Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware redirects (google I think) unable to clean


  • This topic is locked This topic is locked
20 replies to this topic

#1 jbww24

jbww24

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 01 June 2012 - 12:18 PM

I have done everything I can possible use to clean this Windows 7 system.

I am still unable to run TDSSKiller (ends in error "unable to install" even after renaming it to iexplore, etc)

I've tried MalwareBytes, SpyBot S&D, Latest Symantec AntiVirus 12.2, combofix, rkill (rkill still kills rundll32 even after all these cleaners) CC Cleaner.

System was infected when user opened a .exe file from yahoo mail.

Here are the RKILL and COMBOFIX logs:

Please see logs below:

RKill log (pre and post combofix):

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 06/01/2012 at 11:55:48.
Operating System: Windows 7 Home Premium


Processes terminated by Rkill or while it was running:

C:\Windows\SysWOW64\rundll32.exe


Rkill completed on 06/01/2012 at 11:57:21.

-----------
ComboFix log:

ComboFix 12-05-31.02 - jaredpc 05/31/2012 17:35:27.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2667.1542 [GMT -5:00]
Running from: c:\users\jaredpc\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\WevQSIhI68XE7a
.
.
((((((((((((((((((((((((( Files Created from 2012-05-01 to 2012-06-01 )))))))))))))))))))))))))))))))
.
.
2012-06-01 03:43 . 2012-06-01 03:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-31 20:44 . 2012-05-31 21:25 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-05-31 20:44 . 2012-05-31 20:45 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-05-31 20:02 . 2012-05-31 20:02 -------- d-----w- c:\program files\CCleaner
2012-05-31 19:59 . 2012-05-31 20:06 -------- d-----w- C:\sp
2012-05-31 19:50 . 2012-05-15 06:41 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6BB4CACD-1B39-4EB1-B1E0-A6641450B34E}\mpengine.dll
2012-05-31 19:40 . 2012-05-31 19:40 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-05-31 19:39 . 2012-05-31 19:39 -------- d-----w- c:\program files (x86)\Oracle
2012-05-31 19:38 . 2012-04-04 23:47 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-05-31 19:38 . 2012-04-04 23:47 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-05-31 19:37 . 2012-05-31 19:37 -------- d-----w- c:\program files (x86)\Java
2012-05-31 19:35 . 2012-05-31 19:35 -------- d-----w- c:\users\jaredpc\AppData\Local\Apps
2012-05-31 17:45 . 2012-05-31 17:45 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-05-31 04:13 . 2012-05-31 04:13 58288 ----a-w- c:\windows\SysWow64\snacnp.dll
2012-05-31 04:13 . 2012-05-31 04:13 58288 ----a-w- c:\windows\system32\snacnp.dll
2012-05-31 04:13 . 2012-05-31 04:13 42632 ----a-w- c:\windows\system32\drivers\WGX64.SYS
2012-05-31 04:13 . 2012-05-31 04:13 102832 ----a-w- c:\windows\system32\FwsVpn.dll
2012-05-31 04:04 . 2012-05-31 04:04 -------- d-----w- c:\users\jaredpc\AppData\Roaming\Malwarebytes
2012-05-31 04:03 . 2012-05-31 04:03 -------- d-----w- c:\programdata\Malwarebytes
2012-05-31 04:03 . 2012-05-31 04:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-31 04:00 . 2012-05-31 04:00 -------- d-----w- c:\windows\system32\drivers\SEP
2012-05-31 03:59 . 2012-05-31 03:52 10063000 ----a-w- C:\mbam-setup-1.61.0.1400.exe
2012-05-31 03:58 . 2012-05-31 03:58 8769696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-05-31 03:56 . 2012-05-31 03:58 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-31 03:53 . 2012-05-31 03:54 -------- d-----w- C:\sepx
2012-05-22 13:48 . 2012-05-22 13:48 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-05-20 05:46 . 2012-05-20 05:46 -------- d-----w- c:\users\jaredpc\AppData\Local\Microsoft Games
2012-05-17 15:04 . 2012-05-31 01:55 -------- d-----w- c:\program files\Microsoft Silverlight
2012-05-17 15:04 . 2012-05-31 01:55 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-05-15 03:04 . 2012-05-31 01:55 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-05-15 03:04 . 2012-05-15 03:04 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-15 03:04 . 2012-05-15 03:04 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-05-13 17:10 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-13 17:10 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-13 17:09 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-13 17:09 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-13 17:09 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-13 17:09 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-13 12:24 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-13 12:22 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-13 12:21 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-13 12:21 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-06 22:33 . 2012-05-06 22:33 -------- d-----w- c:\programdata\TomTom
2012-05-06 22:32 . 2012-05-31 01:44 -------- d-----w- c:\users\jaredpc\AppData\Roaming\TomTom
2012-05-06 22:32 . 2012-05-31 01:44 -------- d-----w- c:\users\jaredpc\AppData\Local\TomTom
2012-05-06 22:32 . 2012-05-31 01:55 -------- d-----w- c:\program files (x86)\TomTom International B.V
2012-05-06 22:32 . 2012-05-31 02:00 -------- d-----w- c:\program files (x86)\TomTom HOME 2
2012-05-06 22:26 . 2012-05-06 22:26 -------- d-----w- c:\program files (x86)\TomTom DesktopSuite
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 04:54 . 2011-08-31 06:08 878184 ----a-w- c:\windows\system32\drivers\rtl8192ce.sys
2012-05-31 04:13 . 2009-11-10 01:03 287152 ----a-w- c:\windows\system32\SymVPN.dll
2012-05-31 04:01 . 2012-01-11 02:31 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-05-31 03:58 . 2011-07-07 01:36 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-31 03:52 . 2012-05-31 03:50 99773537 ----a-w- C:\sepx.zip
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 247728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-06-17 336384]
"HPQuickWebProxy"="c:\program files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [2011-06-28 168504]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-03-05 578944]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-31 257696]
R3 EraserUtilDrv11122;EraserUtilDrv11122;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11122.sys [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-15 129976]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120517.011\BHDrvx64.sys [2012-05-18 1160824]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C01029F\136B.105\x64\Ironx64.SYS [x]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-06-17 365568]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-09-01 227896]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-03-05 35200]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2010-12-27 1817088]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [2011-06-17 137224]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-01-23 92592]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-05-31 138912]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-31 03:58]
.
2012-05-13 c:\windows\Tasks\HPCeeScheduleForjaredpc.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-01-21 7466600]
"SetDefault"="c:\program files\Hewlett-Packard\HP LaunchBox\SetDefault.exe" [2011-10-31 43320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\users\jaredpc\AppData\Roaming\Mozilla\Firefox\Profiles\nsqycbph.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-urlmon - c:\users\jaredpc\AppData\Local\urlmon.exe
Notify-SEP - c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll
SafeBoot-ccEvtMgr
SafeBoot-ccSetMgr
SafeBoot-Symantec Antivirus
SafeBoot-Symantec Antvirus
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\SPBBCDrv]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
.
**************************************************************************
.
Completion time: 2012-05-31 23:11:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-01 04:11
.
Pre-Run: 248,543,145,984 bytes free
Post-Run: 248,463,388,672 bytes free
.
- - End Of File - - 7F2D70B4238EA93A81222463BC019745


ANY ADVICE GREATLY APPRECIATED. SYSTEM IS AN HP LAPTOP 64BIT WITH WINDOWS HOME PREMIUM.

THANKS

JBWW24

BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:21 PM

Posted 01 June 2012 - 01:15 PM

Hello jbww24,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.



Please run the following tools and post there logs. Is the redirects happening in all your browsers? For instance is it happening in Firefox and Internet Explorer. Is this just happening in one or the other?


1.
Is your computer connected to the internet through a router? If so we need to reset that router.
How to reset your Router.


