Trogan.gen.2 infected - logs attached

jeffce · January 17, 2013

Symentec EPP popped up again and already shows more then 300 notification

Are you able to get a log of this so that I can see the actual file paths showing where this thing is?

Ed_Infected · January 17, 2013

The log file is in CSV - however this forum does not allows me to uplaod that format. I have made a pdf of partial log (the complete one would be 214 pages long) attached is the pdf log file - from the log file, I can see as follows 3 locations:

Trojan.Gen.2

C:\Users\Me\AppData\Local\Temp\

C:\Users\Me\AppData\Local\Temp\Rar$EXa0.004\Patch\

C:\Users\POLARIS\AppData\Local\Temp\

File

Tracking Cookies

Cookie:me@zedo.com/

Trackware

However, there must be something (process/program) that is generating these files - as I have deleted the files in Temp multiple times but the problem stays.

sepplog.pdf

jeffce · January 17, 2013

Let's go about this a different way.....it looks like the files are in different locations.

Please download the following programmes to your desktop:

Dr Web Live CD

ImgBurn

Install IMGBurn

Double click Dr Web
IMGBurn will open
Burn the ISO to a cd

Reboot the infected computer with the CD in the drive
Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
Use arrow keys to select DrWeb-LiveCD (Default)
When the system is loaded, check the disks or folders you want to scan, and click on “Start”.
The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
Once completed reboot to normal windows
No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist

Ed_Infected · January 20, 2013

Hi Jeff,

Am having problem burning a CD of Dr Live Web - 3 already failed - will try again later today/tomorrow and update. (This computer does not allow for option to boot from USB so cannot create a bootable USB either).

Ed

Ed_Infected · January 20, 2013

Problem - my computer's CD seems to b having problem reading/writing any disc. Though I had burnt a disc using my friends computer, this one will not read the same (or any disc) - so I am stuck.

The BIOS also does not allow boot from USB - so cannot go that route either.

So bottom line - any scan option that would work without booting from an alternate device? I know this is too much to ask but just in case you know of a different route we can take.

(CD replacement in near term is not an option as this is all in one PC - and I will have to work on finding how to get this replaced/fixed by HP).

Ed

jeffce · January 20, 2013

Let's try a different route...

Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.
Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
Scan your system for malware
If malware is found, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.

If no malware is found please let me know.

----------

Ed_Infected · January 21, 2013

Hello Jeff,

Thanks for suggesting an alternative - I did scan with MBAR - however it found no problems. (However, I do know there is a problem as the SEP active scan keeps coming up with over 1000s of msg - almost every 20-30 sec once it detects the first instance).

Below is the log:

Malwarebytes Anti-Rootkit BETA 1.01.0.1016

www.malwarebytes.org

Database version: v2013.01.21.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Me :: C12754 [administrator]

21-01-2013 09:09:15

mbar-log-2013-01-21 (09-09-15).txt

Scan type: Quick scan

Scan options disabled:

Objects scanned: 31898

Time elapsed: 9 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

jeffce · January 21, 2013

Download CKScanner by askey127 from Here & save it to your Desktop.

Right-click and Run as Administrator CKScanner.exe then click Search For Files
When the cursor hourglass disappears, click Save List To File
A message box will verify the file saved
Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

----------

Ed_Infected · January 21, 2013

here is the log from CKScanner

CKScanner 2.1 - Additional Security Risks - These are not necessarily bad

c:\jboss-4.2.3.ga\server\all\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\hilo\hilokeygenerator.class

c:\jboss-4.2.3.ga\server\all\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\hilo\hilokeygeneratorfactory.class

c:\jboss-4.2.3.ga\server\all\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\hilo\hilokeygeneratorfactorymbean.class

c:\jboss-4.2.3.ga\server\all\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\uuid\uuidkeygenerator.class

c:\jboss-4.2.3.ga\server\all\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\uuid\uuidkeygeneratorfactory.class

c:\jboss-4.2.3.ga\server\all\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\uuid\uuidkeygeneratorfactoryservice.class

c:\jboss-4.2.3.ga\server\all\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\uuid\uuidkeygeneratorfactoryservicembean.class

