-4365-A7D0-AD3DCFC55CFF}" = Apple Mobile Device Support

"{BC915A04-93BD-A74E-F90D-4BC84D88F087}" = AMD AVIVO64 Codecs

"{CF8FFD12-602B-422D-AF1D-511B411E7632}" = iTunes

"{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector

"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter

"{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb" = Microsoft Windows Application Compatibility Database

"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client

"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service

"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile

"Lenovo EE Boot Optimizer" = Lenovo EE Boot Optimizer

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended

"PROSet" = Intel® Network Connections Drivers

"WinRAR archiver" = WinRAR 4.01 (64-bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{0659E943-DDF4-44FC-9FEE-A13B09F8BB08}" = Adobe Flash Media Live Encoder 3.2

"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer

"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker

"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update

"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions

"{24570B2F-3937-47F0-A16A-E82B480A7699}" = XSplit

"{26A24AE4-039D-4CA4-87B4-2F83217010FF}" = Java 7 Update 10

"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections

"{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}" = Microsoft XNA Framework Redistributable 4.0

"{2ECA81CA-D932-4AD3-AD59-BF5CCF099C83}" = Catalyst Control Center - Branding

"{32F9BACF-FCD3-4B6A-AD85-255A449B6FA5}" = Roxio BackOnTrack

"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery

"{347151C4-7F16-B275-8865-CC6B64056D3F}" = Catalyst Control Center Graphics Previews Common

"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery

"{394BE3D9-7F57-4638-A8D1-1D88671913B7}" = Microsoft AppLocale

"{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF010}" = Tribes Ascend Closed Beta

"{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}" = Hi-Rez Studios Authenticate and Update Service

"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Lenovo Power2Go

"{42B21298-C850-4272-AFD9-636CBC005421}" = LXH-JME2207FN Hotkey Driver

"{45970CD1-D599-47D4-938F-3E9800D54ED1}" = Lenovo Driver and Application Installation

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace

"{5183D7AB-D09B-411F-A74E-BBAEA61C6505}" = Lenovo Eye Distance System

"{5454085C-129F-416C-9C0B-8B1000058301}" = BioShock 2

"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack

"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack

"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup

"{62AEBBB6-8314-7902-B3DA-1690F97DFA74}" = CCC Help English

"{63B9BAB5-F36A-4A3B-9E5C-68A7F212BFB9}" = TerraTec Home Cinema

"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel® Management Engine Components

"{662CFD19-EA80-4EFE-A0D8-EE10EFEB3C83}" = Livestream Procaster

"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{72E80496-C446-4389-B4F2-CC46DF704A7F}" = Terrafirma

"{73FFC7D9-3D8F-D20B-502E-587CEBD8AF3A}" = HydraVision

"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update

"{803E6DED-5050-4E3D-B26A-5915397362CD}" = Lenovo Screensaver

"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger

"{816F9A97-9889-43DA-A394-7AA45DD68BA0}" = Power Dial

"{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}" = Microsoft Games for Windows - LIVE Redistributable

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime

"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT

"{8FC8A1FB-F49B-4C2A-9A90-F229250A1AF6}" = Judge Dredd - Dredd vs Death

"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker

"{943A8D28-80D6-41DC-AE94-81FEB42041BF}" = System Requirements Lab CYRI

"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010

"{959B7F35-2819-40C5-A0CD-3C53B5FCC935}" = Genesys USB Mass Storage Device

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail

"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer

"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common

"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5

"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer

"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer

"{B93EEE50-9C8F-45DF-95E4-3D85A6E242F3}" = DarksidersInstaller

"{C01AE05C-3C8C-75B3-C9F0-1B525DD3697C}" = Catalyst Control Center InstallProxy

"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail

"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform

"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64

"{D3063097-EC84-4D21-84A4-9D852E974355}" = LVT

"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common

"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform

"{D9ED6D06-6002-495E-A7BC-46E6AE386996}" = Lenovo Dynamic Brightness System

"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX

"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources

"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh

"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10

"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger

"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support

"{F017778C-11C7-4E57-8124-F10C5AD74B1E}_is1" = Open Broadcaster Software version 0.448a

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F29CBF73-C211-4616-898A-379A2679F990}" = ThemeWallpaper

"{F865B0B5-0D43-2704-0B22-35C5F721374B}" = Catalyst Control Center

"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"1ClickDownload" = 1ClickDownloader

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"Afraid of Monsters" = Afraid of Monsters

"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.14 (Unicode)

"Comical_is1" = Comical 0.8

"Desura" = Desura

"ESET Online Scanner" = ESET Online Scanner v3

"Fraps" = Fraps (remove only)

"Generic Mod Manager_is1" = Fallout Mod Manager 0.13.21

"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Lenovo Power2Go

"InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}" = Lenovo Rescue System

"LAME_is1" = LAME v3.99.3 (for Windows)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000

"Mozilla Firefox 9.0 (x86 en-US)" = Mozilla Firefox 9.0 (x86 en-US)

"Nehrim - At Fate's Edge_is1" = NehrimUninstaller

"OpenAL" = OpenAL

"PartyPokerNet" = PartyPoker.net

"PokerStars.net" = PokerStars.net

"Steam App 102600" = Orcs Must Die!

"Steam App 104700" = Super Monday Night Combat

"Steam App 105400" = Fable III

"Steam App 105600" = Terraria

"Steam App 10680" = Aliens vs. Predator

"Steam App 108710" = Alan Wake

"Steam App 113200" = The Binding Of Isaac

"Steam App 11450" = Overlord

"Steam App 12100" = Grand Theft Auto III

"Steam App 12130" = Manhunt

"Steam App 12220" = Grand Theft Auto: Episodes from Liberty City

"Steam App 1250" = Killing Floor

"Steam App 1300" = SiN Episodes: Emergence

"Steam App 1313" = SiN

"Steam App 1840" = Source Filmmaker

"Steam App 200510" = XCOM: Enemy Unknown

"Steam App 201280" = Deus Ex: Human Revolution - The Missing Link

"Steam App 201790" = Orcs Must Die! 2

"Steam App 202170" = Sleeping Dogs™

"Steam App 203750" = Binary Domain

"Steam App 204030" = Fable - The Lost Chapters

"Steam App 20510" = S.T.A.L.K.E.R.: Clear Sky

"Steam App 206760" = Painkiller: Recurring Evil

"Steam App 207610" = The Walking Dead

"Steam App 207811" = ValveTestApp207811

"Steam App 2100" = Dark Messiah Might and Magic Single Player

"Steam App 21010" = Watchmen: The End Is Nigh

"Steam App 21030" = Watchmen: The End Is Nigh Part 2

"Steam App 21090" = F.E.A.R.

"Steam App 211" = Source SDK

"Steam App 21100" = F.E.A.R. 3

"Steam App 218" = Source SDK Base 2007

"Steam App 220" = Half-Life 2

"Steam App 22330" = The Elder Scrolls IV: Oblivion

"Steam App 22380" = Fallout: New Vegas

"Steam App 22480" = GECK - New Vegas Edition

"Steam App 22600" = Worms Reloaded

"Steam App 240" = Counter-Strike: Source

"Steam App 2400" = The Ship

"Steam App 24240" = PAYDAY: The Heist

"Steam App 2600" = Vampire: The Masquerade - Bloodlines

"Steam App 27900" = Twin Sector

"Steam App 28050" = Deus Ex: Human Revolution

"Steam App 31280" = Poker Night at the Inventory

"Steam App 31700" = Iron Grip: Warlord

"Steam App 31820" = Nancy Drew: The Haunted Carousel

"Steam App 32800" = The Lord of the Rings: War in the North

"Steam App 34800" = Chronicles of Mystery: The Scorpio Ritual

"Steam App 35480" = Dwarfs!?

"Steam App 380" = Half-Life 2: Episode One

"Steam App 4000" = Garry's Mod

"Steam App 41700" = S.T.A.L.K.E.R.: Call of Pripyat

"Steam App 420" = Half-Life 2: Episode Two

"Steam App 43110" = Metro 2033

"Steam App 440" = Team Fortress 2

"Steam App 4500" = S.T.A.L.K.E.R.: Shadow of Chernobyl

"Steam App 4590" = Titan Quest Demo

"Steam App 48700" = Mount & Blade: Warband

"Steam App 500" = Left 4 Dead

"Steam App 50620" = Darksiders

"Steam App 50650" = Darksiders II

"Steam App 550" = Left 4 Dead 2

"Steam App 55230" = Saints Row: The Third

"Steam App 620" = Portal 2

"Steam App 630" = Alien Swarm

"Steam App 63380" = Sniper Elite V2

"Steam App 67370" = The Darkness II

"Steam App 6860" = Hitman: Blood Money

"Steam App 6980" = Thief: Deadly Shadows

"Steam App 70" = Half-Life

"Steam App 71260" = Space Channel 5: Part 2

"Steam App 71340" = Sonic Generations

"Steam App 7760" = X-COM: UFO Defense

"Steam App 8850" = BioShock 2

"Steam App 8980" = Borderlands

"Steam App 91310" = Dead Island

"Steam App 9480" = Saints Row 2

"Steam App 98800" = Dungeons of Dredmor

"TerraTec Grabby" = TerraTec Grabby V5.09.0813.00

"The KMPlayer" = The KMPlayer (remove only)

"VH Toolkit_is1" = VH Toolkit 1.0.44.0

"WinLiveSuite" = Windows Live Essentials

"X-Chat 2_is1" = X-Chat 2.8.6-2

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-26433898-1847276344-2995153160-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"UnityWebPlayer" = Unity Web Player

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 12/8/2012 3:25:48 AM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = The program audiorepeater.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 1700 Start Time: 01cdd50b5ace23ef Termination Time: 1 Application Path: C:\Program Files\Virtual Audio Cable\audiorepeater.exe Report Id: 7b83fa1c-4108-11e2-85df-1078d2f6ef53

Error - 12/8/2012 3:27:03 AM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = The program VHMultiCam.exe version 1.1.8.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 14d4 Start Time: 01cdd50b569859b7 Termination Time: 60000 Application Path: C:\Program Files (x86)\HmelyoffLabs\VHToolkit\VHMultiCam.exe Report Id: 7d45fc03-4108-11e2-85df-1078d2f6ef53

Error - 12/8/2012 5:53:08 AM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 9.0.0.4367 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: b68 Start Time: 01cdd48686c8af9c Termination Time: 47 Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Report Id: 105a651e-411d-11e2-85df-1078d2f6ef53

Error - 12/8/2012 5:54:36 AM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = The program wmplayer.exe version 12.0.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: c34 Start Time: 01cdd51c5fa2d0f6 Termination Time: 60000 Application Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe Report Id: 19d60dfa-411d-11e2-85df-1078d2f6ef53

Error - 12/8/2012 5:55:01 AM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 9.0.0.4367 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 288 Start Time: 01cdd529d45c4432 Termination Time: 14 Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Report Id: 53a750f4-411d-11e2-85df-1078d2f6ef53

Error - 12/8/2012 5:56:30 AM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.1.7601.17567 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 734 Start Time: 01cdd29486705e5e Termination Time: 60000 Application Path: C:\windows\Explorer.EXE Report Id: 55d73176-411d-11e2-85df-1078d2f6ef53

Error - 12/8/2012 6:00:31 AM | Computer Name = PC | Source = WinMgmt | ID = 10
Description =

Error - 12/8/2012 9:09:29 AM | Computer Name = PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files (x86)\SplitMediaLabs\XSplit\XSplitBroadcasterSrc.exe". Dependent Assembly Native.XSplitBroadcaster.exe,type="win32",version="1.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 12/8/2012 9:09:33 AM | Computer Name = PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\ATI\CIM\Bin64\SetACL64.exe". Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 12/9/2012 4:23:35 AM | Computer Name = PC | Source = Application Error | ID = 1000
Description = Faulting application name: audiorepeater.exe, version: 0.0.0.0, time stamp: 0x47b1cf98 Faulting module name: audiorepeater.exe, version: 0.0.0.0, time stamp: 0x47b1cf98 Exception code: 0xc0000094 Fault offset: 0x00003484 Faulting process id: 0x2538 Faulting application start time: 0x01cdd5c745394490 Faulting application path: C:\Program Files\Virtual Audio Cable\audiorepeater.exe Faulting module path: C:\Program Files\Virtual Audio Cable\audiorepeater.exe Report Id: b96a7fbd-41d9-11e2-90e9-1078d2f6ef53

Error - 12/11/2012 6:55:37 AM | Computer Name = PC | Source = Application Error | ID = 1000
Description = Faulting application name: audiorepeater.exe, version: 0.0.0.0, time stamp: 0x47b1cf98 Faulting module name: audiorepeater.exe, version: 0.0.0.0, time stamp: 0x47b1cf98 Exception code: 0xc0000094 Fault offset: 0x00003484 Faulting process id: 0x312c Faulting application start time: 0x01cdd7797ecf4f12 Faulting application path: C:\Program Files\Virtual Audio Cable\audiorepeater.exe Faulting module path: C:\Program Files\Virtual Audio Cable\audiorepeater.exe Report Id: 4adc7d06-4381-11e2-90e9-1078d2f6ef53

[ System Events ]

Error - 12/19/2012 4:39:49 PM | Computer Name = PC | Source = Service Control Manager | ID = 7003
Description = The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

Error - 12/19/2012 4:39:49 PM | Computer Name = PC | Source = Service Control Manager | ID = 7003
Description = The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

Error - 12/19/2012 8:51:25 PM | Computer Name = PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 7:50:27 PM on 12/19/2012 was unexpected.

Error - 12/19/2012 8:51:28 PM | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error: %%1060

Error - 12/19/2012 8:51:29 PM | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

Error - 12/19/2012 8:51:31 PM | Computer Name = PC | Source = Service Control Manager | ID = 7003
Description = The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

Error - 12/19/2012 8:51:32 PM | Computer Name = PC | Source = Service Control Manager | ID = 7003
Description = The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

Error - 12/20/2012 11:10:45 AM | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error: %%1060

Error - 12/20/2012 11:10:46 AM | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

Error - 12/20/2012 11:10:53 AM | Computer Name = PC | Source = Service Control Manager | ID = 7003
Description = The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

< End of report >

TDSSKiller.2.8.15.0_22.12.2012_10.27.25_log.txt


Looks like there are parts of ZeroAccess still on your system....

FRST

Download the 32 bit version of FRST for your system and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

----------

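As an added example (not FRST's own logic and not code from anyone in this thread): a small Python triage pass over the kind of FRST.txt lines the procedure above produces. The lines in SAMPLE_LOG are copied from the FRST log posted later in this thread; the heuristics (rundll32 loading a DLL from a user-profile path, autorun entries with no publisher, registered drivers whose file is missing, hidden+system folders named like an environment variable) are this example's own assumptions about what merits a second look, not a verdict.

```python
"""Triage heuristics for FRST.txt scan output.

Added example: the regexes below are written against the line formats seen
in the FRST log posted in this thread; they are not FRST's own rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the FRST log posted in this thread: one clean autorun,
# one unsigned autorun, one rundll32 autorun from a user profile, one
# registered driver whose file is missing, one hidden+system folder named
# like an environment variable, and one ordinary folder.
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11543656 2010-10-26] (Realtek Semiconductor)
HKLM\...\Run: [uMonit] C:\windows\SysWOW64\UMonit.exe [28672 2010-11-30] ()
HKU\Admin\...\Run: [Paint.NET] RUNDLL32.EXE C:\Users\Admin\AppData\Local\Paint.NET\dwmpqfqy.dll,RegisterEmitter [466944 2012-06-20] (Cyberlink)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
2012-12-14 11:25 - 2012-12-14 11:25 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-12-22 12:57 - 2012-12-22 12:57 - 00000000 ____D C:\FRST
"""


@dataclass
class Finding:
    severity: str  # "high" = review first, "low" = worth a look
    reason: str
    line: str


# Registry autorun: "HKLM\...\Run: [name] command [size date] (publisher)"
AUTORUN_RE = re.compile(
    r"^(?:HKLM|HKU)\S*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?) "
    r"\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<pub>[^)]*)\)$"
)
# Driver whose file FRST could not find: "3 name; path [x]"
MISSING_DRIVER_RE = re.compile(r"^\d+ (?P<name>[^;]+); (?P<path>.*?) \[x\]$")
# File/folder entry: "created - modified - size attrs (publisher) path"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ "
    r"(?P<attr>[_A-Z]{5}) (?:\([^)]*\) )?(?P<path>.+)$"
)
USER_PROFILE_RE = re.compile(r"\\users\\", re.IGNORECASE)


def triage_line(line: str) -> list[Finding]:
    """Return the findings (possibly none) for a single FRST.txt line."""
    line = line.rstrip()
    out: list[Finding] = []

    m = AUTORUN_RE.match(line)
    if m:
        cmd, pub = m["cmd"], m["pub"].strip()
        if cmd.lower().startswith("rundll32") and USER_PROFILE_RE.search(cmd):
            out.append(Finding("high", "rundll32 autorun loads a DLL from a user-profile path", line))
        if not pub:
            out.append(Finding("low", "autorun binary carries no publisher/version information", line))
        return out

    m = MISSING_DRIVER_RE.match(line)
    if m:
        out.append(Finding("low", f"driver '{m['name']}' is registered but its file is missing", line))
        return out

    m = FILE_RE.match(line)
    if m:
        attr, path = m["attr"], m["path"]
        basename = path.rsplit("\\", 1)[-1]
        # Hidden + System + Directory, named like a %VARIABLE% that was never expanded.
        if all(flag in attr for flag in "SHD") and "%" in basename:
            out.append(Finding("high", "hidden+system folder named like an environment variable", line))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of an FRST.txt log, in order."""
    return [f for ln in log_text.splitlines() for f in triage_line(ln)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```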

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-12-2012

Ran by SYSTEM at 22-12-2012 12:57:21

Running from F:\

Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11543656 2010-10-26] (Realtek Semiconductor)

HKLM\...\Run: [uMonit] C:\windows\SysWOW64\UMonit.exe [28672 2010-11-30] ()

HKLM\...\Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-05-07] (Lenovo)

HKLM-x32\...\Run: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe [114688 2009-07-16] (JME)

HKLM-x32\...\Run: [ModeSwitch] "C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe" /AutoRun [163840 2010-09-26] (Lenovo)

HKLM-x32\...\Run: [Lenovo Dynamic Brightness System] C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe 1 [285696 2010-10-08] (Lenovo)

HKLM-x32\...\Run: [Lenovo Eye Distance System] C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe 1 [265216 2010-09-09] (Lenovo)

HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe" [103720 2009-12-04] (CyberLink)

HKLM-x32\...\Run: [updateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [updatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)

HKLM-x32\...\Run: [setDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe [102400 2009-12-30] (Lenovo)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-11-09] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKU\Admin\...\Run: [Paint.NET] RUNDLL32.EXE C:\Users\Admin\AppData\Local\Paint.NET\dwmpqfqy.dll,RegisterEmitter [466944 2012-06-20] (Cyberlink)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

==================== Services (Whitelisted) ===================

2 CEEBC40A-FDED-4C59-B354-939132350B01; C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [96752 2010-08-29] ()

2 LenovoCOMSvc; "C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe" [49152 2009-09-30] (Lenovo)

3 LitModeCtrl; "C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe" [81920 2010-09-09] (Lenovo)

==================== Drivers (Whitelisted) =====================

3 GeneStor; C:\Windows\System32\Drivers\GeneStor.sys [57856 2010-12-16] (GenesysLogic)

0 WinI2C-DDC; C:\Windows\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)

3 catchme; \??\C:\ComboFix\catchme.sys [x]

3 EagleX64; \??\C:\windows\system32\drivers\EagleX64.sys [x]

3 GPU-Z; \??\C:\Users\Admin\AppData\Local\Temp\GPU-Z.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-22 12:57 - 2012-12-22 12:57 - 00000000 ____D C:\FRST

2012-12-22 09:46 - 2012-12-22 09:46 - 00907996 ____A (Farbar) C:\Users\Admin\Downloads\FRST.exe

2012-12-22 07:38 - 2012-12-22 07:38 - 00068722 ____A C:\Users\Admin\Desktop\Extras.Txt

2012-12-22 07:37 - 2012-12-22 07:37 - 00065360 ____A C:\Users\Admin\Desktop\OTL.Txt

2012-12-22 07:29 - 2012-12-22 07:29 - 00602112 ____A (OldTimer Tools) C:\Users\Admin\Desktop\OTL.exe

2012-12-22 07:27 - 2012-12-22 07:27 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Admin\Desktop\tdsskiller.exe

2012-12-22 06:43 - 2012-12-22 06:43 - 00001776 ____A C:\AdwCleaner[s1].txt

2012-12-22 06:34 - 2012-12-22 06:34 - 00001596 ____A C:\Users\Admin\Desktop\AdwCleaner[R1].txt

2012-12-22 06:32 - 2012-12-22 06:32 - 00547175 ____A C:\Users\Admin\Desktop\AdwCleaner.exe

2012-12-22 06:32 - 2012-12-22 06:32 - 00001596 ____A C:\AdwCleaner[R1].txt

2012-12-21 13:48 - 2012-12-22 07:40 - 00000000 ____D C:\Users\Admin\Downloads\Placeholder Folder

2012-12-21 12:30 - 2012-12-21 12:30 - 00012464 ____A C:\ComboFix.txt

2012-12-21 11:02 - 2012-12-21 11:02 - 00001441 ____A C:\Users\Admin\Desktop\ESETscan.txt

2012-12-21 09:02 - 2012-12-21 09:02 - 00000000 ____D C:\Program Files (x86)\ESET

2012-12-21 09:01 - 2012-12-21 09:01 - 02322184 ____A (ESET) C:\Users\Admin\Downloads\esetsmartinstaller_enu.exe

2012-12-21 08:50 - 2012-12-21 08:50 - 00859072 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll

2012-12-21 08:50 - 2012-12-21 08:50 - 00260528 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2012-12-21 08:50 - 2012-12-21 08:50 - 00174000 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2012-12-21 08:50 - 2012-12-21 08:50 - 00173992 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2012-12-21 08:50 - 2012-12-21 08:50 - 00095184 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2012-12-21 08:50 - 2012-12-21 08:50 - 00000000 ____D C:\Program Files (x86)\Java

2012-12-20 11:04 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe

2012-12-20 11:04 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe

2012-12-20 11:04 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe

2012-12-20 11:04 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe

2012-12-20 11:04 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe

2012-12-20 11:04 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe

2012-12-20 11:04 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe

2012-12-20 11:04 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe

2012-12-20 11:01 - 2012-12-21 12:30 - 00000000 ____D C:\Qoobox

2012-12-20 11:01 - 2012-12-20 11:14 - 00000000 ____D C:\Windows\erdnt

2012-12-20 11:00 - 2012-12-20 11:00 - 05012825 ____R (Swearware) C:\Users\Admin\Desktop\ComboFix.exe

2012-12-20 10:32 - 2012-12-20 10:32 - 00002217 ____A C:\Users\Admin\Desktop\aswMBR.txt

2012-12-20 10:32 - 2012-12-20 10:32 - 00000512 ____A C:\Users\Admin\Desktop\MBR.dat

2012-12-20 10:21 - 2012-12-20 10:21 - 04732416 ____A (AVAST Software) C:\Users\Admin\Desktop\aswMBR.exe

2012-12-20 10:20 - 2012-12-20 10:20 - 00012130 ____A C:\Users\Admin\Desktop\dds.txt

2012-12-20 10:20 - 2012-12-20 10:20 - 00008542 ____A C:\Users\Admin\Desktop\attach.txt

2012-12-20 10:17 - 2012-12-20 10:17 - 00688992 ____R (Swearware) C:\Users\Admin\Desktop\dds.com

2012-12-19 12:39 - 2012-12-19 12:39 - 00277232 ____A C:\Windows\Minidump\121912-24180-01.dmp

2012-12-19 07:10 - 2012-12-19 07:10 - 00000000 ____D C:\Windows\SysWOW64\AGEIA

2012-12-19 07:10 - 2012-12-19 07:10 - 00000000 ____D C:\Program Files (x86)\AGEIA Technologies

2012-12-19 07:09 - 2012-12-19 07:10 - 41161496 ____A (NVIDIA Corporation) C:\Users\Admin\Downloads\PhysX_9.09.0203_SystemSoftware.exe

2012-12-19 06:35 - 2012-12-20 08:56 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Fatyy

2012-12-19 06:35 - 2012-12-19 06:35 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Gore

2012-12-14 11:25 - 2012-12-14 11:25 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-12-04 19:09 - 2012-12-04 19:09 - 00000000 ____D C:\Program Files (x86)\SplitMediaLabs

2012-12-04 18:26 - 2012-12-04 18:26 - 00000000 ____D C:\Users\Admin\AppData\Roaming\OBS

2012-12-04 18:26 - 2012-12-04 18:26 - 00000000 ____D C:\Program Files (x86)\OBS

2012-12-04 18:25 - 2012-12-04 18:25 - 03659836 ____A ( ) C:\Users\Admin\Downloads\OBS_0448a_Installer.exe

2012-12-04 17:13 - 2012-12-04 17:13 - 00000000 ____D C:\Users\Admin\AppData\Local\SplitMediaLabs

2012-12-04 17:12 - 2012-12-04 17:12 - 00000000 ____D C:\Users\All Users\SplitMediaLabs

2012-12-04 17:11 - 2012-12-04 17:11 - 09226440 ____A (Adobe Systems Incorporated) C:\Users\Admin\Downloads\ash_player_current_active_x.exe

2012-12-04 17:11 - 2012-12-04 17:11 - 00000000 ____D C:\Users\Admin\AppData\Roaming\SplitMediaLabs

2012-12-04 17:10 - 2012-12-04 17:11 - 37354472 ____A (SplitMediaLabs) C:\Users\Admin\Downloads\xsplit_installer_v1.1.1210.3101.exe

2012-11-25 09:39 - 2012-11-26 11:11 - 00000000 ____D C:\Users\Admin\Documents\Overlord

2012-11-24 04:04 - 2012-11-24 04:04 - 00000000 ____D C:\Program Files\7-Zip

2012-11-24 04:03 - 2012-11-24 04:03 - 01376768 ____A C:\Users\Admin\Downloads\7z920-x64.msi

2012-11-23 06:27 - 2012-11-23 06:28 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Amazon

2012-11-23 06:27 - 2012-11-23 06:27 - 00000000 ____D C:\Users\Admin\Documents\Amazon MP3

2012-11-23 06:26 - 2012-11-23 06:26 - 02964128 ____A C:\Users\Admin\Downloads\AmazonMP3DownloaderInstall.exe

2012-11-23 06:26 - 2012-11-23 06:26 - 00000000 ____D C:\Program Files (x86)\Amazon

==================== One Month Modified Files and Folders =======

2012-12-22 09:54 - 2011-05-07 16:10 - 00263011 ____A C:\Windows\System32\fastboot.set

2012-12-22 09:54 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-12-22 09:54 - 2009-07-13 20:51 - 00071795 ____A C:\Windows\setupact.log

2012-12-22 09:48 - 2012-01-02 12:38 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Skype

2012-12-22 09:48 - 2011-05-07 15:54 - 01796543 ____A C:\Windows\WindowsUpdate.log

2012-12-22 09:47 - 2009-07-13 21:13 - 00779092 ____A C:\Windows\System32\PerfStringBackup.INI

2012-12-22 09:46 - 2012-12-22 09:46 - 00907996 ____A (Farbar) C:\Users\Admin\Downloads\FRST.exe

2012-12-22 09:04 - 2011-12-21 23:12 - 00000000 ____D C:\Program Files (x86)\Steam

2012-12-22 08:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2012-12-22 07:40 - 2012-12-21 13:48 - 00000000 ____D C:\Users\Admin\Downloads\Placeholder Folder

2012-12-22 07:38 - 2012-12-22 07:38 - 00068722 ____A C:\Users\Admin\Desktop\Extras.Txt

2012-12-22 07:37 - 2012-12-22 07:37 - 00065360 ____A C:\Users\Admin\Desktop\OTL.Txt

2012-12-22 07:33 - 2009-07-13 20:45 - 00020688 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-12-22 07:33 - 2009-07-13 20:45 - 00020688 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-12-22 07:29 - 2012-12-22 07:29 - 00602112 ____A (OldTimer Tools) C:\Users\Admin\Desktop\OTL.exe

2012-12-22 07:27 - 2012-12-22 07:27 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\Admin\Desktop\tdsskiller.exe

2012-12-22 06:43 - 2012-12-22 06:43 - 00001776 ____A C:\AdwCleaner[s1].txt

2012-12-22 06:34 - 2012-12-22 06:34 - 00001596 ____A C:\Users\Admin\Desktop\AdwCleaner[R1].txt

2012-12-22 06:32 - 2012-12-22 06:32 - 00547175 ____A C:\Users\Admin\Desktop\AdwCleaner.exe

2012-12-22 06:32 - 2012-12-22 06:32 - 00001596 ____A C:\AdwCleaner[R1].txt

2012-12-22 06:19 - 2010-11-20 19:47 - 00017694 ____A C:\Windows\PFRO.log

2012-12-21 12:30 - 2012-12-21 12:30 - 00012464 ____A C:\ComboFix.txt

2012-12-21 12:30 - 2012-12-20 11:01 - 00000000 ____D C:\Qoobox

2012-12-21 12:29 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini

2012-12-21 11:02 - 2012-12-21 11:02 - 00001441 ____A C:\Users\Admin\Desktop\ESETscan.txt

2012-12-21 09:02 - 2012-12-21 09:02 - 00000000 ____D C:\Program Files (x86)\ESET

2012-12-21 09:01 - 2012-12-21 09:01 - 02322184 ____A (ESET) C:\Users\Admin\Downloads\esetsmartinstaller_enu.exe

2012-12-21 08:50 - 2012-12-21 08:50 - 00859072 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll

2012-12-21 08:50 - 2012-12-21 08:50 - 00260528 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2012-12-21 08:50 - 2012-12-21 08:50 - 00174000 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2012-12-21 08:50 - 2012-12-21 08:50 - 00173992 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2012-12-21 08:50 - 2012-12-21 08:50 - 00095184 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2012-12-21 08:50 - 2012-12-21 08:50 - 00000000 ____D C:\Program Files (x86)\Java

2012-12-21 08:50 - 2011-12-22 00:19 - 00779704 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll

2012-12-21 08:49 - 2012-02-22 22:03 - 00896016 ____A (Oracle Corporation) C:\Users\Admin\Downloads\jxpiinstall.exe

2012-12-21 08:49 - 2011-05-07 16:04 - 00000000 ____D C:\Users\All Users\McAfee

2012-12-20 11:15 - 2009-07-13 19:20 - 00000000 __AHD C:\users\Default

2012-12-20 11:14 - 2012-12-20 11:01 - 00000000 ____D C:\Windows\erdnt

2012-12-20 11:01 - 2009-07-13 21:08 - 00017944 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-12-20 11:00 - 2012-12-20 11:00 - 05012825 ____R (Swearware) C:\Users\Admin\Desktop\ComboFix.exe

2012-12-20 10:32 - 2012-12-20 10:32 - 00002217 ____A C:\Users\Admin\Desktop\aswMBR.txt

2012-12-20 10:32 - 2012-12-20 10:32 - 00000512 ____A C:\Users\Admin\Desktop\MBR.dat

2012-12-20 10:21 - 2012-12-20 10:21 - 04732416 ____A (AVAST Software) C:\Users\Admin\Desktop\aswMBR.exe

2012-12-20 10:20 - 2012-12-20 10:20 - 00012130 ____A C:\Users\Admin\Desktop\dds.txt

2012-12-20 10:20 - 2012-12-20 10:20 - 00008542 ____A C:\Users\Admin\Desktop\attach.txt

2012-12-20 10:17 - 2012-12-20 10:17 - 00688992 ____R (Swearware) C:\Users\Admin\Desktop\dds.com

2012-12-20 08:56 - 2012-12-19 06:35 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Fatyy

2012-12-19 12:39 - 2012-12-19 12:39 - 00277232 ____A C:\Windows\Minidump\121912-24180-01.dmp

2012-12-19 12:39 - 2012-03-14 15:03 - 1019272240 ____A C:\Windows\MEMORY.DMP

2012-12-19 12:39 - 2012-03-14 15:03 - 00000000 ____D C:\Windows\Minidump

2012-12-19 12:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\LiveKernelReports

2012-12-19 07:10 - 2012-12-19 07:10 - 00000000 ____D C:\Windows\SysWOW64\AGEIA

2012-12-19 07:10 - 2012-12-19 07:10 - 00000000 ____D C:\Program Files (x86)\AGEIA Technologies

2012-12-19 07:10 - 2012-12-19 07:09 - 41161496 ____A (NVIDIA Corporation) C:\Users\Admin\Downloads\PhysX_9.09.0203_SystemSoftware.exe

2012-12-19 06:35 - 2012-12-19 06:35 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Gore

2012-12-19 06:35 - 2011-12-21 22:58 - 00000000 ____D C:\users\Admin

2012-12-18 15:38 - 2011-12-30 12:23 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Audacity

2012-12-18 05:59 - 2012-01-23 22:34 - 00000000 ____D C:\Users\Admin\AppData\Local\Paint.NET

2012-12-14 11:25 - 2012-12-14 11:25 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-12-13 01:59 - 2011-12-22 01:23 - 00000000 ____D C:\Users\Admin\Documents\My Games

2012-12-13 01:58 - 2011-05-07 16:07 - 00400674 ____A C:\Windows\DirectX.log

2012-12-12 00:36 - 2011-12-22 14:02 - 00772990 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-12-12 00:35 - 2012-01-27 18:36 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Dwarfs

2012-12-10 21:02 - 2011-12-22 01:16 - 00000000 ____D C:\Program Files (x86)\The KMPlayer

2012-12-06 23:47 - 2012-02-15 10:06 - 00000000 ____D C:\Users\Admin\AppData\Local\Procaster

2012-12-04 19:09 - 2012-12-04 19:09 - 00000000 ____D C:\Program Files (x86)\SplitMediaLabs

2012-12-04 19:09 - 2012-03-29 14:51 - 00000000 ____D C:\Program Files (x86)\HmelyoffLabs

2012-12-04 18:26 - 2012-12-04 18:26 - 00000000 ____D C:\Users\Admin\AppData\Roaming\OBS

2012-12-04 18:26 - 2012-12-04 18:26 - 00000000 ____D C:\Program Files (x86)\OBS

2012-12-04 18:26 - 2011-12-22 00:45 - 00000000 ____D C:\Windows\SysWOW64\directx

2012-12-04 18:25 - 2012-12-04 18:25 - 03659836 ____A ( ) C:\Users\Admin\Downloads\OBS_0448a_Installer.exe

2012-12-04 17:13 - 2012-12-04 17:13 - 00000000 ____D C:\Users\Admin\AppData\Local\SplitMediaLabs

2012-12-04 17:12 - 2012-12-04 17:12 - 00000000 ____D C:\Users\All Users\SplitMediaLabs

2012-12-04 17:12 - 2012-08-25 17:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-12-04 17:12 - 2011-12-21 23:32 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-12-04 17:11 - 2012-12-04 17:11 - 09226440 ____A (Adobe Systems Incorporated) C:\Users\Admin\Downloads\ash_player_current_active_x.exe

2012-12-04 17:11 - 2012-12-04 17:11 - 00000000 ____D C:\Users\Admin\AppData\Roaming\SplitMediaLabs

2012-12-04 17:11 - 2012-12-04 17:10 - 37354472 ____A (SplitMediaLabs) C:\Users\Admin\Downloads\xsplit_installer_v1.1.1210.3101.exe

2012-11-30 11:04 - 2011-02-15 02:41 - 00000000 ___RD C:\Users\Public\Recorded TV

2012-11-26 11:11 - 2012-11-25 09:39 - 00000000 ____D C:\Users\Admin\Documents\Overlord

2012-11-24 10:41 - 2012-11-20 03:42 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Natural Selection 2

2012-11-24 04:46 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

2012-11-24 04:04 - 2012-11-24 04:04 - 00000000 ____D C:\Program Files\7-Zip

2012-11-24 04:03 - 2012-11-24 04:03 - 01376768 ____A C:\Users\Admin\Downloads\7z920-x64.msi

2012-11-23 06:28 - 2012-11-23 06:27 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Amazon

2012-11-23 06:27 - 2012-11-23 06:27 - 00000000 ____D C:\Users\Admin\Documents\Amazon MP3

2012-11-23 06:26 - 2012-11-23 06:26 - 02964128 ____A C:\Users\Admin\Downloads\AmazonMP3DownloaderInstall.exe

2012-11-23 06:26 - 2012-11-23 06:26 - 00000000 ____D C:\Program Files (x86)\Amazon

ZeroAccess:

C:\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}

C:\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}\L

C:\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}\U

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-19 07:08:50

Restore point made on: 2012-12-19 07:10:18

Restore point made on: 2012-12-20 15:14:29

Restore point made on: 2012-12-20 15:15:04

Restore point made on: 2012-12-21 08:50:12

Restore point made on: 2012-12-22 07:24:33

==================== Memory info ===========================

Percentage of memory in use: 9%

Total physical RAM: 8174.44 MB

Available physical RAM: 7360.59 MB

Total Pagefile: 8172.64 MB

Available Pagefile: 7353.31 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:1372.09 GB) (Free:691.35 GB) NTFS

2 Drive e: (GrabsterSeries J1) (CDROM) (Total:0.99 GB) (Free:0 GB) UDF

3 Drive f: () (Removable) (Total:29.8 GB) (Free:29.8 GB) FAT32

8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

9 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 1397 GB 0 B

Disk 1 Online 29 GB 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 1372 GB 101 MB

Partition 3 OEM 25 GB 1372 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 1372 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 12

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 8 LENOVO_PART NTFS Partition 25 GB Healthy Hidden

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 29 GB 16 KB

==================================================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F FAT32 Removable 29 GB Healthy

=========================================================

Last Boot: 2012-12-15 01:33

==================== End Of Log =============================


Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt


C:\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}
C:\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}\L
C:\Windows\Installer\{32b59420-b0fa-5594-1094-936bfdece123}\U

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST/FRST64 and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

----------

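As an added, defender-side example (not code from this thread, from its helper, or from FRST's authors): a small Python parser that reads FRST-style log lines, collects the paths FRST lists under its "ZeroAccess:" heading, applies two heuristics drawn from the artefacts in this log (Installer\{GUID} folders with L/U subfolders, and a hidden+system folder literally named after an environment variable), and emits the deduplicated path list in the one-path-per-line form the fixlist above uses. The sample log excerpt is constructed, and the heuristics and function names are my own assumptions.

```python
import re

# Constructed FRST-style log excerpt for this example (not the thread's full log).
SAMPLE_LOG = """\
2012-12-14 11:25 - 2012-12-14 11:25 - 00000000 __SHD C:\\Windows\\SysWOW64\\%APPDATA%
2012-12-04 18:25 - 2012-12-04 18:25 - 03659836 ____A ( ) C:\\Users\\Admin\\Downloads\\OBS_0448a_Installer.exe
ZeroAccess:
C:\\Windows\\Installer\\{32b59420-b0fa-5594-1094-936bfdece123}
C:\\Windows\\Installer\\{32b59420-b0fa-5594-1094-936bfdece123}\\L
C:\\Windows\\Installer\\{32b59420-b0fa-5594-1094-936bfdece123}\\U
==================== Known DLLs (Whitelisted) =================
"""

# Dated entry: "<modified> - <created> - <size> <attrs> [(<company>)] <path>"
ENTRY_RE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")
SECTION_RE = re.compile(r"^=+( .* )?=+$")  # "==== Heading ====" or a bare rule of '='

def parse_entries(log):
    """Dated file/folder lines as dicts; anything else is skipped."""
    return [m.groupdict() for m in map(ENTRY_RE.match, log.splitlines()) if m]

def zeroaccess_paths(log):
    """Paths FRST itself lists under its 'ZeroAccess:' heading."""
    paths, inside = [], False
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if line == "ZeroAccess:":
            inside = True
        elif inside and SECTION_RE.match(line):
            break  # the next section header ends the block
        elif inside:
            paths.append(line)
    return paths

def suspicious_entries(entries):
    """My own heuristics for the ZeroAccess-style artefacts seen in this log:
    Installer\\{GUID}[\\L|\\U], and a hidden+system folder named like %APPDATA%."""
    flagged = []
    for e in entries:
        p, a = e["path"], e["attrs"]
        if re.search(r"\\Installer\\\{[0-9a-f-]{36}\}(\\[LU])?$", p, re.I):
            flagged.append(p)
        elif all(c in a for c in "DHS") and re.search(r"\\%[A-Z]+%$", p):
            flagged.append(p)
    return flagged

def build_fixlist(log):
    """Ordered, deduplicated paths in the one-path-per-line form fixlist.txt uses."""
    return list(dict.fromkeys(zeroaccess_paths(log) + suspicious_entries(parse_entries(log))))
```

The output is a candidate list for a helper to review, not something to feed to FRST unread; a folder named after an environment variable is only a heuristic.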

This topic is now closed to further replies.