2.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

2.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename in winlogon.exe (or winlogon.com) and try again

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 jbww24

jbww24
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 01 June 2012 - 02:05 PM

1. The router has been reset, I've also had the laptop at multiple different internet connections (behind a NAT/firewall). *As of this moment I have the laptop offline, as having it connected to the internet seems to cause more problems (malware communicating???) than when it is connected and hasn't made any difference. Obviously I connected it to get the latest "definitions" for all the programs I've tried. I can have it online or offline, whatever you think is best. Also to note, no matter how many times I try to set FireFox (v12) as the default browser, whenever I reboot the PC, FireFox isn't the default browser again, every time.



2. aswMBR *will not open* it acts very similar to how TDSSKiller will not open. Also to note, there is a strange drive letter Q: which says access denied when I double click it. If I right click and go to properties it says 0 bytes used 0 bytes available, and if I go to Manage Computer, Disk Management, Q: does not even show up at all there.


3. *RogueKiller opens successfully* and scan behaves as you described. Here is the log of output from RogueKiller:

RogueKiller V7.5.2 [05/30/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: jaredpc [Admin rights]
Mode: Scan -- Date: 06/01/2012 13:56:21

Bad processes: 0

Registry Entries: 4
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [NOT LOADED]

Infection : Root.MBR

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: TOSHIBA MK3276GSX SATA Disk Device +++++
--- User ---
[MBR] 47a267fece437047a7815c103861b3a7
[BSP] 18ebb6274c9f752c74947b2de0141979 : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 286067 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 586274816 | Size: 14914 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 616818688 | Size: 4063 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Kingston DT 101 G2 USB Device +++++
--- User ---
[MBR] ac848c4b1e6d0a4dea9feefc3ee29acb
[BSP] 6302c0fb54ad885fac824661b46f3eb7 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7635 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt




So I'm at the RogueKiller screen right now and haven't clicked delete/hotfix/etc yet, only Report as you requested.

jbww

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:21 PM

Posted 01 June 2012 - 03:01 PM

  • 1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the Posted Image icon on your desktop.
    4. Under the Custom Scan box paste this in
    c:\windows\*. /SL
    c:\windows\*. /RP 
    netsvcs
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav 
    %systemroot%\system32\drivers\*.sys /90
    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized



Please download Listparts64
Run the tool, click Scan and post the log (Result.txt) it makes.



Is this redirection happening in all browsers or just Firefox?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 jbww24

jbww24
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 02 June 2012 - 04:28 PM

OK -- Results for post #4 coming Shortly.

#6 jbww24

jbww24
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 02 June 2012 - 04:30 PM

The Redirects happen in _all_ browsers, tried Chrome, Internet Explorer, and FireFox, all redirects. It has to be a rootkit/TDSSKiller (which won't open).

Reply to post #4 will be in the next message.

#7 jbww24

jbww24
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 02 June 2012 - 05:07 PM

OTL OUTPUT PER REQUEST POST #4:

OTL logfile created on: 6/2/2012 4:40:21 PM - Run 1
OTL by OldTimer - Version 3.2.45.0 Folder = C:\Users\jaredpc\Desktop\sp2
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.60 Gb Total Physical Memory | 1.46 Gb Available Physical Memory | 56.10% Memory free
5.21 Gb Paging File | 3.80 Gb Available in Paging File | 72.91% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 279.36 Gb Total Space | 230.19 Gb Free Space | 82.40% Space Free | Partition Type: NTFS
Drive D: | 14.56 Gb Total Space | 1.62 Gb Free Space | 11.12% Space Free | Partition Type: NTFS
Drive E: | 3.96 Gb Total Space | 1.08 Gb Free Space | 27.33% Space Free | Partition Type: FAT32
Drive G: | 7.44 Gb Total Space | 7.41 Gb Free Space | 99.57% Space Free | Partition Type: FAT32

Computer Name: JAREDPC-HP | User Name: jaredpc | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/02 16:29:44 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\jaredpc\Desktop\sp2\OTL.exe
PRC - [2012/03/05 13:38:38 | 000,578,944 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
PRC - [2012/03/05 13:38:38 | 000,035,200 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
PRC - [2012/01/22 23:43:08 | 000,247,728 | ---- | M] (TomTom) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2012/01/22 23:43:08 | 000,092,592 | ---- | M] (TomTom) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2011/09/01 18:06:50 | 000,227,896 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
PRC - [2011/08/19 15:48:44 | 000,379,960 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
PRC - [2011/06/28 04:41:08 | 000,168,504 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
PRC - [2011/06/17 16:32:02 | 000,198,576 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
PRC - [2011/06/17 16:32:00 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
PRC - [2011/06/17 16:32:00 | 000,082,352 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\DoScan.exe
PRC - [2011/06/15 19:58:28 | 000,136,488 | ---- | M] (CyberLink) -- C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
PRC - [2010/12/27 18:30:00 | 001,817,088 | ---- | M] (Realsil Microelectronics Inc.) -- C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
PRC - [2010/11/26 09:09:12 | 000,399,344 | ---- | M] (Roxio) -- C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/13 14:46:42 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012/05/13 14:46:26 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2012/05/09 08:58:58 | 000,877,952 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\HP.SupportFramework\1.0.0.0__2a4860322af7ba08\HP.SupportFramework.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/07/05 16:08:28 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2011/06/17 00:20:20 | 000,365,568 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV:64bit: - [2010/11/20 22:24:42 | 000,084,992 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\Mcx2Svc.dll -- (Mcx2Svc)
SRV:64bit: - [2010/10/11 04:48:14 | 000,346,168 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe -- (HPClientSvc)
SRV:64bit: - [2010/09/22 20:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/11/17 20:14:00 | 000,098,208 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:41:27 | 000,097,792 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\mprdim.dll -- (RemoteAccess)
SRV - [2012/05/30 22:58:25 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/05/14 22:04:22 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/03/05 13:38:38 | 000,035,200 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe -- (HPWMISVC)
SRV - [2012/01/22 23:43:08 | 000,092,592 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/09/09 17:10:28 | 000,086,072 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe -- (HP Support Assistant Service)
SRV - [2011/09/01 18:06:50 | 000,227,896 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe -- (HPDrvMntSvc.exe)
SRV - [2011/06/17 16:32:04 | 002,591,232 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe -- (SmcService)
SRV - [2011/06/17 16:32:04 | 000,324,528 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\snac64.exe -- (SNAC)
SRV - [2011/06/17 16:32:00 | 000,137,224 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2010/12/27 18:30:00 | 001,817,088 | ---- | M] (Realsil Microelectronics Inc.) [Auto | Running] -- C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe -- (IconMan_R)
SRV - [2010/11/26 09:09:12 | 000,399,344 | ---- | M] (Roxio) [Auto | Running] -- C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe -- (RoxioNow Service)
SRV - [2010/10/12 12:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/07/13 20:15:41 | 000,075,264 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysWOW64\mprdim.dll -- (RemoteAccess)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/06/10 15:39:58 | 000,089,920 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/05/30 23:54:00 | 000,878,184 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rtl8192ce.sys -- (RTL8192Ce)
DRV:64bit: - [2012/05/30 23:01:49 | 000,174,200 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/10/14 04:37:44 | 000,396,848 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2011/10/01 09:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2011/10/01 09:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2011/10/01 09:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2011/10/01 09:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2011/07/06 20:11:20 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/07/06 20:11:20 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/07/05 16:50:30 | 009,359,872 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/07/05 15:32:22 | 000,309,760 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/06/17 16:32:06 | 000,928,888 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64\SymEFA64.sys -- (SymEFA)
DRV:64bit: - [2011/06/17 16:32:06 | 000,745,592 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2011/06/17 16:32:06 | 000,451,192 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64\SymDS64.sys -- (SymDS)
DRV:64bit: - [2011/06/17 16:32:06 | 000,386,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64\symnets.sys -- (SYMNETS)
DRV:64bit: - [2011/06/17 16:32:06 | 000,170,104 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64\Ironx64.sys -- (SymIRON)
DRV:64bit: - [2011/06/17 16:32:06 | 000,040,568 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64\srtspx64.sys -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV:64bit: - [2011/06/10 07:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/04/15 17:37:50 | 000,079,488 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_sata.sys -- (amd_sata)
DRV:64bit: - [2011/04/15 17:37:50 | 000,040,064 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_xata.sys -- (amd_xata)
DRV:64bit: - [2011/02/15 13:37:00 | 000,335,464 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RtsPStor.sys -- (RSPCIESTOR)
DRV:64bit: - [2010/11/29 07:50:38 | 000,044,672 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
DRV:64bit: - [2010/11/20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 22:23:55 | 000,328,192 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\drivers\udfs.sys -- (udfs)
DRV:64bit: - [2010/11/20 22:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010/11/20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/07/28 11:13:50 | 000,031,088 | ---- | M] (CyberLink Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\clwvd.sys -- (clwvd)
DRV:64bit: - [2010/02/18 11:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,024,144 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\crcdisk.sys -- (crcdisk)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 18:19:47 | 000,092,160 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\drivers\cdfs.sys -- (cdfs)
DRV:64bit: - [2009/06/10 16:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 16:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 16:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 15:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009/06/10 15:34:38 | 001,311,232 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2012/05/30 23:16:48 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2012/05/30 23:16:48 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/05/17 23:37:24 | 001,160,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120517.011\BHDrvx64.sys -- (BHDrvx64)
DRV - [2012/05/15 03:00:00 | 002,068,600 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120531.020\EX64.SYS -- (NAVEX15)
DRV - [2012/05/15 03:00:00 | 000,120,440 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120531.020\ENG64.SYS -- (NAVENG)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT/1
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{034FB976-5E5B-45FC-8957-82FA74E62783}: "URL" = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
IE:64bit: - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=CPNTDF
IE:64bit: - HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
IE:64bit: - HKLM\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE:64bit: - HKLM\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT/1
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{034FB976-5E5B-45FC-8957-82FA74E62783}: "URL" = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=CPNTDF
IE - HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
IE - HKLM\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE - HKLM\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT/1
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{034FB976-5E5B-45FC-8957-82FA74E62783}: "URL" = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
IE - HKCU\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=CPNTDF
IE - HKCU\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
IE - HKCU\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE - HKCU\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_2_202_235.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/05/30 20:55:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/05/06 17:32:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jaredpc\AppData\Roaming\Mozilla\Extensions
[2012/05/06 17:32:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jaredpc\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
[2012/05/04 09:09:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jaredpc\AppData\Roaming\Mozilla\Firefox\Profiles\nsqycbph.default\extensions
[2012/01/10 21:46:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/01/10 21:47:52 | 000,634,964 | ---- | M] () (No name found) -- C:\USERS\JAREDPC\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NSQYCBPH.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/05/14 22:04:22 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/02/28 18:36:23 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/02/28 18:36:23 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/06/01 14:32:26 | 000,000,021 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [SetDefault] C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [HPQuickWebProxy] C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62 65.24.0.169
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C5B08667-7AB3-415F-913E-90C7106EC226}: DhcpNameServer = 209.18.47.61 209.18.47.62 65.24.0.169
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)


ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/06/02 16:39:21 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\Desktop\sp2
[2012/06/01 13:53:58 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\Desktop\RK_Quarantine
[2012/06/01 13:50:59 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\jaredpc\Desktop\aswMBR.exe
[2012/05/31 23:11:54 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/05/31 22:48:06 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012/05/31 17:23:44 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/05/31 17:23:44 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/05/31 17:23:44 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/05/31 17:22:38 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/05/31 17:22:31 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/05/31 17:11:37 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/31 17:09:41 | 004,533,668 | ---- | C] (Swearware) -- C:\ComboFix.exe
[2012/05/31 17:09:33 | 004,533,668 | R--- | C] (Swearware) -- C:\Users\jaredpc\Desktop\ComboFix.exe
[2012/05/31 15:44:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012/05/31 15:44:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/05/31 15:44:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2012/05/31 15:35:15 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\Desktop\sp
[2012/05/31 15:14:29 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\Desktop\tdsskiller
[2012/05/31 15:02:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/05/31 15:02:35 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/05/31 14:59:40 | 000,000,000 | ---D | C] -- C:\sp
[2012/05/31 14:52:08 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\spybotsd162.exe
[2012/05/31 14:40:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2012/05/31 14:40:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012/05/31 14:39:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Oracle
[2012/05/31 14:37:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2012/05/31 14:35:11 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\AppData\Local\Apps
[2012/05/31 12:45:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2012/05/30 23:13:15 | 000,102,832 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\FwsVpn.dll
[2012/05/30 23:13:15 | 000,058,288 | ---- | C] (Symantec Corporation) -- C:\Windows\SysWow64\snacnp.dll
[2012/05/30 23:13:15 | 000,058,288 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\snacnp.dll
[2012/05/30 23:13:15 | 000,042,632 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\WGX64.SYS
[2012/05/30 23:04:02 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\AppData\Roaming\Malwarebytes
[2012/05/30 23:03:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/05/30 23:03:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/05/30 23:03:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/05/30 23:00:02 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64
[2012/05/30 23:00:02 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\SEP
[2012/05/30 23:00:02 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105
[2012/05/30 23:00:02 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\SEP\0C01029F
[2012/05/30 22:59:41 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\mbam-setup-1.61.0.1400.exe
[2012/05/30 22:53:12 | 000,000,000 | ---D | C] -- C:\sepx
[2012/05/22 11:19:29 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Recovery
[2012/05/22 08:48:35 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
[2012/05/21 12:01:47 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\Documents\Label_Parcel_postal-NR104-145
[2012/05/20 00:46:23 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\AppData\Local\Microsoft Games
[2012/05/17 21:32:17 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\AppData\Local\{EB4F0353-CBB9-40A0-9E8D-7C7C4A8FB49E}
[2012/05/17 10:07:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2012/05/17 10:04:02 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2012/05/17 10:04:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2012/05/14 22:04:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/05/14 22:04:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2012/05/06 17:33:12 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\Documents\TomTom
[2012/05/06 17:33:09 | 000,000,000 | ---D | C] -- C:\ProgramData\TomTom
[2012/05/06 17:32:37 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\AppData\Roaming\TomTom
[2012/05/06 17:32:37 | 000,000,000 | ---D | C] -- C:\Users\jaredpc\AppData\Local\TomTom
[2012/05/06 17:32:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TomTom
[2012/05/06 17:32:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TomTom International B.V
[2012/05/06 17:32:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TomTom HOME 2
[2012/05/06 17:26:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TomTom DesktopSuite