c:\jboss-4.2.3.ga\server\default\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\hilo\hilokeygenerator.class

c:\jboss-4.2.3.ga\server\default\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\hilo\hilokeygeneratorfactory.class

c:\jboss-4.2.3.ga\server\default\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\hilo\hilokeygeneratorfactorymbean.class

c:\jboss-4.2.3.ga\server\default\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\uuid\uuidkeygenerator.class

c:\jboss-4.2.3.ga\server\default\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\uuid\uuidkeygeneratorfactory.class

c:\jboss-4.2.3.ga\server\default\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\uuid\uuidkeygeneratorfactoryservice.class

c:\jboss-4.2.3.ga\server\default\deploy\uuid-key-generator.sar\org\jboss\ejb\plugins\keygenerator\uuid\uuidkeygeneratorfactoryservicembean.class

c:\program files (x86)\hp games\blasterball 3\data\art\bitmaps\enemies\boss2_crack.jpg.wkz

c:\users\me\documents\temp\adblock_pro_v3.6\crack\abpmain.exe

scanner sequence 3.HH.11.QVAPHW

----- EOF -----

Ed_Infected · January 21, 2013

BTW. I checked the installed programs - and do not see any adblock or such installed on the machine - do I just delete this directory?

HP Games - don't play these - so not sure what that is. Ditto for jboss stuff - looks like something to do with Java (which I had removed & reinstalled as you had asked).

Will wait for you to advise on next stuff before doing anything.

SEP continues to show Trojan.Gen.2 - 100s of instances.

jeffce · January 21, 2013

Hi,

Tricky one we have here.

Delete the directories:

c:\users\me\documents\temp\adblock_pro_v3.6 <--------------

c:\jboss-4.2.3.ga <------------

Run a new scan with OTL and post the new log

Ed_Infected · January 22, 2013

Deleted both directories, below is OTL scan.

OTL logfile created on: 1/22/2013 8:42:46 AM - Run 4

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Me\Desktop

64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: India | Language: ENN | Date Format: dd-MM-yyyy

3.87 Gb Total Physical Memory | 2.28 Gb Available Physical Memory | 58.89% Memory free

7.73 Gb Paging File | 5.93 Gb Available in Paging File | 76.65% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 685.21 Gb Total Space | 562.35 Gb Free Space | 82.07% Space Free | Partition Type: NTFS

Computer Name: C12754 | User Name: Me | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Me\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)

PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)

PRC - C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe (Siber Systems)

PRC - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

PRC - C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

PRC - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)

PRC - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe (Symantec Corporation)

PRC - c:\Program Files (x86)\Hewlett-Packard\Media\Live TV\Kernel\TV\TVCapSvc.exe ()

PRC - C:\Program Files (x86)\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE (Hewlett-Packard)

PRC - C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe (Hewlett-Packard)

PRC - C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe (Hewlett-Packard)

PRC - C:\Program Files (x86)\Hewlett-Packard\Buttons & OSDs control application gen3\JAN2OSD.exe (Hewlett-Packard)

PRC - C:\Program Files (x86)\Hewlett-Packard\Buttons & OSDs control application gen3\FastUserSwitching.exe (Hewlett-Packard)

PRC - C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe (Hewlett-Packard)

PRC - C:\Program Files (x86)\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe ()

PRC - C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)

========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\64c0903165647666cf22d311aa4c49d2\System.ServiceModel.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\5ad51f54de5df73f09eb6be16f3ca4ff\System.Runtime.Serialization.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\613a3a6fa3ca5b7367ccf690c0f07253\System.IdentityModel.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\d3b721c20d789414b8b5c19fc27ae959\SMDiagnostics.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\6c262bb6aa4919d9d73b6b3b00159c86\System.Web.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\cf5c82e8bc18ea55b1ce6a8ba0a5e843\ReachFramework.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\4a12f6f34f05a3e27f5ea4a72625e5f8\System.Windows.Forms.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\287e0f73a2bb79d6ba7f6141d6914bab\System.Drawing.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\802842f94f331623b759edc5bdff47d4\PresentationCore.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\5937ee228d11266a0a60cffeac95fd07\WindowsBase.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\1a8cdc51e5752c5ef72b8677017df8c9\System.Xml.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\f1d29cd3d9de9febda2ea12ab2796666\System.Configuration.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\98b49167a3373cf333d4c89ac47dcefb\System.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\2866646f2e764e809451219352b63ef0\mscorlib.ni.dll ()

MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll ()

MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll ()

MOD - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF ()

MOD - C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll ()

MOD - C:\Program Files (x86)\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe ()

========== Services (SafeList) ==========

SRV:64bit: - (AERTFilters) -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe (Andrea Electronics Corporation)

SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV:64bit: - (btwdins) -- c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe (Broadcom Corporation.)

SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)

SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)

SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)

SRV - (HP Support Assistant Service) -- C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe (Hewlett-Packard Company)

SRV - (ccSetMgr) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

SRV - (ccEvtMgr) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

SRV - (SNAC) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE (Symantec Corporation)

SRV - (SmcService) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)

SRV - (Symantec AntiVirus) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)

SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)

SRV - (TVCapSvc) -- c:\Program Files (x86)\Hewlett-Packard\Media\Live TV\Kernel\TV\TVCapSvc.exe ()

SRV - (LiveUpdate) -- C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)

SRV - (CalendarSynchService) -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe (Hewlett-Packard)

SRV - (GameConsoleService) -- C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe (WildTangent, Inc.)

SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)

DRV:64bit: - (WpsHelper) -- C:\Windows\SysNative\drivers\wpshelper.sys (Symantec Corporation)

DRV:64bit: - (truecrypt) -- C:\Windows\SysNative\drivers\truecrypt.sys (TrueCrypt Foundation)

DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\drivers\usbaapl64.sys (Apple, Inc.)

DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)

DRV:64bit: - (SymEvent) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS (Symantec Corporation)

DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)

DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)

DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)

DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)

DRV:64bit: - (WPS) -- C:\Windows\SysNative\drivers\WPSDRVnt.sys (Symantec Corporation)

DRV:64bit: - (SRTSPL) -- C:\Windows\SysNative\drivers\srtspl64.sys (Symantec Corporation)

DRV:64bit: - (SRTSP) -- C:\Windows\SysNative\drivers\srtsp64.sys (Symantec Corporation)

DRV:64bit: - (SRTSPX) -- C:\Windows\SysNative\drivers\srtspx64.sys (Symantec Corporation)

DRV:64bit: - (Teefer2) -- C:\Windows\SysNative\drivers\Teefer2.sys (Symantec Corporation)

DRV:64bit: - (AVerAVF2) -- C:\Windows\SysNative\drivers\AVerAVF2.sys (AVerMedia TECHNOLOGIES, Inc.)

DRV:64bit: - (PCDSRVC{F36B3A4C-F95654BD-06000000}_0) -- c:\Program Files\PC-Doctor for Windows\pcdsrvc_x64.pkms (PC-Doctor, Inc.)

DRV:64bit: - (netr28x) -- C:\Windows\SysNative\drivers\netr28x.sys (Ralink Technology, Corp.)

DRV:64bit: - (FintekCIR) -- C:\Windows\SysNative\drivers\FintekCIR.sys (Fintek)

DRV:64bit: - (HECIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)

DRV:64bit: - (hidkmdf) -- C:\Windows\SysNative\drivers\hidkmdf.sys (Windows ® Win 7 DDK provider)

DRV:64bit: - (NW1950) -- C:\Windows\SysNative\drivers\NW1950.sys ()

DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek )

DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)

DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)

DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)

DRV:64bit: - (WSDPrintDevice) -- C:\Windows\SysNative\drivers\WSDPrint.sys (Microsoft Corporation)

DRV:64bit: - (btwaudio) -- C:\Windows\SysNative\drivers\btwaudio.sys (Broadcom Corporation.)

DRV:64bit: - (btwavdt) -- C:\Windows\SysNative\drivers\btwavdt.sys (Broadcom Corporation.)

