Win 7 won't boot after running Windows Defender Offline

jmbaltz · March 28, 2013

My daughters PC (Windows 7 64 bit) got a virus which Microsoft Security Essentials could not remove and it said to run Microsoft Defender Offline.

We did that and when we restarted the computer it gets to a blank screen with a blinking curser. I tried fixing it but without success.

I ran FRST64 and here is the most recent scan log... there are two ATTENTION entries:

1. HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess

2. ATTENTION ===> 0 byte partition bootkit on partition 1

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 15 days old)

Ran by SYSTEM at 28-03-2013 10:51:00

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2108200 2010-04-01] (Synaptics Incorporated)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2009-12-02] (IDT, Inc.)

HKLM\...\Run: [AlienFX Controller] "C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe" [63304 2010-05-21] (Alienware Corporation)

HKLM\...\Run: [] [x]

HKLM\...\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1926928 2009-09-21] (Intel® Corporation)

HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe [2463232 2009-07-22] ()

HKLM\...\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]

HKLM-x32\...\Run: [FATrayAlert] C:\Program Files\Alienware\Command Center\AlienSense\FATrayMon.exe [95560 2010-04-04] (Sensible Vision )

HKLM-x32\...\Run: [FAStartup] [x]

HKLM-x32\...\Run: [OSD_LAUNCH] c:\Program Files (x86)\OSD\Launch_OSD.exe [32768 2009-11-10] (HH)

HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)

HKLM-x32\...\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2009-07-06] (CyberLink Corp.)

HKLM-x32\...\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-04-29] (CyberLink Corp.)

HKLM-x32\...\Run: [integrated Webcam Live! Central] "C:\Program Files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe" /mode2 [487562 2010-08-19] (Creative Technology Ltd)

HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-09-03] (Sonic Solutions)

HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe" [522736 2010-11-01] ()

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)

HKLM-x32\...\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641664 2012-04-05] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml [10752 2012-02-20] ()

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)

HKU\Sara B\...\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1632680 2013-03-15] (Valve Corporation)

HKU\Sara B\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)

HKU\Sara B\...\Run: [Overwolf] C:\Program Files (x86)\Overwolf\Overwolf.exe -silent [x]

HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\AlienRespawn\Components\Scheduler\Launcher.exe [165184 2011-01-13] (Softthinks)

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess

Lsa: [Notification Packages] scecli FAPassSync

Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk

ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

Startup: C:\Users\Sara B\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GameStop Now.lnk

ShortcutTarget: GameStop Now.lnk -> C:\Program Files (x86)\GameStop App\Now\GameStopNow.exe (GameStop Corp.)

==================== Services (Whitelisted) ===================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ec0230c23ac63514\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)

2 FAService; C:\Program Files\Alienware\Command Center\AlienSense\FAService.exe [2409800 2010-04-04] (Sensible Vision )

2 HappyOSD; C:\Program Files (x86)\OSD\OSD_Service.exe [16384 2009-12-30] ()

2 InstallFilterService; C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [59904 2009-11-29] ()

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22056 2013-01-27] (Microsoft Corporation)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [315664 2009-09-21] ()

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [379360 2013-01-27] (Microsoft Corporation)

2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ec0230c23ac63514\STacSV64.exe [244736 2009-12-02] (IDT, Inc.)

==================== Drivers (Whitelisted) =====================

3 IAMTVE; C:\Windows\System32\Drivers\IAMTVE.sys [43416 2007-04-11] (Intel Corporation)

3 IAMTXPE; C:\Windows\System32\Drivers\IAMTXPE.sys [51096 2007-04-11] (Intel Corporation)

0 ioatdma; C:\Windows\System32\Drivers\ioatdma.sys [46792 2009-07-13] (Intel Corporation)

3 iSSetup; C:\Windows\System32\Drivers\iSSetup.sys [178400 2009-10-12] (Intel Corporation)

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)

3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)

3 XENfiltv; C:\Windows\System32\Drivers\XENfiltv.sys [25600 2009-07-30] (Creative Technology Ltd.)

3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]

3 xsherlock; C:\Windows\system32\xsherlock.xem [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-03-27 19:03 - 2010-11-20 04:40 - 00383786 _RASH C:\bootmgr

2013-03-27 15:26 - 2013-03-27 15:26 - 14811136 ____A C:\Windows\System32\config\SOFTWARE53dd211c

2013-03-23 17:55 - 2013-03-23 17:55 - 00908800 ____A C:\Windows\Minidump\032313-11232-01.dmp

2013-03-23 12:26 - 2013-03-23 12:26 - 00000000 ____D C:\Users\Default\AppData\Roaming\Apple Computer

2013-03-23 12:26 - 2013-03-23 12:26 - 00000000 ____D C:\Users\Default\AppData\Local\Apple Computer

2013-03-23 12:26 - 2013-03-23 12:26 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Apple Computer

2013-03-23 12:26 - 2013-03-23 12:26 - 00000000 ____D C:\Users\Default User\AppData\Local\Apple Computer

2013-03-21 17:44 - 2013-03-21 17:44 - 00000154 ____A C:\ProgramData\vyeukvjaxcenixf

2013-03-20 19:13 - 2013-03-20 19:13 - 00909232 ____A C:\Windows\Minidump\032013-11310-01.dmp

2013-03-20 12:59 - 2013-03-20 12:59 - 00001073 ____A C:\Users\Sara B\Desktop\Neverwinter.lnk

