
System32\service.exe infected | Help please!!

Discussion in 'Virus & Other Malware Removal' started by Trumi, Jul 18, 2012.

  1. Trumi

    Trumi Thread Starter

    Joined:
    Jul 18, 2012
    Messages:
    10
    I've seen this around the forums as a common problem but I wanted to do this one on one so I don't mess up my computer more than I already have. > .< Especially since I should "NOT RUN ComboFix unless requested to."

    As titles states my system32\service.exe file is infected. [image here] The problem started sometime around yesterday. I also do not know how to, er, generate a log.

    I also have another problem. I'm not sure what to call it but a problem with "doubleclick(.net/.com)" Hopefully I can solve this problem along with my first. My first being the most important.

    Many thanks,
    Trums :eek:
     
  2. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi and welcome,

    • Download OTL to your desktop.
    • Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      Note: These logs can be located in the _OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
    ----------

    Please download aswMBR to your desktop.

    • Right click and Run as Administrator the aswMBR icon to run it.
    • Click the Scan button to start scan.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

    ----------
     
  3. Trumi

    Trumi Thread Starter

    Joined:
    Jul 18, 2012
    Messages:
    10
    Thank you very much for your reply and I apologize for my late one. Here are the logs you requested.
    ~Trums

     
  4. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    No need to put your logs that are created in code/quote boxes. :)
    ----------

    **WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

    Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may have damaged your system files themselves. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway, depending on the extent of the infection.

    If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

    If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :)
    ----------

    Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.**
    ----------

    If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

    To disable Malwarebytes
    • Open the scanner and select the Protection tab
    • Remove the tick from "Start Protection Module with Windows" as seen below

    Once complete continue with the instructions...
    ----------

    Run OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      Code:
      :Services
      
      :Files
      C:\Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3}\
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
    ----------

    Download Combofix from the link below, and save it to your desktop.
    Link

    **Note: It is important that it is saved directly to your desktop**
    If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


    --------------------------------------------------------------------

    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    --------------------------------------------------------------------

    Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.
    ----------

    In your next reply please post the logs made by OTL and ComboFix. :)
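The OTL fix above removes a GUID-named folder under C:\Windows\Installer, and the OTL log further down the thread shows that folder held U and L subfolders. One way to look for that folder shape on a disk image or a live host, as an added example that is not part of this post, of OTL or of the thread: the function and parameter names below are this example's own, the directory tree it builds for the dry run is constructed, and a match is a lead to examine by hand, not proof of infection.

```python
r"""Find GUID-named folders under the Windows Installer directory that carry
"U" or "L" subfolders, the layout of the folder the OTL fix above removes
(the OTL log later in the thread moves {GUID}\U and {GUID}\L).
Added example, not from the thread or from OTL; function and parameter
names are this example's own, and a match is a lead to examine, not proof.
"""
import re
import tempfile
from pathlib import Path

# A Windows Installer cache folder name: {8-4-4-4-12 hex digits}
GUID_DIR_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
MARKER_SUBDIRS = {"U", "L"}


def suspicious_installer_dirs(installer_root):
    """GUID-named directories directly under installer_root that contain a
    'U' or 'L' subdirectory, as sorted path strings; [] if root is absent."""
    root = Path(installer_root)
    if not root.is_dir():
        return []
    hits = []
    for entry in root.iterdir():
        if entry.is_dir() and GUID_DIR_RE.match(entry.name):
            subdirs = {c.name.upper() for c in entry.iterdir() if c.is_dir()}
            if subdirs & MARKER_SUBDIRS:
                hits.append(str(entry))
    return sorted(hits)


def build_demo_tree(base):
    """Constructed layout for a dry run: the folder named in the thread's fix
    script with U and L inside, beside an ordinary-looking cache folder."""
    base = Path(base)
    bad = base / "{c1d4325d-1fb2-7345-30c4-1b90493abfb3}"
    (bad / "U").mkdir(parents=True)
    (bad / "L").mkdir()
    good = base / "{11111111-2222-3333-4444-555555555555}"   # constructed
    good.mkdir()
    (good / "icon.exe").write_bytes(b"")   # constructed placeholder file
    return str(bad)


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return both."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = build_demo_tree(tmp)
        return bad, suspicious_installer_dirs(tmp)


if __name__ == "__main__":
    bad, hits = run_demo()
    print("expected:", bad)
    print("flagged: ", hits)
    # Live host check: suspicious_installer_dirs(r"C:\Windows\Installer")
```

The scan only looks one level deep and only at folder names, so it is cheap to run over a mounted image; anything it flags still needs the folder contents reviewed, as the helper does here with OTL before deciding on a fix.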
     
  5. Trumi

    Trumi Thread Starter

    Joined:
    Jul 18, 2012
    Messages:
    10
    I'll remember that next time :eek: Here are OTL and ComboFix.

    OTL:
    All processes killed
    ========== SERVICES/DRIVERS ==========
    ========== FILES ==========
    C:\Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3}\U folder moved successfully.
    C:\Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3}\L folder moved successfully.
    C:\Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3} folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Chateau
    ->Temp folder emptied: 131447 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->FireFox cache emptied: 7197055 bytes
    ->Flash cache emptied: 56478 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 56478 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 50254 bytes
    ->Temporary Internet Files folder emptied: 742894 bytes
    ->Flash cache emptied: 41620 bytes

    User: Ming-Ti
    ->Temp folder emptied: 80155747 bytes
    ->Temporary Internet Files folder emptied: 69020134 bytes
    ->Java cache emptied: 6929606 bytes
    ->FireFox cache emptied: 9212968 bytes
    ->Google Chrome cache emptied: 383466136 bytes
    ->Flash cache emptied: 126531 bytes

    User: Public

    User: Steven

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4643302 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 36028370 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 570.00 mb


    OTL by OldTimer - Version 3.2.54.0 log created on 07192012_053916

    Files\Folders moved on Reboot...
    C:\Users\Ming-Ti\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Windows\temp\fla144.tmp not found!
    C:\Windows\temp\master33691 moved successfully.

    PendingFileRenameOperations files...
    File C:\Users\Ming-Ti\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
    File C:\Windows\temp\fla144.tmp not found!
    File C:\Windows\temp\master33691 not found!

    Registry entries deleted on Reboot...

    ----------

    ComboFix:
    ComboFix 12-07-19.01 - Ming-Ti 07/19/2012 5:54.1.8 - x64
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4087.2614 [GMT -7:00]
    Running from: c:\users\Ming-Ti\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\program files (x86)\Brand Affinity Technologies
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\ChromeInstaller.dll
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\ChromeInstaller.InstallState
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\fantapper_w3i20110531.crx
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\fantapper_w3i20110531.xpi
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FantapperUpdateService.exe
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FantapperUpdateService.InstallState
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FirefoxInstaller.dll
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FirefoxInstaller.InstallState
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FT_Enabled.ico
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FT_Plugin_Installer.jpg
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\IEInstaller.dll
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\OpenIE.dll
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\OpenIE.InstallState
    c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\update.msi
    c:\program files (x86)\DealBulldog Toolbar
    c:\program files (x86)\DealBulldog Toolbar\affid.dat
    c:\program files (x86)\DealBulldog Toolbar\alert_plugin.dll
    c:\program files (x86)\DealBulldog Toolbar\basis.xml
    c:\program files (x86)\DealBulldog Toolbar\icons.bmp
    c:\program files (x86)\DealBulldog Toolbar\info.txt
    c:\program files (x86)\DealBulldog Toolbar\install.ico
    c:\program files (x86)\DealBulldog Toolbar\MacroParserPlugin.dll
    c:\program files (x86)\DealBulldog Toolbar\mbback.bmp
    c:\program files (x86)\DealBulldog Toolbar\mbbigopen.bmp
    c:\program files (x86)\DealBulldog Toolbar\mbclose.bmp
    c:\program files (x86)\DealBulldog Toolbar\mbfwd.bmp
    c:\program files (x86)\DealBulldog Toolbar\mbsep.bmp
    c:\program files (x86)\DealBulldog Toolbar\nav1c.bmp
    c:\program files (x86)\DealBulldog Toolbar\somoto.dll
    c:\program files (x86)\DealBulldog Toolbar\TbCommonUtils.dll
    c:\program files (x86)\DealBulldog Toolbar\tbcore3.dll
    c:\program files (x86)\DealBulldog Toolbar\tbcore3.inf
    c:\program files (x86)\DealBulldog Toolbar\tbhelper.dll
    c:\program files (x86)\DealBulldog Toolbar\TbHelper2.exe
    c:\program files (x86)\DealBulldog Toolbar\uninstall.exe
    c:\program files (x86)\DealBulldog Toolbar\UninstallToolbar.exe
    c:\program files (x86)\DealBulldog Toolbar\update.exe
    c:\program files (x86)\DealBulldog Toolbar\version.txt
    c:\program files (x86)\Shop to Win
    c:\program files (x86)\Shop to Win\InstallNotifier.exe
    c:\program files (x86)\Shop to Win\ShopToWin.exe
    c:\program files (x86)\Shop to Win\TestFeeds\DisableStatus.xml
    c:\program files (x86)\Shop to Win\TestFeeds\DisableStatusDirection.xml
    c:\program files (x86)\Shop to Win\TestFeeds\GenericPopup.xml
    c:\program files (x86)\Shop to Win\TestFeeds\MainStatus.xml
    c:\program files (x86)\Shop to Win\TestFeeds\ShoppingConfirmation.xml
    c:\program files (x86)\Shop to Win\unins000.dat
    c:\program files (x86)\Shop to Win\unins000.exe
    c:\program files (x86)\StartNow Toolbar
    c:\program files (x86)\StartNow Toolbar\ReactivateFF.exe
    c:\program files (x86)\StartNow Toolbar\ReactivateIE.exe
    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_images.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_maps.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_news.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_videos.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\engine_web.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_games.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_msn.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_travel.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png
    c:\program files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png
    c:\program files (x86)\StartNow Toolbar\Resources\installer.xml
    c:\program files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\separator.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\splitter.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
    c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
    c:\program files (x86)\StartNow Toolbar\Resources\toolbar.xml
    c:\program files (x86)\StartNow Toolbar\Resources\update.xml
    c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
    c:\program files (x86)\StartNow Toolbar\Toolbar32.dll
    c:\program files (x86)\StartNow Toolbar\ToolbarBroker.exe
    c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
    c:\program files (x86)\StartNow Toolbar\uninstall.dat
    c:\program files (x86)\VooMuu
    c:\program files (x86)\VooMuu\bin\1.0.36.0\copyright.txt
    c:\program files (x86)\VooMuu\bin\1.0.36.0\VooMuuSA.exe
    c:\program files (x86)\VooMuu\bin\1.0.36.0\VooMuuSAHook.dll
    c:\program files (x86)\VooMuu\bin\1.0.36.0\VooMuuUninstaller.exe
    c:\programdata\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
    c:\programdata\VooMuuSA
    c:\programdata\VooMuuSA\VooMuuSA.dat
    c:\programdata\VooMuuSA\VooMuuSA_kyf.dat
    c:\programdata\VooMuuSA\VooMuuSAau.dat
    c:\users\Ming-Ti\98da2a1f9690730917d54170cefd2439.jpg
    c:\users\Ming-Ti\AppData\Local\assembly\tmp
    c:\users\Ming-Ti\Documents\ShopToWin
    .
    Infected copy of c:\windows\system32\Services.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_MyWebSearchService
    -------\Service_FTSvc
    -------\Service_Updater Service for StartNow Toolbar
    -------\Service_FTSvc
    -------\Service_Updater Service for StartNow Toolbar
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-19 to 2012-07-19 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-19 13:06 . 2012-07-19 13:06 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2012-07-19 13:06 . 2012-07-19 13:06 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-19 12:39 . 2012-07-19 12:39 -------- d-----w- C:\_OTL
    2012-07-19 12:36 . 2012-07-19 12:36 -------- d-----w- c:\program files (x86)\ERUNT
    2012-07-18 12:00 . 2012-07-18 12:00 -------- d-----w- c:\users\Guest\AppData\Roaming\AVG2012
    2012-07-18 06:16 . 2012-07-18 06:16 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-18 06:16 . 2012-07-18 10:43 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-18 03:56 . 2012-07-18 12:01 -------- d-----w- c:\programdata\AVG2012
    2012-07-17 15:35 . 2012-07-18 10:49 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-07-17 15:22 . 2012-07-18 10:49 -------- d-----w- c:\program files (x86)\Anna
    2012-07-17 13:03 . 2012-07-17 13:03 -------- d-----w- c:\program files (x86)\Common Files\DAZ
    2012-07-17 12:58 . 2012-07-18 10:46 -------- d-----w- c:\programdata\DAZ 3D
    2012-07-17 12:46 . 2012-07-18 10:46 -------- d-----w- c:\program files\DAZ 3D
    2012-07-16 06:01 . 2012-07-18 10:49 -------- d-----w- c:\programdata\McAfee Security Scan
    2012-07-16 06:00 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\McAfee Security Scan
    2012-07-16 06:00 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-07-16 05:59 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Oracle
    2012-07-16 05:59 . 2012-07-06 05:06 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-07-16 05:56 . 2012-07-16 05:56 -------- d-----w- c:\programdata\McAfee
    2012-07-16 01:40 . 2012-07-18 14:50 -------- d-----w- c:\program files (x86)\4game
    2012-07-14 01:48 . 2012-07-18 10:45 -------- d-----w- c:\program files (x86)\Audition Online
    2012-07-13 12:04 . 2012-07-14 01:03 -------- d-----w- c:\program files (x86)\1ClickDownload
    2012-07-12 06:41 . 2012-07-18 14:47 -------- d-----w- c:\program files (x86)\medit
    2012-07-09 20:23 . 2012-07-18 10:49 -------- d-----w- c:\users\Chateau
    2012-07-07 02:58 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\NCsoft
    2012-07-04 18:22 . 2012-07-18 10:46 -------- d-----w- c:\users\Steven
    2012-07-04 03:36 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\beanfun!
    2012-07-03 19:25 . 2012-07-19 13:05 -------- d-----w- c:\users\Ming-Ti
    2012-07-03 18:52 . 2012-07-18 10:46 -------- d-----w- c:\windows\system32\%LocalAppData%
    2012-07-03 18:30 . 2012-02-23 21:24 24408 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2012-07-03 17:47 . 2012-07-18 10:46 -------- d-----w- c:\program files\SmartPCFixer
    2012-07-03 17:22 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Uniblue
    2012-07-03 17:22 . 2012-07-03 17:22 -------- dc-h--w- c:\programdata\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46}
    2012-07-03 16:52 . 2012-07-18 10:46 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-02 18:52 . 2012-07-18 10:46 -------- d-----w- c:\programdata\AVG Secure Search
    2012-07-02 18:52 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
    2012-07-02 18:51 . 2012-07-18 10:49 -------- d-----w- c:\program files (x86)\AVG Secure Search
    2012-07-02 17:38 . 2012-07-02 19:11 -------- d-----w- C:\e012b0bfc282bb9dec1ac0c1cd7087bb
    2012-07-02 17:37 . 2012-05-21 07:20 333216 ----a-w- c:\windows\SysWow64\MMInstaller.dll
    2012-07-02 17:35 . 2012-07-18 10:46 -------- d-----w- c:\program files\Tencent
    2012-07-02 17:34 . 2012-07-02 17:37 -------- d-----w- c:\programdata\Tencent
    2012-07-02 17:34 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\Tencent
    2012-07-02 17:34 . 2012-07-18 14:52 -------- d-----w- c:\program files (x86)\Tencent
    2012-07-02 17:33 . 2012-07-02 18:53 18760 ----a-w- c:\windows\SysWow64\QQVistaHelper.dll
    2012-06-25 15:09 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-25 15:09 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-25 15:09 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-25 15:09 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-25 15:08 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-25 15:08 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-25 15:08 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-25 15:08 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-25 15:08 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 16:09 . 2012-04-14 19:43 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-12 16:09 . 2011-12-02 03:01 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-06 05:06 . 2011-12-03 06:47 687544 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-07-01 18:26 . 2011-05-24 03:56 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2012-07-01 18:26 . 2011-11-30 03:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2012-07-01 18:26 . 2011-05-24 03:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2012-07-01 18:26 . 2011-05-24 03:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-06-25 22:35 . 2010-03-18 16:15 770384 ----a-w- c:\windows\SysWow64\MSVCR100.dll
    2012-06-25 22:35 . 2010-03-18 16:15 421200 ----a-w- c:\windows\SysWow64\MSVCP100.dll
    2012-06-18 10:32 . 2012-06-18 10:32 1409 ----a-w- c:\windows\Fonts\fsex2p00_public.fot
    2012-06-16 06:36 . 2011-11-30 03:57 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2012-06-16 06:36 . 2011-05-24 03:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2012-06-16 06:35 . 2011-11-30 03:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2012-06-16 06:35 . 2011-11-30 03:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2012-05-18 02:47 . 2012-06-15 13:42 17807360 ----a-w- c:\windows\system32\mshtml.dll
    2012-05-18 02:16 . 2012-06-15 13:42 10924032 ----a-w- c:\windows\system32\ieframe.dll
    2012-05-18 02:06 . 2012-06-15 13:42 2311680 ----a-w- c:\windows\system32\jscript9.dll
    2012-05-18 01:59 . 2012-06-15 13:42 1346048 ----a-w- c:\windows\system32\urlmon.dll
    2012-05-18 01:59 . 2012-06-15 13:42 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-05-18 01:58 . 2012-06-15 13:42 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-05-18 01:58 . 2012-06-15 13:42 237056 ----a-w- c:\windows\system32\url.dll
    2012-05-18 01:56 . 2012-06-15 13:42 85504 ----a-w- c:\windows\system32\jsproxy.dll
    2012-05-18 01:55 . 2012-06-15 13:42 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-05-18 01:55 . 2012-06-15 13:42 818688 ----a-w- c:\windows\system32\jscript.dll
    2012-05-18 01:54 . 2012-06-15 13:42 2144768 ----a-w- c:\windows\system32\iertutil.dll
    2012-05-18 01:51 . 2012-06-15 13:42 96768 ----a-w- c:\windows\system32\mshtmled.dll
    2012-05-18 01:51 . 2012-06-15 13:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-05-18 01:47 . 2012-06-15 13:42 248320 ----a-w- c:\windows\system32\ieui.dll
    2012-05-17 22:45 . 2012-06-15 13:42 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
    2012-05-17 22:35 . 2012-06-15 13:42 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-05-17 22:35 . 2012-06-15 13:42 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-05-17 22:29 . 2012-06-15 13:42 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-05-17 22:24 . 2012-06-15 13:42 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-05-15 01:32 . 2012-06-15 09:38 3144192 ----a-w- c:\windows\system32\win32k.sys
    2012-05-13 22:28 . 2011-12-28 22:56 121416 ----a-w- c:\windows\system32\drivers\MijXfilt.sys
    2012-05-04 10:52 . 2012-06-15 09:38 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 10:08 . 2012-06-15 09:38 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:08 . 2012-06-15 09:38 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll
    2012-05-03 02:54 . 2012-05-03 02:54 28056 ----a-w- c:\windows\system32\xfcodec64.dll
    2012-05-02 05:32 . 2012-06-15 09:38 208896 ----a-w- c:\windows\system32\profsvc.dll
    2012-04-28 03:50 . 2012-06-15 09:38 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-28 00:28 . 2012-04-28 01:12 258352 ----a-w- c:\windows\SysWow64\unicows.dll
    2012-04-26 05:34 . 2012-06-15 09:38 76288 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-04-26 05:34 . 2012-06-15 09:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-04-26 05:28 . 2012-06-15 09:38 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-04-24 05:59 . 2012-06-15 09:37 1460224 ----a-w- c:\windows\system32\crypt32.dll
    2012-04-24 05:59 . 2012-06-15 09:37 182272 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-04-24 05:59 . 2012-06-15 09:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
    2012-04-24 04:47 . 2012-06-15 09:37 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-04-24 04:47 . 2012-06-15 09:37 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-04-24 04:47 . 2012-06-15 09:37 1156608 ----a-w- c:\windows\SysWow64\crypt32.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2010-11-20 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
    [7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
    [-] 2012-01-28 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
    .
    [-] 2012-01-28 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
    [7] 2010-11-20 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
    [7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~2\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-25 19:47 297808 ----a-w- c:\windows\System32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{46F9BE77-3DD9-0ECB-98F9-1793D13B9886}]
    2012-06-27 23:25 1404320 ----a-w- c:\program files\Tencent\SSPlus\SAddr.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{90b49673-5506-483e-b92b-ca0265bd9ca8}]
    2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\IMVU_Inc\prxtbIMVU.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-02 18:52 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{90b49673-5506-483e-b92b-ca0265bd9ca8}"= "c:\program files (x86)\IMVU_Inc\prxtbIMVU.dll" [2011-05-09 176936]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-02 2074208]
    .
    [HKEY_CLASSES_ROOT\clsid\{90b49673-5506-483e-b92b-ca0265bd9ca8}]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-06-16 2736128]
    "Advanced SystemCare 5"="c:\program files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" [2012-03-07 574296]
    "QQIntl"="c:\program files (x86)\Tencent\QQIntl\Bin\QQ.exe" [2012-07-02 128416]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-06-05 17344176]
    "Steam"="c:\program files (x86)\Steam\steam.exe" [2011-12-03 1242448]
    "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-07-13 895376]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
    "BambooCore"="c:\program files (x86)\Bamboo Dock\BambooCore.exe" [2011-09-27 646232]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-02 1107552]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    c:\users\Ming-Ti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    MSPANotify - Shortcut.lnk - c:\users\Ming-Ti\Downloads\MSPANotify-0.4.1\MSPANotify.exe [2012-7-16 410112]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-2 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
    R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [x]
    R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
    R3 iscFlash;iscFlash;c:\users\Steven\AppData\Local\Temp\7zSB6F0.tmp\iscflashx64.sys [x]
    R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [2012-01-11 34304]
    R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [2012-02-22 28160]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
    R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2012-05-13 121416]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
    R3 qkm;qkm;c:\koramgame\GDOnline\mqkwy64.sys [2012-02-04 48048]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-10-24 291328]
    R3 sj;sj;c:\aeriagames\EdenEternal\sjcs64.sys [2011-12-09 47224]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-03 51712]
    R3 usj;usj;c:\aeriagames\EdenEternal\avital\ussjcs64.sys [2012-07-06 89560]
    R3 vtany;vtany;c:\windows\vtany.sys [x]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2011-09-09 13312]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-21 1255736]
    R3 X6va005;X6va005;c:\users\Steven\AppData\Local\Temp\0057DA7.tmp [x]
    R3 X6va006;X6va006;c:\users\Steven\AppData\Local\Temp\006F845.tmp [x]
    R3 X6va008;X6va008;c:\users\Ming-Ti\AppData\Local\Temp\008F846.tmp [x]
    R3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-03-04 55856]
    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-02-22 289872]
    S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
    S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-03-19 383808]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-03-15 913752]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_70dacb64382a61a7\AESTSr64.exe [2009-03-03 89600]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-07-05 5160568]
    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-14 30520]
    S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2011-09-09 6583160]
    S2 TBUpdate;Tencent Toolbar Update Service;c:\program files\Tencent\barupdate\TBUpdate.exe [2012-07-03 197536]
    S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-02-23 2886528]
    S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2011-09-09 528760]
    S2 UpdaterService;WhiteSmoke Updater Service;c:\programdata\UpdaterService\wsupdsvc.exe [2012-04-29 549744]
    S2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [2012-07-02 935008]
    S2 WajamUpdater;WajamUpdater;c:\program files\Wajam\Updater\WajamUpdater.exe [2012-03-09 109064]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
    S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-14 32880]
    S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
    S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-06-29 70656]
    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-07-20 140712]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2009-08-22 84512]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-06-16 20:38 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 16:09]
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4068807989-813300523-3891819274-1004Core.job
    - c:\users\Ming-Ti\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 19:51]
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4068807989-813300523-3891819274-1004UA.job
    - c:\users\Ming-Ti\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 19:51]
    .
    2012-07-16 c:\windows\Tasks\Norton Security Scan for Steven.job
    - c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2011-12-23 09:45]
    .
    2012-07-19 c:\windows\Tasks\RegistryBooster.job
    - c:\program files (x86)\Uniblue\RegistryBooster\rbmonitor.exe [2012-07-03 18:56]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-25 19:47 444752 ----a-w- c:\windows\System32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-03-24 487424]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-29 16395880]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "combofix"="c:\combofix\CF14418.3XE" [2009-07-14 344576]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3007394
    mStart Page = hxxp://search.my-tools-app.com/?babsrc=home&s=web&as=0&isid=9852
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Steven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    Trusted Zone: qq.com\cache.tv
    Trusted Zone: qq.com\qqlivecaption
    Trusted Zone: qq.com\qqlivehabit
    Trusted Zone: qq.com\qqlivesearch
    Trusted Zone: qq.com\video_1
    TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{CB0B424B-A1EC-4E14-9608-4D23B7C425F2}: NameServer = 4.2.2.1
    TCP: Interfaces\{CB0B424B-A1EC-4E14-9608-4D23B7C425F2}\46C696E6B6: NameServer = 4.2.2.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    DPF: {12193C65-F0E1-4DD1-AD4E-DB73C6911011} - file:///D:/activeX/DCP.cab
    DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://sslpx-ccas01.edmc.edu/auth/taweb.cab
    DPF: {7191F0AC-D686-46A8-BFCC-EA61778C74DD} - file:///D:/activeX/aplugLiteDL.cab
    FF - ProfilePath - c:\users\Ming-Ti\AppData\Roaming\Mozilla\Firefox\Profiles\4fiohuq8.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://isearch.avg.com/?cid={D1E1E66B-09C0-42E2-9FAC-CAB67704104F}&mid=4d27b50357d247d68b6f1a671b6c1e32-ec7a1d4c2e9b3a9a0ad0219ec7c4e08c4f2893c9&lang=en&ds=yu012&pr=sa&d=2012-07-02 11:52&v=11.1.0.12&sap=hp
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{127AD70F-B2B7-4f6a-ACD9-C7B1FE48C8C0} - (no file)
    Wow6432Node-HKCU-Run-PlayNC Launcher - (no file)
    Wow6432Node-HKCU-Run-Akamai NetSession Interface - c:\users\Ming-Ti\AppData\Local\Akamai\netsession_win.exe
    WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-DealBulldog Toolbar - c:\program files (x86)\DealBulldog Toolbar\UninstallToolbar.exe
    AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
    AddRemove-VooMuuSA - c:\program files (x86)\VooMuu\bin\1.0.36.0\VooMuuUninstaller.exe
    AddRemove-{92A196AE-9B4D-499C-94D4-18FA2061B3CE}_is1 - c:\program files (x86)\Shop To Win\unins000.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
    "ImagePath"="\??\c:\users\Steven\AppData\Local\Temp\0057DA7.tmp"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va006]
    "ImagePath"="\??\c:\users\Steven\AppData\Local\Temp\006F845.tmp"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va008]
    "ImagePath"="\??\c:\users\Ming-Ti\AppData\Local\Temp\008F846.tmp"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\xsherlock]
    "ImagePath"="c:\windows\system32\xsherlock.xem"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{47BF077C-44C6-42B1-8F88-ADE2585DD2ED}*]
    @=hex:21,08,4a,87,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{97A98033-9FA1-4E80-A339-59787B43CC89}*]
    @=hex:ed,b8,9e,87,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{A82EB336-567D-4F41-A63E-8113AD8B6903}*]
    @=hex:56,b0,46,84,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{C4B20040-7D5A-4558-9E19-B7DF94366F97}*]
    @=hex:22,6d,17,88,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*]
    "value"="?\05\02\1f\15\05\19?"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
    @Denied: (A) (Everyone)
    "Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
    "Key"="ActionsPane"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-19 06:16:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-19 13:16
    .
    Pre-Run: 80,174,125,056 bytes free
    Post-Run: 79,650,013,184 bytes free
    .
    - - End Of File - - 776E5CDADF44DC75D8E521E4A26A5F1A
     
  6. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      FCopy::
      c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll | c:\windows\SysWOW64\user32.dll
      
      DDS::
      uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3007394
      mStart Page = hxxp://search.my-tools-app.com/?babsrc=home&s=web&as=0&isid=9852
      IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Steven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
      Trusted Zone: qq.com\cache.tv
      Trusted Zone: qq.com\qqlivecaption
      Trusted Zone: qq.com\qqlivehabit
      Trusted Zone: qq.com\qqlivesearch
      Trusted Zone: qq.com\video_1
      
      File::
      c:\program files (x86)\IMVU_Inc\prxtbIMVU.dll
      c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe
      
      Registry::
      [-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{90b49673-5506-483e-b92b-ca0265bd9ca8}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
      "{90b49673-5506-483e-b92b-ca0265bd9ca8}"=-
      [-HKEY_CLASSES_ROOT\clsid\{90b49673-5506-483e-b92b-ca0265bd9ca8}]
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Advanced SystemCare 5"=-
      
      Driver::
      AdvancedSystemCareService5
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [image here]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
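A small triage helper for the log format shown above, added here as an example; it is not part of this thread and not ComboFix's own code. It parses the Drivers/Services lines and the policies\system block, flags services whose image path sits in a temp directory, whose extension is not .sys/.exe/.dll, or whose file ComboFix could not find, and reports whether UAC (EnableLUA) is off. The scoring weights, the reading of the R/S letter and start digit, and the sample lines (copied from the log posted earlier) are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, assembled from lines in the ComboFix log posted earlier
# in this thread: the UAC policy block and a few Drivers/Services lines.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 X6va005;X6va005;c:\users\Steven\AppData\Local\Temp\0057DA7.tmp [x]
R3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [x]
S2 WajamUpdater;WajamUpdater;c:\program files\Wajam\Updater\WajamUpdater.exe [2012-03-09 109064]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-07-20 140712]
"""

# One Drivers/Services line: state letter, start digit, name;display;path, then
# [date size] or [x]. Assumed: ComboFix prints [x] when it cannot find the file.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>x|\d{4}-\d{2}-\d{2} \d+)\]\s*$"
)
POLICY_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s*\(0x[0-9a-fA-F]+\)\s*$')
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
EXPECTED_EXT = {".sys", ".exe", ".dll"}
FLAG_THRESHOLD = 2  # assumed weighting: a missing file alone is not enough (stale hardware drivers)


@dataclass
class ServiceEntry:
    state: str          # R or S as printed by ComboFix (assumed: running / stopped)
    start: int          # start-type digit as printed (assumed: 0 boot .. 4 disabled)
    name: str
    display: str
    path: str
    file_present: bool  # False when the line ended in [x]


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Pull every Drivers/Services line out of a ComboFix log."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(
                state=m.group("state"), start=int(m.group("start")),
                name=m.group("name"), display=m.group("display"),
                path=m.group("path"), file_present=m.group("stamp") != "x"))
    return entries


def score_entry(entry: ServiceEntry) -> Tuple[int, List[str]]:
    """Path-shape heuristics only: they catch droppers living in temp dirs and
    odd extensions, not every unwanted program (adware under Program Files passes)."""
    score, reasons = 0, []
    if TEMP_DIR_RE.search(entry.path):
        score += 2
        reasons.append("image path inside a temp directory")
    ext = ntpath.splitext(entry.path)[1].lower()
    if ext not in EXPECTED_EXT:
        score += 2
        reasons.append(f"unusual image extension {ext or '(none)'}")
    if not entry.file_present:
        score += 1
        reasons.append("image file not found ([x])")
    return score, reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map service name -> reasons, for entries scoring at or above FLAG_THRESHOLD."""
    flagged = {}
    for entry in parse_services(log_text):
        score, reasons = score_entry(entry)
        if score >= FLAG_THRESHOLD:
            flagged[entry.name] = reasons
    return flagged


def parse_uac_policies(log_text: str) -> Dict[str, int]:
    """Read the integer values ComboFix lists under the policies\\system key."""
    values, in_key = {}, False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == POLICY_KEY.lower()
        elif in_key:
            m = POLICY_RE.match(line)
            if m:
                values[m.group("name")] = int(m.group("value"))
    return values


def uac_disabled(policies: Dict[str, int]) -> bool:
    """EnableLUA = 0 means UAC is switched off entirely."""
    return policies.get("EnableLUA", 1) == 0


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(why)}")
    print("UAC disabled:", uac_disabled(parse_uac_policies(SAMPLE_LOG)))
```

The three names it flags on the sample are the same ones whose ImagePath entries appear under ControlSet001\services at the end of the log above, so the heuristic agrees with what the specialist picked out by hand.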
     
  7. Trumi

    Trumi Thread Starter

    Joined:
    Jul 18, 2012
    Messages:
    10
    ComboFix 12-07-20.02 - Ming-Ti 07/20/2012 6:31.2.8 - x64
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4087.2738 [GMT -7:00]
    Running from: c:\users\Ming-Ti\Desktop\ComboFix.exe
    Command switches used :: c:\users\Ming-Ti\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\program files (x86)\IMVU_Inc\prxtbIMVU.dll"
    "c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll --> c:\windows\SysWOW64\user32.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_AdvancedSystemCareService5
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-20 to 2012-07-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-20 13:42 . 2012-07-20 13:42 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2012-07-20 13:42 . 2012-07-20 13:42 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-20 10:07 . 2012-06-12 03:02 3147264 ----a-w- c:\windows\system32\win32k.sys
    2012-07-19 12:39 . 2012-07-19 12:39 -------- d-----w- C:\_OTL
    2012-07-19 12:36 . 2012-07-19 12:36 -------- d-----w- c:\program files (x86)\ERUNT
    2012-07-18 12:00 . 2012-07-18 12:00 -------- d-----w- c:\users\Guest\AppData\Roaming\AVG2012
    2012-07-18 06:16 . 2012-07-18 06:16 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-18 06:16 . 2012-07-18 10:43 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-18 03:56 . 2012-07-18 12:01 -------- d-----w- c:\programdata\AVG2012
    2012-07-17 15:35 . 2012-07-18 10:49 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-07-17 15:22 . 2012-07-18 10:49 -------- d-----w- c:\program files (x86)\Anna
    2012-07-17 13:03 . 2012-07-17 13:03 -------- d-----w- c:\program files (x86)\Common Files\DAZ
    2012-07-17 12:58 . 2012-07-18 10:46 -------- d-----w- c:\programdata\DAZ 3D
    2012-07-17 12:46 . 2012-07-18 10:46 -------- d-----w- c:\program files\DAZ 3D
    2012-07-16 06:01 . 2012-07-18 10:49 -------- d-----w- c:\programdata\McAfee Security Scan
    2012-07-16 06:00 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\McAfee Security Scan
    2012-07-16 06:00 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-07-16 05:59 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Oracle
    2012-07-16 05:59 . 2012-07-06 05:06 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-07-16 05:56 . 2012-07-16 05:56 -------- d-----w- c:\programdata\McAfee
    2012-07-16 01:40 . 2012-07-18 14:50 -------- d-----w- c:\program files (x86)\4game
    2012-07-14 01:48 . 2012-07-18 10:45 -------- d-----w- c:\program files (x86)\Audition Online
    2012-07-13 12:04 . 2012-07-14 01:03 -------- d-----w- c:\program files (x86)\1ClickDownload
    2012-07-12 06:41 . 2012-07-18 14:47 -------- d-----w- c:\program files (x86)\medit
    2012-07-09 20:23 . 2012-07-18 10:49 -------- d-----w- c:\users\Chateau
    2012-07-07 02:58 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\NCsoft
    2012-07-04 18:22 . 2012-07-18 10:46 -------- d-----w- c:\users\Steven
    2012-07-04 03:36 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\beanfun!
    2012-07-03 19:25 . 2012-07-19 13:05 -------- d-----w- c:\users\Ming-Ti
    2012-07-03 18:52 . 2012-07-18 10:46 -------- d-----w- c:\windows\system32\%LocalAppData%
    2012-07-03 18:30 . 2012-02-23 21:24 24408 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2012-07-03 17:47 . 2012-07-18 10:46 -------- d-----w- c:\program files\SmartPCFixer
    2012-07-03 17:22 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Uniblue
    2012-07-03 17:22 . 2012-07-03 17:22 -------- dc-h--w- c:\programdata\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46}
    2012-07-03 16:52 . 2012-07-18 10:46 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-02 18:52 . 2012-07-18 10:46 -------- d-----w- c:\programdata\AVG Secure Search
    2012-07-02 18:52 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
    2012-07-02 18:51 . 2012-07-18 10:49 -------- d-----w- c:\program files (x86)\AVG Secure Search
    2012-07-02 17:38 . 2012-07-02 19:11 -------- d-----w- C:\e012b0bfc282bb9dec1ac0c1cd7087bb
    2012-07-02 17:37 . 2012-05-21 07:20 333216 ----a-w- c:\windows\SysWow64\MMInstaller.dll
    2012-07-02 17:35 . 2012-07-18 10:46 -------- d-----w- c:\program files\Tencent
    2012-07-02 17:34 . 2012-07-02 17:37 -------- d-----w- c:\programdata\Tencent
    2012-07-02 17:34 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\Tencent
    2012-07-02 17:34 . 2012-07-18 14:52 -------- d-----w- c:\program files (x86)\Tencent
    2012-07-02 17:33 . 2012-07-02 18:53 18760 ----a-w- c:\windows\SysWow64\QQVistaHelper.dll
    2012-06-25 15:09 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-25 15:09 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-25 15:09 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-25 15:09 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-25 15:08 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-25 15:08 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-25 15:08 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-25 15:08 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-25 15:08 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 16:09 . 2012-04-14 19:43 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-12 16:09 . 2011-12-02 03:01 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-06 05:06 . 2011-12-03 06:47 687544 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-07-01 18:26 . 2011-05-24 03:56 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2012-07-01 18:26 . 2011-11-30 03:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2012-07-01 18:26 . 2011-05-24 03:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2012-07-01 18:26 . 2011-05-24 03:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-06-25 22:35 . 2010-03-18 16:15 770384 ----a-w- c:\windows\SysWow64\MSVCR100.dll
    2012-06-25 22:35 . 2010-03-18 16:15 421200 ----a-w- c:\windows\SysWow64\MSVCP100.dll
    2012-06-18 10:32 . 2012-06-18 10:32 1409 ----a-w- c:\windows\Fonts\fsex2p00_public.fot
    2012-06-16 06:36 . 2011-11-30 03:57 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2012-06-16 06:36 . 2011-05-24 03:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2012-06-16 06:35 . 2011-11-30 03:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2012-06-16 06:35 . 2011-11-30 03:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2012-05-13 22:28 . 2011-12-28 22:56 121416 ----a-w- c:\windows\system32\drivers\MijXfilt.sys
    2012-05-04 10:52 . 2012-06-15 09:38 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 10:08 . 2012-06-15 09:38 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:08 . 2012-06-15 09:38 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll
    2012-05-03 02:54 . 2012-05-03 02:54 28056 ----a-w- c:\windows\system32\xfcodec64.dll
    2012-05-02 05:32 . 2012-06-15 09:38 208896 ----a-w- c:\windows\system32\profsvc.dll
    2012-04-28 03:50 . 2012-06-15 09:38 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-28 00:28 . 2012-04-28 01:12 258352 ----a-w- c:\windows\SysWow64\unicows.dll
    2012-04-26 05:34 . 2012-06-15 09:38 76288 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-04-26 05:34 . 2012-06-15 09:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-04-26 05:28 . 2012-06-15 09:38 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-04-24 05:59 . 2012-06-15 09:37 1460224 ----a-w- c:\windows\system32\crypt32.dll
    2012-04-24 05:59 . 2012-06-15 09:37 182272 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-04-24 05:59 . 2012-06-15 09:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
    2012-04-24 04:47 . 2012-06-15 09:37 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-04-24 04:47 . 2012-06-15 09:37 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-04-24 04:47 . 2012-06-15 09:37 1156608 ----a-w- c:\windows\SysWow64\crypt32.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2010-11-20 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
    [7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
    [-] 2012-01-28 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-19_13.08.41 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2012-02-01 01:48 . 2011-11-17 05:35 96768 c:\windows\SysWOW64\sspicli.dll
    + 2012-07-17 17:42 . 2012-06-02 04:42 96768 c:\windows\SysWOW64\sspicli.dll
    + 2012-07-17 17:42 . 2012-06-02 04:48 22016 c:\windows\SysWOW64\secur32.dll
    - 2012-02-01 01:48 . 2011-11-17 05:39 22016 c:\windows\SysWOW64\secur32.dll
    + 2012-07-20 10:02 . 2012-06-02 08:17 73216 c:\windows\SysWOW64\mshtmled.dll
    - 2012-06-15 13:42 . 2012-05-17 22:25 73216 c:\windows\SysWOW64\mshtmled.dll
    + 2012-07-20 10:02 . 2012-06-02 08:22 66048 c:\windows\SysWOW64\migration\WininetPlugin.dll
    - 2012-06-15 13:42 . 2012-05-17 22:31 66048 c:\windows\SysWOW64\migration\WininetPlugin.dll
    + 2012-07-20 10:02 . 2012-06-02 08:21 65024 c:\windows\SysWOW64\jsproxy.dll
    - 2012-06-15 13:42 . 2012-05-17 22:31 65024 c:\windows\SysWOW64\jsproxy.dll
    + 2011-04-08 10:35 . 2012-07-20 10:14 65076 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-07-20 13:46 37060 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2012-07-20 10:02 . 2012-06-02 11:57 96768 c:\windows\system32\mshtmled.dll
    - 2012-06-15 13:42 . 2012-05-18 01:51 96768 c:\windows\system32\mshtmled.dll
    + 2012-07-20 10:02 . 2012-06-02 12:03 86528 c:\windows\system32\migration\WininetPlugin.dll
    - 2012-06-15 13:42 . 2012-05-18 01:56 86528 c:\windows\system32\migration\WininetPlugin.dll
    + 2012-07-20 10:02 . 2012-06-02 12:03 85504 c:\windows\system32\jsproxy.dll
    - 2012-06-15 13:42 . 2012-05-18 01:56 85504 c:\windows\system32\jsproxy.dll
    + 2012-07-17 17:42 . 2012-06-02 05:38 95088 c:\windows\system32\drivers\ksecdd.sys
    - 2012-02-01 01:49 . 2011-11-17 07:17 95088 c:\windows\system32\drivers\ksecdd.sys
    - 2012-04-08 07:05 . 2012-07-19 13:08 54594 c:\windows\system32\config\systemprofile\AppData\Roaming\WTablet\Pen_Tablet.dat
    + 2012-04-08 07:05 . 2012-07-20 13:44 54594 c:\windows\system32\config\systemprofile\AppData\Roaming\WTablet\Pen_Tablet.dat
    - 2011-04-08 09:29 . 2012-07-19 12:48 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-04-08 09:29 . 2012-07-20 10:47 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-07-19 12:48 . 2012-07-19 12:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2012-07-19 12:48 . 2012-07-20 10:47 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-07-19 12:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-07-20 10:47 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2012-01-19 06:08 . 2012-06-15 13:54 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
    - 2012-01-19 06:08 . 2012-06-15 13:54 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
    - 2012-01-19 06:08 . 2012-06-15 13:54 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
    + 2011-07-20 13:28 . 2011-07-20 13:28 54104 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\SCANOST.EXE
    + 2011-07-20 13:28 . 2011-07-20 13:28 75624 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\RM.DLL
    + 2011-07-20 13:28 . 2011-07-20 13:28 38248 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\RECALL.DLL
    + 2011-05-27 03:18 . 2011-05-27 03:18 52088 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\OUTLVBA.DLL
    + 2011-07-20 13:28 . 2011-07-20 13:28 34208 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\DUMPSTER.DLL
    + 2011-07-20 13:28 . 2011-07-20 13:28 87408 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\DLGSETP.DLL
    + 2012-07-04 18:25 . 2012-07-20 13:46 5666 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4068807989-813300523-3891819274-1004_UserData.bin
    + 2012-07-20 13:44 . 2012-07-20 13:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-07-19 13:08 . 2012-07-19 13:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-07-19 13:08 . 2012-07-19 13:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-07-20 13:44 . 2012-07-20 13:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-06-15 13:42 . 2012-05-17 22:33 231936 c:\windows\SysWOW64\url.dll
    + 2012-07-20 10:02 . 2012-06-02 08:23 231936 c:\windows\SysWOW64\url.dll
    + 2012-07-17 17:42 . 2012-06-02 04:48 225280 c:\windows\SysWOW64\schannel.dll
    - 2009-07-13 23:33 . 2009-07-14 01:16 219136 c:\windows\SysWOW64\ncrypt.dll
    + 2012-07-17 17:42 . 2012-06-02 04:47 219136 c:\windows\SysWOW64\ncrypt.dll
    + 2012-07-20 10:02 . 2012-06-02 08:19 716800 c:\windows\SysWOW64\jscript.dll
    - 2012-06-15 13:42 . 2012-05-17 22:29 716800 c:\windows\SysWOW64\jscript.dll
    + 2012-07-20 10:02 . 2012-06-02 08:20 142848 c:\windows\SysWOW64\ieUnatt.exe
    - 2012-06-15 13:42 . 2012-05-17 22:29 142848 c:\windows\SysWOW64\ieUnatt.exe
    + 2012-07-20 10:02 . 2012-06-02 08:14 176640 c:\windows\SysWOW64\ieui.dll
    - 2012-06-15 13:42 . 2012-05-17 22:20 176640 c:\windows\SysWOW64\ieui.dll
    - 2009-07-14 04:54 . 2012-07-19 12:44 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-07-20 11:26 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-06-15 13:42 . 2012-05-18 01:58 237056 c:\windows\system32\url.dll
    + 2012-07-20 10:02 . 2012-06-02 12:04 237056 c:\windows\system32\url.dll
    - 2012-02-01 01:49 . 2011-11-17 07:10 340992 c:\windows\system32\schannel.dll
    + 2012-07-17 17:42 . 2012-06-02 05:27 340992 c:\windows\system32\schannel.dll
    - 2009-07-13 23:49 . 2009-07-14 01:41 307200 c:\windows\system32\ncrypt.dll
    + 2012-07-17 17:42 . 2012-06-02 05:27 307200 c:\windows\system32\ncrypt.dll
    + 2012-07-20 10:02 . 2012-06-02 12:00 818688 c:\windows\system32\jscript.dll
    - 2012-06-15 13:42 . 2012-05-18 01:55 818688 c:\windows\system32\jscript.dll
    - 2012-06-15 13:42 . 2012-05-18 01:55 173056 c:\windows\system32\ieUnatt.exe
    + 2012-07-20 10:02 . 2012-06-02 12:01 173056 c:\windows\system32\ieUnatt.exe
    + 2012-07-20 10:02 . 2012-06-02 11:54 248320 c:\windows\system32\ieui.dll
    - 2012-06-15 13:42 . 2012-05-18 01:47 248320 c:\windows\system32\ieui.dll
    - 2012-02-01 01:49 . 2011-11-17 07:17 152432 c:\windows\system32\drivers\ksecpkg.sys
    + 2012-07-17 17:42 . 2012-06-02 05:38 152432 c:\windows\system32\drivers\ksecpkg.sys
    + 2012-07-17 17:42 . 2012-06-02 05:37 459216 c:\windows\system32\drivers\cng.sys
    + 2009-07-14 05:01 . 2012-07-20 13:43 485976 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01 . 2012-07-19 13:07 485976 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-07-20 10:10 . 2012-07-20 10:10 833308 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4068807989-813300523-3891819274-1004-8192.dat
    - 2012-01-19 06:08 . 2012-06-15 13:54 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
    - 2012-01-19 06:08 . 2012-06-15 13:54 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
    - 2012-01-19 06:08 . 2012-06-15 13:54 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
    - 2012-01-19 06:08 . 2012-06-15 13:54 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
    - 2012-01-19 06:08 . 2012-06-15 13:54 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
    - 2012-01-19 06:08 . 2012-06-15 13:54 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
    - 2012-01-19 06:08 . 2012-06-15 13:54 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
    + 2011-07-20 13:28 . 2011-07-20 13:28 282032 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\SCNPST64.DLL
    + 2011-07-20 13:28 . 2011-07-20 13:28 273832 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\SCNPST32.DLL
    + 2011-07-27 11:55 . 2011-07-27 11:55 410992 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\RTFHTML.DLL
    + 2011-07-20 14:06 . 2011-07-20 14:06 770480 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\REGFORM.EXE
    + 2011-07-20 13:28 . 2011-07-20 13:28 421736 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\PSTPRX32.DLL
    + 2011-05-31 23:15 . 2011-05-31 23:15 177040 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\OUTLPH.DLL
    + 2011-07-27 11:55 . 2011-07-27 11:55 596888 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\OUTLMIME.DLL
    + 2011-05-27 03:18 . 2011-05-27 03:18 136536 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\OUTLCTL.DLL
    + 2011-07-27 13:03 . 2011-07-27 13:03 194448 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\OMSXP32.DLL
    + 2011-07-27 13:03 . 2011-07-27 13:03 661888 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\OMSMAIN.DLL
    + 2011-07-20 13:28 . 2011-07-20 13:28 253824 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\OLKFSTUB.DLL
    + 2011-07-20 13:28 . 2011-07-20 13:28 340320 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\MIMEDIR.DLL
    + 2012-03-29 03:54 . 2012-03-29 03:54 117160 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\IPOMINT.DLL
    + 2011-07-20 14:06 . 2011-07-20 14:06 176024 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\IPOLK.DLL
    + 2011-07-20 13:28 . 2011-07-20 13:28 138088 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\IMPMAIL.DLL
    + 2009-02-26 19:09 . 2009-02-26 19:09 154000 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\ENVELOPE.DLL
    + 2011-05-27 03:18 . 2011-05-27 03:18 115584 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\EMABLT32.DLL
    + 2011-07-27 11:55 . 2011-07-27 11:55 128376 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\CONTAB32.DLL
    + 2012-07-20 10:13 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\7-20-2012\ERDNT.EXE
    - 2012-03-29 03:54 . 2012-03-29 03:54 117160 c:\windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Infopath.Client.Internal.Host.Interop.dll
    + 2012-07-20 10:04 . 2012-07-20 10:04 117160 c:\windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Infopath.Client.Internal.Host.Interop.dll
    + 2012-07-20 10:02 . 2012-06-02 08:25 1129472 c:\windows\SysWOW64\wininet.dll
    - 2012-06-15 13:42 . 2012-05-17 22:35 1129472 c:\windows\SysWOW64\wininet.dll
    + 2012-07-20 10:02 . 2012-06-02 08:26 1103872 c:\windows\SysWOW64\urlmon.dll
    - 2012-06-15 13:42 . 2012-05-17 22:36 1103872 c:\windows\SysWOW64\urlmon.dll
    - 2012-01-19 01:46 . 2010-12-21 05:36 1389568 c:\windows\SysWOW64\msxml6.dll
    + 2012-07-17 17:42 . 2012-06-06 05:09 1389568 c:\windows\SysWOW64\msxml6.dll
    - 2012-01-19 01:46 . 2010-12-21 05:36 1236992 c:\windows\SysWOW64\msxml3.dll
    + 2012-07-17 17:42 . 2012-06-06 05:09 1236992 c:\windows\SysWOW64\msxml3.dll
    + 2012-07-20 10:02 . 2012-06-02 08:33 1800192 c:\windows\SysWOW64\jscript9.dll
    - 2012-06-15 13:42 . 2012-05-17 22:45 1800192 c:\windows\SysWOW64\jscript9.dll
    + 2012-07-20 10:02 . 2012-06-02 08:19 1793024 c:\windows\SysWOW64\iertutil.dll
    - 2012-06-15 13:42 . 2012-05-17 22:27 1793024 c:\windows\SysWOW64\iertutil.dll
    - 2012-06-15 13:42 . 2012-05-17 22:48 9737728 c:\windows\SysWOW64\ieframe.dll
    + 2012-07-20 10:02 . 2012-06-02 08:43 9737728 c:\windows\SysWOW64\ieframe.dll
    + 2009-07-14 04:54 . 2012-07-20 11:26 2048000 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-07-19 12:44 2048000 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2012-06-15 13:42 . 2012-05-18 01:59 1392128 c:\windows\system32\wininet.dll
    + 2012-07-20 10:02 . 2012-06-02 12:05 1392128 c:\windows\system32\wininet.dll
    - 2012-06-15 13:42 . 2012-05-18 01:59 1346048 c:\windows\system32\urlmon.dll
    + 2012-07-20 10:02 . 2012-06-02 12:05 1346048 c:\windows\system32\urlmon.dll
    + 2012-07-17 17:42 . 2012-06-06 05:50 2003968 c:\windows\system32\msxml6.dll
    - 2012-01-19 01:46 . 2010-12-21 06:13 2003968 c:\windows\system32\msxml6.dll
    + 2012-07-17 17:42 . 2012-06-06 05:50 1880064 c:\windows\system32\msxml3.dll
    - 2012-06-15 13:42 . 2012-05-18 02:06 2311680 c:\windows\system32\jscript9.dll
    + 2012-07-20 10:02 . 2012-06-02 12:12 2311680 c:\windows\system32\jscript9.dll
    + 2012-07-20 10:02 . 2012-06-02 11:59 2144768 c:\windows\system32\iertutil.dll
    - 2012-06-15 13:42 . 2012-05-18 01:54 2144768 c:\windows\system32\iertutil.dll
    + 2009-07-14 04:45 . 2012-07-20 10:12 4990008 c:\windows\system32\FNTCACHE.DAT
    - 2009-07-14 04:45 . 2012-07-18 10:00 4990008 c:\windows\system32\FNTCACHE.DAT
    + 2012-07-04 08:45 . 2012-07-20 13:43 5074016 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4068807989-813300523-3891819274-1004-12288.dat
    + 2012-05-30 14:18 . 2012-05-30 14:18 1739264 c:\windows\Installer\47b574c.msp
    + 2012-06-19 19:54 . 2012-06-19 19:54 2239488 c:\windows\Installer\47b5743.msp
    + 2012-06-19 19:54 . 2012-06-19 19:54 5009920 c:\windows\Installer\47b572d.msp
    + 2012-04-05 05:37 . 2012-04-05 05:37 2540544 c:\windows\Installer\47b5718.msp
    + 2012-04-05 05:37 . 2012-04-05 05:37 3149824 c:\windows\Installer\47b56f4.msp
    - 2012-01-19 06:08 . 2012-06-15 13:54 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
    + 2012-01-19 06:08 . 2012-07-20 10:07 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
    - 2012-01-19 06:08 . 2012-06-15 13:54 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
    + 2011-07-27 11:55 . 2011-07-27 11:55 3004800 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\OLMAPI32.DLL
    + 2011-07-27 12:09 . 2011-07-27 12:09 5310848 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\IPEDITOR.DLL
    + 2011-07-27 12:09 . 2011-07-27 12:09 5484416 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\IPDESIGN.DLL
    + 2011-07-27 12:09 . 2011-07-27 12:09 1460088 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\INFOPATH.EXE
    + 2012-07-20 10:13 . 2012-07-20 10:13 1470464 c:\windows\ERDNT\AutoBackup\7-20-2012\Users\00000002\UsrClass.dat
    + 2012-07-20 10:13 . 2012-07-20 10:13 2617344 c:\windows\ERDNT\AutoBackup\7-20-2012\Users\00000001\ntuser.dat
    + 2012-07-17 17:42 . 2012-06-09 04:46 12868608 c:\windows\SysWOW64\shell32.dll
    + 2012-07-20 10:02 . 2012-06-02 09:07 12314624 c:\windows\SysWOW64\mshtml.dll
    - 2012-06-15 13:42 . 2012-05-17 23:11 12314624 c:\windows\SysWOW64\mshtml.dll
    - 2009-07-14 04:54 . 2012-07-19 12:44 11304960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-07-20 11:26 11304960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 02:34 . 2012-07-20 10:26 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2012-07-17 17:42 . 2012-06-09 05:30 14165504 c:\windows\system32\shell32.dll
    + 2012-07-20 10:02 . 2012-06-02 12:49 17807360 c:\windows\system32\mshtml.dll
    - 2012-06-15 13:42 . 2012-05-18 02:47 17807360 c:\windows\system32\mshtml.dll
    - 2012-06-15 13:42 . 2012-05-18 02:16 10924032 c:\windows\system32\ieframe.dll
    + 2012-07-20 10:02 . 2012-06-02 12:17 10924032 c:\windows\system32\ieframe.dll
    + 2012-05-30 14:18 . 2012-05-30 14:18 11885056 c:\windows\Installer\47b577b.msp
    + 2011-08-04 01:18 . 2011-08-04 01:18 12997488 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6612\OUTLOOK.EXE
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~2\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-25 19:47 297808 ----a-w- c:\windows\System32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{46F9BE77-3DD9-0ECB-98F9-1793D13B9886}]
    2012-06-27 23:25 1404320 ----a-w- c:\program files\Tencent\SSPlus\SAddr.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-02 18:52 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-02 2074208]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-06-16 2736128]
    "QQIntl"="c:\program files (x86)\Tencent\QQIntl\Bin\QQ.exe" [2012-07-02 128416]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-06-05 17344176]
    "Steam"="c:\program files (x86)\Steam\steam.exe" [2011-12-03 1242448]
    "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-07-13 895376]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
    "BambooCore"="c:\program files (x86)\Bamboo Dock\BambooCore.exe" [2011-09-27 646232]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-02 1107552]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    c:\users\Ming-Ti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    MSPANotify - Shortcut.lnk - c:\users\Ming-Ti\Downloads\MSPANotify-0.4.1\MSPANotify.exe [2012-7-16 410112]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-2 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-07-05 5160568]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
    R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [x]
    R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
    R3 iscFlash;iscFlash;c:\users\Steven\AppData\Local\Temp\7zSB6F0.tmp\iscflashx64.sys [x]
    R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [2012-01-11 34304]
    R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [2012-02-22 28160]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
    R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2012-05-13 121416]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
    R3 qkm;qkm;c:\koramgame\GDOnline\mqkwy64.sys [2012-02-04 48048]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-10-24 291328]
    R3 sj;sj;c:\aeriagames\EdenEternal\sjcs64.sys [2011-12-09 47224]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-03 51712]
    R3 usj;usj;c:\aeriagames\EdenEternal\avital\ussjcs64.sys [2012-07-06 89560]
    R3 vtany;vtany;c:\windows\vtany.sys [x]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2011-09-09 13312]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-21 1255736]
    R3 X6va005;X6va005;c:\users\Steven\AppData\Local\Temp\0057DA7.tmp [x]
    R3 X6va006;X6va006;c:\users\Steven\AppData\Local\Temp\006F845.tmp [x]
    R3 X6va008;X6va008;c:\users\Ming-Ti\AppData\Local\Temp\008F846.tmp [x]
    R3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-03-04 55856]
    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-02-22 289872]
    S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
    S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-03-19 383808]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_70dacb64382a61a7\AESTSr64.exe [2009-03-03 89600]
    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-14 30520]
    S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2011-09-09 6583160]
    S2 TBUpdate;Tencent Toolbar Update Service;c:\program files\Tencent\barupdate\TBUpdate.exe [2012-07-03 197536]
    S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-02-23 2886528]
    S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2011-09-09 528760]
    S2 UpdaterService;WhiteSmoke Updater Service;c:\programdata\UpdaterService\wsupdsvc.exe [2012-04-29 549744]
    S2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [2012-07-02 935008]
    S2 WajamUpdater;WajamUpdater;c:\program files\Wajam\Updater\WajamUpdater.exe [2012-03-09 109064]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
    S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-14 32880]
    S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
    S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-06-29 70656]
    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-07-20 140712]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2009-08-22 84512]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-06-16 20:38 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-20 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 16:09]
    .
    2012-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4068807989-813300523-3891819274-1004Core.job
    - c:\users\Ming-Ti\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 19:51]
    .
    2012-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4068807989-813300523-3891819274-1004UA.job
    - c:\users\Ming-Ti\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 19:51]
    .
    2012-07-20 c:\windows\Tasks\Norton Security Scan for Steven.job
    - c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2011-12-23 09:45]
    .
    2012-07-20 c:\windows\Tasks\RegistryBooster.job
    - c:\program files (x86)\Uniblue\RegistryBooster\rbmonitor.exe [2012-07-03 18:56]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-25 19:47 444752 ----a-w- c:\windows\System32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-03-24 487424]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-29 16395880]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "combofix"="c:\combofix\CF9317.3XE" [2009-07-14 344576]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Steven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{CB0B424B-A1EC-4E14-9608-4D23B7C425F2}: NameServer = 4.2.2.1
    TCP: Interfaces\{CB0B424B-A1EC-4E14-9608-4D23B7C425F2}\46C696E6B6: NameServer = 4.2.2.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    DPF: {12193C65-F0E1-4DD1-AD4E-DB73C6911011} - file:///D:/activeX/DCP.cab
    DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://sslpx-ccas01.edmc.edu/auth/taweb.cab
    DPF: {7191F0AC-D686-46A8-BFCC-EA61778C74DD} - file:///D:/activeX/aplugLiteDL.cab
    FF - ProfilePath - c:\users\Ming-Ti\AppData\Roaming\Mozilla\Firefox\Profiles\4fiohuq8.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://isearch.avg.com/?cid={D1E1E66B-09C0-42E2-9FAC-CAB67704104F}&mid=4d27b50357d247d68b6f1a671b6c1e32-ec7a1d4c2e9b3a9a0ad0219ec7c4e08c4f2893c9&lang=en&ds=yu012&pr=sa&d=2012-07-02 11:52&v=11.1.0.12&sap=hp
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{127AD70F-B2B7-4f6a-ACD9-C7B1FE48C8C0} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
    "ImagePath"="\??\c:\users\Steven\AppData\Local\Temp\0057DA7.tmp"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va006]
    "ImagePath"="\??\c:\users\Steven\AppData\Local\Temp\006F845.tmp"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va008]
    "ImagePath"="\??\c:\users\Ming-Ti\AppData\Local\Temp\008F846.tmp"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\xsherlock]
    "ImagePath"="c:\windows\system32\xsherlock.xem"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-4068807989-813300523-3891819274-1004\Software\SecuROM\License information*]
    "datasecu"=hex:c2,9b,a8,d5,ff,34,0c,8d,a8,da,43,7f,e9,ad,ea,b1,2e,8b,cc,c1,83,
    60,32,d6,ab,98,e7,03,0a,97,f3,50,f0,ee,06,e6,17,5a,1e,4b,da,38,ab,cf,73,e0,\
    "rkeysecu"=hex:14,03,a4,25,64,92,b7,ea,61,f6,b5,af,0e,39,52,ee
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{47BF077C-44C6-42B1-8F88-ADE2585DD2ED}*]
    @=hex:21,08,4a,87,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{97A98033-9FA1-4E80-A339-59787B43CC89}*]
    @=hex:ed,b8,9e,87,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{A82EB336-567D-4F41-A63E-8113AD8B6903}*]
    @=hex:56,b0,46,84,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{C4B20040-7D5A-4558-9E19-B7DF94366F97}*]
    @=hex:22,6d,17,88,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*]
    "value"="?\05\02\1f\15\05\19?"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
    @Denied: (A) (Everyone)
    "Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
    "Key"="ActionsPane"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-20 06:52:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-20 13:52
    ComboFix2.txt 2012-07-19 13:16
    .
    Pre-Run: 91,073,351,680 bytes free
    Post-Run: 90,928,418,816 bytes free
    .
    - - End Of File - - 1419EDFF231334530869B22848C58ED4
     
  8. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Malwarebytes

    I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
    ----------

    Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
    ----------
     
  9. Trumi

    Trumi Thread Starter

    Joined:
    Jul 18, 2012
    Messages:
    10
    Malwarebytes


    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.21.02

    Windows 7 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Ming-Ti :: STEVENPC [administrator]

    Protection: Disabled

    7/20/2012 8:56:55 PM
    mbam-log-2012-07-20 (21-00-45).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 249051
    Time elapsed: 3 minute(s), 44 second(s)

    Memory Processes Detected: 2
    C:\ProgramData\UpdaterService\wsupdsvc.exe (PUP.BundleInstaller.IB) -> 2912 -> No action taken.
    C:\ProgramData\UpdaterService\wsupdsvc.exe (PUP.BundleInstaller.IB) -> 2976 -> No action taken.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 12
    HKLM\SYSTEM\CurrentControlSet\Services\UpdaterService (PUP.BundleInstaller.IB) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke Updater Service (PUP.BundleInstaller.IB) -> No action taken.
    HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (PUP.MyWebSearch) -> No action taken.
    HKCR\Typelib\{B1A7C2CF-BF40-4597-8142-7615D74D0CC3} (Trojan.Agent) -> No action taken.
    HKCR\Interface\{3084BC3D-C0D6-4A28-A8A4-5857165886EE} (Trojan.Agent) -> No action taken.
    HKCR\CLSID\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken.
    HKLM\SOFTWARE\VooMuu (Adware.HotBar.VM) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VooMuuSA (Adware.HotBar.VM) -> No action taken.

    Registry Values Detected: 2
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> Data: SOSO&#24037;&#20855;&#26639; -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (PUP.MyWebSearch) -> Data: C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> No action taken.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 5
    C:\ProgramData\UpdaterService\wsupdsvc.exe (PUP.BundleInstaller.IB) -> No action taken.
    C:\Program Files\Tencent\QQToolbar\IEBar.dll (Trojan.Agent) -> No action taken.
    C:\Users\Ming-Ti\Downloads\SoftonicDownloader_for_speaker.exe (PUP.ToolbarDownloader) -> No action taken.
    C:\Users\Ming-Ti\Downloads\SoftonicDownloader_for_sumotori-dreams.exe (PUP.ToolbarDownloader) -> No action taken.
    C:\Users\Ming-Ti\Downloads\WhiteSmokeWriter8940_en.exe (Trojan.Downloader) -> No action taken.

    (end)
    ------

    Eset


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=5bfbb8548cf0194490f1d1f0202f77bd
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-07-21 07:34:20
    # local_time=2012-07-21 12:34:20 (-0700, US Mountain Standard Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7600 NT
    # compatibility_mode=1024 16777215 100 0 0 0 0 0
    # compatibility_mode=5893 16776574 100 94 39666183 94387684 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=548435
    # found=30
    # cleaned=0
    # scan_time=11826
    C:\Program Files (x86)\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files (x86)\Uniblue\RegistryBooster\Launcher.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files (x86)\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files (x86)\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files (x86)\Uniblue\RegistryBooster\rb_ubm.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files (x86)\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files (x86)\WhiteSmokeTranslator\WSRegistrationDictMode.exe probably a variant of Win32/WhiteSmoke application (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files (x86)\WhiteSmokeTranslator\html\english\dictClientDic\index.html HTML/WhiteSmoke application (unable to clean) 00000000000000000000000000000000 I
    C:\ProgramData\UpdaterService\wsupdsvc.exe a variant of Win32/Obfuscated.NEU trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Program Files (x86)\DealBulldog Toolbar\UninstallToolbar.exe.vir Win32/Somoto application (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ReactivateIE.exe.vir Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\Toolbar32.dll.vir Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarBroker.exe.vir Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Program Files (x86)\VooMuu\bin\1.0.36.0\VooMuuSA.exe.vir probably a variant of Win32/Adware.180Solutions application (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Program Files (x86)\VooMuu\bin\1.0.36.0\VooMuuSAHook.dll.vir a variant of Win32/Adware.180Solutions application (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Program Files (x86)\VooMuu\bin\1.0.36.0\VooMuuUninstaller.exe.vir a variant of Win32/Adware.HotBar.E application (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir Win64/Patched.A.Gen trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Users\All Users\UpdaterService\wsupdsvc.exe a variant of Win32/Obfuscated.NEU trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Ming-Ti\AppData\LocalLow\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\UninstallToolbar.exe Win32/Somoto application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Ming-Ti\Downloads\CheatEngine61.exe Win32/Somoto application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Ming-Ti\Downloads\cnet2_rpc412_zip.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Ming-Ti\Downloads\SoftonicDownloader_for_speaker.exe Win32/SoftonicDownloader.D application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Ming-Ti\Downloads\SoftonicDownloader_for_sumotori-dreams.exe a variant of Win32/SoftonicDownloader.D application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Ming-Ti\Downloads\WhiteSmokeWriter8940_en.exe a variant of Win32/TrojanDownloader.FraudLoad.NAH trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\07192012_053916\C_Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3}\U\00000008.@ Win64/Agent.BA trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\07192012_053916\C_Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3}\U\80000000.@ Win64/Sirefef.AE trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\07192012_053916\C_Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3}\U\80000032.@ a variant of Win32/Sirefef.FD trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTL\MovedFiles\07192012_053916\C_Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3}\U\80000064.@ Win64/Sirefef.AN trojan (unable to clean) 00000000000000000000000000000000 I
     
  10. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Please run Malwarebytes again and remove all the entries that are found and post the new log.
    -------------

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      File::
      C:\Program Files (x86)\WhiteSmokeTranslator\WSRegistrationDictMode.exe
      C:\Program Files (x86)\WhiteSmokeTranslator\html\english\dictClientDic\index.html
      C:\ProgramData\UpdaterService\wsupdsvc.exe
      C:\Users\All Users\UpdaterService\wsupdsvc.exe
      C:\Users\Ming-Ti\AppData\LocalLow\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\UninstallToolbar.exe
      C:\Users\Ming-Ti\Downloads\CheatEngine61.exe
      C:\Users\Ming-Ti\Downloads\WhiteSmokeWriter8940_en.exe
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

    Download Security Check by screen317 from here or here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt
    • Please post the contents of that document.
    ----------

    In your next reply please post the logs made by Malwarebytes, ComboFix and Security Check. Also let me know how your system is running. :)
     
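To show how scan findings like the ones posted above become the `File::` block of a CFScript, here is an added Python example; it is not part of ComboFix, Malwarebytes or ESET and is not jeffce's own method. It assumes the exact line formats seen in this thread's logs, and that anything already under C:\Qoobox\Quarantine or C:\_OTL\MovedFiles is skipped because those files are already quarantined; the sample lines are copied from the logs above, and the resulting list is meant to be reviewed by the helper before it is used.

```python
"""Build a ComboFix CFScript 'File::' block from Malwarebytes and ESET log lines.

Added example for this thread (hypothetical helper, not a ComboFix/MBAM/ESET tool).
The two parsers target the exact line formats seen in the logs posted above.
"""
import re
from typing import List, Tuple

# Constructed samples: lines copied from the Malwarebytes and ESET logs in this thread.
MBAM_SAMPLE = r"""Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (PUP.MyWebSearch) -> Data: C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> No action taken.

Files Detected: 5
C:\ProgramData\UpdaterService\wsupdsvc.exe (PUP.BundleInstaller.IB) -> No action taken.
C:\Program Files\Tencent\QQToolbar\IEBar.dll (Trojan.Agent) -> No action taken.
C:\Users\Ming-Ti\Downloads\SoftonicDownloader_for_speaker.exe (PUP.ToolbarDownloader) -> No action taken.
C:\Users\Ming-Ti\Downloads\SoftonicDownloader_for_sumotori-dreams.exe (PUP.ToolbarDownloader) -> No action taken.
C:\Users\Ming-Ti\Downloads\WhiteSmokeWriter8940_en.exe (Trojan.Downloader) -> No action taken.

(end)
"""

ESET_SAMPLE = r"""# found=30
# cleaned=0
C:\Program Files (x86)\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
C:\ProgramData\UpdaterService\wsupdsvc.exe a variant of Win32/Obfuscated.NEU trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir Win64/Patched.A.Gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\UpdaterService\wsupdsvc.exe a variant of Win32/Obfuscated.NEU trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Ming-Ti\Downloads\CheatEngine61.exe Win32/Somoto application (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\07192012_053916\C_Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3}\U\80000000.@ Win64/Sirefef.AE trojan (unable to clean) 00000000000000000000000000000000 I
"""

# MBAM file line: "<drive path> (<detection name>) -> <action>"
MBAM_FILE_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) \((?P<det>[A-Za-z][\w.]*)\) -> ')
# ESET result line: "<drive path> [a variant of] <family> application|trojan (<status>) <32-hex> I"
ESET_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) '
    r'(?P<det>(?:probably a variant of |a variant of )?[\w./-]+ (?:application|trojan)) '
    r'\((?P<status>[^)]+)\) (?P<hash>[0-9a-fA-F]{32}) I$'
)

# Folders where ComboFix and OTL already keep quarantined copies (assumed prefixes).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\_otl\\movedfiles\\")

Detection = Tuple[str, str]  # (path, detection name)


def parse_mbam_files(text: str) -> List[Detection]:
    """Return (path, detection) pairs from the 'Files Detected' section only."""
    hits, in_files = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Files Detected:"):
            in_files = True          # section header: start collecting
            continue
        if not line:
            in_files = False         # blank line closes the section
            continue
        if in_files:
            m = MBAM_FILE_RE.match(line)
            if m:
                hits.append((m["path"], m["det"]))
    return hits


def parse_eset(text: str) -> List[Detection]:
    """Return (path, detection) pairs for every ESET result line; '#' headers are skipped."""
    hits = []
    for raw in text.splitlines():
        m = ESET_RE.match(raw.strip())
        if m:
            hits.append((m["path"], m["det"]))
    return hits


def is_quarantined(path: str) -> bool:
    """True when the file already lives in a ComboFix or OTL quarantine folder."""
    return path.lower().startswith(QUARANTINE_PREFIXES)


def collect_paths(mbam_text: str, eset_text: str, skip_quarantined: bool = True) -> List[str]:
    """Merge both logs into one ordered, case-insensitively de-duplicated path list."""
    seen, paths = set(), []
    for path, _det in parse_mbam_files(mbam_text) + parse_eset(eset_text):
        key = path.lower()
        if key in seen or (skip_quarantined and is_quarantined(path)):
            continue
        seen.add(key)
        paths.append(path)
    return paths


def build_cfscript(paths: List[str], clear_java_cache: bool = True) -> str:
    """Render the CFScript text in the layout used in this thread (ClearJavaCache:: then File::)."""
    lines = ["ClearJavaCache::", ""] if clear_java_cache else []
    lines.append("File::")
    lines.extend(paths)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Print the script so it can be reviewed before being saved as CFScript.txt.
    print(build_cfscript(collect_paths(MBAM_SAMPLE, ESET_SAMPLE)), end="")
```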
  11. Trumi

    Trumi Thread Starter

    Joined:
    Jul 18, 2012
    Messages:
    10
    My computer's been running great since the first scan/fix! When I did the second one I didn't realize there were so many other problems. n n; Thanks for your help by the way. :p

    ComboFix:

    ComboFix 12-07-21.01 - Ming-Ti 07/22/2012 4:09.3.8 - x64
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4087.2447 [GMT -7:00]
    Running from: c:\users\Ming-Ti\Desktop\ComboFix.exe
    Command switches used :: c:\users\Ming-Ti\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\program files (x86)\WhiteSmokeTranslator\html\english\dictClientDic\index.html"
    "c:\program files (x86)\WhiteSmokeTranslator\WSRegistrationDictMode.exe"
    "c:\programdata\UpdaterService\wsupdsvc.exe"
    "c:\users\All Users\UpdaterService\wsupdsvc.exe"
    "c:\users\Ming-Ti\AppData\LocalLow\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\UninstallToolbar.exe"
    "c:\users\Ming-Ti\Downloads\CheatEngine61.exe"
    "c:\users\Ming-Ti\Downloads\WhiteSmokeWriter8940_en.exe"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-22 to 2012-07-22 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-22 11:21 . 2012-07-22 11:21 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2012-07-22 11:21 . 2012-07-22 11:21 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-21 17:52 . 2012-07-21 17:52 -------- d-----w- c:\program files (x86)\SplitMediaLabs
    2012-07-21 17:52 . 2012-07-21 17:52 -------- d-----w- c:\programdata\SplitMediaLabs
    2012-07-21 04:12 . 2012-07-21 04:12 -------- d-----w- c:\program files (x86)\ESET
    2012-07-21 03:56 . 2012-07-03 20:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-20 10:07 . 2012-06-12 03:02 3147264 ----a-w- c:\windows\system32\win32k.sys
    2012-07-19 12:39 . 2012-07-19 12:39 -------- d-----w- C:\_OTL
    2012-07-19 12:36 . 2012-07-19 12:36 -------- d-----w- c:\program files (x86)\ERUNT
    2012-07-18 12:00 . 2012-07-18 12:00 -------- d-----w- c:\users\Guest\AppData\Roaming\AVG2012
    2012-07-18 06:16 . 2012-07-18 06:16 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-18 06:16 . 2012-07-21 03:56 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-18 03:56 . 2012-07-18 12:01 -------- d-----w- c:\programdata\AVG2012
    2012-07-17 15:35 . 2012-07-18 10:49 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-07-17 15:22 . 2012-07-18 10:49 -------- d-----w- c:\program files (x86)\Anna
    2012-07-17 13:03 . 2012-07-17 13:03 -------- d-----w- c:\program files (x86)\Common Files\DAZ
    2012-07-17 12:58 . 2012-07-18 10:46 -------- d-----w- c:\programdata\DAZ 3D
    2012-07-17 12:46 . 2012-07-18 10:46 -------- d-----w- c:\program files\DAZ 3D
    2012-07-16 06:01 . 2012-07-18 10:49 -------- d-----w- c:\programdata\McAfee Security Scan
    2012-07-16 06:00 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\McAfee Security Scan
    2012-07-16 06:00 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-07-16 05:59 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Oracle
    2012-07-16 05:59 . 2012-07-06 05:06 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-07-16 05:56 . 2012-07-16 05:56 -------- d-----w- c:\programdata\McAfee
    2012-07-16 01:40 . 2012-07-18 14:50 -------- d-----w- c:\program files (x86)\4game
    2012-07-14 01:48 . 2012-07-18 10:45 -------- d-----w- c:\program files (x86)\Audition Online
    2012-07-13 12:04 . 2012-07-14 01:03 -------- d-----w- c:\program files (x86)\1ClickDownload
    2012-07-12 06:41 . 2012-07-18 14:47 -------- d-----w- c:\program files (x86)\medit
    2012-07-09 20:23 . 2012-07-18 10:49 -------- d-----w- c:\users\Chateau
    2012-07-07 02:58 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\NCsoft
    2012-07-04 18:22 . 2012-07-18 10:46 -------- d-----w- c:\users\Steven
    2012-07-04 03:36 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\beanfun!
    2012-07-03 19:25 . 2012-07-19 13:05 -------- d-----w- c:\users\Ming-Ti
    2012-07-03 18:52 . 2012-07-18 10:46 -------- d-----w- c:\windows\system32\%LocalAppData%
    2012-07-03 18:30 . 2012-02-23 21:24 24408 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2012-07-03 17:47 . 2012-07-18 10:46 -------- d-----w- c:\program files\SmartPCFixer
    2012-07-03 17:22 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Uniblue
    2012-07-03 17:22 . 2012-07-03 17:22 -------- dc-h--w- c:\programdata\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46}
    2012-07-03 16:52 . 2012-07-18 10:46 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-02 18:52 . 2012-07-18 10:46 -------- d-----w- c:\programdata\AVG Secure Search
    2012-07-02 18:52 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
    2012-07-02 18:51 . 2012-07-18 10:49 -------- d-----w- c:\program files (x86)\AVG Secure Search
    2012-07-02 17:38 . 2012-07-02 19:11 -------- d-----w- C:\e012b0bfc282bb9dec1ac0c1cd7087bb
    2012-07-02 17:37 . 2012-05-21 07:20 333216 ----a-w- c:\windows\SysWow64\MMInstaller.dll
    2012-07-02 17:35 . 2012-07-18 10:46 -------- d-----w- c:\program files\Tencent
    2012-07-02 17:34 . 2012-07-02 17:37 -------- d-----w- c:\programdata\Tencent
    2012-07-02 17:34 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\Tencent
    2012-07-02 17:34 . 2012-07-18 14:52 -------- d-----w- c:\program files (x86)\Tencent
    2012-07-02 17:33 . 2012-07-02 18:53 18760 ----a-w- c:\windows\SysWow64\QQVistaHelper.dll
    2012-06-25 15:09 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-25 15:09 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-25 15:09 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-25 15:09 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-25 15:08 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-25 15:08 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-25 15:08 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-25 15:08 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-25 15:08 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 16:09 . 2012-04-14 19:43 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-12 16:09 . 2011-12-02 03:01 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-06 05:06 . 2011-12-03 06:47 687544 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-07-01 18:26 . 2011-05-24 03:56 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2012-07-01 18:26 . 2011-11-30 03:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2012-07-01 18:26 . 2011-05-24 03:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2012-07-01 18:26 . 2011-05-24 03:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-06-25 22:35 . 2010-03-18 16:15 770384 ----a-w- c:\windows\SysWow64\MSVCR100.dll
    2012-06-25 22:35 . 2010-03-18 16:15 421200 ----a-w- c:\windows\SysWow64\MSVCP100.dll
    2012-06-18 10:32 . 2012-06-18 10:32 1409 ----a-w- c:\windows\Fonts\fsex2p00_public.fot
    2012-06-16 06:36 . 2011-11-30 03:57 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2012-06-16 06:36 . 2011-05-24 03:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2012-06-16 06:35 . 2011-11-30 03:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2012-06-16 06:35 . 2011-11-30 03:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2012-05-13 22:28 . 2011-12-28 22:56 121416 ----a-w- c:\windows\system32\drivers\MijXfilt.sys
    2012-05-04 10:52 . 2012-06-15 09:38 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 10:08 . 2012-06-15 09:38 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-05-04 10:08 . 2012-06-15 09:38 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll
    2012-05-03 02:54 . 2012-05-03 02:54 28056 ----a-w- c:\windows\system32\xfcodec64.dll
    2012-05-02 05:32 . 2012-06-15 09:38 208896 ----a-w- c:\windows\system32\profsvc.dll
    2012-04-28 03:50 . 2012-06-15 09:38 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-28 00:28 . 2012-04-28 01:12 258352 ----a-w- c:\windows\SysWow64\unicows.dll
    2012-04-26 05:34 . 2012-06-15 09:38 76288 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-04-26 05:34 . 2012-06-15 09:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-04-26 05:28 . 2012-06-15 09:38 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-04-24 05:59 . 2012-06-15 09:37 1460224 ----a-w- c:\windows\system32\crypt32.dll
    2012-04-24 05:59 . 2012-06-15 09:37 182272 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-04-24 05:59 . 2012-06-15 09:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
    2012-04-24 04:47 . 2012-06-15 09:37 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-04-24 04:47 . 2012-06-15 09:37 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-04-24 04:47 . 2012-06-15 09:37 1156608 ----a-w- c:\windows\SysWow64\crypt32.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2010-11-20 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
    [7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
    [-] 2012-01-28 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-07-20_13.45.37 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-04-08 10:35 . 2012-07-22 10:44 65292 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-07-22 10:44 37296 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2012-04-08 07:05 . 2012-07-22 10:41 54594 c:\windows\system32\config\systemprofile\AppData\Roaming\WTablet\Pen_Tablet.dat
    - 2012-04-08 07:05 . 2012-07-20 13:44 54594 c:\windows\system32\config\systemprofile\AppData\Roaming\WTablet\Pen_Tablet.dat
    - 2011-04-08 09:29 . 2012-07-20 10:47 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-04-08 09:29 . 2012-07-22 10:48 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-07-19 12:48 . 2012-07-20 10:47 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2012-07-19 12:48 . 2012-07-22 10:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-07-22 10:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-07-20 10:47 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2012-07-21 17:52 . 2012-07-21 17:52 14534 c:\windows\Installer\{15C49338-59E5-472E-94F7-D5AE15EE23C9}\SystemFolder_msiexec.exe
    + 2012-07-04 18:25 . 2012-07-22 10:44 6252 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4068807989-813300523-3891819274-1004_UserData.bin
    + 2012-07-22 10:40 . 2012-07-22 10:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-07-20 13:44 . 2012-07-20 13:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-07-20 13:44 . 2012-07-20 13:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-07-22 10:40 . 2012-07-22 10:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-07-21 17:52 . 2012-07-21 17:52 9662 c:\windows\Installer\{15C49338-59E5-472E-94F7-D5AE15EE23C9}\XSplit.Core.exe
    + 2009-07-14 04:54 . 2012-07-22 10:40 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-07-20 11:26 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 05:01 . 2012-07-20 13:43 485976 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-07-21 20:26 485976 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-06-02 01:13 . 2012-06-02 01:13 886272 c:\windows\Installer\30a6634.msi
    + 2012-07-22 10:42 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\7-22-2012\ERDNT.EXE
    + 2009-07-14 04:54 . 2012-07-22 10:40 2048000 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-07-20 11:26 2048000 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2012-07-04 08:45 . 2012-07-21 20:26 5325852 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4068807989-813300523-3891819274-1004-12288.dat
    + 2012-07-22 10:42 . 2012-07-22 10:42 2527232 c:\windows\ERDNT\AutoBackup\7-22-2012\Users\00000002\UsrClass.dat
    + 2012-07-22 10:42 . 2012-07-22 10:42 2654208 c:\windows\ERDNT\AutoBackup\7-22-2012\Users\00000001\ntuser.dat
    - 2009-07-14 04:54 . 2012-07-20 11:26 11304960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-07-22 10:40 11304960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 02:34 . 2012-07-20 10:26 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2009-07-14 02:34 . 2012-07-22 10:56 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~2\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-25 19:47 297808 ----a-w- c:\windows\System32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{46F9BE77-3DD9-0ECB-98F9-1793D13B9886}]
    2012-06-27 23:25 1404320 ----a-w- c:\program files\Tencent\SSPlus\SAddr.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-02 18:52 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-02 2074208]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-06-16 2736128]
    "QQIntl"="c:\program files (x86)\Tencent\QQIntl\Bin\QQ.exe" [2012-07-02 128416]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-06-05 17344176]
    "Steam"="c:\program files (x86)\Steam\steam.exe" [2011-12-03 1242448]
    "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-07-13 895376]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
    "BambooCore"="c:\program files (x86)\Bamboo Dock\BambooCore.exe" [2011-09-27 646232]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-02 1107552]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    c:\users\Ming-Ti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    MSPANotify - Shortcut.lnk - c:\users\Ming-Ti\Downloads\MSPANotify-0.4.1\MSPANotify.exe [2012-7-16 410112]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-2 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-07-05 5160568]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
    R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [x]
    R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
    R3 iscFlash;iscFlash;c:\users\Steven\AppData\Local\Temp\7zSB6F0.tmp\iscflashx64.sys [x]
    R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [2012-01-11 34304]
    R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [2012-02-22 28160]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
    R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2012-05-13 121416]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
    R3 qkm;qkm;c:\koramgame\GDOnline\mqkwy64.sys [2012-02-04 48048]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-10-24 291328]
    R3 sj;sj;c:\aeriagames\EdenEternal\sjcs64.sys [2011-12-09 47224]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-03 51712]
    R3 usj;usj;c:\aeriagames\EdenEternal\avital\ussjcs64.sys [2012-07-06 89560]
    R3 vtany;vtany;c:\windows\vtany.sys [x]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2011-09-09 13312]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-21 1255736]
    R3 X6va005;X6va005;c:\users\Steven\AppData\Local\Temp\0057DA7.tmp [x]
    R3 X6va006;X6va006;c:\users\Steven\AppData\Local\Temp\006F845.tmp [x]
    R3 X6va008;X6va008;c:\users\Ming-Ti\AppData\Local\Temp\008F846.tmp [x]
    R3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-03-04 55856]
    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-02-22 289872]
    S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
    S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-03-19 383808]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_70dacb64382a61a7\AESTSr64.exe [2009-03-03 89600]
    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-14 30520]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
    S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2011-09-09 6583160]
    S2 TBUpdate;Tencent Toolbar Update Service;c:\program files\Tencent\barupdate\TBUpdate.exe [2012-07-03 197536]
    S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-02-23 2886528]
    S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2011-09-09 528760]
    S2 UpdaterService;WhiteSmoke Updater Service;c:\programdata\UpdaterService\wsupdsvc.exe [2012-04-29 549744]
    S2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [2012-07-02 935008]
    S2 WajamUpdater;WajamUpdater;c:\program files\Wajam\Updater\WajamUpdater.exe [2012-03-09 109064]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
    S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-14 32880]
    S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
    S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-06-29 70656]
    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-07-20 140712]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2009-08-22 84512]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMPROTECTOR
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-06-16 20:38 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-22 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 16:09]
    .
    2012-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4068807989-813300523-3891819274-1004Core.job
    - c:\users\Ming-Ti\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 19:51]
    .
    2012-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4068807989-813300523-3891819274-1004UA.job
    - c:\users\Ming-Ti\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 19:51]
    .
    2012-07-20 c:\windows\Tasks\Norton Security Scan for Steven.job
    - c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2011-12-23 09:45]
    .
    2012-07-22 c:\windows\Tasks\RegistryBooster.job
    - c:\program files (x86)\Uniblue\RegistryBooster\rbmonitor.exe [2012-07-03 18:56]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-25 19:47 444752 ----a-w- c:\windows\System32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-03-24 487424]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-29 16395880]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Steven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{CB0B424B-A1EC-4E14-9608-4D23B7C425F2}: NameServer = 4.2.2.1
    TCP: Interfaces\{CB0B424B-A1EC-4E14-9608-4D23B7C425F2}\46C696E6B6: NameServer = 4.2.2.1
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    DPF: {12193C65-F0E1-4DD1-AD4E-DB73C6911011} - file:///D:/activeX/DCP.cab
    DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://sslpx-ccas01.edmc.edu/auth/taweb.cab
    DPF: {7191F0AC-D686-46A8-BFCC-EA61778C74DD} - file:///D:/activeX/aplugLiteDL.cab
    FF - ProfilePath - c:\users\Ming-Ti\AppData\Roaming\Mozilla\Firefox\Profiles\4fiohuq8.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://isearch.avg.com/?cid={D1E1E66B-09C0-42E2-9FAC-CAB67704104F}&mid=4d27b50357d247d68b6f1a671b6c1e32-ec7a1d4c2e9b3a9a0ad0219ec7c4e08c4f2893c9&lang=en&ds=yu012&pr=sa&d=2012-07-02 11:52&v=11.1.0.12&sap=hp
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{127AD70F-B2B7-4f6a-ACD9-C7B1FE48C8C0} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
    "ImagePath"="\??\c:\users\Steven\AppData\Local\Temp\0057DA7.tmp"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va006]
    "ImagePath"="\??\c:\users\Steven\AppData\Local\Temp\006F845.tmp"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va008]
    "ImagePath"="\??\c:\users\Ming-Ti\AppData\Local\Temp\008F846.tmp"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\xsherlock]
    "ImagePath"="c:\windows\system32\xsherlock.xem"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-4068807989-813300523-3891819274-1004\Software\SecuROM\License information*]
    "datasecu"=hex:34,ba,59,bc,fe,c5,16,38,e7,50,e2,eb,4e,5b,05,28,4e,f3,5f,61,b2,
    93,63,8b,db,e0,ba,e4,ae,f4,ee,df,af,12,79,23,db,7a,cc,12,db,41,bc,b4,c4,eb,\
    "rkeysecu"=hex:3a,d6,8d,b9,70,08,bc,18,cb,d3,05,7d,1d,91,ec,a8
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{47BF077C-44C6-42B1-8F88-ADE2585DD2ED}*]
    @=hex:21,08,4a,87,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{97A98033-9FA1-4E80-A339-59787B43CC89}*]
    @=hex:ed,b8,9e,87,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{A82EB336-567D-4F41-A63E-8113AD8B6903}*]
    @=hex:56,b0,46,84,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\{C4B20040-7D5A-4558-9E19-B7DF94366F97}*]
    @=hex:22,6d,17,88,32,1f,cc,01
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*]
    "value"="?\05\02\1f\15\05\19?"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
    @Denied: (A) (Everyone)
    "Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
    "Key"="ActionsPane"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-07-22 04:25:45
    ComboFix-quarantined-files.txt 2012-07-22 11:25
    ComboFix2.txt 2012-07-20 13:52
    ComboFix3.txt 2012-07-19 13:16
    .
    Pre-Run: 85,097,787,392 bytes free
    Post-Run: 84,810,027,008 bytes free
    .
    - - End Of File - - 04E70C137A1E247A40F5956D52D5C351
    ------

    SecurityCheck:
    Results of screen317's Security Check version 0.99.43
    Windows 7 x64 (UAC is disabled!)
    Out of date service pack!!
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    AVG Anti-Virus Free Edition 2012
    Antivirus up to date! (On Access scanning disabled!)
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    JavaFX 2.1.1
    Java(TM) 6 Update 31
    Java(TM) 7 Update 5
    Mozilla Firefox (8.0.1)
    Google Chrome 20.0.1132.47
    Google Chrome 20.0.1132.57
    Google Chrome Plugins...
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    AVG avgwdsvc.exe
    AVG avgtray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 3%
    ````````````````````End of Log``````````````````````
    ------

    Malwarebytes:

    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.21.02

    Windows 7 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Ming-Ti :: STEVENPC [administrator]

    Protection: Enabled

    7/22/2012 4:31:33 AM
    mbam-log-2012-07-22 (04-35-15).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 249022
    Time elapsed: 3 minute(s), 13 second(s)

    Memory Processes Detected: 2
    C:\ProgramData\UpdaterService\wsupdsvc.exe (PUP.BundleInstaller.IB) -> 896 -> No action taken.
    C:\ProgramData\UpdaterService\wsupdsvc.exe (PUP.BundleInstaller.IB) -> 5208 -> No action taken.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 12
    HKLM\SYSTEM\CurrentControlSet\Services\UpdaterService (PUP.BundleInstaller.IB) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke Updater Service (PUP.BundleInstaller.IB) -> No action taken.
    HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (PUP.MyWebSearch) -> No action taken.
    HKCR\Typelib\{B1A7C2CF-BF40-4597-8142-7615D74D0CC3} (Trojan.Agent) -> No action taken.
    HKCR\Interface\{3084BC3D-C0D6-4A28-A8A4-5857165886EE} (Trojan.Agent) -> No action taken.
    HKCR\CLSID\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken.
    HKLM\SOFTWARE\VooMuu (Adware.HotBar.VM) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VooMuuSA (Adware.HotBar.VM) -> No action taken.

    Registry Values Detected: 2
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> Data: SOSO工具栏 -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (PUP.MyWebSearch) -> Data: C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> No action taken.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 5
    C:\ProgramData\UpdaterService\wsupdsvc.exe (PUP.BundleInstaller.IB) -> No action taken.
    C:\Program Files\Tencent\QQToolbar\IEBar.dll (Trojan.Agent) -> No action taken.
    C:\Users\Ming-Ti\Downloads\SoftonicDownloader_for_speaker.exe (PUP.ToolbarDownloader) -> No action taken.
    C:\Users\Ming-Ti\Downloads\SoftonicDownloader_for_sumotori-dreams.exe (PUP.ToolbarDownloader) -> No action taken.
    C:\Users\Ming-Ti\Downloads\WhiteSmokeWriter8940_en.exe (Trojan.Downloader) -> No action taken.

    (end)
     
  12. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Why have you not removed the entries found by Malwarebytes? :)
     
  13. Trumi

    Trumi Thread Starter

    Joined:
    Jul 18, 2012
    Messages:
    10
    Oh! Eheh, I have a bad experience with not doing things to the word, so if it doesn't come up in the instructions I usually don't bother. But the entries have been removed. Is there anything else needed?
     
  14. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Ok great!! How is the system running now? :)
     
  15. Trumi

    Trumi Thread Starter

    Joined:
    Jul 18, 2012
    Messages:
    10
    My system's running wonderfully! Thanks again for your help! :D
     
Short URL to this thread: https://techguy.org/1061555