DRV:64bit: - (btwrchid) -- C:\Windows\SysNative\drivers\btwrchid.sys (Broadcom Corporation.)

DRV:64bit: - (ACPIService) -- C:\Windows\SysNative\drivers\OSDACPI.SYS ()

DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)

DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)

DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)

DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)

DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)

DRV:64bit: - (btwl2cap) -- C:\Windows\SysNative\drivers\btwl2cap.sys (Broadcom Corporation.)

DRV - (NAVEX15) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20130120.018\ex64.sys (Symantec Corporation)

DRV - (NAVENG) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20130120.018\eng64.sys (Symantec Corporation)

DRV - (eeCtrl) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys (Symantec Corporation)

DRV - (EraserUtilRebootDrv) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)

DRV - (SRTSPL) -- C:\Windows\SysWOW64\drivers\srtspl64.sys (Symantec Corporation)

DRV - (SRTSP) -- C:\Windows\SysWOW64\drivers\srtsp64.sys (Symantec Corporation)

DRV - (SRTSPX) -- C:\Windows\SysWOW64\drivers\srtspx64.sys (Symantec Corporation)

DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/26

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {DAF31C31-55E6-4D00-BE19-1FB42CF91094}

IE:64bit: - HKLM\..\SearchScopes\{DAF31C31-55E6-4D00-BE19-1FB42CF91094}: "URL" = http://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/26

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/26

IE - HKLM\..\SearchScopes,DefaultScope = {DAF31C31-55E6-4D00-BE19-1FB42CF91094}

IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3072253

IE - HKLM\..\SearchScopes\{DAF31C31-55E6-4D00-BE19-1FB42CF91094}: "URL" = http://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\..\SearchScopes,DefaultScope = {DAF31C31-55E6-4D00-BE19-1FB42CF91094}

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.10.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox [2012/11/01 09:26:23 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/11/08 15:09:59 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013/01/11 12:48:33 | 000,000,000 | ---D | M]

[2012/10/15 15:51:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Me\AppData\Roaming\Mozilla\Extensions

[2012/10/15 15:51:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Me\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com

[2013/01/12 19:37:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\x35lwact.default\extensions

[2012/11/22 21:54:43 | 000,192,248 | ---- | M] () (No name found) -- C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\x35lwact.default\extensions\ERAIL.IN.FFPLUGIN@jetpack.xpi

[2013/01/12 19:37:42 | 000,804,627 | ---- | M] () (No name found) -- C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\x35lwact.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

[2013/01/10 23:03:09 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2012/11/08 15:09:59 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll

[2012/10/11 06:35:38 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

[2012/10/11 06:35:38 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2013/01/08 20:13:59 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2:64bit: - BHO: (SimpleAdblock Class) - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files (x86)\Common Files\Simple Adblock\SimpleAdblockx64.dll File not found

O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

O2 - BHO: (HP Network Check Helper) - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)

O2 - BHO: (SimpleAdblock Class) - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files (x86)\Common Files\Simple Adblock\SimpleAdblock.dll File not found

O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)

O4:64bit: - HKLM..\Run: [hpsysdrv] c:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)

O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [buttons & OSDs control application gen3] c:\Program Files (x86)\Hewlett-Packard\Buttons & OSDs control application gen3\FastUserSwitching.exe (Hewlett-Packard)

O4 - HKLM..\Run: [ccApp] C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [HP KEYBOARDx] C:\Program Files (x86)\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE (Hewlett-Packard)

O4 - HKLM..\Run: [HP Remote Solution] C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe (Hewlett-Packard)

O4 - HKCU..\Run: [RoboForm] C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8:64bit: - Extra context menu item: Customize Menu - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()

O8:64bit: - Extra context menu item: Fill Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()

O8:64bit: - Extra context menu item: RoboForm Toolbar - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()

O8:64bit: - Extra context menu item: Save Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()

O8 - Extra context menu item: Customize Menu - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()

O8 - Extra context menu item: Fill Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()

O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()

O8 - Extra context menu item: Save Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()

O9:64bit: - Extra Button: @c:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()