2013-03-20 12:57 - 2013-03-22 16:14 - 00000000 ____D C:\Program Files (x86)\Cryptic Studios

2013-03-19 18:43 - 2013-03-19 18:43 - 00000000 ____D C:\Users\Public\Games

2013-03-19 17:49 - 2013-03-19 18:22 - 00000000 ____D C:\Users\Sara B\Downloads\Neverwinter NW.1.20130225d.1

2013-03-18 17:57 - 2013-02-11 20:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys

2013-03-17 18:25 - 2013-02-01 22:38 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-03-17 18:25 - 2013-02-01 22:38 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-03-17 18:25 - 2013-02-01 19:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2013-03-17 18:25 - 2013-02-01 19:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-03-17 18:25 - 2013-02-01 19:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2013-03-17 18:25 - 2013-02-01 19:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-03-17 18:24 - 2013-02-01 23:31 - 17815040 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-03-17 18:24 - 2013-02-01 22:58 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-03-17 18:24 - 2013-02-01 22:57 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-03-17 18:24 - 2013-02-01 22:48 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-03-17 18:24 - 2013-02-01 22:47 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-03-17 18:24 - 2013-02-01 22:47 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-03-17 18:24 - 2013-02-01 22:46 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-03-17 18:24 - 2013-02-01 22:43 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-03-17 18:24 - 2013-02-01 22:42 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-03-17 18:24 - 2013-02-01 22:42 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-03-17 18:24 - 2013-02-01 22:41 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-03-17 18:24 - 2013-02-01 22:40 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-03-17 18:24 - 2013-02-01 22:39 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-03-17 18:24 - 2013-02-01 22:34 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-03-17 18:24 - 2013-02-01 20:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-03-17 18:24 - 2013-02-01 19:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-03-17 18:24 - 2013-02-01 19:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-03-17 18:24 - 2013-02-01 19:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-03-17 18:24 - 2013-02-01 19:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2013-03-17 18:24 - 2013-02-01 19:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-03-17 18:24 - 2013-02-01 19:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2013-03-17 18:24 - 2013-02-01 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-03-17 18:24 - 2013-02-01 19:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-03-17 18:24 - 2013-02-01 19:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2013-03-17 18:24 - 2013-02-01 19:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-03-17 18:24 - 2013-02-01 19:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-03-17 18:23 - 2013-03-17 18:23 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2013-03-17 18:23 - 2013-03-17 18:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

2013-03-17 18:19 - 2013-03-17 18:19 - 00991680 ____A C:\Windows\Minidump\031713-19578-01.dmp

2013-02-26 19:37 - 2013-01-13 13:12 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll

2013-02-26 19:37 - 2013-01-13 12:35 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll

2013-02-26 19:37 - 2013-01-13 12:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll

2013-02-26 19:37 - 2013-01-13 11:53 - 00187392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll

2013-02-26 19:37 - 2013-01-13 11:24 - 00221184 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll

2013-02-26 19:37 - 2013-01-13 11:02 - 00417792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll

2013-02-26 19:37 - 2013-01-13 10:32 - 00465920 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll

2013-02-26 19:37 - 2013-01-03 22:11 - 02776576 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll

2013-02-26 19:37 - 2013-01-03 22:11 - 02284544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll

2013-02-26 19:36 - 2013-01-13 13:17 - 00009728 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 13:17 - 00002560 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 13:16 - 00010752 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 13:11 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2013-02-26 19:36 - 2013-01-13 13:11 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 13:11 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 13:11 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 13:11 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 12:35 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 12:35 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 12:31 - 01247744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll

2013-02-26 19:36 - 2013-01-13 12:31 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2013-02-26 19:36 - 2013-01-13 12:31 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 12:31 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 12:31 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 12:31 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll

2013-02-26 19:36 - 2013-01-13 12:22 - 01988096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll

2013-02-26 19:36 - 2013-01-13 12:20 - 00293376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll

2013-02-26 19:36 - 2013-01-13 12:09 - 00249856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll

2013-02-26 19:36 - 2013-01-13 12:08 - 01504768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll

2013-02-26 19:36 - 2013-01-13 12:08 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll

2013-02-26 19:36 - 2013-01-13 11:59 - 01643520 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2013-02-26 19:36 - 2013-01-13 11:58 - 01175552 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll

2013-02-26 19:36 - 2013-01-13 11:54 - 00604160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll

2013-02-26 19:36 - 2013-01-13 11:53 - 00207872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll

2013-02-26 19:36 - 2013-01-13 11:51 - 02565120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll

2013-02-26 19:36 - 2013-01-13 11:49 - 00363008 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll

2013-02-26 19:36 - 2013-01-13 11:48 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll

2013-02-26 19:36 - 2013-01-13 11:46 - 01080832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll

2013-02-26 19:36 - 2013-01-13 11:43 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll

2013-02-26 19:36 - 2013-01-13 11:38 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll

2013-02-26 19:36 - 2013-01-13 11:38 - 00333312 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll

2013-02-26 19:36 - 2013-01-13 11:38 - 00296960 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll

2013-02-26 19:36 - 2013-01-13 11:37 - 03419136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll

2013-02-26 19:36 - 2013-01-13 11:25 - 00245248 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll

2013-02-26 19:36 - 2013-01-13 11:24 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2013-02-26 19:36 - 2013-01-13 11:20 - 01238528 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll

2013-02-26 19:36 - 2013-01-13 11:20 - 00194560 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll

2013-02-26 19:36 - 2013-01-13 11:15 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll

2013-02-26 19:36 - 2013-01-13 11:10 - 03928064 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll

2013-02-26 19:36 - 2013-01-13 10:34 - 00364544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll

2013-02-26 19:36 - 2013-01-13 10:09 - 00522752 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll

2013-02-26 19:36 - 2013-01-13 09:26 - 01158144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll

2013-02-26 19:36 - 2013-01-13 09:05 - 01682432 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll

==================== One Month Modified Files and Folders =======

2013-03-28 08:56 - 2013-03-28 08:56 - 00000000 ____D C:\FRST

2013-03-27 15:26 - 2013-03-27 15:26 - 14811136 ____A C:\Windows\System32\config\SOFTWARE53dd211c

2013-03-27 11:06 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-03-27 11:06 - 2009-07-13 20:51 - 00068235 ____A C:\Windows\setupact.log

2013-03-27 11:05 - 2009-07-13 21:10 - 01562166 ____A C:\Windows\WindowsUpdate.log

2013-03-27 11:04 - 2011-09-06 17:38 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-03-27 09:37 - 2009-07-13 21:13 - 00792550 ____A C:\Windows\System32\PerfStringBackup.INI

2013-03-27 09:37 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-03-27 09:37 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-03-27 09:31 - 2011-01-22 07:50 - 00000000 ____D C:\ProgramData\Sonic

2013-03-27 09:30 - 2011-09-19 16:21 - 00000000 ____D C:\Program Files (x86)\Steam

2013-03-27 09:30 - 2011-09-06 17:38 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-03-27 09:30 - 2011-01-29 09:06 - 00000000 ____D C:\Users\Sara B\AppData\Local\SoftThinks

2013-03-27 09:30 - 2011-01-22 07:45 - 00000000 ____D C:\Program Files (x86)\AlienRespawn

2013-03-27 09:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions

2013-03-23 17:55 - 2013-03-23 17:55 - 00908800 ____A C:\Windows\Minidump\032313-11232-01.dmp

2013-03-23 17:55 - 2012-05-31 13:46 - 678344672 ____A C:\Windows\MEMORY.DMP

2013-03-23 17:55 - 2012-05-31 13:46 - 00000000 ____D C:\Windows\Minidump

2013-03-23 12:26 - 2013-03-23 12:26 - 00000000 ____D C:\Users\Default\AppData\Roaming\Apple Computer

2013-03-23 12:26 - 2013-03-23 12:26 - 00000000 ____D C:\Users\Default\AppData\Local\Apple Computer

2013-03-23 12:26 - 2013-03-23 12:26 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Apple Computer

2013-03-23 12:26 - 2013-03-23 12:26 - 00000000 ____D C:\Users\Default User\AppData\Local\Apple Computer

2013-03-23 12:25 - 2012-03-11 17:43 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-03-22 16:14 - 2013-03-20 12:57 - 00000000 ____D C:\Program Files (x86)\Cryptic Studios

2013-03-21 17:44 - 2013-03-21 17:44 - 00000154 ____A C:\ProgramData\vyeukvjaxcenixf

2013-03-20 19:13 - 2013-03-20 19:13 - 00909232 ____A C:\Windows\Minidump\032013-11310-01.dmp

2013-03-20 19:13 - 2011-01-22 09:15 - 00095708 ____A C:\Windows\PFRO.log

2013-03-20 15:43 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

2013-03-20 13:53 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-03-20 12:59 - 2013-03-20 12:59 - 00001073 ____A C:\Users\Sara B\Desktop\Neverwinter.lnk

2013-03-20 12:57 - 2011-01-22 07:48 - 00482812 ____A C:\Windows\DirectX.log

2013-03-20 12:56 - 2011-01-29 09:06 - 00000000 ____D C:\users\Sara B

2013-03-19 18:43 - 2013-03-19 18:43 - 00000000 ____D C:\Users\Public\Games

2013-03-19 18:22 - 2013-03-19 17:49 - 00000000 ____D C:\Users\Sara B\Downloads\Neverwinter NW.1.20130225d.1

2013-03-19 17:56 - 2011-09-28 16:18 - 00000000 ____D C:\Program Files (x86)\NCSoft

2013-03-17 18:27 - 2012-12-14 17:56 - 00000129 ____A C:\Windows\System32\MRT.INI

2013-03-17 18:25 - 2011-01-29 09:19 - 72013344 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-03-17 18:23 - 2013-03-17 18:23 - 00000000 ____D C:\Program Files\Microsoft Silverlight

2013-03-17 18:23 - 2013-03-17 18:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

2013-03-17 18:19 - 2013-03-17 18:19 - 00991680 ____A C:\Windows\Minidump\031713-19578-01.dmp