========== Files - Modified Within 30 Days ==========

[2012/06/02 16:44:44 | 000,032,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/02 16:44:44 | 000,032,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/02 16:41:56 | 000,727,182 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/06/02 16:41:56 | 000,624,622 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/06/02 16:41:56 | 000,106,708 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/06/02 16:37:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/02 16:37:04 | 2097,340,416 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/01 14:32:26 | 000,000,021 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/06/01 13:58:04 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/06/01 13:49:32 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\jaredpc\Desktop\aswMBR.exe
[2012/06/01 13:49:24 | 001,506,304 | ---- | M] () -- C:\Users\jaredpc\Desktop\RogueKiller.exe
[2012/06/01 13:45:54 | 000,000,426 | -H-- | M] () -- C:\Windows\SysNative\Rebecca.dat
[2012/06/01 12:25:22 | 000,853,862 | ---- | M] () -- C:\Users\jaredpc\Desktop\SecurityCheck.exe
[2012/05/31 17:10:02 | 004,533,668 | R--- | M] (Swearware) -- C:\Users\jaredpc\Desktop\ComboFix.exe
[2012/05/31 17:09:41 | 004,533,668 | ---- | M] (Swearware) -- C:\ComboFix.exe
[2012/05/31 15:44:36 | 000,001,286 | ---- | M] () -- C:\Users\jaredpc\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/05/31 15:02:36 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/05/31 14:51:49 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\spybotsd162.exe
[2012/05/31 14:15:59 | 001,489,640 | ---- | M] () -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64\Cat.DB
[2012/05/30 23:13:16 | 000,058,288 | ---- | M] (Symantec Corporation) -- C:\Windows\SysWow64\snacnp.dll
[2012/05/30 23:13:15 | 000,287,152 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\SymVPN.dll
[2012/05/30 23:13:15 | 000,102,832 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\FwsVpn.dll
[2012/05/30 23:13:15 | 000,058,288 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\snacnp.dll
[2012/05/30 23:13:15 | 000,042,632 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\WGX64.SYS
[2012/05/30 23:12:07 | 001,544,413 | -H-- | M] () -- C:\Users\jaredpc\AppData\Local\.oldold.db
[2012/05/30 23:03:47 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/30 23:01:49 | 000,174,200 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2012/05/30 23:01:49 | 000,007,530 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2012/05/30 23:01:49 | 000,000,855 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2012/05/30 23:00:36 | 000,000,114 | ---- | M] () -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64\isolate.ini
[2012/05/30 22:52:59 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup-1.61.0.1400.exe
[2012/05/30 22:52:15 | 099,773,537 | ---- | M] () -- C:\sepx.zip
[2012/05/23 08:31:18 | 000,000,000 | ---- | M] () -- C:\ProgramData\-WevQSIhI68XE7a
[2012/05/22 12:36:10 | 000,000,168 | ---- | M] () -- C:\ProgramData\-WevQSIhI68XE7ar
[2012/05/13 14:22:45 | 000,000,340 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForjaredpc.job
[2012/05/13 14:22:25 | 000,274,320 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2012/06/01 13:51:00 | 001,506,304 | ---- | C] () -- C:\Users\jaredpc\Desktop\RogueKiller.exe
[2012/06/01 13:51:00 | 000,853,862 | ---- | C] () -- C:\Users\jaredpc\Desktop\SecurityCheck.exe
[2012/06/01 12:50:33 | 000,000,426 | -H-- | C] () -- C:\Windows\SysNative\Rebecca.dat
[2012/05/31 17:23:44 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/05/31 17:23:44 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/05/31 17:23:44 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/05/31 17:23:44 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/05/31 17:23:44 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/05/31 15:44:36 | 000,001,286 | ---- | C] () -- C:\Users\jaredpc\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/05/31 15:02:36 | 000,000,822 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/05/31 13:24:35 | 000,002,598 | ---- | C] () -- C:\Users\jaredpc\Desktop\WildTangent Games App - hp.lnk
[2012/05/31 13:24:35 | 000,002,362 | ---- | C] () -- C:\Users\jaredpc\Desktop\Walmart Photo Center.lnk
[2012/05/31 13:24:35 | 000,002,314 | ---- | C] () -- C:\Users\jaredpc\Desktop\Zya Music...FREE!.lnk
[2012/05/31 13:24:35 | 000,002,179 | ---- | C] () -- C:\Users\jaredpc\Desktop\HP Support Assistant.lnk
[2012/05/31 13:24:35 | 000,002,109 | ---- | C] () -- C:\Users\jaredpc\Desktop\Microsoft Office 2010.lnk
[2012/05/31 13:24:35 | 000,001,142 | ---- | C] () -- C:\Users\jaredpc\Desktop\Mozilla Firefox.lnk
[2012/05/31 13:24:35 | 000,001,070 | ---- | C] () -- C:\Users\jaredpc\Desktop\VLC media player.lnk
[2012/05/31 13:24:35 | 000,000,228 | ---- | C] () -- C:\Users\jaredpc\Desktop\VUDU - Streaming Movies.url
[2012/05/31 13:24:34 | 000,002,368 | ---- | C] () -- C:\Users\jaredpc\Desktop\Discover HP webOS.lnk
[2012/05/31 13:24:34 | 000,002,260 | ---- | C] () -- C:\Users\jaredpc\Desktop\eBay.lnk
[2012/05/30 23:13:18 | 001,489,640 | ---- | C] () -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64\Cat.DB
[2012/05/30 23:03:47 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/30 23:00:36 | 000,000,114 | ---- | C] () -- C:\Windows\SysNative\drivers\SEP\0C01029F\136B.105\x64\isolate.ini
[2012/05/30 22:56:40 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/05/30 22:50:08 | 099,773,537 | ---- | C] () -- C:\sepx.zip
[2012/05/22 12:36:10 | 000,000,168 | ---- | C] () -- C:\ProgramData\-WevQSIhI68XE7ar
[2012/05/22 12:36:10 | 000,000,000 | ---- | C] () -- C:\ProgramData\-WevQSIhI68XE7a
[2012/01/25 19:43:02 | 000,743,534 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/01/10 20:31:53 | 001,544,413 | -H-- | C] () -- C:\Users\jaredpc\AppData\Local\.oldold.db
[2011/08/31 01:15:36 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/08/31 01:08:52 | 000,451,072 | ---- | C] () -- C:\Windows\SysWow64\ISSRemoveSP.exe
[2011/06/17 00:34:50 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011/05/13 09:33:18 | 000,007,736 | ---- | C] () -- C:\Windows\hpDSTRES.DLL
[2011/03/17 16:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

========== LOP Check ==========

[2012/01/11 22:05:19 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Blio
[2012/05/30 20:44:31 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\SoftGrid Client
[2012/01/10 20:17:51 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Synaptics
[2012/05/30 20:44:31 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\TomTom
[2012/01/25 19:45:03 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\TP
[2009/07/14 00:08:49 | 000,016,134 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========

< c:\windows\*. /SL >

< c:\windows\*. /RP >

< %ALLUSERSPROFILE%\Application Data\*. >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >

< %APPDATA%\*. >
[2012/05/30 20:44:18 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Adobe
[2012/01/10 20:18:51 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\ATI
[2012/01/11 22:05:19 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Blio
[2012/01/19 13:27:45 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\CyberLink
[2012/06/01 12:07:14 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Hewlett-Packard
[2012/01/21 17:31:26 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\hpqlog
[2012/01/10 20:17:02 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Identities
[2012/01/10 20:59:33 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Macromedia
[2012/05/30 23:04:02 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Malwarebytes
[2011/08/31 01:59:21 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Media Center Programs
[2012/05/30 20:56:42 | 000,000,000 | --SD | M] -- C:\Users\jaredpc\AppData\Roaming\Microsoft
[2012/05/30 20:44:29 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Mozilla
[2012/05/30 20:44:31 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\SoftGrid Client
[2012/01/10 20:17:51 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\Synaptics
[2012/05/30 20:44:31 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\TomTom
[2012/01/25 19:45:03 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\TP
[2012/05/30 20:56:43 | 000,000,000 | ---D | M] -- C:\Users\jaredpc\AppData\Roaming\vlc

< %APPDATA%\*.exe /s >

< %SYSTEMDRIVE%\*.exe >
[2012/05/31 17:09:41 | 004,533,668 | ---- | M] (Swearware) -- C:\ComboFix.exe
[2012/05/30 22:52:59 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup-1.61.0.1400.exe
[2012/05/31 14:51:49 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\spybotsd162.exe

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >

< End of report >

-------------------------

EXTRAS.TXT OUTPUT PER REQUEST #4:

OTL Extras logfile created on: 6/2/2012 4:40:21 PM - Run 1
OTL by OldTimer - Version 3.2.45.0 Folder = C:\Users\jaredpc\Desktop\sp2
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.60 Gb Total Physical Memory | 1.46 Gb Available Physical Memory | 56.10% Memory free
5.21 Gb Paging File | 3.80 Gb Available in Paging File | 72.91% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 279.36 Gb Total Space | 230.19 Gb Free Space | 82.40% Space Free | Partition Type: NTFS
Drive D: | 14.56 Gb Total Space | 1.62 Gb Free Space | 11.12% Space Free | Partition Type: NTFS
Drive E: | 3.96 Gb Total Space | 1.08 Gb Free Space | 27.33% Space Free | Partition Type: FAT32
Drive G: | 7.44 Gb Total Space | 7.41 Gb Free Space | 99.57% Space Free | Partition Type: FAT32

Computer Name: JAREDPC-HP | User Name: jaredpc | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2A6B30AD-3CC1-42E3-AA70-FC5B9C7FB543}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{B927E893-5945-4FD8-9A0B-822F522DB4A1}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{257BEA93-44F1-4EFC-8FE7-D8FE4E83F32D}" = protocol=6 | dir=in | app=c:\program files (x86)\roxio\roxionow player\rnowshell.exe |
"{350BF55D-EA32-4378-9006-5E27F5D9CDB7}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{373543E5-BA7B-45EC-BF0D-15EA125205AE}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{37F7D1FD-F66F-4608-B5AC-74F900F6E0B8}" = protocol=17 | dir=in | app=c:\program files (x86)\roxio\roxionow player\rnowshell.exe |
"{5014C391-BE7F-478D-905A-7A55F624D1A6}" = protocol=6 | dir=in | app=c:\program files (x86)\symantec\symantec endpoint protection\snac64.exe |
"{6D3559FA-E5DA-4DBD-A0DF-F5B0FC110EED}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe |
"{843A2CAF-7355-4976-9E8A-27E12616074E}" = protocol=6 | dir=in | app=c:\program files (x86)\symantec\symantec endpoint protection\smc.exe |
"{891D3C29-F37F-4002-AEEC-16382576166D}" = protocol=17 | dir=in | app=c:\program files (x86)\common files\symantec shared\ccapp.exe |
"{89868C44-2406-45C8-BD93-42112A95DAAF}" = protocol=17 | dir=in | app=c:\program files (x86)\symantec\symantec endpoint protection\smc.exe |
"{A8E541FA-B235-47DE-9D75-ED4A330968DA}" = protocol=17 | dir=in | app=c:\program files (x86)\symantec\symantec endpoint protection\12.1.671.4971.105\bin64\smc.exe |
"{AFE64636-35B0-45F8-AA2A-68EA1C4F2712}" = protocol=6 | dir=in | app=c:\program files (x86)\symantec\symantec endpoint protection\12.1.671.4971.105\bin64\snac64.exe |
"{BF3AFB28-9612-4926-BDCD-1DC2F33BD103}" = protocol=17 | dir=in | app=c:\program files (x86)\symantec\symantec endpoint protection\12.1.671.4971.105\bin64\snac64.exe |
"{BF6CD862-F9AF-4DB1-9FFF-6458F9632095}" = protocol=6 | dir=in | app=c:\program files (x86)\hewlett-packard\mediasmart\roxionow\rnow.exe |
"{C2955A68-DAFE-4435-8775-58947DE450C4}" = protocol=17 | dir=in | app=c:\program files (x86)\symantec\symantec endpoint protection\snac64.exe |
"{C7598521-94C0-40A0-A76B-141AA6212CF4}" = protocol=6 | dir=in | app=c:\program files (x86)\common files\symantec shared\ccapp.exe |
"{CC1899D7-4441-451C-9DA8-8765883888CE}" = protocol=6 | dir=in | app=c:\program files (x86)\symantec\symantec endpoint protection\12.1.671.4971.105\bin64\smc.exe |
"{F72CB198-A78D-4DE3-8923-17B2D90F4F03}" = protocol=17 | dir=in | app=c:\program files (x86)\hewlett-packard\mediasmart\roxionow\rnow.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{1E4F85D3-21AE-5965-B58F-ADA152087438}" = ccc-utility64
"{2856A1C2-70C5-4EC3-AFF7-E5B51E5530A2}" = HP Client Services
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{72927D2A-ADEF-786D-91E3-06CEFD60D107}" = ATI Catalyst Install Manager
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{87C925D6-F6BF-4FBD-840B-53BAE2648B7B}" = Symantec Endpoint Protection
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{C4EACDFC-4BD3-4553-8445-A55B55818835}" = HP Launch Box
"{CC4D56B7-6F18-470B-8734-ABCD75BCF4F1}" = HP Auto
"{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector
"{D2F5AD37-740F-4A4E-257C-AB1B1577FB03}" = AMD Media Foundation Decoders
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{F25DF24C-44F4-CA28-AE93-C50E637677E1}" = AMD Fuel
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"SynTPDeinstKey" = Synaptics TouchPad Driver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{07FA4960-B038-49EB-891B-9F95930AA544}" = HP Customer Experience Enhancements
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0DC04A49-75C8-234A-459A-56E90120C9BF}" = Catalyst Control Center Graphics Previews Common
"{0EDEB615-1A60-425E-8306-0E10519C7B55}" = RoxioNow Player
"{1111706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0
"{120262A6-7A4B-4889-AE85-F5E5688D3683}" = HP MovieStore
"{12222C69-B349-23B5-EE29-2A02B68A56C7}" = CCC Help Greek
"{131D3479-CA72-DEDE-5764-7083B7B1F547}" = CCC Help Danish
"{1854100A-B46D-290C-0E1B-29EC1C4276D1}" = CCC Help Spanish
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{26A24AE4-039D-4CA4-87B4-2F83217004FF}" = Java™ 7 Update 4
"{28FE073B-1230-4BF6-830C-7434FD0C0069}" = HP Software Framework
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2A2414C2-829B-1617-A858-3E7A95E2F776}" = CCC Help Norwegian
"{2CBC1636-7754-CC40-9FDD-537F6B9576E3}" = Catalyst Control Center Localization All
"{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App" = Update Installer for WildTangent Games App
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A6F089C-BB4B-D768-9E1A-CDBCD6B9654E}" = Catalyst Control Center InstallProxy
"{5036764A-435D-40C9-869C-31085A3D741D}" = HP Setup
"{51B57AC2-5B19-8EBD-C875-1ABE27B8805F}" = CCC Help German
"{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module
"{53A79F0B-4D17-5D2A-9212-2167C84892EA}" = CCC Help Chinese Standard
"{53B17A98-5BF0-40BC-AAFF-850A357975AC}" = HP Quick Launch
"{559C58CD-F800-A374-DA37-D98FF4F440F6}" = CCC Help Chinese Traditional
"{5723D1D9-E745-DEB4-3EFC-699B36CF04F8}" = CCC Help Japanese
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5EC11835-8CB9-846B-B3DC-B8C99C748D7B}" = CCC Help Dutch
"{60382BCF-CD62-ED26-F920-30ACDDB13E89}" = CCC Help Thai
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{62280713-38D6-DC4B-1AF5-B6145A9D64EE}" = CCC Help English
"{646ADDE8-F6A6-E311-7A17-6744944F4B8A}" = CCC Help Swedish
"{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST Module
"{6737D9E5-E5EE-5BCC-5214-8D988AE88FC9}" = CCC Help French
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{68A55875-B6DD-41E8-8CF6-F193D9C47051}" = HP Documentation
"{6F340107-F9AA-47C6-B54C-C3A19F11553F}" = Hewlett-Packard ACLM.NET v1.1.2.0
"{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}" = HP Support Assistant
"{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-hp" = WildTangent Games App (HP Games)
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{8B52057C-15DB-433E-957C-E279BC7D07E3}" = HP QuickWeb
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8C9CA7D5-93F8-A8CD-61D1-BF8A288F1FF2}" = CCC Help Portuguese
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8E53C421-F248-DEFF-68AC-20691AA1DE59}" = CCC Help Finnish
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{9008D736-35CA-40DB-A2BE-5F32D954E5AA}" = HP MovieStore
"{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{9368DDD5-CE7F-4BD7-A83A-F00FABE338EC}" = Blio
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{95A46A36-EEF8-A4A2-19F6-45A994E42E29}" = CCC Help Hungarian
"{9A452B33-CA88-CB24-F2C5-7123106600EE}" = CCC Help Italian
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D3D8C60-A55F-4123-B2B9-173F09590E16}" = REALTEK Wireless LAN Driver
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A834E3B6-C376-1C25-301E-20F16E9FCE00}" = CCC Help Turkish
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{AE856388-AFAD-4753-81DF-D96B19D0A17C}" = HP Setup Manager
"{AF01C37B-FCCB-50C3-64A9-A16811F045C7}" = AMD VISION Engine Control Center
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C0F0F180-AAC4-0564-FFD4-8810D6CE3BAB}" = CCC Help Korean
"{C1594429-8296-4652-BF54-9DBE4932A44C}" = Realtek PCIE Card Reader
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CF173F8A-9F41-B92D-E516-E96166FD0CDD}" = CCC Help Polish
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DBCD5E64-7379-4648-9444-8A6558DCB614}" = Recovery Manager
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E00C1D49-FDFE-AD68-7C8F-6F021AAAF212}" = CCC Help Russian
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E44578C7-4667-4124-8BC2-1161BCA54978}" = HP Power Manager
"{E96CAA2A-0244-4A2A-8403-0C3C9534778B}" = ESU for Microsoft Windows 7 SP1
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{ED1BD69A-07E3-418C-91F1-D856582581BF}" = HP On Screen Display
"{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F30403FF-0146-4633-AAC5-D5CD5C50AE70}" = Catalyst Control Center - Branding
"{F6F65734-697D-CBF9-416C-9BFF34AF2C0A}" = CCC Help Czech
"{F761359C-9CED-45AE-9A51-9D6605CD55C4}" = Evernote v. 4.2.3
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.Click2Run" = Microsoft Office Click-to-Run 2010
"TomTom HOME" = TomTom HOME 2.8.3.2499
"VLC media player" = VLC media player 1.1.11
"WildTangent hp Master Uninstall" = HP Games
"WinLiveSuite" = Windows Live Essentials
"WTA-119c0c51-cfb9-4317-a220-4fbf25981a1a" = Agatha Christie - Peril at End House
"WTA-179de5ea-67ad-4e33-a33e-f034f99880a0" = Zuma Deluxe
"WTA-1b0f0f3f-4c91-48b1-b744-20eefad68793" = Blackhawk Striker 2
"WTA-32a87b37-4e35-4796-84b1-53c2e38475e6" = Namco All-Stars: PAC-MAN
"WTA-356126c7-d89d-4f5c-891c-86ed0abf6701" = Plants vs. Zombies - Game of the Year
"WTA-38474588-4b53-4f7f-8e28-cf8eed0e463b" = Jewel Quest: The Sleepless Star - Collector's Edition
"WTA-8870fbec-7873-45e6-b8e8-07b818b3079f" = Cradle of Rome 2
"WTA-8959d8e6-776b-4d98-90c3-22d8894d44fe" = FATE
"WTA-a1e8fc7d-b409-4bb2-bf5c-d842348c67fa" = Polar Golfer
"WTA-a6b3c4e0-4c03-41f2-b836-d52c9795bdd7" = Virtual Villagers 5 - New Believers
"WTA-a78bdb29-818b-4192-bcf1-c80095a4966a" = Farm Frenzy
"WTA-aa965f3a-3e9e-4573-b30d-2c42e3772164" = Cake Mania
"WTA-ac6d320e-1fa4-4343-b2b2-c578fc407270" = Poker Superstars III
"WTA-b2572f39-665c-4b6f-b497-d688bbad175c" = Governor of Poker 2 Premium Edition
"WTA-b6ad4866-c56f-42ee-b968-177b16587fd6" = Bounce Symphony
"WTA-b7f15645-7cff-462a-9219-e92c4281632e" = Slingo Supreme
"WTA-bf8c5fc4-8f09-42fc-a056-428f83a5da37" = Bejeweled 3
"WTA-c56347ea-a0a2-4e58-be53-da8f4d3c4b18" = Chronicles of Albian
"WTA-cb0f3cd3-be33-49c5-abd5-15d36669c65e" = Polar Bowler
"WTA-cff3de22-a66c-4c22-b34a-5138919cf04f" = Blasterball 3
"WTA-dd18deb6-7ddc-4515-b1f6-1dceb068a32e" = Chuzzle Deluxe
"WTA-e486a45f-e39a-4ce7-b585-feb4beb2d6f6" = Mystery of Mortlake Mansion
"WTA-e66791d3-9ffa-4ad3-af0d-f5e892b601fb" = Penguins!
"WTA-e76194e3-6145-4a24-a836-bf57e0713fb1" = Mah Jong Medley
"WTA-ea744253-f52c-497f-8459-b41cffe4ac62" = Vacation Quest - The Hawaiian Islands