O9:64bit: - Extra 'Tools' menuitem : @c:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()

O9 - Extra Button: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-103 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard)

O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-102 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard)

O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()

O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()

O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()

O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()

O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()

O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()

O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()

O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()

O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} http://mail.polaris.co.in/dwa7W.cab (Domino Web Access 7 Control)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 202.56.215.54 202.56.215.55

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9ECE40DD-80FA-4D16-A031-984CE8F70B06}: DhcpNameServer = 202.56.215.54 202.56.215.55

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D5E80C70-7ADC-4214-A42F-884610BAF45C}: DhcpNameServer = 202.56.215.54 202.56.215.55

O18:64bit: - Protocol\Handler\livecall - No CLSID value found

O18:64bit: - Protocol\Handler\ms-help - No CLSID value found

O18:64bit: - Protocol\Handler\msnim - No CLSID value found

O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found

O18:64bit: - Protocol\Handler\wlpg - No CLSID value found

O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/21 15:48:34 | 000,000,000 | ---D | C] -- C:\Users\Me\Documents\Escorts

[2013/01/20 16:04:30 | 000,000,000 | ---D | C] -- C:\Users\Me\Documents\Ref file to review

[2013/01/18 17:07:01 | 000,000,000 | ---D | C] -- C:\Users\Me\Documents\HP

[2013/01/18 13:08:14 | 000,000,000 | ---D | C] -- C:\Users\Me\AppData\Roaming\ImgBurn

[2013/01/18 13:07:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ImgBurn

[2013/01/17 09:45:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT

[2013/01/17 09:45:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT

[2013/01/17 09:01:59 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2013/01/16 22:22:06 | 000,000,000 | ---D | C] -- C:\Users\Me\AppData\Local\ElevatedDiagnostics

[2013/01/16 21:00:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Me\Desktop\OTL.exe

[2013/01/16 18:20:45 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2013/01/13 12:57:23 | 000,000,000 | ---D | C] -- C:\Users\Me\AppData\Local\libimobiledevice

[2013/01/13 12:55:51 | 000,000,000 | ---D | C] -- C:\Users\Me\Documents\Apple

[2013/01/11 08:35:29 | 000,000,000 | ---D | C] -- C:\FRST

[2013/01/11 00:39:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET

[2013/01/11 00:23:08 | 000,260,528 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe

[2013/01/11 00:22:19 | 000,174,000 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe

[2013/01/11 00:22:19 | 000,173,992 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe

[2013/01/11 00:22:19 | 000,095,184 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

[2013/01/09 14:55:16 | 000,750,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll

[2013/01/09 14:55:15 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll

[2013/01/09 14:54:25 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll

[2013/01/09 14:54:22 | 000,800,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\usp10.dll

[2013/01/09 14:54:05 | 000,045,568 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\oflc-nz.rs

[2013/01/09 14:54:05 | 000,045,568 | ---- | C] (Microsoft) -- C:\Windows\SysNative\oflc-nz.rs

[2013/01/09 14:54:04 | 000,043,520 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\csrr.rs

[2013/01/09 14:54:04 | 000,043,520 | ---- | C] (Microsoft) -- C:\Windows\SysNative\csrr.rs

[2013/01/09 14:54:03 | 000,046,592 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\fpb.rs

[2013/01/09 14:54:03 | 000,046,592 | ---- | C] (Microsoft) -- C:\Windows\SysNative\fpb.rs

[2013/01/09 14:54:01 | 000,040,960 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\cob-au.rs

[2013/01/09 14:54:01 | 000,040,960 | ---- | C] (Microsoft) -- C:\Windows\SysNative\cob-au.rs

[2013/01/09 14:54:00 | 000,044,544 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegibbfc.rs

[2013/01/09 14:54:00 | 000,044,544 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegibbfc.rs

[2013/01/09 14:53:59 | 000,030,720 | ---- | C] (Microsoft) -- C:\Windows\SysNative\usk.rs

[2013/01/09 14:53:58 | 000,030,720 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\usk.rs

[2013/01/09 14:53:58 | 000,015,360 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\djctq.rs