2013-03-14 07:41 - 2013-02-10 16:16 - 00000000 ____D C:\Program Files (x86)\TERA

2013-02-27 16:51 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK

2013-02-27 16:51 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR

2013-02-27 16:51 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\zh-HK

2013-02-27 16:50 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\tr-TR

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-20 20:28:17

Restore point made on: 2013-03-21 11:46:10

Restore point made on: 2013-03-21 12:00:35

Restore point made on: 2013-03-21 23:00:18

Restore point made on: 2013-03-22 23:00:17

Restore point made on: 2013-03-22 23:08:20

Restore point made on: 2013-03-23 20:04:25

Restore point made on: 2013-03-24 09:29:16

Restore point made on: 2013-03-24 19:39:30

Restore point made on: 2013-03-25 16:10:45

Restore point made on: 2013-03-27 09:23:22

Restore point made on: 2013-03-27 09:24:12

Restore point made on: 2013-03-27 09:25:02

Restore point made on: 2013-03-27 09:26:35

Restore point made on: 2013-03-27 11:05:08

==================== Memory info ===========================

Percentage of memory in use: 11%

Total physical RAM: 8180.49 MB

Available physical RAM: 7224.86 MB

Total Pagefile: 8178.64 MB

Available Pagefile: 7322.79 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:223.79 GB) (Free:53.18 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.29 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive e: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF

4 Drive f: (WDO_MEDIA64) (Removable) (Total:14.93 GB) (Free:14.91 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 238 GB 0 B

Disk 1 Online 14 GB 0 B

Partitions of Disk 0:

===============

Disk ID: 11121723

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 31 KB

Partition 2 Primary 14 GB 39 MB

Partition 3 Primary 223 GB 14 GB

==================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 D RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 223 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Disk ID: 5F8031F0

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 14 GB 4032 KB

==================================================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 F WDO_MEDIA64 FAT32 Removable 14 GB Healthy

=========================================================

============================== MBR Partition Table ==================

==============================

Partitions of Disk 0:

===============

Disk ID: 11121723

Partition 1:

=========

Hex: 80002300000000002200000000000000

Active: YES

Type: 00

Size: 0 byte

ATTENTION ===> 0 byte partition bootkit on partition 1

Partition 2:

=========

Hex: 00010100DEFE3F043F00000086390100

Active: NO

Type: DE

Size: 39 MB

Partition 3:

=========

Hex: 0000010507FEFFFFC539010000C0D401

Active: NO

Type: 07 (NTFS)

Size: 15 GB

Partition 4:

=========

Hex: 80FEFFFF07FEFFFFC5F9D501EB30F91B

Active: YES

Type: 07 (NTFS)

Size: 224 GB

==============================

Partitions of Disk 1:

===============

Disk ID: 5F8031F0

Partition 1:

=========

Hex: 808001000CFEFFFF801F00008030DE01

Active: YES

Type: 0C

Size: 15 GB

Last Boot: 2013-03-20 15:36

==================== End Of Log =============================

Larusso · March 29, 2013

Hy

my name is Daniel and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
I am currently visiting an evening school and working nightshift only which might be evening for you. In this time I am mostly online with my mobile devices and won't be able to reply.

I tried fixing it but without success

What did you try so far ?

Is this a blank or a Black screen ?

Can you remember what has been found by defender online ?

jmbaltz · March 29, 2013

Daniel, thank you for your help. To answer your questions...

What did you try so far ?

1. Ran FRST64 and found a few "ATTENTION" items one was Windows\svchost which I deleted via command prompt from a Windows 7 installation disk (repair sees the installed OS) Windows\system32\svchost is still there.

2. Ran gparted-live-0.15.0-1-i486, reassigned "boot" to the C: OS partition, deleted "unknown" boot,hidden partition

3. Ran bootrec /FixMbr, bootrec /FixBoot, bootrec /RebuildBCD

4. Tried running AvastMBR, Mbr.exe, TDSSKiller from command prompt but all failed with the same error "Subsystem needed to support the image type is not present". Seems WOW64 is not part of the installation DVD startup, it is a 64 bit Win 7 DVD.

5. Reran FRST64 results above

Is this a blank or a Black screen ?

After POST and all the Bios messages it gets to the point where the Bios transfers control to the OS at that point the screen is blank with the cursor blinking at Row 1 Column 1 of the screen.

Can you remember what has been found by defender online ?

Trojan:DOS/Alureon.J

Larusso · March 29, 2013

Wow

You fixed around and nothing helped

. Ran bootrec /FixMbr, bootrec /FixBoot, bootrec /RebuildBCD

And here we have the problem. The MBR has been rewritten to default.

In all honest, I will try to repair these stuff but for this, I need to use Linux.

Note: This OS is known to cause some problems. If it wont run, let me know.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

Insert your USB drive
Press Start > My Computer > right click your USB drive > choose Format > Quick format
Double click the unetbootin-xpud-windows-387.exe that you just downloaded
Press Run then OK
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded
Verify the correct drive letter is selected for your USB device then click OK
It will install a little bootable OS on your USB device
Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
After it has completed do not choose to reboot the clean computer simply close the installer.

Download xPUDtestdisk.exe and save it to the USB device.
Double click xPUDtestdisk.exe to extract the contents to your USB device
Remove the USB and insert it in the sick computer
Boot the Sick computer
Press F12 and choose to boot from the USB
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
Press Tool at the top
Choose Open Terminal
Type in: dd if=/dev/sda of=MBRbackup.zip bs=512 count=1 and hit Enter.

MBRbackup.zip should be created on your flash drive, please attach it to your next reply.

jmbaltz · March 29, 2013

I created the bootable thumdrive and it had the following:

boot (folder)

opt (folder)

testdisk (folder)

syslinux.cfg (3 KB file)

vesamenu.c32 (143 KB file)

xPUDtestdisk.exe (3,345 KB application)

When I booted from the thumdrive I did get to the Welcome to xPUD screen which had a choose your lanquage defaulting to English,

I did not see anywhere to "Press FILE

It started loading xPud (a series of dots going across the screen, like a progress bar).
Then it started displaying error messages one of which was
(EE) No devices detected. Followed by "Fatal server error": "no screens found" and a lot of things

jmbaltz · March 29, 2013

Based on this FRST64 entry I assume that we need to turn off the Active: YES bit in the Partition Table for this partition.