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/31/2012 6:12:11 PM | Computer Name = jaredpc-HP | Source = Symantec AntiVirus | ID = 16711725
Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\32788R22FWJFW\LICENSE\IEXPLORE.EXE
File:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
Location:
Deleted or access blocked Computer: JAREDPC-HP User: jaredpc Action taken: Date found:
Thursday, May 31, 2012 5:12:11 PM

Error - 5/31/2012 6:12:11 PM | Computer Name = jaredpc-HP | Source = Symantec AntiVirus | ID = 16711725
Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\32788R22FWJFW\LICENSE\IEXPLORE.EXE
File:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Location:
Deleted or access blocked Computer: JAREDPC-HP User: jaredpc Action taken: Date found:
Thursday, May 31, 2012 5:12:11 PM

Error - 5/31/2012 6:12:12 PM | Computer Name = jaredpc-HP | Source = Symantec AntiVirus | ID = 16711725
Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\32788R22FWJFW\LICENSE\IEXPLORE.EXE
File:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Location:
Deleted or access blocked Computer: JAREDPC-HP User: jaredpc Action taken: Date found:
Thursday, May 31, 2012 5:12:12 PM

Error - 5/31/2012 6:12:12 PM | Computer Name = jaredpc-HP | Source = Symantec AntiVirus | ID = 16711725
Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\32788R22FWJFW\LICENSE\IEXPLORE.EXE
File:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
Location:
Deleted or access blocked Computer: JAREDPC-HP User: jaredpc Action taken: Date found:
Thursday, May 31, 2012 5:12:12 PM

Error - 5/31/2012 6:12:12 PM | Computer Name = jaredpc-HP | Source = Symantec AntiVirus | ID = 16711725
Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\32788R22FWJFW\LICENSE\IEXPLORE.EXE
File:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
Location:
Deleted or access blocked Computer: JAREDPC-HP User: jaredpc Action taken: Date found:
Thursday, May 31, 2012 5:12:12 PM

Error - 5/31/2012 6:12:12 PM | Computer Name = jaredpc-HP | Source = Symantec AntiVirus | ID = 16711725
Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\32788R22FWJFW\LICENSE\IEXPLORE.EXE
File:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Location:
Deleted or access blocked Computer: JAREDPC-HP User: jaredpc Action taken: Date found:
Thursday, May 31, 2012 5:12:12 PM