[2013/01/09 14:53:58 | 000,015,360 | ---- | C] (Microsoft) -- C:\Windows\SysNative\djctq.rs

[2013/01/09 14:53:57 | 000,021,504 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\grb.rs

[2013/01/09 14:53:57 | 000,021,504 | ---- | C] (Microsoft) -- C:\Windows\SysNative\grb.rs

[2013/01/09 14:53:57 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi.rs

[2013/01/09 14:53:56 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi.rs

[2013/01/09 14:53:55 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi-pt.rs

[2013/01/09 14:53:55 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi-pt.rs

[2013/01/09 14:53:54 | 000,441,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Wpc.dll

[2013/01/09 14:53:52 | 002,746,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\gameux.dll

[2013/01/09 14:53:52 | 002,576,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\gameux.dll

[2013/01/09 14:53:50 | 000,308,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\Wpc.dll

[2013/01/09 14:53:43 | 000,051,712 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\esrb.rs

[2013/01/09 14:53:43 | 000,051,712 | ---- | C] (Microsoft) -- C:\Windows\SysNative\esrb.rs

[2013/01/09 14:53:41 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi-fi.rs

[2013/01/09 14:53:41 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi-fi.rs

[2013/01/09 14:53:40 | 000,023,552 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\oflc.rs

[2013/01/09 14:53:40 | 000,023,552 | ---- | C] (Microsoft) -- C:\Windows\SysNative\oflc.rs

[2013/01/09 14:53:39 | 000,055,296 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\cero.rs

[2013/01/09 14:53:39 | 000,055,296 | ---- | C] (Microsoft) -- C:\Windows\SysNative\cero.rs

[2013/01/09 14:52:45 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll

[2013/01/09 14:52:37 | 001,161,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll

[2013/01/09 14:52:31 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll

[2013/01/09 14:52:31 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll

[2013/01/09 14:52:30 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe

[2013/01/09 14:52:29 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll

[2013/01/09 14:52:29 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll

[2013/01/09 14:52:29 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll

[2013/01/09 14:52:28 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll

[2013/01/09 14:52:28 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll

[2013/01/09 14:52:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll

[2013/01/09 14:52:25 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll

[2013/01/09 14:52:25 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll

[2013/01/09 14:52:24 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll

[2013/01/09 14:52:24 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll

[2013/01/09 14:52:24 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll

[2013/01/09 14:52:23 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll

[2013/01/09 14:52:23 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll

[2013/01/09 14:52:23 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll

[2013/01/09 14:52:23 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll

[2013/01/09 14:52:23 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll

[2013/01/09 14:52:23 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll

[2013/01/09 14:52:22 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll

[2013/01/09 14:52:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll

[2013/01/09 14:52:22 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll

[2013/01/09 14:52:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll

[2013/01/09 14:52:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll

[2013/01/09 14:52:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll

[2013/01/09 14:52:22 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll

[2013/01/09 14:52:21 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll

[2013/01/09 14:52:21 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll

[2013/01/09 14:52:21 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll

[2013/01/09 14:52:21 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll

[2013/01/09 14:52:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll

[2013/01/09 14:52:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll

[2013/01/09 14:52:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll

[2013/01/09 14:52:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll

[2013/01/09 14:52:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll

[2013/01/09 14:52:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll

[2013/01/09 14:52:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll

[2013/01/09 14:52:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll

[2013/01/09 14:52:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll

[2013/01/09 14:52:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll

[2013/01/09 14:52:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll

[2013/01/09 14:52:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll

[2013/01/09 14:52:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll

[2013/01/09 14:52:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll

[2013/01/09 14:52:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll

[2013/01/09 14:52:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll

[2013/01/09 14:52:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll

[2013/01/09 14:52:19 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

[2013/01/09 14:52:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll

[2013/01/09 14:52:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll

[2013/01/09 14:52:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll

[2013/01/09 14:52:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll

[2013/01/09 14:52:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll

[2013/01/09 14:52:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll

[2013/01/09 14:52:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll

[2013/01/09 14:52:18 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

[2013/01/09 14:52:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

[2013/01/09 14:52:17 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

[2013/01/09 14:52:17 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll

[2013/01/09 14:52:16 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe

[2013/01/09 14:52:16 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe

[2013/01/09 14:52:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll

[2013/01/09 14:52:15 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll

[2013/01/09 14:52:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll

[2013/01/09 14:52:15 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll

[2013/01/09 14:52:15 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe

[2013/01/09 14:51:51 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskhost.exe