Partitions of Disk 0:

===============

Disk ID: 11121723

Partition 1:

=========

Hex: 80002300000000002200000000000000

Active: YES

Type: 00

Size: 0 byte

ATTENTION ===> 0 byte partition bootkit on partition 1

jmbaltz · March 29, 2013

Since the Gparted iso I have booted from CD would it help if I installed it on a bootable USB and ran "testdisk" from there? I'm not fluent in Linux commands so I would need a step by step command list.

Larusso · March 30, 2013

as said, this OS runs not on all systems. No idea what causes this problem.

Please download Ubuntu --> http://www.ubuntu.com/download/desktop/thank-you?distro=desktop&bits=32&release=lts

When the download finished, please follow the instructions here to create an bootable USB drive --> http://www.ubuntu.com/download/help/create-a-usb-stick-on-windows

When booting from the USB Drive, choose Try it !!

Once the Ubuntu desktop is loaded, click the top icon in the left panel.
Type terminal in the search box.
Click on the first Terminal icon that is displayed - this will open a command prompt window
Type the following line and press enter

sudo dd if=/dev/sda of=mbr.zip bs=512 count=1

Open Firefox and connect to this topic
To access the Home folder click the third icon from the top in the left panel (Home Folder). You will see some folders there, as well as the mbr.txt file you just created.
Attach mbr.zip file located in Home Folder and post in your next reply.

Restart system in Windows

jmbaltz · March 30, 2013

File mbr.zip... attached I hope mbr.zip

Larusso · March 30, 2013

Well done

Please reboot into Ubuntu, delete the current mbr.zip and download the attached one in the same location.

This file has been written for this machine only. Do not attempt to use it on other machines

Open the terminal again and type in

sudo dd if=mbr.zip of=/dev/sda bs=512 count=1

Please reboot into Windows.

Download ComboFix from this location:

Link 1

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications

====================================================

Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

*Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.

jmbaltz · March 30, 2013

I do not see a link to the attached mbr.zip in your post

jmbaltz · March 30, 2013

And for some reason the mbr.zip file is no longer in the Home folder of Ubuntu

Larusso · March 31, 2013

hm, where is my attachment :huh:

mbr.zip

jmbaltz · March 31, 2013

OK I messed up when I entered the command sudo dd if=mbr.zip of=/dev/sda bs=512 count=1 I miss typed it and entered sudo dd if=mbr.zip of=dev/sda bs=512 count=1 and the system did not boot into windows. I tried again with the correct command sudo dd if=mbr.zip of=/dev/sda bs=512 count=1 and it still would not boot into Windows. Will start over.

jmbaltz · March 31, 2013

Current mbr.zip...mbr.zip

Larusso · March 31, 2013

Your mbr looks like the first one you posted me.

2 reasons, the other mbr is still there or you mistyped something.

Please boot into Ubuntu, open the terminal and type dir -l .

Note that these commands are case sensitive

This will list all files in from the current working directory. make sure the mbr.zip file is in the list.

If it is not there, download the file again. Choose "Save File".

Open the "Home folder" --> Downloads and move the file to "home"

type in sudo dd if=mbr.zip of=/dev/sda bs=512 count=1 and let me know if you get any errors after hitting Enter.

If not, you should now be able to boot into Windows.

jmbaltz · March 31, 2013

after comand sudo dd if=mbr.zip of=/dev/sda bs=512 count=1 terminal came back with:

1+0 records in

1+0 records out

512 bytes (512 B) copied, 0.0017102 s, 299 kB/s

ubuntu@ubuntu:<character not on my keyboard>S

Then restarted got Starting Windows logged in now running ComboFix

jmbaltz · March 31, 2013

ComboFix log

ComboFix 13-03-31.01 - Sara B 03/31/2013 16:14:38.1.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8180.6188 [GMT -4:00]

Running from: c:\users\Sara B\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\vyeukvjaxcenixf

c:\users\Sara B\AppData\Local\assembly\tmp

c:\users\Sara B\GoToAssistDownloadHelper.exe

c:\windows\SysWow64\URTTemp

c:\windows\SysWow64\URTTemp\regtlib.exe

.

((((((((((((((((((((((((( Files Created from 2013-02-28 to 2013-03-31 )))))))))))))))))))))))))))))))

.

2013-03-31 20:18 . 2013-03-31 20:18 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-03-28 16:56 . 2013-03-28 16:56 -------- d-----w- C:\FRST

2013-03-28 02:58 . 2013-03-28 03:03 -------- d-----w- C:\Boot

2013-03-25 22:18 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2419E67B-9E6E-4FE5-9152-A31A88C3BE27}\mpengine.dll

2013-03-24 02:06 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-03-23 20:26 . 2013-03-23 20:26 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer

2013-03-23 20:26 . 2013-03-23 20:26 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer

2013-03-21 03:25 . 2012-11-29 01:59 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7945319-24C7-40E2-A7C4-90122A4D77CC}\gapaengine.dll

2013-03-20 20:57 . 2013-03-23 00:14 -------- d-----w- c:\program files (x86)\Cryptic Studios