Error - 5/31/2012 6:12:18 PM | Computer Name = jaredpc-HP | Source = Symantec AntiVirus | ID = 16711725
Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\32788R22FWJFW\LICENSE\IEXPLORE.EXE
File:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
Location:
Deleted or access blocked Computer: JAREDPC-HP User: jaredpc Action taken: Date found:
Thursday, May 31, 2012 5:12:18 PM

Error - 5/31/2012 6:12:41 PM | Computer Name = jaredpc-HP | Source = Symantec AntiVirus | ID = 16711725
Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\32788R22FWJFW\PEV.3XE
File:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Location:
Deleted or access blocked Computer: JAREDPC-HP User: jaredpc Action taken: Date found:
Thursday, May 31, 2012 5:12:41 PM

Error - 5/31/2012 6:12:41 PM | Computer Name = jaredpc-HP | Source = Symantec AntiVirus | ID = 16711725
Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\32788R22FWJFW\PEV.3XE
File:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
Location:
Deleted or access blocked Computer: JAREDPC-HP User: jaredpc Action taken: Date found:
Thursday, May 31, 2012 5:12:41 PM

Error - 5/31/2012 6:12:41 PM | Computer Name = jaredpc-HP | Source = Symantec AntiVirus | ID = 16711725
Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\32788R22FWJFW\PEV.3XE
File:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
Location:
Deleted or access blocked Computer: JAREDPC-HP User: jaredpc Action taken: Date found:
Thursday, May 31, 2012 5:12:41 PM

[ Hewlett-Packard Events ]
Error - 4/5/2012 8:59:11 AM | Computer Name = jaredpc-HP | Source = hpsa_service.exe | ID = 2000
Description = HP Error ID: -2146233088hpsa_service.exe at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
Boolean localScan) Message: One HP Active Check Local Mode job already running. StackTrace:
at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
Boolean localScan) Source: HP.ActiveCheckLocalMode.SessionManager Name: hpsa_service.exe
Version:
06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
Format:
en-US RAM: 2666 Ram Utilization: 50 TargetSite: Void UpdateAndDetect()

Error - 4/11/2012 5:11:21 PM | Computer Name = jaredpc-HP | Source = hpsa_service.exe | ID = 2000
Description = HP Error ID: -2146233088 at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
Boolean localScan) Message: One HP Active Check Local Mode job already running. StackTrace:
at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
Boolean localScan) Source: HP.ActiveCheckLocalMode.SessionManager Name: hpsa_service.exe
Version:
06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
Format:
en-US RAM: 2666 Ram Utilization: 60 TargetSite: Void UpdateAndDetect()

Error - 4/18/2012 6:12:12 PM | Computer Name = jaredpc-HP | Source = hpsa_service.exe | ID = 2000
Description = HP Error ID: -2146233088 at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
Boolean localScan) Message: One HP Active Check Local Mode job already running. StackTrace:
at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetect()

at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
Boolean localScan) Source: HP.ActiveCheckLocalMode.SessionManager Name: hpsa_service.exe
Version:
06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
Format:
en-US RAM: 2666 Ram Utilization: 50 TargetSite: Void UpdateAndDetect()

Error - 4/25/2012 6:32:49 PM | Computer Name = jaredpc-HP | Source = hpsa_service.exe | ID = 2000
Description = HP Error ID: -2146233088 at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateDetail(String
category) at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetectCore()

at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
Boolean localScan) Message: Failed to perform update. StackTrace: at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateDetail(String
category) at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetectCore()

at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
Boolean localScan) Source: HP.ActiveCheckLocalMode.SessionManager InnerException.Message:
Object '/8d85c1c5_1527_4e0f_9a98_a7f13022b0da/opqmrbe42plbn5rlj9dannv4_5.rem' has
been disconnected or does not exist at the server. Name: hpsa_service.exe Version:
06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
Format:
en-US RAM: 2666 Ram Utilization: 60 TargetSite: Void UpdateDetail(System.String)

Error - 4/25/2012 6:33:24 PM | Computer Name = jaredpc-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 5/2/2012 10:00:33 AM | Computer Name = jaredpc-HP | Source = hpsa_service.exe | ID = 2000
Description = HP Error ID: -2146233088 at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateDetail(String
category) at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetectCore()

at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
Boolean localScan) Message: Failed to perform update. StackTrace: at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateDetail(String
category) at HP.ActiveCheckLocalMode.SessionManager.ActiveCheckManager.UpdateAndDetectCore()

at HP.SupportAssistant.Service.ACLM.ActiveCheck.LaunchActiveCheck(Boolean singleScan,
Boolean localScan) Source: HP.ActiveCheckLocalMode.SessionManager InnerException.Message:
Object '/1c680183_ac31_4e38_8356_0106f930466b/rkszj06v9uws9zza6a3mvq0n_5.rem' has
been disconnected or does not exist at the server. Name: hpsa_service.exe Version:
06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
Format:
en-US RAM: 2666 Ram Utilization: TargetSite: Void UpdateDetail(System.String)

Error - 5/2/2012 10:00:38 AM | Computer Name = jaredpc-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 5/9/2012 9:56:01 AM | Computer Name = jaredpc-HP | Source = HPSF.exe | ID = 4000
Description =

Error - 5/22/2012 12:54:45 AM | Computer Name = jaredpc-HP | Source = HPSF.exe | ID = 4000
Description = HP Error ID: -2146233087 Server stack trace: at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage
methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage
message) Exception rethrown at [0] Message: The server did not provide a meaningful
reply; this might be caused by a contract mismatch, a premature session shutdown
or an internal server error. StackTrace: Server stack trace: at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage
methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage
message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
msgData, Int32 type) at HP.SupportFramework.Communicator.MessengerComm.IMessengerCommunicator.UpdateTimer()

at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Source: mscorlib

Name:
HPSF.exe Version: 06.00.01.01 Path: C:\Program Files (x86)\Hewlett-Packard\HP Support
Framework\HPSF.exe Format: en-US RAM: 2666 Ram Utilization: 50 TargetSite: Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage,
System.Runtime.Remoting.Messaging.IMessage)

Error - 5/22/2012 1:05:02 AM | Computer Name = jaredpc-HP | Source = HPSF.exe | ID = 4000
Description =

[ HP Software Framework Events ]
Error - 5/22/2012 1:03:48 AM | Computer Name = jaredpc-HP | Source = CaslWmi | ID = 5
Description = 2012/05/22 00:03:48.509|00001160|Error |[CaslWmi]CommandFolio::A{hpCasl.enReturnCode(int&)}|Error
0xe_BIOS_INVALID_COMMAND_TYPE from BIOS WMI call Read/2Eh while getting Folio state

Error - 5/22/2012 1:03:53 AM | Computer Name = jaredpc-HP | Source = CaslWmi | ID = 5
Description = 2012/05/22 00:03:53.726|00001F80|Error |[CaslWmi]CommandFolio::A{hpCasl.enReturnCode(int&)}|Error
0xe_BIOS_INVALID_COMMAND_TYPE from BIOS WMI call Read/2Eh while getting Folio state

Error - 5/22/2012 1:38:34 AM | Computer Name = jaredpc-HP | Source = CaslWmi | ID = 5
Description = 2012/05/22 00:38:34.497|00001E28|Error |[CaslWmi]CommandFolio::A{hpCasl.enReturnCode(int&)}|Error
0xe_BIOS_INVALID_COMMAND_TYPE from BIOS WMI call Read/2Eh while getting Folio state

Error - 5/22/2012 1:38:37 AM | Computer Name = jaredpc-HP | Source = CaslWmi | ID = 5
Description = 2012/05/22 00:38:37.990|00000DD8|Error |[CaslWmi]CommandFolio::A{hpCasl.enReturnCode(int&)}|Error
0xe_BIOS_INVALID_COMMAND_TYPE from BIOS WMI call Read/2Eh while getting Folio state

Error - 5/31/2012 12:25:02 AM | Computer Name = jaredpc-HP | Source = CaslWmi | ID = 5
Description = 2012/05/30 23:25:02.299|000011C4|Error |[CaslWmi]CommandFolio::A{hpCasl.enReturnCode(int&)}|Error
0xe_BIOS_INVALID_COMMAND_TYPE from BIOS WMI call Read/2Eh while getting Folio state

Error - 5/31/2012 12:43:14 AM | Computer Name = jaredpc-HP | Source = CaslWmi | ID = 5
Description = 2012/05/30 23:43:14.279|000002C8|Error |[CaslWmi]CommandFolio::A{hpCasl.enReturnCode(int&)}|Error
0xe_BIOS_INVALID_COMMAND_TYPE from BIOS WMI call Read/2Eh while getting Folio state

Error - 5/31/2012 12:43:19 AM | Computer Name = jaredpc-HP | Source = CaslWmi | ID = 5
Description = 2012/05/30 23:43:19.490|00000B40|Error |[CaslWmi]CommandFolio::A{hpCasl.enReturnCode(int&)}|Error
0xe_BIOS_INVALID_COMMAND_TYPE from BIOS WMI call Read/2Eh while getting Folio state

Error - 6/1/2012 1:09:31 PM | Computer Name = jaredpc-HP | Source = CaslWmi | ID = 5
Description = 2012/06/01 12:09:31.146|000001B4|Error |[CaslWmi]CommandFolio::A{hpCasl.enReturnCode(int&)}|Error
0xe_BIOS_INVALID_COMMAND_TYPE from BIOS WMI call Read/2Eh while getting Folio state

Error - 6/1/2012 1:09:36 PM | Computer Name = jaredpc-HP | Source = CaslWmi | ID = 5
Description = 2012/06/01 12:09:36.206|00001020|Error |[CaslWmi]CommandFolio::A{hpCasl.enReturnCode(int&)}|Error
0xe_BIOS_INVALID_COMMAND_TYPE from BIOS WMI call Read/2Eh while getting Folio state

Error - 6/1/2012 1:21:24 PM | Computer Name = jaredpc-HP | Source = CaslWmi | ID = 5
Description = 2012/06/01 12:21:24.863|00000C3C|Error |[CaslWmi]CommandFolio::A{hpCasl.enReturnCode(int&)}|Error
0xe_BIOS_INVALID_COMMAND_TYPE from BIOS WMI call Read/2Eh while getting Folio state

[ System Events ]
Error - 6/1/2012 3:32:56 PM | Computer Name = jaredpc-HP | Source = DCOM | ID = 10010
Description =

Error - 6/1/2012 3:35:39 PM | Computer Name = jaredpc-HP | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000
Description = WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\Rtlihvs.dll
Error
Code: 126

Error - 6/1/2012 3:44:31 PM | Computer Name = jaredpc-HP | Source = DCOM | ID = 10010
Description =

Error - 6/2/2012 5:22:11 PM | Computer Name = jaredpc-HP | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000
Description = WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\Rtlihvs.dll
Error
Code: 126

Error - 6/2/2012 5:35:03 PM | Computer Name = jaredpc-HP | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 6/2/2012 5:35:03 PM | Computer Name = jaredpc-HP | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 6/2/2012 5:35:04 PM | Computer Name = jaredpc-HP | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 6/2/2012 5:35:04 PM | Computer Name = jaredpc-HP | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 6/2/2012 5:36:13 PM | Computer Name = jaredpc-HP | Source = DCOM | ID = 10010
Description =

Error - 6/2/2012 5:37:15 PM | Computer Name = jaredpc-HP | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000
Description = WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\Rtlihvs.dll
Error
Code: 126


< End of report >

#8 jbww24

jbww24
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 02 June 2012 - 05:09 PM

OUTPUT REQUEST FROM RESULTS.TXT PER POST #4:


ListParts by Farbar Version: 03-06-2012
Ran by jaredpc (administrator) on 02-06-2012 at 17:01:45
Windows 7 (X64)
Running From: C:\Users\jaredpc\Desktop\sp2
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 38%
Total physical RAM: 2666.91 MB
Available physical RAM: 1652.37 MB
Total Pagefile: 5332 MB
Available Pagefile: 3893.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:279.36 GB) (Free:229.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (Recovery) (Fixed) (Total:14.56 GB) (Free:1.62 GB) NTFS
3 Drive e: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:1.08 GB) FAT32
5 Drive g: (8GTHUMB) (Removable) (Total:7.44 GB) (Free:7.41 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 7636 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 279 GB 200 MB
Partition 3 Primary 14 GB 279 GB
Partition 4 Primary 4063 MB 294 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM NTFS Partition 199 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 279 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Recovery NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E HP_TOOLS FAT32 Partition 4063 MB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7635 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 G 8GTHUMB FAT32 Removable 7635 MB Healthy

======================================================================================================
==========================================================
TDL4: custom:26000022


****** End Of Log ******

#9 jbww24

jbww24
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 03 June 2012 - 02:34 PM

fireman4it *bump*

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:21 PM

Posted 03 June 2012 - 03:52 PM

Hello

Please don't bump your topic



1.
Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
OK any security prompts.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.


2.
Download the yorkyt.exe disinfection tool (1,31 MB).

Save the file to your hard disk; to the Windows Desktop, for example.
Double click the yorkyt.exe file.
A reboot will be requested to install a driver.
Another reboot will be requested to complete the disinfection.
When the disinfection is completed, accept the message that will be displayed.
In order to ensure a full cleanup, run a scan of your PC with the antivirus installed.

3.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

4.
Download Bootkit Remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose Select All.
5. Press Control+C (to copy the data).
6. Open a notepad, Click on Edit tab > paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.


Things to include in your next reply::
Fixtdss.exe log
yorkyt.exe log
MBAm log
Bootkit remover log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 jbww24

jbww24
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 03 June 2012 - 04:03 PM

I am unable to get

"4. Download Bootkit Remover to your desktop"

from any source on the internet, including your link. EAGLELAB's says they aren't allowing it to be downloaded anymore.

Even the mirrors are removed for Bootkit Remover. If you have another mirror/download source for EAGLELABS bootkit Remover I'd greatly appreciate it.


I will post the results from post #10 in the next message, without the Bootkit Remover since I cannot find it for download.

thanks

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:21 PM

Posted 03 June 2012 - 04:29 PM

My link

Here a link to bootkit remover.

Edited by fireman4it, 03 June 2012 - 04:30 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#13 jbww24

jbww24
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 03 June 2012 - 04:48 PM

REPLY TO POST #10



1. After reboot TDSS Fix Tool states: "Suspicious use of the kernel callback but MBR appears intact. Repair not done. No infections were found." Unable to click repair, only let's me choose Close.


2. "Detected and infected bad files, reboot?" Clicked Yes to reboot and clean. After reboot Panda reports "Cleanup completed."


3. Running MalwareBytes now and just got your new link for Bootkit Cleaner. All logs requested from post #10 will be in next message. Computer seems to be running faster/better since Panda cleanup. Haven't tried surfing to check if redirects are still happening. Will also put in next post, malwarebytes quickscan currently in progress.

#14 jbww24

jbww24
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 03 June 2012 - 04:56 PM

Boot_cleaner reports:

"298 GB \\.\PhysicalDrive0 MBR STATUS: Controlled by rootkit!" This is the primary hard disk drive/OS Drive.... :-(

Attempted to use cleaner, cleaner fails with: "ERROR: Can't write first sector of the disk"


All logs coming shortly in next post.

#15 jbww24

jbww24
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 03 June 2012 - 04:57 PM

MalwareBytes reports No infected items found. :-(




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users