[2013/01/08 20:00:51 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2013/01/08 20:00:50 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2013/01/08 20:00:50 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2013/01/08 19:59:56 | 000,000,000 | ---D | C] -- C:\Qoobox

[2013/01/08 19:59:32 | 000,000,000 | ---D | C] -- C:\Windows\erdnt

[2013/01/08 19:52:27 | 005,022,206 | R--- | C] (Swearware) -- C:\Users\Me\Desktop\ComboFix.exe

[2013/01/08 09:49:09 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Users\Me\Desktop\aswMBR.exe

[2013/01/07 19:51:10 | 000,000,000 | ---D | C] -- C:\Users\Me\Desktop\RK_Quarantine

[2013/01/05 10:43:08 | 000,000,000 | ---D | C] -- C:\Users\Me\AppData\Local\Programs

[2013/01/05 09:38:31 | 000,000,000 | ---D | C] -- C:\Users\Me\AppData\Local\NPE

[2012/12/23 19:25:54 | 000,000,000 | ---D | C] -- C:\ProgramData\YTD Video Downloader

[2012/12/23 19:23:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader

[2012/12/23 19:23:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\GreenTree Applications

========== Files - Modified Within 30 Days ==========

[2013/01/22 08:44:03 | 000,018,736 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2013/01/22 08:44:03 | 000,018,736 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2013/01/22 08:39:17 | 000,000,266 | ---- | M] () -- C:\Windows\tasks\AutoKMS.job

[2013/01/22 08:38:20 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForPOLARIS.job

[2013/01/22 08:38:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2013/01/22 08:38:01 | 3113,570,304 | -HS- | M] () -- C:\hiberfil.sys

[2013/01/21 22:59:00 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1924947387-3120324859-2087383454-1000UA.job

[2013/01/21 19:26:40 | 000,681,984 | ---- | M] () -- C:\Users\Me\Desktop\CKScanner.exe

[2013/01/21 16:59:00 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1924947387-3120324859-2087383454-1000Core.job

[2013/01/20 18:51:40 | 000,730,532 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2013/01/20 18:51:40 | 000,627,104 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2013/01/20 18:51:40 | 000,107,420 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2013/01/18 13:07:10 | 000,001,831 | ---- | M] () -- C:\Users\Public\Desktop\ImgBurn.lnk

[2013/01/16 21:00:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Me\Desktop\OTL.exe

[2013/01/16 09:48:38 | 005,022,206 | R--- | M] (Swearware) -- C:\Users\Me\Desktop\ComboFix.exe

[2013/01/11 00:22:00 | 000,095,184 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

[2013/01/11 00:21:58 | 000,260,528 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe

[2013/01/11 00:21:58 | 000,174,000 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe

[2013/01/11 00:21:57 | 000,859,072 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\npdeployJava1.dll

[2013/01/11 00:21:57 | 000,779,704 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\deployJava1.dll

[2013/01/11 00:21:57 | 000,173,992 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe

[2013/01/10 03:30:23 | 000,487,072 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2013/01/08 20:13:59 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts

[2013/01/08 09:49:52 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Users\Me\Desktop\aswMBR.exe

[2013/01/07 19:50:13 | 000,761,856 | ---- | M] () -- C:\Users\Me\Desktop\RogueKiller.exe

[2013/01/05 11:14:38 | 000,000,320 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForMe.job

[2013/01/01 22:53:24 | 000,000,544 | ---- | M] () -- C:\Windows\tasks\PCDRScheduledMaintenance.job

[2012/12/23 19:23:48 | 000,001,255 | ---- | M] () -- C:\Users\Public\Desktop\YTD Video Downloader.lnk

========== Files Created - No Company Name ==========

[2013/01/21 19:26:39 | 000,681,984 | ---- | C] () -- C:\Users\Me\Desktop\CKScanner.exe

[2013/01/18 13:07:10 | 000,001,831 | ---- | C] () -- C:\Users\Public\Desktop\ImgBurn.lnk

[2013/01/08 20:00:51 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2013/01/08 20:00:50 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2013/01/08 20:00:50 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2013/01/08 20:00:50 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2013/01/08 20:00:50 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2013/01/07 19:50:03 | 000,761,856 | ---- | C] () -- C:\Users\Me\Desktop\RogueKiller.exe

[2012/12/23 19:23:48 | 000,001,255 | ---- | C] () -- C:\Users\Public\Desktop\YTD Video Downloader.lnk

[2012/10/26 23:00:10 | 000,743,538 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

[2012/10/01 21:12:20 | 000,000,523 | ---- | C] () -- C:\Windows\Viewer.INI

[2012/10/01 20:35:11 | 000,001,265 | ---- | C] () -- C:\Windows\MyHeritage.INI

[2012/10/01 20:33:33 | 000,454,656 | ---- | C] () -- C:\Windows\SysWow64\PaintX.dll

[2012/09/28 13:23:46 | 000,215,668 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat

[2012/09/27 13:30:12 | 000,000,126 | ---- | C] () -- C:\Windows\QUICKEN.INI

[2009/07/14 10:24:24 | 000,000,174 | -HS- | C] () -- C:\Program Files (x86)\desktop(20794).ini

========== ZeroAccess Check ==========

[2012/11/02 21:15:08 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 11:13:10 | 014,172,672 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 10:11:00 | 012,873,728 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 07:10:51 | 000,909,312 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 17:49:02 | 000,606,208 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 07:11:56 | 000,505,856 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >

jeffce · January 23, 2013

Hi,

Run OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {DAF31C31-55E6-4D00-BE19-1FB42CF91094}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT3072253
IE - HKCU\..\SearchScopes,DefaultScope = {DAF31C31-55E6-4D00-BE19-1FB42CF91094}

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Post the new OTL and let me know about your system.

Ed_Infected · January 24, 2013

This is the log that was created when OTL finsihed and rebooted. Will run scan again and post the log.

All processes killed

========== SERVICES/DRIVERS ==========

========== OTL ==========

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: IT.chennai1

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 29093439 bytes

->Flash cache emptied: 1068 bytes

User: Me

->Temp folder emptied: 13135024 bytes

->Temporary Internet Files folder emptied: 8450310 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 105229018 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 2862 bytes

User: POLARIS

->Temp folder emptied: 92643 bytes

->Temporary Internet Files folder emptied: 5608363 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 36098407 bytes

->Google Chrome cache emptied: 355871198 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 523 bytes

User: Public

->Temp folder emptied: 0 bytes

User: UpdatusUser

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 24928 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 4754641 bytes

RecycleBin emptied: 207305 bytes

Total Files Cleaned = 533.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 01242013_093834

Files\Folders moved on Reboot...

C:\Users\Me\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

jeffce · January 24, 2013

Ok please do so and also let me know exactly how your system is running too.

Ed_Infected · January 24, 2013

Below is the log - actually I have been waiting this long expecting the SEP active scan to pop up anytime to tell me about the virus (Oh, got used to that by now :angry: ) - but it did not!

Over all system running fine - thanks for getting me here.

OTL logfile created on: 1/24/2013 9:45:35 AM - Run 6

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Me\Desktop

64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: India | Language: ENN | Date Format: dd-MM-yyyy

3.87 Gb Total Physical Memory | 2.36 Gb Available Physical Memory | 61.06% Memory free

7.73 Gb Paging File | 6.03 Gb Available in Paging File | 78.02% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 685.21 Gb Total Space | 566.33 Gb Free Space | 82.65% Space Free | Partition Type: NTFS