2013-03-20 02:43 . 2013-03-20 02:43 -------- d-----w- c:\users\Public\Games

2013-03-19 01:57 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-03-18 02:25 . 2013-02-02 06:38 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2013-03-18 02:25 . 2013-02-02 07:37 182816 ----a-w- c:\program files\Internet Explorer\sqmapi.dll

2013-03-18 02:25 . 2013-02-02 06:38 96768 ----a-w- c:\windows\system32\mshtmled.dll

2013-03-18 02:25 . 2013-02-02 04:19 149552 ----a-w- c:\program files (x86)\Internet Explorer\sqmapi.dll

2013-03-18 02:25 . 2013-02-02 03:23 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2013-03-18 02:25 . 2013-02-02 06:44 304640 ----a-w- c:\program files\Internet Explorer\IEShims.dll

2013-03-18 02:25 . 2013-02-02 03:27 194048 ----a-w- c:\program files (x86)\Internet Explorer\IEShims.dll

2013-03-18 02:25 . 2013-02-02 03:26 420864 ----a-w- c:\windows\SysWow64\vbscript.dll

2013-03-18 02:23 . 2013-03-18 02:23 -------- d-----w- c:\program files\Microsoft Silverlight

2013-03-18 02:23 . 2013-03-18 02:23 -------- d-----w- c:\program files (x86)\Microsoft Silverlight

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-03-18 02:25 . 2011-01-29 17:19 72013344 ----a-w- c:\windows\system32\MRT.exe

2013-02-13 01:28 . 2013-02-13 01:28 477616 ----a-w- c:\windows\SysWow64\npdeployJava1.dll

2013-02-13 01:28 . 2011-01-22 15:22 473520 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-02-12 05:45 . 2013-03-14 15:49 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-02-12 05:45 . 2013-03-14 15:49 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-02-12 05:45 . 2013-03-14 15:49 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-02-12 05:45 . 2013-03-14 15:49 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-02-12 04:48 . 2013-03-14 15:49 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-02-12 04:48 . 2013-03-14 15:49 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-01-30 10:53 . 2011-01-29 17:18 273840 ------w- c:\windows\system32\MpSigStub.exe

2013-01-20 20:59 . 2013-01-20 20:59 230320 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2013-01-20 20:59 . 2010-10-25 02:25 130008 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys

2013-01-13 21:17 . 2013-02-27 03:36 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-01-13 21:17 . 2013-02-27 03:36 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll

2013-01-13 21:16 . 2013-02-27 03:36 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll

2013-01-13 21:12 . 2013-02-27 03:37 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll

2013-01-13 21:11 . 2013-02-27 03:36 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll

2013-01-13 21:11 . 2013-02-27 03:36 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll

2013-01-13 21:11 . 2013-02-27 03:36 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2013-01-13 21:11 . 2013-02-27 03:36 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll

2013-01-13 21:11 . 2013-02-27 03:36 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll

2013-01-13 20:35 . 2013-02-27 03:36 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-01-13 20:35 . 2013-02-27 03:36 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll

2013-01-13 20:35 . 2013-02-27 03:37 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll

2013-01-13 20:32 . 2013-02-27 03:37 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll

2013-01-13 20:31 . 2013-02-27 03:36 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll

2013-01-13 20:31 . 2013-02-27 03:36 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll

2013-01-13 20:31 . 2013-02-27 03:36 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2013-01-13 20:31 . 2013-02-27 03:36 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

2013-01-13 20:31 . 2013-02-27 03:36 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll

2013-01-13 20:31 . 2013-02-27 03:36 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll

2013-01-13 20:22 . 2013-02-27 03:36 1988096 ----a-w- c:\windows\SysWow64\d3d10warp.dll

2013-01-13 20:20 . 2013-02-27 03:36 293376 ----a-w- c:\windows\SysWow64\dxgi.dll

2013-01-13 20:09 . 2013-02-27 03:36 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll

2013-01-13 20:08 . 2013-02-27 03:36 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll

2013-01-13 20:08 . 2013-02-27 03:36 1504768 ----a-w- c:\windows\SysWow64\d3d11.dll

2013-01-13 19:59 . 2013-02-27 03:36 1643520 ----a-w- c:\windows\system32\DWrite.dll

2013-01-13 19:58 . 2013-02-27 03:36 1175552 ----a-w- c:\windows\system32\FntCache.dll

2013-01-13 19:54 . 2013-02-27 03:36 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll

2013-01-13 19:53 . 2013-02-27 03:36 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll

2013-01-13 19:53 . 2013-02-27 03:37 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll

2013-01-13 19:51 . 2013-02-27 03:36 2565120 ----a-w- c:\windows\system32\d3d10warp.dll

2013-01-13 19:49 . 2013-02-27 03:36 363008 ----a-w- c:\windows\system32\dxgi.dll

2013-01-13 19:48 . 2013-02-27 03:36 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll

2013-01-13 19:46 . 2013-02-27 03:36 1080832 ----a-w- c:\windows\SysWow64\d3d10.dll

2013-01-13 19:43 . 2013-02-27 03:36 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll

2013-01-13 19:38 . 2013-02-27 03:36 333312 ----a-w- c:\windows\system32\d3d10_1core.dll

2013-01-13 19:38 . 2013-02-27 03:36 1887232 ----a-w- c:\windows\system32\d3d11.dll

2013-01-13 19:38 . 2013-02-27 03:36 296960 ----a-w- c:\windows\system32\d3d10core.dll

2013-01-13 19:37 . 2013-02-27 03:36 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll

2013-01-13 19:25 . 2013-02-27 03:36 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll

2013-01-13 19:24 . 2013-02-27 03:36 648192 ----a-w- c:\windows\system32\d3d10level9.dll

2013-01-13 19:24 . 2013-02-27 03:37 221184 ----a-w- c:\windows\system32\UIAnimation.dll

2013-01-13 19:20 . 2013-02-27 03:36 194560 ----a-w- c:\windows\system32\d3d10_1.dll

2013-01-13 19:20 . 2013-02-27 03:36 1238528 ----a-w- c:\windows\system32\d3d10.dll

2013-01-13 19:15 . 2013-02-27 03:36 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll

2013-01-13 19:10 . 2013-02-27 03:36 3928064 ----a-w- c:\windows\system32\d2d1.dll

2013-01-13 19:02 . 2013-02-27 03:37 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll

2013-01-13 18:34 . 2013-02-27 03:36 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll

2013-01-13 18:32 . 2013-02-27 03:37 465920 ----a-w- c:\windows\system32\WMPhoto.dll

2013-01-13 18:09 . 2013-02-27 03:36 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2013-01-13 17:26 . 2013-02-27 03:36 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll

2013-01-13 17:05 . 2013-02-27 03:36 1682432 ----a-w- c:\windows\system32\XpsPrint.dll

2013-01-12 03:05 . 2013-01-12 03:05 666720 ----a-w- c:\windows\SysWow64\xsherlock.xem

2013-01-04 06:11 . 2013-02-27 03:37 2284544 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll

2013-01-04 06:11 . 2013-02-27 03:37 2776576 ----a-w- c:\windows\system32\msmpeg2vdec.dll

2013-01-04 05:46 . 2013-02-14 01:42 215040 ----a-w- c:\windows\system32\winsrv.dll

2013-01-04 04:51 . 2013-02-14 01:41 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2013-01-04 04:43 . 2013-02-14 01:42 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2013-01-04 03:26 . 2013-02-14 01:42 3153408 ----a-w- c:\windows\system32\win32k.sys

2013-01-04 02:47 . 2013-02-14 01:41 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2013-01-04 02:47 . 2013-02-14 01:41 7680 ----a-w- c:\windows\SysWow64\instnm.exe

2013-01-04 02:47 . 2013-02-14 01:41 2048 ----a-w- c:\windows\SysWow64\user.exe

2013-01-04 02:47 . 2013-02-14 01:41 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2013-01-03 06:00 . 2013-02-14 01:40 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-01-03 06:00 . 2013-02-14 01:40 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2013-01-02 17:31 . 2013-01-02 17:31 421200 ----a-w- c:\windows\SysWow64\msvcp100.dll

2013-01-02 17:30 . 2013-01-02 17:30 768848 ----a-w- c:\windows\SysWow64\msvcr100.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\Steam.exe" [2013-03-15 1632680]

"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]

"FATrayAlert"="c:\program files\Alienware\Command Center\AlienSense\FATrayMon.exe" [2010-04-04 95560]

"OSD_LAUNCH"="c:\program files (x86)\OSD\Launch_OSD.exe" [2009-11-10 32768]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]

"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]

"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]

"Integrated Webcam Live! Central"="c:\program files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe" [2010-08-20 487562]

"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-09-04 240112]

"Desktop Disc Tool"="c:\program files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-02 522736]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-06 421736]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"Launcher"="c:\program files (x86)\AlienRespawn\Components\Scheduler\Launcher.exe" [2011-01-13 165184]

.

c:\users\Sara B\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

GameStop Now.lnk - c:\program files (x86)\GameStop App\Now\GameStopNow.exe [2012-11-5 2039568]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-8-17 1080096]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]

2010-04-04 18:43 144712 ----a-w- c:\program files\Alienware\Command Center\AlienSense\FALogNot.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli FAPassSync

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 HappyOSD;HappyOSD;c:\program files (x86)\OSD\OSD_Service.exe [2009-12-30 16384]

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-09-04 219632]

R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]

R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\DRIVERS\facap.sys [2008-09-25 238848]

R3 IAMTVE;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTVE.sys [2007-04-11 43416]

R3 IAMTXPE;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTXPE.sys [2007-04-11 51096]

R3 ioatdma1;ioatdma1;c:\windows\System32\Drivers\qd162x64.sys [2009-07-13 40144]

R3 ioatdma2;Intel® QuickData Technology device ver.2;c:\windows\System32\Drivers\qd262x64.sys [2009-07-13 42192]

R3 iSSetup;iSSetup;c:\windows\system32\DRIVERS\iSSetup.sys [2009-10-13 178400]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2009-09-21 315664]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]

R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-09-04 1116656]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-29 1255736]

R3 XENfiltv;XENfiltv;c:\windows\system32\drivers\XENfiltv.sys [2009-07-31 25600]

R3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [x]

S0 ioatdma;Intel® QuickData Technology device;c:\windows\System32\Drivers\ioatdma.sys [2009-07-13 46792]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]

S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [2009-11-27 19504]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ec0230c23ac63514\AESTSr64.exe [2009-03-02 89600]

S2 AlienFusionService;Alienware Fusion Service;c:\program files\Alienware\Command Center\AlienFusionService.exe [2010-05-21 14648]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-04-06 236544]

S2 FAService;FAService;c:\program files\Alienware\Command Center\AlienSense\FAService.exe [2010-04-04 2409800]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]

S2 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [2009-11-30 59904]

S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-07-02 60416]

S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2009-07-01 80896]

S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2009-07-04 55808]

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\AlienRespawn\sftservice.EXE [2011-01-13 705856]

S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [2009-12-02 25136]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]

S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 35104]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2010-08-12 175168]

S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2009-12-10 294064]

S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2009-09-15 6952960]

S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

.

Contents of the 'Scheduled Tasks' folder

.

2013-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-07 01:38]

.

2013-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-07 01:38]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-12-03 487424]

"AlienFX Controller"="c:\program files\Alienware\Command Center\AlienwareAlienFXController.exe" [2010-05-21 63304]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-09-21 1926928]

"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2463232]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService

FontCache

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.alienware.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{322F3624-17E2-4B8F-B281-188BDFE3B731}\D627D6F647865627665736B65627: NameServer = 8.8.8.8,8.8.8.4

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-Overwolf - c:\program files (x86)\Overwolf\Overwolf.exe

Wow6432Node-HKLM-Run-FAStartup - (no file)

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe

AddRemove-NCsoft-CityOfHeroes - c:\program files (x86)\ncsoft\launcher\NCLauncher.exe

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\xsherlock]

"ImagePath"="c:\windows\system32\xsherlock.xem"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,

27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,

ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3

"{DA5BCE70-D057-4D63-943D-5F3927EC59F1}"=hex:51,66,7a,6c,4c,1d,38,12,1e,cd,48,

de,65,9e,0d,08,eb,2b,1c,79,22,b2,1d,e5

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:d9,f6,59,de,ca,f2,cd,01

.

[HKEY_USERS\S-1-5-21-4075634720-804054989-590395163-1001\Software\SecuROM\License information*]

"datasecu"=hex:29,26,dd,e8,c7,81,5a,25,05,c2,25,8e,9f,13,ab,ea,10,78,30,d0,20,

98,8b,ec,e7,e7,c6,ff,76,38,ab,90,9b,d6,b9,63,35,f1,79,d6,ad,72,ac,8e,05,d0,\

"rkeysecu"=hex:96,ae,ef,c2,f6,04,ce,c2,5d,d8,72,b2,3e,65,7f,b1

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-03-31 16:19:44

ComboFix-quarantined-files.txt 2013-03-31 20:19

.

Pre-Run: 56,277,331,968 bytes free

Post-Run: 59,566,436,352 bytes free

.

- - End Of File - - 3E8FE095D6C70E1638F99188E7BFEB3B

jmbaltz · March 31, 2013

Uninstalled Java 1.6, installed Jave 1.7. Checking Adobe now

jmbaltz · March 31, 2013

MSE full scan came up clean.

jmbaltz · March 31, 2013

Updated Adobe from V10 to V11

Larusso · April 1, 2013

From my first answer.

Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.

Open notepad and copy/paste the text in the Code-box below into it:


DirLook::
C:\Windows\System32\config\SOFTWARE53dd211c

Save this as CFScript.txt, in the same location as ComboFix.exe.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Download DDS and save it to your desktop from here.

Double click DDS to run the tool and press Start

Don't change any stettings without instruction

When done, DDS will save two (2) logs to your desktop:
1. DDS.txt
2. Attach.txt
[*].Please post them in your next reply

jmbaltz · April 1, 2013

ComboFix 13-03-31.01 - Sara B 04/01/2013 17:47:32.2.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8180.6319 [GMT -4:00]

Running from: c:\users\Sara B\Desktop\ComboFix.exe

Command switches used :: c:\users\Sara B\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2013-03-01 to 2013-04-01 )))))))))))))))))))))))))))))))

.

2013-04-01 21:51 . 2013-04-01 21:51 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-04-01 20:31 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{73C57B8D-ACB7-439D-B715-D0B227003C47}\mpengine.dll

2013-04-01 01:03 . 2013-04-01 01:03 -------- d-----w- c:\users\Sara B\AppData\Local\Macromedia

2013-04-01 01:01 . 2013-04-01 01:01 -------- d-----w- c:\users\Sara B\AppData\Local\Mozilla

2013-04-01 01:01 . 2013-04-01 01:01 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service

2013-03-31 21:34 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-03-31 21:18 . 2013-03-31 22:13 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-03-31 21:18 . 2013-03-31 21:18 -------- d-----w- c:\windows\system32\Macromed

2013-03-31 21:06 . 2013-03-31 21:06 -------- d-----w- c:\program files (x86)\Common Files\Adobe

2013-03-31 20:55 . 2013-03-31 20:55 -------- d-----w- c:\program files\Microsoft Mouse and Keyboard Center

2013-03-31 20:26 . 2013-03-31 20:26 -------- d-----w- c:\program files (x86)\Common Files\Java

2013-03-31 20:26 . 2013-03-31 20:26 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-03-28 16:56 . 2013-03-28 16:56 -------- d-----w- C:\FRST

2013-03-28 02:58 . 2013-03-28 03:03 -------- d-----w- C:\Boot

2013-03-27 17:26 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2013-03-27 17:26 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys

2013-03-27 17:26 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll

2013-03-27 17:26 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll

2013-03-27 17:26 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll

2013-03-27 17:26 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll

2013-03-27 17:26 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll

2013-03-27 17:26 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll

2013-03-27 17:26 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll