
Another rootkit devil


  • This topic is locked
12 replies to this topic

#1 DrBrown54

  • Members
  • 6 posts

Posted 07 September 2012 - 09:02 AM

This is not my first rodeo with rootkits, but the one on my work PC is driving me nuts. I have Trend Micro but it did not find anything. The problem seems to be just Google/Bing/Yahoo redirects. Aside from that, everything on the PC is running normally.

I had already gone through several protocols prior to signing up on the forum here, like Malwarebytes, ComboFix and TDSSKiller, BUT those never found anything either. Also worth mentioning is that I am in an office environment and have gone through the steps to flush the IP and restore the network settings back to default. Those had worked for me in the past but not for this rootkit. I began the protocols outlined in this forum by using Defogger, FSS and OTL. I did not see anything that stuck out in the logs, so hopefully someone here can give some advice. Here are the logs...

________________________________________________________________________________
Farbar Service Scanner Version: 06-08-2012
Ran by User (administrator) on 05-09-2012 at 09:51:28
Running from "C:\Users\User\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****




____________________________________________________________________

THIS IS THE OTL LOG FILE
____________________________________________________________________

OTL logfile created on: 9/5/2012 9:53:32 AM - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\User\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19298)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.76 Gb Available Physical Memory | 40.82% Memory free
3.98 Gb Paging File | 2.45 Gb Available in Paging File | 61.61% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 289.21 Gb Total Space | 150.15 Gb Free Space | 51.92% Space Free | Partition Type: NTFS
Drive D: | 8.88 Gb Total Space | 0.85 Gb Free Space | 9.53% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/05 09:52:11 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
PRC - [2012/09/05 09:50:48 | 000,693,235 | ---- | M] (Farbar) -- C:\Users\User\Desktop\FSS.exe
PRC - [2012/08/30 14:41:50 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/08/10 18:59:52 | 004,440,896 | ---- | M] (Akamai Technologies, Inc.) -- C:\Users\User\AppData\Local\Akamai\netsession_win.exe
PRC - [2012/07/20 09:03:43 | 001,536,712 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/08/20 01:34:06 | 001,175,912 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2011/08/20 01:32:40 | 001,178,984 | ---- | M] (Intuit Inc.) -- C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE
PRC - [2011/08/19 23:49:48 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2011/08/19 21:31:14 | 001,248,256 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
PRC - [2009/04/13 10:35:19 | 000,492,808 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/19 03:33:27 | 000,151,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\schtasks.exe
PRC - [2008/01/15 11:26:18 | 004,874,240 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/08/02 21:08:00 | 000,095,504 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
PRC - [2007/04/18 11:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
PRC - [2007/02/15 07:59:00 | 000,118,784 | ---- | M] (OsdMaestro) -- C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
PRC - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () -- C:\Windows\System32\PSIService.exe
PRC - [2006/11/02 05:45:59 | 000,215,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wmdSync.exe
PRC - [2004/06/16 07:02:54 | 000,471,040 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe


========== Modules (No Company Name) ==========

MOD - [2012/08/30 14:41:50 | 002,242,528 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/07/20 09:03:42 | 009,465,032 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_3_300_265.dll
MOD - [2011/08/20 01:33:30 | 000,138,088 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\QBMAPILibrary.dll
MOD - [2011/08/20 01:33:26 | 000,020,840 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\QBCompressor.DLL
MOD - [2011/08/20 01:33:12 | 000,042,344 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\mbpopup.dll
MOD - [2011/08/20 01:32:50 | 000,176,488 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\boost_serialization-vc90-mt-p-1_33.dll
MOD - [2011/08/20 01:32:48 | 000,268,648 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\boost_regex-vc90-mt-p-1_33.dll
MOD - [2011/08/20 01:32:46 | 000,379,752 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\BackupLib.dll
MOD - [2011/08/19 21:30:50 | 000,059,904 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\zlib1.dll
MOD - [2009/11/03 20:14:04 | 000,054,272 | ---- | M] () -- C:\Program Files\Notepad++\NppShell_01.dll
MOD - [2009/04/13 10:35:33 | 000,128,264 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEHook.dll
MOD - [2007/09/20 18:34:58 | 000,129,024 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2007/08/02 21:07:56 | 000,034,064 | ---- | M] () -- C:\Program Files\Common Files\Ulead Systems\AutoDetector\DetMethod.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/08/30 14:41:50 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/19 23:49:48 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2011/08/19 21:31:14 | 001,248,256 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe -- (QBVSS)
SRV - [2011/08/19 21:30:58 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2011/06/26 02:45:56 | 000,256,000 | R--- | M] () [Auto | Stopped] -- C:\ComboFix\pev.3XE -- (PEVSystemStart)
SRV - [2010/10/07 07:33:18 | 000,711,320 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe -- (SfCtlCom)
SRV - [2009/09/03 05:07:28 | 000,497,008 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\Internet Security\TmPfw.exe -- (TmPfw)
SRV - [2009/09/03 04:51:40 | 000,677,128 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy)
SRV - [2009/04/13 10:35:19 | 000,341,256 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/19 03:36:49 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2008/01/19 03:36:15 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SMARTVTabletPCx86.sys -- (SMARTVTabletPCx86)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SMARTVHidMini2000x86.sys -- (SMARTVHidMini2000x86)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SMARTMouseFilterx86.sys -- (SMARTMouseFilterx86)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/08/16 09:12:32 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/08/02 13:44:16 | 000,031,744 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Users\User\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/07/12 06:44:10 | 000,262,416 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmxpflt.sys -- (tmxpflt)
DRV - [2011/07/12 06:43:58 | 000,036,624 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmpreflt.sys -- (tmpreflt)
DRV - [2011/07/12 06:09:32 | 001,405,720 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vsapint.sys -- (vsapint)
DRV - [2010/07/05 11:20:02 | 000,050,256 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2010/07/05 11:19:56 | 000,050,256 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2010/07/05 11:19:50 | 000,154,192 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/04/13 10:35:37 | 000,256,528 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmwfp.sys -- (tmwfp)
DRV - [2009/04/13 10:35:37 | 000,145,424 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tmlwf.sys -- (tmlwf)
DRV - [2009/04/13 10:35:37 | 000,080,400 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2009/04/11 00:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (winusb)
DRV - [2008/08/01 19:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/05/22 14:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/05/08 16:06:20 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2008/05/08 05:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 05:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2007/10/26 19:51:24 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2005/12/12 13:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
IE - HKLM\..\SearchScopes,DefaultScope = {122618CA-EDCC-4901-ADE3-676812245040}
IE - HKLM\..\SearchScopes\{122618CA-EDCC-4901-ADE3-676812245040}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
IE - HKLM\..\SearchScopes\{3A21D82B-ECB6-4ED7-BB40-27836C9E0C29}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKLM\..\SearchScopes\{AD54EB9D-22E5-4386-932F-83AE9E596077}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes,DefaultScope = {122618CA-EDCC-4901-ADE3-676812245040}
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes\{122618CA-EDCC-4901-ADE3-676812245040}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes\{3A21D82B-ECB6-4ED7-BB40-27836C9E0C29}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes\{AD54EB9D-22E5-4386-932F-83AE9E596077}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes\{E163AE6E-254C-5FF4-BE33-4CBD31D63F5C}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z125&form=ZGAIDF&install_date=20110916&iesrc={referrer:source}
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;<local>

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: seotoolbar@seobook.com:1.0.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {5911488E-9D1E-40ec-8CBB-06B231CC153F}:2.3.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z125&form=ZGAADF&install_date=20110916&q="
FF - prefs.js..network.proxy.type: 4
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Users\User\AppData\Roaming\nprhapengine.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/01/13 14:17:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/08/30 14:41:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/07/10 09:15:49 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/01/13 14:17:12 | 000,000,000 | ---D | M]

[2009/01/30 13:44:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Extensions
[2012/08/23 09:05:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\chcvr2ad.default\extensions
[2011/04/18 14:22:42 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\chcvr2ad.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/09/16 09:53:25 | 000,001,945 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\chcvr2ad.default\searchplugins\bing-zugo.xml
[2012/07/10 09:15:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/07/10 09:15:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
[2008/06/24 09:08:52 | 000,000,000 | ---D | M] (Smart Notebook Extension) -- C:\Program Files\Mozilla Firefox\extensions\{D6D05E6F-D5C1-4e03-8E33-73F92B05E262}
[2012/08/23 09:05:53 | 000,341,143 | ---- | M] () (No name found) -- C:\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CHCVR2AD.DEFAULT\EXTENSIONS\{A7C6CF7F-112C-4500-A7EA-39801A327E5F}.XPI
[2012/08/01 15:07:14 | 000,221,589 | ---- | M] () (No name found) -- C:\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CHCVR2AD.DEFAULT\EXTENSIONS\SEOTOOLBAR@SEOBOOK.COM.XPI
[2012/08/30 14:41:50 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/30 14:41:49 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/08/30 14:41:49 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.60\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.83\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.83\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.83\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: DivX Player Netscape Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Java™ Platform SE 6 U33 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 6.0.330.3 (Enabled) = C:\Windows\system32\npdeployJava1.dll
CHR - plugin: RealNetworks Rhapsody Player Engine (Enabled) = C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: Google Update (Enabled) = C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/08/03 10:28:18 | 000,000,732 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (CIEDownload Object) - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll (SMART Technologies ULC.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SunJavaUpdateReg] C:\Windows\System32\jureg.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe (Ulead Systems, Inc.)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-18..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000..\Run: [Akamai NetSession Interface] C:\Users\User\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc.)
O4 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O15 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.16.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A8AF857-B8D0-4BC1-9E14-B12EF29BC146}: DhcpNameServer = 192.168.16.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A8AF857-B8D0-4BC1-9E14-B12EF29BC146}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol\Handler\intu-help-qb5 {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\User\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\User\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/27 11:15:52 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{7cff693a-5350-11dd-b659-001d6065165b}\Shell - "" = AutoRun
O33 - MountPoints2\{7cff693a-5350-11dd-b659-001d6065165b}\Shell\AutoRun\command - "" = J:\LaunchU3.exe
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\wd_windows_tools\WDSetup.exe
O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\wd_windows_tools\WDSetup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SMART Board Tools.lnk - - File not found
MsConfig - StartUpReg: SMART Board Service - hkey= - key= - File not found
MsConfig - StartUpReg: SMARTSNMPAgent.exe - hkey= - key= - File not found
MsConfig - State: "startup" - 2
MsConfig - State: "bootini" - 2

SafeBootMin: 79442435.sys - Driver
SafeBootMin: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - C:\ComboFix\pev.3XE ()
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {1897C549-AE52-4571-8996-44854F5612B2} - Microsoft .NET Framework 1.1 Security Update (KB2656370)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.tscc - C:\Windows\System32\tsccvid.dll (TechSmith Corporation)
Drivers32: vidc.XVID - C:\Windows\System32\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/09/05 09:52:03 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2012/09/05 09:50:48 | 000,693,235 | ---- | C] (Farbar) -- C:\Users\User\Desktop\FSS.exe
[2012/08/16 09:12:32 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2012/08/15 17:02:06 | 002,047,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/08/15 15:55:17 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/08/15 15:55:16 | 000,629,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2012/08/15 15:55:16 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/08/15 15:55:15 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/08/15 15:55:15 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2012/08/15 15:55:15 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2012/08/15 15:55:15 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2012/08/15 15:55:15 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2012/08/15 15:55:15 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/08/15 15:55:15 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2012/08/15 15:55:15 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2012/08/15 15:55:14 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/08/15 15:55:14 | 000,174,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2012/08/15 15:55:14 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/08/15 15:55:14 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2012/08/15 15:55:14 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2012/08/15 15:55:14 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2012/08/15 15:55:14 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2012/08/07 15:13:32 | 000,000,000 | ---D | C] -- C:\ProgramData\EarthScape
[2012/08/07 14:54:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Corel DESIGNER Technical Suite X4
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\User\Desktop\*.tmp files -> C:\Users\User\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/05 09:52:11 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2012/09/05 09:50:48 | 000,693,235 | ---- | M] (Farbar) -- C:\Users\User\Desktop\FSS.exe
[2012/09/05 09:29:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2717635380-2294264606-1682586835-1000UA.job
[2012/09/05 09:29:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2717635380-2294264606-1682586835-1000Core.job
[2012/09/05 09:13:28 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/09/04 15:55:42 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/04 15:55:42 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/04 14:32:57 | 000,002,001 | ---- | M] () -- C:\Users\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/09/04 10:00:44 | 000,696,520 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/09/04 10:00:44 | 000,073,416 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/09/04 09:55:41 | 000,000,300 | -HS- | M] () -- C:\Windows\tasks\TKGK.job
[2012/08/30 09:31:55 | 000,699,272 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/08/30 09:31:55 | 000,141,760 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/08/23 16:52:58 | 000,129,536 | ---- | M] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/08/22 13:44:35 | 000,312,025 | ---- | M] () -- C:\Users\User\Desktop\Verbena-Red1.psd
[2012/08/22 13:43:26 | 001,520,920 | ---- | M] () -- C:\Users\User\Desktop\Verbena-Red2.psd
[2012/08/16 09:12:32 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2012/08/16 09:07:49 | 001,858,840 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/08/15 09:07:51 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{9622C7AB-5BF1-4F37-9706-2EC12BBF707D}.job
[2012/08/13 05:56:27 | 209,899,800 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/08/09 16:38:51 | 000,000,918 | ---- | M] () -- C:\Users\User\Desktop\Dropbox.lnk
[2012/08/09 16:38:51 | 000,000,898 | ---- | M] () -- C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2012/08/09 14:47:26 | 000,000,940 | ---- | M] () -- C:\Users\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/08/09 14:43:16 | 000,060,304 | ---- | M] () -- C:\Users\User\g2mdlhlpx.exe
[2012/08/07 15:13:27 | 000,001,924 | ---- | M] () -- C:\Users\Public\Desktop\EarthScapes 1.0.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\User\Desktop\*.tmp files -> C:\Users\User\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/08/22 13:44:35 | 000,312,025 | ---- | C] () -- C:\Users\User\Desktop\Verbena-Red1.psd
[2012/08/22 13:43:26 | 001,520,920 | ---- | C] () -- C:\Users\User\Desktop\Verbena-Red2.psd
[2012/08/13 05:56:27 | 209,899,800 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/08/07 15:13:27 | 000,001,924 | ---- | C] () -- C:\Users\Public\Desktop\EarthScapes 1.0.lnk
[2012/08/07 15:13:27 | 000,001,924 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EarthScapes 1.0.lnk
[2012/06/21 12:52:37 | 000,000,095 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2012/01/05 14:36:33 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/05 14:36:33 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/05 14:36:33 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/05 14:36:33 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/05 14:36:33 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/09 13:54:27 | 000,151,552 | ---- | C] () -- C:\Windows\System32\nvRegDev.dll
[2011/11/18 14:10:14 | 000,000,680 | ---- | C] () -- C:\Users\User\AppData\Local\d3d9caps.dat
[2011/11/18 14:00:30 | 000,000,440 | ---- | C] () -- C:\ProgramData\hVFsJRFx4U2WTR
[2011/11/03 10:34:05 | 000,094,720 | RHS- | C] () -- C:\Windows\System32\C_210257.dll
[2011/09/16 09:53:24 | 000,819,200 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2011/09/16 09:53:24 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2011/08/10 13:10:03 | 000,000,005 | ---- | C] () -- C:\Users\User\AppData\Roaming\DACalendar.prefs
[2011/06/09 13:39:44 | 000,060,304 | ---- | C] () -- C:\Users\User\g2mdlhlpx.exe
[2011/02/10 10:47:25 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2008/05/07 11:36:12 | 000,000,092 | ---- | C] () -- C:\Users\User\AppData\Local\fusioncache.dat
[2008/01/23 12:38:38 | 000,129,536 | ---- | C] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Custom Scans ==========

< "%WinDir%\$NtUninstallKB*$." /30 >

< C:\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2011/11/03 10:34:05 | 000,094,720 | RHS- | M] () Unable to obtain MD5 -- C:\Windows\system32\C_210257.dll

< %systemroot%\Tasks\*.job /lockedfiles >
[2012/09/04 09:55:41 | 000,000,300 | -HS- | M] () Unable to obtain MD5 -- C:\Windows\Tasks\TKGK.job

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 06:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\system32\drivers\mbam.sys
[2012/08/16 09:12:32 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\system32\drivers\mbamswissarmy.sys

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AFD.SYS >
[2011/04/21 09:58:27 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=3911B972B55FEA0478476B2E777B29FA -- C:\Windows\System32\drivers\afd.sys
[2011/04/21 09:58:27 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=3911B972B55FEA0478476B2E777B29FA -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys
[2011/04/21 09:16:42 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=48EB99503533C27AC6135648E5474457 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
[2006/11/02 04:58:43 | 000,270,336 | ---- | M] (Microsoft Corporation) MD5=5D24CAF8EFD924A875698FF28384DB8B -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys
[2011/04/21 09:28:53 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=70EE0FC7A0F384DBD929A01384AEEB4B -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2008/01/19 01:57:03 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=763E172A55177E478CB419F88FD0BA03 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
[2009/04/11 00:47:03 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=A201207363AA900ABF1A388468688570 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
[2011/04/21 09:12:21 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=C8AF25017CECB75906A571AC70D2D306 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/19 03:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/19 03:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/02/14 04:04:19 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/02/14 04:04:19 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/02/14 04:04:18 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: EXPLORER.EXE >
[2008/10/29 02:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008/10/29 23:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2007/11/17 15:03:58 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[2007/11/17 15:03:57 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008/10/27 22:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2006/11/02 05:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
[2008/01/19 03:33:10 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: NETBT.SYS >
[2008/01/19 01:55:35 | 000,184,320 | ---- | M] (Microsoft Corporation) MD5=7C5FEE5B1C5728507CD96FB4A13E7A02 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
[2006/11/02 04:57:20 | 000,184,320 | ---- | M] (Microsoft Corporation) MD5=E3A168912E7EEFC3BD3B814720D68B41 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys
[2009/04/11 00:45:37 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=ECD64230A59CBD93C85F1CD1CAB9F3F6 -- C:\Windows\System32\drivers\netbt.sys
[2009/04/11 00:45:37 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=ECD64230A59CBD93C85F1CD1CAB9F3F6 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

< MD5 for: TDX.SYS >
[2009/04/11 00:45:56 | 000,072,192 | ---- | M] (Microsoft Corporation) MD5=76B06EB8A01FC8624D699E7045303E54 -- C:\Windows\System32\drivers\tdx.sys
[2009/04/11 00:45:56 | 000,072,192 | ---- | M] (Microsoft Corporation) MD5=76B06EB8A01FC8624D699E7045303E54 -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys
[2006/11/02 04:57:35 | 000,068,096 | ---- | M] (Microsoft Corporation) MD5=AB4FDE8AF4A0270A46A001C08CBCE1C2 -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys
[2008/01/19 01:55:58 | 000,071,680 | ---- | M] (Microsoft Corporation) MD5=D09276B1FAB033CE1D40DCBDF303D10F -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys

< MD5 for: VOLSNAP.SYS >
[2006/11/02 05:51:18 | 000,208,488 | ---- | M] (Microsoft Corporation) MD5=11EF6C1CAEF76B685233450A126125D6 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys
[2009/04/11 02:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\Windows\System32\drivers\volsnap.sys
[2009/04/11 02:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys
[2009/04/11 02:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys
[2008/01/09 04:02:46 | 000,211,000 | ---- | M] (Microsoft Corporation) MD5=327639D2EC931B057F3826A51ADC73E9 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6000.20709_none_146318401803edb5\volsnap.sys
[2008/01/09 04:02:46 | 000,211,000 | ---- | M] (Microsoft Corporation) MD5=80DC0C9BCB579ED9815001A4D37CBFD5 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_f47b2c78\volsnap.sys
[2008/01/09 04:02:46 | 000,211,000 | ---- | M] (Microsoft Corporation) MD5=80DC0C9BCB579ED9815001A4D37CBFD5 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6000.16586_none_137ff950ff29e447\volsnap.sys
[2008/01/19 03:42:48 | 000,227,896 | ---- | M] (Microsoft Corporation) MD5=D8B4A53DD2769F226B3EB374374987C9 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys
[2008/01/19 03:42:48 | 000,227,896 | ---- | M] (Microsoft Corporation) MD5=D8B4A53DD2769F226B3EB374374987C9 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys

< MD5 for: WININIT.EXE >
[2008/01/19 03:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe
[2008/01/19 03:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[2006/11/02 05:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2012/07/03 13:46:42 | 000,217,672 | ---- | M] () MD5=8A7F34F0BBD076EC3815680A7309114F -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2006/11/02 05:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2008/01/19 03:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/08/30 14:41:49 | 000,883,864 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/08/30 14:41:49 | 000,883,864 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/08/30 14:41:49 | 000,883,864 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/08/30 14:41:50 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/08/30 14:41:50 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/08/30 14:41:50 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome.Q5IJGI2LLN4JTKVR3INQHJPERQ\InstallInfo\\ShowIconsCommand: "C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe" --show-icons [2012/08/29 22:58:46 | 001,229,848 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome.Q5IJGI2LLN4JTKVR3INQHJPERQ\InstallInfo\\HideIconsCommand: "C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe" --hide-icons [2012/08/29 22:58:46 | 001,229,848 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome.Q5IJGI2LLN4JTKVR3INQHJPERQ\InstallInfo\\ReinstallCommand: "C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/08/29 22:58:46 | 001,229,848 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome.Q5IJGI2LLN4JTKVR3INQHJPERQ\shell\open\command\\: "C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe" [2012/08/29 22:58:46 | 001,229,848 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2012/06/28 04:19:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2012/06/28 04:19:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2012/06/28 04:19:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012/06/28 07:40:41 | 000,638,048 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2012/06/28 07:40:41 | 000,638,048 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/08/30 14:41:49 | 000,883,864 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/08/30 14:41:49 | 000,883,864 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/08/30 14:41:49 | 000,883,864 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/08/30 14:41:50 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/08/30 14:41:50 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/08/30 14:41:50 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome.Q5IJGI2LLN4JTKVR3INQHJPERQ\InstallInfo\\ShowIconsCommand: "C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe" --show-icons [2012/08/29 22:58:46 | 001,229,848 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome.Q5IJGI2LLN4JTKVR3INQHJPERQ\InstallInfo\\HideIconsCommand: "C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe" --hide-icons [2012/08/29 22:58:46 | 001,229,848 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome.Q5IJGI2LLN4JTKVR3INQHJPERQ\InstallInfo\\ReinstallCommand: "C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/08/29 22:58:46 | 001,229,848 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome.Q5IJGI2LLN4JTKVR3INQHJPERQ\shell\open\command\\: "C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe" [2012/08/29 22:58:46 | 001,229,848 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2012/06/28 04:19:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2012/06/28 04:19:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2012/06/28 04:19:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012/06/28 07:40:41 | 000,638,048 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2012/06/28 07:40:41 | 000,638,048 | ---- | M] (Microsoft Corporation)

< End of report >




________________________________________________________

OTL EXTRAS LOG
________________________________________________________

OTL Extras logfile created on: 9/5/2012 9:53:32 AM - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\User\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19298)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.76 Gb Available Physical Memory | 40.82% Memory free
3.98 Gb Paging File | 2.45 Gb Available in Paging File | 61.61% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 289.21 Gb Total Space | 150.15 Gb Free Space | 51.92% Space Free | Partition Type: NTFS
Drive D: | 8.88 Gb Total Space | 0.85 Gb Free Space | 9.53% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2717635380-2294264606-1682586835-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- "%1" %*
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"UacDisableNotify" = 1
"InternetSettingsDisableNotify" = 1
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- (EarthLink, Inc.)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00D747E4-01C5-4373-8FE8-E2200E72085D}" = lport=2869 | protocol=6 | dir=in | name=tcp 2869 |
"{08E43AF0-336B-4477-902F-51E362E848CF}" = lport=5207 | protocol=6 | dir=in | name=windows core service |
"{46BD7556-3B91-4F7C-BEA3-2350AC117017}" = lport=1900 | protocol=17 | dir=in | name=udp 1900 |
"{9D921772-D6F9-4361-BBE4-0AAC6D118D90}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{13E93BA6-4511-45B2-9CDB-A4613ADAD7D2}" = protocol=6 | dir=in | app=c:\windows\installer\{4182e42e-33b1-4f9b-8d70-7854e1a992aa}\_34d351a8a6fa16d1f8829a.exe |
"{1AB1FB8C-5B45-4288-88CF-B9ECC904E5BE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe |
"{1F5CC3B1-A5BA-4E2E-9D06-2F045D3A6C77}" = protocol=6 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
"{25DF000C-8352-4C95-86BD-D90FA79DEA37}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{2C49A7B7-AF9B-4BCC-B73D-6EC125D607EB}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{35A068F9-CD7F-4F80-8DEE-091095149BEF}" = protocol=17 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
"{3A539E39-5DB0-4B02-8A66-69DCC4934938}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpse.exe |
"{3FE4DD3D-AC4C-47E6-8386-96C05C67E660}" = protocol=17 | dir=in | app=c:\users\user\appdata\roaming\dropbox\bin\dropbox.exe |
"{4F53CDDB-67BD-4385-9F61-3DCA26811808}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe |
"{60E4330D-03B3-45C1-B204-23753562E295}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe |
"{8A711136-98A0-45A1-A8BC-58A53C926231}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe |
"{9443997F-61F8-4B50-9E81-7E62EFE07763}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{94EB73F5-6EEF-4872-ACBA-1BD7AC4B0C61}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{975D25E8-9AEF-4CA4-88C9-964F4F41CB75}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{A1E3DCF2-0427-467A-B707-E6F191D191CD}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpsapp.exe |
"{A1EAF321-72CD-4CF8-8D7A-EC66C5B073C2}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{A2FD8508-D466-48D9-B55E-9144B36486AC}" = protocol=17 | dir=in | app=c:\windows\installer\{4182e42e-33b1-4f9b-8d70-7854e1a992aa}\_34d351a8a6fa16d1f8829a.exe |
"{B4C2C5DB-84A4-48F1-A358-23BB782EED4F}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgh.exe |
"{C889BB29-2DCA-4F74-9104-485F2316C5CE}" = protocol=6 | dir=in | app=c:\users\user\appdata\local\akamai\netsession_win.exe |
"{CDE7A216-88F1-476F-9B96-525D5F7DBDAB}" = protocol=6 | dir=in | app=c:\users\user\appdata\roaming\dropbox\bin\dropbox.exe |
"{E460F9A3-3215-454E-BB3D-5D404963FF35}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe |
"{FB7BB98B-82F3-4EA5-96D5-4E8D662E2365}" = protocol=17 | dir=in | app=c:\users\user\appdata\local\akamai\netsession_win.exe |
"{FB9424B3-ABB1-4B19-B671-B5CD1CF32328}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgm.exe |
"TCP Query User{29FE8DFA-813E-4ADF-83E1-5B6D5E047091}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{D224FE11-D45D-4812-8FCB-F704FDAB2158}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{26EB0D27-3960-41E7-AB29-1800AAD4ED1A}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{E3559912-2A9D-4EAF-A5A7-3B48D482E8B5}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{18355D5F-FABE-49A2-B359-92020DBD51B1}" = Corel DESIGNER Technical Suite X4 - Windows Shell Extension
"_{870DCAE9-E488-48C9-A512-F67914695750}" = Corel DESIGNER Technical Suite X4
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
"{029B5901-1F27-4347-9923-E8ACC8F54E15}" = Snapfish Picture Mover
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0670F9EB-3862-48A3-87B3-358064A01CAF}" = Unilock Paver Hatch Patterns v9.0.1
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0A2C5854-557E-48C8-835A-3B9F074BDCAA}" = Python 2.5
"{0A47BAFF-D4FF-4BD3-96CA-02A22EA62722}" = HP Active Support Library
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive
"{12E75B98-8463-4C1F-8DDA-F6CF31566A55}" = Google SketchUp Pro 6
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{14AF024E-2E3B-49D0-A175-D1C1A06B155A}" = muvee autoProducer 6.0
"{15803703-25FA-4C01-A062-3F4A59937E87}" = Ulead PhotoImpact X3
"{15C70064-2463-49dd-9A88-B700F75BB428}" = dj_sf_ProductContext
"{1635620D-E548-406C-A74E-7492DC23AE71}" = Corel Designer Technical Suite X4 - IPM
"{18355D5F-FABE-49A2-B359-92020DBD51B1}" = Corel DESIGNER Technical Suite X4 - Windows Shell Extension
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{209CDA54-D390-46A2-A97C-7BF61734418D}" = WeatherBug Gadget
"{22057D8D-7CC8-46FF-AD8C-9BD24F9014F3}" = QuickBooks Pro 2012
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{23F79416-CAD1-41BF-99A3-040F6C814AAA}" = NVIDIA Photoshop Plug-ins
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{25E202D1-D8E7-46AF-B4B0-157D9993A93E}" = QuickBooks
"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java™ 6 Update 33
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{326957C7-83FD-4550-A59A-849B7B4297DE}" = Microsoft Easy Assist v2
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3BF317C6-64FF-4931-91B3-6DE4BD5989C8}" = Corel DESIGNER Technical Suite X4 - Lang DE
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{40E12A55-C504-4223-AFAC-7672DBF1ACDE}" = Trend Micro Internet Security
"{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend
"{4182E42E-33B1-4F9B-8D70-7854E1A992AA}" = EarthScapes 1.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}" = HP Active Support Library 32 bit components
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6D63CBA6-3563-45E7-8D0C-97E92259542D}" = Visual Basic for Applications ® Core
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro Internet Security
"{730837D4-FF5E-48DB-BA49-33E732DFF0B3}" = PanoStandAlone
"{73A43E42-3658-4DD9-8551-FACDA3632538}" = HP Advisor
"{75C22B40-6D12-4439-80DC-CAB3313EADA5}" = dj_sf_software_req
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{870DCAE9-E488-48C9-A512-F67914695750}" = Corel DESIGNER Technical Suite X4 - ICA
"{87885939-F824-42bf-B790-231B1E8EF2BB}" = dj_sf_software
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D8024F1-2945-49A5-9B78-5AB7B11D7942}_is1" = Auslogics Registry Cleaner
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio MyDVD Basic v9
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{99041921-18B5-4d36-9729-BE5A671B1932}" = D4200
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BB86A32-E255-40F8-97CD-F65FD7BA5180}" = Visual Basic for Applications ® Core - English
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
"{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback
"{9FE94C17-25AD-4142-A012-E0BBE923C711}" = D4200_Help
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B0FE14F0-85BB-4CBF-A7C5-FE95475C1D1B}" = Corel DESIGNER Technical Suite X4 - Lang EN
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B395BC1D-CC06-425E-9049-4CD985EFF004}" = LightScribe 1.8.15.1
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{BF63B535-6649-4272-B831-157E0E27FA6D}" = Deep Exploration 5.7 CE
"{C0E8FE43-C35B-451D-B35F-D4BD056D70E7}" = Camtasia Studio 7
"{C12D609B-EB71-411B-82C3-9BE6D40435D7}" = Google SketchUp LayOut 6
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1E2E687-4DA2-4124-89E1-2B0B7CC65C89}" = MobileMapper Office ver. 3.40
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{E9E9C6AE-1D9D-4A6F-B5F4-AA673E9861BD}" = Deep Exploration 5 CE
"{EB459C2F-41CA-4222-B9CA-F8EBA40B8DAB}" = Google SketchUp 6 Exporters
"{EF147A9D-D94E-4875-910D-2AF98CBDFE2E}" = Corel DESIGNER Technical Suite X4 - Lang FR
"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F3CBA4E6-436E-4B51-9651-93830EE38616}" = Windows Messenger 5.1 MUI Pack
"{F581DF68-CAE9-4064-A6CD-705D95D1C756}" = Notebook Software
"{F5936267-D467-4e7b-8940-A7D9F0398EF3}" = HP Deskjet Printer Driver Software 9.0
"{FC7FFBD9-853B-4D16-BACC-852FE46E5E85}" = Corel DESIGNER Technical Suite X4
"{FD95FDC1-418F-4C6A-B8B8-658707875D59}" = Corel DESIGNER Technical Suite X4 - VBA
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Akamai" = Akamai NetSession Interface Service
"Any Video Converter_is1" = Any Video Converter 3.0.3
"Bomgar Representative Console [support.visualimpactimaging.com]" = Bomgar Representative Console [support.visualimpactimaging.com]
"CCleaner" = CCleaner
"Click'N Design 3D (V5)" = Click'N Design 3D (V5) (Help File Patch Applied)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Soft Data Fax Modem with SmartCP
"CutePDF Writer Installation" = CutePDF Writer 2.7
"DDS Converter 2.1" = DDS Converter 2.1
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Google Desktop" = Google Desktop
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPExtendedCapabilities" = HP Customer Participation Program 9.0
"InstallShield_{15803703-25FA-4C01-A062-3F4A59937E87}" = Ulead PhotoImpact X3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Microsoft Visual Studio 2005 Tools for Office Runtime
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Mozilla Firefox 15.0 (x86 en-US)" = Mozilla Firefox 15.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"OsdMaestro" = HP On-Screen Cap/Num/Scroll Lock Indicator
"PC-Doctor 5 for Windows" = Hardware Diagnostic Tools
"PROPLUS" = Microsoft Office Professional Plus 2007
"Rhapsody" = Rhapsody
"Shop for HP Supplies" = Shop for HP Supplies
"Visual Impact Library" = Visual Impact Library
"VLC media player" = VLC media player 2.0.1
"WildTangent hp Master Uninstall" = My HP Games
"WinRAR archiver" = WinRAR archiver
"Xvid_is1" = Xvid 1.2.2 final uninstall
"YTdetect" = Yahoo! Detect

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2717635380-2294264606-1682586835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Akamai" = Akamai NetSession Interface
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome
"GoToMeeting" = GoToMeeting 5.1.0.880

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 11/12/2009 3:18:04 PM | Computer Name = User-PC | Source = Application Hang | ID = 1002
Description = The program CorelPP.exe version 12.5.0.479 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 14c0 Start Time: 01ca63ccbae357e0 Termination Time: 11

Error - 11/12/2009 4:09:31 PM | Computer Name = User-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/12/2009 4:09:31 PM | Computer Name = User-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/16/2009 5:48:54 PM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application Explorer.EXE, version 6.0.6001.18164, time stamp
0x4907e242, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x9899c9cb, process id 0x71c, application start time
0x01ca66c5e8e3c1ab.

Error - 11/24/2009 2:16:51 PM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6001.18319, time stamp
0x4a966702, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6,
exception code 0xc0000005, fault offset 0x00043387, process id 0x18a8, application
start time 0x01ca6d0f71e01b90.

Error - 11/24/2009 2:27:01 PM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6001.18319, time stamp
0x4a966702, faulting module hpswp_framework.dll, version 2.15.7.0, time stamp 0x45e7d710,
exception code 0xc000000d, fault offset 0x0000d03e, process id 0x20d0, application
start time 0x01ca6d324ea63bf0.

Error - 12/1/2009 10:49:38 AM | Computer Name = User-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 12/1/2009 2:11:51 PM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6001.18319, time stamp
0x4a966702, faulting module hpswp_selection_ie7.dll, version 2.15.7.0, time stamp
0x45e7d609, exception code 0xc0000005, fault offset 0x000284d4, process id 0xee0,
application start time 0x01ca7290572b5860.

Error - 12/1/2009 2:14:36 PM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6001.18319, time stamp
0x4a966702, faulting module hpswp_selection_ie7.dll, version 2.15.7.0, time stamp
0x45e7d609, exception code 0xc0000005, fault offset 0x000284d4, process id 0x1538,
application start time 0x01ca72b1c53a61e0.

Error - 12/3/2009 4:38:37 PM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6001.18319, time stamp
0x4a966702, faulting module hpswp_selection_ie7.dll, version 2.15.7.0, time stamp
0x45e7d609, exception code 0xc0000005, fault offset 0x000284d4, process id 0x5e4,
application start time 0x01ca7421c9427900.

[ Media Center Events ]
Error - 2/15/2008 11:09:49 AM | Computer Name = User-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
returned 0D Process: DefaultDomain Object Name: Media Center Guide

Error - 2/15/2008 11:14:49 AM | Computer Name = User-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
returned 0D Process: DefaultDomain Object Name: Media Center Guide

Error - 2/15/2008 11:19:49 AM | Computer Name = User-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
returned 0D Process: DefaultDomain Object Name: Media Center Guide

Error - 2/15/2008 11:24:49 AM | Computer Name = User-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
returned 0D Process: DefaultDomain Object Name: Media Center Guide

Error - 2/15/2008 11:29:49 AM | Computer Name = User-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
returned 0D Process: DefaultDomain Object Name: Media Center Guide

Error - 2/21/2008 11:11:07 AM | Computer Name = User-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 6/2/2008 9:36:16 AM | Computer Name = User-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 6/7/2008 5:37:01 PM | Computer Name = User-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 8/28/2008 9:19:34 AM | Computer Name = User-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 6/9/2009 9:14:19 AM | Computer Name = User-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 8/21/2012 9:03:50 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 8/24/2012 9:12:22 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 8/24/2012 9:13:42 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 8/27/2012 9:12:04 AM | Computer Name = User-PC | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 001D6065165B. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 9/4/2012 9:57:25 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/4/2012 9:57:25 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 9/4/2012 9:57:25 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/4/2012 9:59:22 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 9/4/2012 10:00:01 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 9/4/2012 10:00:05 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7000
Description =


< End of report >

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:47 PM

Posted 11 September 2012 - 08:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Run OTL - Double-click OTL.exe to start it.

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - [2011/06/26 02:45:56 | 000,256,000 | R--- | M] () [Auto | Stopped] -- C:\ComboFix\pev.3XE -- (PEVSystemStart)
    FF - prefs.js..extensions.enabledItems: {5911488E-9D1E-40ec-8CBB-06B231CC153F}:2.3.0
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O13 - gopher Prefix: missing
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

===

Remove the AdWare, PUP (Potentially Unwanted Program) found.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Please post the logs and let me know if the problem persists.
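For readers following along, here is an added example (written for this page; it is not a BleepingComputer, OldTimer or AdwCleaner tool) of the pattern-matching a responder does by eye when assembling a fix like the one above: it reads OTL-style log lines and flags orphaned services, drivers, BHOs and Run entries, a missing URL-prefix default, and a statically configured DNS resolver that differs from the DHCP-assigned one (the usual thing to verify in a search-redirect case). The heuristics are assumptions, the sample lines are copied from this thread's logs with a few clean entries added for contrast, and a flag means "review", not "delete".

```python
"""Triage OTL-style scan log lines for orphaned entries and DNS changes.

Added example for this thread; not part of OTL, ComboFix or AdwCleaner.
The heuristics below are assumptions that mirror what a responder looks
for when composing an :OTL fix: entries whose file or CLSID is gone,
empty autorun values, missing URL-prefix defaults, and a statically set
resolver that is not the DHCP-assigned one.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: OTL lines copied from the logs in this thread, plus
# a few clean lines for contrast. Raw string, so backslashes are literal.
SAMPLE_LOG = r"""
SRV - [2011/06/26 02:45:56 | 000,256,000 | R--- | M] () [Auto | Stopped] -- C:\ComboFix\pev.3XE -- (PEVSystemStart)
SRV - [2012/09/07 15:11:18 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe -- (Amsp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKU\.DEFAULT..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe File not found
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.16.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A8AF857-B8D0-4BC1-9E14-B12EF29BC146}: NameServer = 8.8.8.8,8.8.4.4
"""


@dataclass
class Finding:
    kind: str   # short label for the heuristic that fired
    line: str   # the offending log line, verbatim


def triage_otl(log_text: str) -> List[Finding]:
    """Return one Finding per log line that a responder should look at."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]

    # First pass: collect the DHCP-assigned resolvers so static NameServer
    # values can be compared against what the network actually handed out.
    dhcp_dns = set()
    for line in lines:
        m = re.search(r"DhcpNameServer = (.+)$", line)
        if m:
            dhcp_dns.update(s.strip() for s in m.group(1).split(","))

    findings: List[Finding] = []
    for line in lines:
        if line.startswith("SRV - File not found"):
            findings.append(Finding("orphaned_service", line))
        elif line.startswith("DRV - File not found"):
            findings.append(Finding("orphaned_driver", line))
        elif line.startswith("SRV - ") and " () " in line:
            # Empty company-name field: binary carries no vendor metadata.
            findings.append(Finding("unsigned_no_company_service", line))
        elif line.startswith("O2 - BHO:") and line.endswith("No CLSID value found."):
            findings.append(Finding("orphaned_bho", line))
        elif line.startswith("O4 - ") and ("Run: []" in line or line.endswith("File not found")):
            findings.append(Finding("orphaned_autorun", line))
        elif line.startswith("O13 - ") and line.endswith("missing"):
            findings.append(Finding("missing_url_prefix", line))
        elif line.startswith("O17 - "):
            # Only the static NameServer key; "DhcpNameServer" does not match
            # because the regex requires "NameServer" directly after the colon.
            m = re.search(r":\s*NameServer = (.+)$", line)
            if m:
                servers = {s.strip() for s in m.group(1).split(",")}
                if dhcp_dns and not servers <= dhcp_dns:
                    findings.append(Finding("static_dns_differs_from_dhcp", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per heuristic, e.g. {'orphaned_autorun': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage_otl(SAMPLE_LOG):
        print(f"{f.kind:32s} {f.line}")
    print(summarize(triage_otl(SAMPLE_LOG)))
```

Run against the sample, the static-DNS check fires because the interface's NameServer (8.8.8.8, 8.8.4.4) is not the DHCP-assigned 192.168.16.1; whether that was set deliberately while troubleshooting or by something else is exactly the question to answer before touching it.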

#3 DrBrown54

DrBrown54
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:47 PM

Posted 11 September 2012 - 02:18 PM

I tried to follow your instructions but had an issue...

I successfully ran your Custom Scan code. When I rebooted, the DDS and OTL shortcuts were gone from my Desktop?? Crazy! So I had to redownload it and run the quick scan. Here is that log:

OTL logfile created on: 9/11/2012 2:50:22 PM - Run 1
OTL by OldTimer - Version 3.2.61.3 Folder = C:\Users\User\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19298)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.81 Gb Available Physical Memory | 43.24% Memory free
3.98 Gb Paging File | 2.74 Gb Available in Paging File | 68.72% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 289.21 Gb Total Space | 143.12 Gb Free Space | 49.49% Space Free | Partition Type: NTFS
Drive D: | 8.88 Gb Total Space | 0.95 Gb Free Space | 10.76% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/11 14:42:51 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
PRC - [2012/09/07 15:11:19 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/08/10 18:59:52 | 004,440,896 | ---- | M] (Akamai Technologies, Inc.) -- C:\Users\User\AppData\Local\Akamai\netsession_win.exe
PRC - [2012/07/20 09:03:43 | 001,536,712 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
PRC - [2012/02/27 09:44:06 | 000,133,424 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
PRC - [2011/08/19 23:49:48 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2011/08/19 21:31:14 | 005,828,952 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
PRC - [2011/08/19 21:31:14 | 001,248,256 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/19 03:33:27 | 000,151,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\schtasks.exe
PRC - [2008/01/15 11:26:18 | 004,874,240 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/04/18 11:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
PRC - [2007/02/15 07:59:00 | 000,118,784 | ---- | M] (OsdMaestro) -- C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
PRC - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () -- C:\Windows\System32\PSIService.exe
PRC - [2006/11/02 05:45:59 | 000,215,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wmdSync.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/07 15:11:18 | 002,244,064 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/07/20 09:03:42 | 009,465,032 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_3_300_265.dll
MOD - [2012/06/22 03:22:43 | 018,058,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\cfece6f67593b4d8bb58d23b7fdcc470\System.ServiceModel.ni.dll
MOD - [2012/06/22 03:20:50 | 001,925,632 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\dbe597aa9c12df5d08fb2f3f9872b834\System.Web.Services.ni.dll
MOD - [2012/06/22 03:20:03 | 001,782,272 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\d234eceae699d070b5a5712ce776c01f\System.Xaml.ni.dll
MOD - [2012/06/22 03:09:31 | 018,000,896 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\199683f6e79076b634ee6cc0a82c0654\PresentationFramework.ni.dll
MOD - [2012/06/22 03:09:15 | 011,451,904 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\e7dc084827f8df2dbdc819db5c633a0d\PresentationCore.ni.dll
MOD - [2012/06/22 03:09:04 | 013,198,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\3971e166cf827b6726e142f344061dc9\System.Windows.Forms.ni.dll
MOD - [2012/06/22 03:09:03 | 003,858,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\21f37f9f5162af7efb52169012bd111e\WindowsBase.ni.dll
MOD - [2012/06/22 03:08:55 | 005,617,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d1f299160424bad90fe9f658661389e2\System.Xml.ni.dll
MOD - [2012/06/22 03:08:55 | 001,666,048 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\8c40f40ef36622109793788049fbe9ab\System.Drawing.ni.dll
MOD - [2012/06/22 03:08:52 | 000,982,528 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\623d2a0f11dd82bb9bc13d1cb981b239\System.Configuration.ni.dll
MOD - [2012/06/22 03:08:01 | 007,069,184 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\ed91b57205429a23bb91f4499059a459\System.Core.ni.dll
MOD - [2012/06/22 03:07:50 | 009,091,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\6f9f0467e8b2dd3f69b015c8e30ac945\System.ni.dll
MOD - [2012/06/22 03:07:39 | 014,412,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\3953b1d8b9b57e4957bff8f58145384e\mscorlib.ni.dll
MOD - [2007/05/11 01:50:00 | 000,017,024 | ---- | M] () -- C:\Program Files\Adobe\Reader 8.0\Reader\ViewerPS.dll


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe -- (Amsp)
SRV - [2012/09/07 15:11:18 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011/08/19 23:49:48 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2011/08/19 21:31:14 | 001,248,256 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe -- (QBVSS)
SRV - [2011/08/19 21:30:58 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/19 03:36:49 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2008/01/19 03:36:15 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SMARTVTabletPCx86.sys -- (SMARTVTabletPCx86)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SMARTVHidMini2000x86.sys -- (SMARTVHidMini2000x86)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SMARTMouseFilterx86.sys -- (SMARTMouseFilterx86)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/09/06 09:03:26 | 000,092,432 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2012/09/06 09:03:26 | 000,068,368 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2012/09/06 09:03:25 | 000,205,072 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2012/09/06 09:03:25 | 000,081,168 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2009/04/11 00:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (winusb)
DRV - [2008/08/01 19:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/05/22 14:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/05/08 16:06:20 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2008/05/08 05:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 05:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2007/10/26 19:51:24 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2005/12/12 13:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
IE - HKLM\..\SearchScopes,DefaultScope = {122618CA-EDCC-4901-ADE3-676812245040}
IE - HKLM\..\SearchScopes\{122618CA-EDCC-4901-ADE3-676812245040}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
IE - HKLM\..\SearchScopes\{3A21D82B-ECB6-4ED7-BB40-27836C9E0C29}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKLM\..\SearchScopes\{AD54EB9D-22E5-4386-932F-83AE9E596077}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&amp;entrypoint={referrer:source?}&amp;FORM=HVDUS7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes,DefaultScope = {122618CA-EDCC-4901-ADE3-676812245040}
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes\{122618CA-EDCC-4901-ADE3-676812245040}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes\{3A21D82B-ECB6-4ED7-BB40-27836C9E0C29}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes\{AD54EB9D-22E5-4386-932F-83AE9E596077}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&amp;entrypoint={referrer:source?}&amp;FORM=HVDUS7
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..\SearchScopes\{E163AE6E-254C-5FF4-BE33-4CBD31D63F5C}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z125&form=ZGAIDF&install_date=20110916&iesrc={referrer:source}
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;<local>

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledAddons: seotoolbar@seobook.com:1.1.36
FF - prefs.js..extensions.enabledAddons: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:2.0.7
FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}:6.0.33
FF - prefs.js..extensions.enabledAddons: {38783831-6098-4faa-A9C9-1EE1E343F4D2}:7.1.0.1102
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Users\User\AppData\Roaming\nprhapengine.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\User\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/01/13 14:17:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{38783831-6098-4faa-A9C9-1EE1E343F4D2}: C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\firefoxextension [2012/09/08 15:26:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\ [2012/09/08 15:26:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/07 15:11:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/07 15:11:13 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/01/13 14:17:12 | 000,000,000 | ---D | M]

[2009/01/30 13:44:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Extensions
[2012/08/23 09:05:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\chcvr2ad.default\extensions
[2011/04/18 14:22:42 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\chcvr2ad.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/08/01 15:07:14 | 000,221,589 | ---- | M] () (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\chcvr2ad.default\extensions\seotoolbar@seobook.com.xpi
[2012/08/23 09:05:53 | 000,341,143 | ---- | M] () (No name found) -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\chcvr2ad.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}.xpi
[2011/09/16 09:53:25 | 000,001,945 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\chcvr2ad.default\searchplugins\bing-zugo.xml
[2012/09/07 15:11:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/09/07 15:11:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
[2012/09/07 15:11:12 | 000,000,000 | ---D | M] (Smart Notebook Extension) -- C:\Program Files\Mozilla Firefox\extensions\{D6D05E6F-D5C1-4e03-8E33-73F92B05E262}
[2012/09/08 15:26:21 | 000,000,000 | ---D | M] (Trend Micro BEP Firefox Extension) -- C:\PROGRAM FILES\TREND MICRO\AMSP\MODULE\20002\7.1.1102\7.1.1102\FIREFOXEXTENSION
[2012/09/07 15:11:19 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/30 14:41:49 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/08/30 14:41:49 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.60\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.83\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.83\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\User\AppData\Local\Google\Chrome\Application\21.0.1180.83\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: DivX Player Netscape Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Java™ Platform SE 6 U33 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 6.0.330.3 (Enabled) = C:\Windows\system32\npdeployJava1.dll
CHR - plugin: RealNetworks Rhapsody Player Engine (Enabled) = C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: Google Update (Enabled) = C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/08/03 10:28:18 | 000,000,732 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll (Trend Micro Inc.)
O2 - BHO: (CIEDownload Object) - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\Notebook Software\NotebookPlugin.dll (SMART Technologies ULC.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll (Trend Micro Inc.)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SunJavaUpdateReg] C:\Windows\System32\jureg.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe (Ulead Systems, Inc.)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\S-1-5-18..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000..\Run: [Akamai NetSession Interface] C:\Users\User\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc.)
O4 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe File not found
O4 - Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O15 - HKU\S-1-5-21-2717635380-2294264606-1682586835-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.16.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A8AF857-B8D0-4BC1-9E14-B12EF29BC146}: DhcpNameServer = 192.168.16.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A8AF857-B8D0-4BC1-9E14-B12EF29BC146}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol\Handler\intu-help-qb5 {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll (Trend Micro Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\User\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\User\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/27 11:15:52 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{7cff693a-5350-11dd-b659-001d6065165b}\Shell - "" = AutoRun
O33 - MountPoints2\{7cff693a-5350-11dd-b659-001d6065165b}\Shell\AutoRun\command - "" = J:\LaunchU3.exe
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\wd_windows_tools\WDSetup.exe
O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\wd_windows_tools\WDSetup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/11 14:42:49 | 000,600,064 | ---- | C] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2012/09/11 14:40:06 | 000,607,260 | ---- | C] (Swearware) -- C:\Users\User\Desktop\dds.com
[2012/09/08 15:13:18 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Trend Micro Titanium Internet Security 2012
[2012/09/08 15:07:44 | 000,092,432 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmtdi.sys
[2012/09/08 15:06:17 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2012/09/08 15:06:17 | 000,081,168 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmactmon.sys
[2012/09/08 15:06:17 | 000,068,368 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmevtmgr.sys
[2012/09/07 15:11:10 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/09/05 10:27:05 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\Avery Templates
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\User\Desktop\*.tmp files -> C:\Users\User\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/11 14:42:51 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2012/09/11 14:40:58 | 000,302,592 | ---- | M] () -- C:\Users\User\Desktop\i959y82o.exe
[2012/09/11 14:40:09 | 000,607,260 | ---- | M] (Swearware) -- C:\Users\User\Desktop\dds.com
[2012/09/11 14:29:43 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2717635380-2294264606-1682586835-1000UA.job
[2012/09/11 14:28:18 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/11 14:28:16 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/11 14:27:31 | 001,858,840 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/09/11 14:27:04 | 000,000,300 | -HS- | M] () -- C:\Windows\tasks\TKGK.job
[2012/09/11 14:26:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/09/11 09:29:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2717635380-2294264606-1682586835-1000Core.job
[2012/09/08 15:06:15 | 000,710,792 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/09/08 15:06:15 | 000,145,620 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/09/08 15:04:11 | 000,000,056 | ---- | M] () -- C:\Windows\System32\SupportTool.exe.bat
[2012/09/06 09:03:26 | 000,092,432 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmtdi.sys
[2012/09/06 09:03:26 | 000,068,368 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmevtmgr.sys
[2012/09/06 09:03:25 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2012/09/06 09:03:25 | 000,081,168 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmactmon.sys
[2012/09/04 14:32:57 | 000,002,001 | ---- | M] () -- C:\Users\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/08/23 16:52:58 | 000,129,536 | ---- | M] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/08/22 13:44:35 | 000,312,025 | ---- | M] () -- C:\Users\User\Desktop\Verbena-Red1.psd
[2012/08/22 13:43:26 | 001,520,920 | ---- | M] () -- C:\Users\User\Desktop\Verbena-Red2.psd
[2012/08/15 09:07:51 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{9622C7AB-5BF1-4F37-9706-2EC12BBF707D}.job
[2012/08/13 05:56:27 | 209,899,800 | ---- | M] () -- C:\Windows\MEMORY.DMP
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\User\Desktop\*.tmp files -> C:\Users\User\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/11 14:40:43 | 000,302,592 | ---- | C] () -- C:\Users\User\Desktop\i959y82o.exe
[2012/09/08 15:04:11 | 000,000,056 | ---- | C] () -- C:\Windows\System32\SupportTool.exe.bat
[2012/08/22 13:44:35 | 000,312,025 | ---- | C] () -- C:\Users\User\Desktop\Verbena-Red1.psd
[2012/08/22 13:43:26 | 001,520,920 | ---- | C] () -- C:\Users\User\Desktop\Verbena-Red2.psd
[2012/08/13 05:56:27 | 209,899,800 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/06/21 12:52:37 | 000,000,095 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2011/12/09 13:54:27 | 000,151,552 | ---- | C] () -- C:\Windows\System32\nvRegDev.dll
[2011/11/18 14:10:14 | 000,000,680 | ---- | C] () -- C:\Users\User\AppData\Local\d3d9caps.dat
[2011/11/18 14:00:30 | 000,000,440 | ---- | C] () -- C:\ProgramData\hVFsJRFx4U2WTR
[2011/11/03 10:34:05 | 000,094,720 | RHS- | C] () -- C:\Windows\System32\C_210257.dll
[2011/09/16 09:53:24 | 000,819,200 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2011/09/16 09:53:24 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2011/08/10 13:10:03 | 000,000,005 | ---- | C] () -- C:\Users\User\AppData\Roaming\DACalendar.prefs
[2011/06/09 13:39:44 | 000,060,304 | ---- | C] () -- C:\Users\User\g2mdlhlpx.exe
[2011/02/10 10:47:25 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2008/05/07 11:36:12 | 000,000,092 | ---- | C] () -- C:\Users\User\AppData\Local\fusioncache.dat
[2008/01/23 12:38:38 | 000,129,536 | ---- | C] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2010/03/23 15:48:20 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\AnvSoft
[2012/09/11 14:31:09 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Dropbox
[2010/10/29 12:48:03 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Notepad++
[2009/12/08 11:45:16 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\quickhit.football.QHFootball.4D5206CA741FBF5FD6AAD1A97F5076E917382B34.1
[2008/06/24 10:10:33 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\SMART Technologies
[2008/06/24 09:09:47 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\SMART Technologies Inc
[2007/11/17 14:54:59 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Snapfish
[2009/06/09 15:09:38 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Ulead Systems
[2008/02/07 10:03:55 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\WinBatch
[2009/10/16 15:31:49 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\WTouch
[2012/09/11 14:25:41 | 000,032,566 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/09/11 14:27:04 | 000,000,300 | -HS- | M] () -- C:\Windows\Tasks\TKGK.job
[2012/08/15 09:07:51 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{9622C7AB-5BF1-4F37-9706-2EC12BBF707D}.job

========== Purity Check ==========


< End of report >




And this is the adwcleaner log:
# AdwCleaner v2.001 - Logfile created 09/11/2012 at 15:03:33
# Updated 09/09/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : User - USER-PC
# Boot Mode : Normal
# Running from : C:\Users\User\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.19298

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0.1 (en-US)

-\\ Google Chrome v21.0.1180.89

*************************

AdwCleaner[S1].txt - [1575 octets] - [11/09/2012 15:03:33]

########## EOF - C:\AdwCleaner[S1].txt - [1635 octets] ##########




The end result is if I go to Google in Firefox and do a search, the first link always goes where it's supposed to. If I go back and do a 2nd search the links get redirected. In IE it gets redirected on the first try. Chrome is still redirected as well. Thanks again for your help! Unfortunately this one is a tough booger!
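
An added example for triaging the OTL output above (this is not a tool from the thread and not part of the original post): a small Python script that parses the line formats OTL uses, compares each interface's static NameServer value against the DhcpNameServer recorded for the same key (O17), and flags EnableLUA = 0 (O6), CD-ROM AutoRun (O32) and files whose attribute field carries both Hidden and System. The sample lines are constructed from the formats in the log; the rule names and the advice text are the example's own. A flag only means "look here next", not that the file or setting is malicious.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample lines, copied in format from the OTL log above (not a
# full log). The triage rules below are this example's own, not OTL's.
SAMPLE_LOG = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.16.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A8AF857-B8D0-4BC1-9E14-B12EF29BC146}: DhcpNameServer = 192.168.16.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A8AF857-B8D0-4BC1-9E14-B12EF29BC146}: NameServer = 8.8.8.8,8.8.4.4
O32 - HKLM CDRom: AutoRun - 1
[2012/09/11 14:27:04 | 000,000,300 | -HS- | M] () -- C:\Windows\tasks\TKGK.job
[2012/09/11 14:26:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/11/03 10:34:05 | 000,094,720 | RHS- | C] () -- C:\Windows\System32\C_210257.dll
[2012/09/11 14:42:51 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
"""

# One entry per file in the "Files/Folders" sections:
#   [date time | size | attrs | C-or-M] (company) -- path [-- [ fs ]]
# attrs is four characters: Read-only, Hidden, System, Directory ("-" = unset).
FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- "
    r"(?P<path>.+?)(?: -- \[ [A-Z0-9]+ \])?$"
)
O17_RE = re.compile(r"^O17 - (?P<key>\S+): (?P<name>DhcpNameServer|NameServer) = (?P<value>\S+)$")
O6_RE = re.compile(r"^O6 - \S+: EnableLUA = (?P<value>\d)$")
O32_RE = re.compile(r"^O32 - HKLM CDRom: AutoRun - (?P<value>\d)$")


@dataclass(frozen=True)
class Finding:
    rule: str     # short rule name
    subject: str  # registry value or file path the finding is about
    detail: str   # what to verify next


def triage(log_text: str) -> list[Finding]:
    """Return the lines a responder should look at first, in log order,
    with DNS-override findings appended once all O17 lines are known."""
    findings: list[Finding] = []
    dhcp_dns: dict[str, str] = {}    # registry key -> DHCP-supplied resolver(s)
    static_dns: dict[str, str] = {}  # registry key -> manually set resolver(s)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O17_RE.match(line):
            target = dhcp_dns if m["name"] == "DhcpNameServer" else static_dns
            target[m["key"]] = m["value"]
        elif (m := O6_RE.match(line)) and m["value"] == "0":
            findings.append(Finding(
                "uac-disabled", "EnableLUA",
                "UAC is off, so any code this user runs already has the full "
                "administrator token; re-enable it and reboot before trusting new scans"))
        elif (m := O32_RE.match(line)) and m["value"] == "1":
            findings.append(Finding(
                "autorun-enabled", "HKLM CDRom AutoRun",
                "AutoRun is enabled for CD-ROM drives; disable it on a machine "
                "that is being cleaned with removable media"))
        elif m := FILE_RE.match(line):
            attrs = m["attrs"]
            # Hidden+System on a plain file is unusual outside the OS's own
            # files, so it earns a closer look; directories are skipped.
            if "H" in attrs and "S" in attrs and "D" not in attrs:
                company = m["company"] or "no company name"
                findings.append(Finding(
                    "hidden-system-file", m["path"],
                    f"attributes {attrs}, {company}, last changed {m['stamp']}; "
                    "check its origin and hash before deciding it is benign"))

    # A per-interface NameServer value wins over DhcpNameServer. Different
    # values mean the host is not using the resolver the LAN handed out.
    for key, servers in static_dns.items():
        supplied = dhcp_dns.get(key)
        if supplied and servers != supplied:
            findings.append(Finding(
                "dns-override", key,
                f"static NameServer {servers} overrides DHCP-supplied {supplied}; "
                "confirm who set it and that it matches the office resolver"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.subject}\n    {f.detail}")
```

Run it directly to print the findings for the sample, or call `triage()` on a pasted OTL log. With the values from the log above it reports the hidden+system `TKGK.job` and `C_210257.dll` entries, the disabled UAC, CD-ROM AutoRun, and the `8.8.8.8,8.8.4.4` override of the DHCP resolver `192.168.16.1`. The log's O7 `NoDriveTypeAutoRun = 145` also governs AutoRun per drive type; the script checks only the CDRom value.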

#4 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 September 2012 - 07:21 AM

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
Click Go and copy/paste the log (Result.txt) into your next post.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

If still no joy, check all your browser's add-ons and extensions.

If you find any that you are not sure of disable it.

These are the ones I know are causing issues.

Firebit
Extension version 1.29
XUL Cache 1.0
safe browsing 2.0.14


Delete any of them if found. If you identify a new bad one please give me the name.

If still having issues

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

Keep me posted.

#5 DrBrown54
  • Topic Starter
  • Members
  • 6 posts

Posted 12 September 2012 - 11:11 AM

MiniToolBox by Farbar Version: 23-07-2012
Ran by User (administrator) on 12-09-2012 at 09:11:54
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.


**** End of log ****


I also opened Firefox and disabled all add-ons and extensions just to be sure, as there are only a handful in Firefox. I installed Chrome right after the redirects started and Chrome redirected right away. So I don't think it's anything specific to one browser or its extensions, or Chrome would not have been redirecting immediately after installation. I never use Chrome either, it's just there for cross browser compatibility testing. Just figured I should explain more in case that would help. Just for giggles I got a screen shot of the Firefox add-ons and it's attached to this reply.


The ESET has been running all morning and is taking forever, it keeps getting stuck on certain files. I'm at 42% but it did find 2 threats thus far. When it's finished and I've completed the rest of your instructions I will report back later this afternoon. Thanks again for the prompt help!! :thumbsup:

Attached Files



#6 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 September 2012 - 12:27 PM

If Eset does not find the culprit run these tools.

>>> Download to your Desktop GooredFix by jpshortstuff from here or here
Ensure all Firefox windows are closed, then right-click on GooredFix.exe and select Run As Administrator. Click Yes when prompted to run the scan.
GooredFix will check for infections, and then a log will appear and can also be found on your desktop, called GooredFix.txt.
Please copy and paste the contents of this log in your next reply.

p.s. On a Vista or Windows 7 computer right-click and select Run As Administrator.
===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


#7 DrBrown54
  • Topic Starter
  • Members
  • 6 posts

Posted 12 September 2012 - 12:57 PM

The results found by ESET are in the attached screen shot.


Here is the GooredFix log:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 13:50 on 12/09/2012 (User)
Firefox version 15.0.1 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:11 07/09/2012]
{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [19:11 07/09/2012]
{D6D05E6F-D5C1-4e03-8E33-73F92B05E262} [19:11 07/09/2012]

C:\Users\User\Application Data\Mozilla\Firefox\Profiles\chcvr2ad.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [18:22 18/04/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [16:27 03/03/2009]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [18:17 13/01/2010]
"{38783831-6098-4faa-A9C9-1EE1E343F4D2}"="C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\firefoxextension" [19:26 08/09/2012]
"{22C7F6C6-8D67-4534-92B5-529A0EC09405}"="C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\" [19:26 08/09/2012]

-=E.O.F=-




Results of screen317's Security Check version 0.99.50
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Trend Micro Internet Security
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
Auslogics Registry Cleaner
Java™ 6 Update 33
Java™ SE Runtime Environment 6 Update 1
Java version out of Date!
Adobe Flash Player 11.3.300.265
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (15.0.1)
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

Attached Files


Edited by DrBrown54, 12 September 2012 - 12:58 PM.


#8 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 September 2012 - 01:25 PM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 33
Java™ SE Runtime Environment 6 Update 1


===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

===

Is the problem persisting?

#9 DrBrown54
  • Topic Starter
  • Members
  • 6 posts

Posted 17 September 2012 - 10:57 AM

Sorry I didn't reply sooner, the reply notification email went in spam. I did as suggested and updated both Java and Adobe Reader. But the problem hasn't changed at all. Still redirects in all browsers.

#10 nasdaq
  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 September 2012 - 12:28 PM

Download this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter. Or FRST.exe if 32 bit system.

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

p.s.
Please note that this is not the same Farbar tool that we previously used.

#11 DrBrown54
  • Topic Starter
  • Members
  • 6 posts

Posted 17 September 2012 - 02:09 PM

Redirects are still occurring. But here is the log:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-09-2012 01
Ran by SYSTEM at 17-09-2012 14:57:08
Running from J:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
HKLM\...\Run: [KBD] C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
HKLM\...\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [118784 2007-02-15] (OsdMaestro)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [71176 2007-05-24] (Hewlett-Packard)
HKLM\...\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe" [54936 2007-04-07] (Sun Microsystems, Inc.)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-03-11] (Hewlett-Packard Co.)
HKLM\...\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2004-06-16] (InstallShield Software Corporation)
HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe [x]
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13539872 2008-05-22] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2008-05-22] (NVIDIA Corporation)
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [1838592 2008-10-09] (Google)
HKLM\...\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe [95504 2007-08-02] (Ulead Systems, Inc.)
HKLM\...\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-03-17] (Apple Inc.)
HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1874264 2011-08-19] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL "" [1304824 2012-07-05] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [133424 2012-02-27] (Trend Micro Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1644088 2009-08-05] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1644088 2009-08-05] (Hewlett-Packard)
HKU\User\...\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY [1644088 2009-08-05] (Hewlett-Packard)
HKU\User\...\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [221184 2004-06-16] (InstallShield Software Corporation)
HKU\User\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\User\...\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [x]
HKU\User\...\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe" "/Trigger RunAtLogon" [39816 2012-02-07] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\User\...\Run: [Akamai NetSession Interface] "C:\Users\User\AppData\Local\Akamai\netsession_win.exe" [4440896 2012-08-10] (Akamai Technologies, Inc.)
HKU\User\...\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-08-03] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.16.1
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
Tcpip\..\Interfaces\{1A8AF857-B8D0-4BC1-9E14-B12EF29BC146}: [NameServer]8.8.8.8,8.8.4.4
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bomgar Representative Client [support.visualimpactimaging.com].lnk
ShortcutTarget: Bomgar Representative Client [support.visualimpactimaging.com].lnk -> C:\Program Files\Bomgar\Representative\support.visualimpactimaging.com\bomgar-rep.exe (Bomgar Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Inc.)
Startup: C:\Users\User\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\windows\system32\config\systemprofile\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)

==================== Services (Whitelisted) ===================

3 GoogleDesktopManager; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [1838592 2008-10-09] (Google)
2 ProtexisLicensing; C:\Windows\system32\PSIService.exe [174656 2006-11-02] ()
2 QBVSS; "C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe" [1248256 2011-08-19] (Intuit Inc.)
2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [x]
2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
3 IDriverT; "c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" [x]
2 LightScribeService; "c:\Program Files\Common Files\LightScribe\LSSrvc.exe" [x]
2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]
4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
4 NetMsmqActivator; "c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [x]
4 NetPipeActivator; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpActivator; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpPortSharing; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
3 RoxMediaDB9; "c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe" [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]
3 stllssvr; "c:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

==================== Drivers (Whitelisted) ====================

2 MCSTRM; C:\Windows\System32\Drivers\MCSTRM.sys [8413 2008-05-08] (RealNetworks, Inc.)
0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [43872 2007-06-20] (Sonic Solutions)
1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [81168 2012-09-06] (Trend Micro Inc.)
1 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [205072 2012-09-06] (Trend Micro Inc.)
1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [68368 2012-09-06] (Trend Micro Inc.)
1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [92432 2012-09-06] (Trend Micro Inc.)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 SMARTMouseFilterx86; C:\Windows\System32\DRIVERS\SMARTMouseFilterx86.sys [x]
3 SMARTVHidMini2000x86; C:\Windows\System32\DRIVERS\SMARTVHidMini2000x86.sys [x]
3 SMARTVTabletPCx86; C:\Windows\System32\DRIVERS\SMARTVTabletPCx86.sys [x]
2 TMAgent; [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-09-17 14:57 - 2012-09-17 14:57 - 00000000 ____D C:\FRST
2012-09-17 08:05 - 2012-09-17 08:59 - 00204674 ____A C:\Users\User\Desktop\TEST LIST.xlsx
2012-09-17 07:18 - 2012-09-17 07:16 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-09-17 07:17 - 2012-09-17 07:17 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2012-09-17 07:17 - 2012-09-17 07:16 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-09-17 07:17 - 2012-09-17 07:16 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-09-17 05:38 - 2012-09-17 05:38 - 05127511 ____A C:\Users\User\Desktop\WARNICK PROPERTY ESTIMATE.DES
2012-09-17 05:38 - 2012-09-17 05:38 - 00012785 ____A C:\Users\User\Desktop\Warnick Property.epx
2012-09-12 10:13 - 2012-09-12 10:14 - 00008390 ____A C:\Users\User\Desktop\calendar.html
2012-09-12 09:50 - 2012-09-12 09:50 - 00002376 ____A C:\Users\User\Desktop\GooredFix.txt
2012-09-12 09:50 - 2012-09-12 09:50 - 00000000 ____D C:\Users\User\Desktop\GooredFix Backups
2012-09-12 09:27 - 2012-09-14 12:23 - 00054363 ____A C:\Users\User\Desktop\Backup_of_Plan1.des
2012-09-12 08:16 - 2012-09-17 10:42 - 00055966 ____A C:\Users\User\Desktop\Plan1.des
2012-09-12 08:08 - 2012-09-12 08:08 - 00000424 ____A C:\Users\User\Desktop\video-demo-2012-09-11 (3).csv
2012-09-12 07:48 - 2012-09-12 07:48 - 00000441 ____A C:\Users\User\Desktop\Web Demo Lead Instructions.txt
2012-09-12 07:43 - 2012-09-12 11:04 - 00004526 ____A C:\Users\User\Desktop\landscape-software-demo-2012-09-11 (2).csv
2012-09-12 05:32 - 2012-09-12 05:32 - 00000000 ____D C:\Program Files\ESET
2012-09-12 05:11 - 2012-09-12 05:11 - 00000772 ____A C:\Users\User\Desktop\Result.txt
2012-09-11 11:19 - 2012-09-11 11:19 - 00001704 ____A C:\Users\User\Desktop\AdwCleaner[S1].txt
2012-09-11 11:03 - 2012-09-11 11:19 - 00001704 ____A C:\AdwCleaner[S1].txt
2012-09-11 10:58 - 2012-09-11 10:58 - 00065450 ____A C:\Users\User\Desktop\Extras.Txt
2012-09-11 10:57 - 2012-09-11 10:57 - 00073186 ____A C:\Users\User\Desktop\OTL.Txt
2012-09-11 09:55 - 2012-09-11 11:02 - 00038102 ____A C:\Users\User\Desktop\BLEEPING PC.txt
2012-09-08 11:07 - 2012-09-06 05:03 - 00092432 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmtdi.sys
2012-09-08 11:06 - 2012-09-06 05:03 - 00205072 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
2012-09-08 11:06 - 2012-09-06 05:03 - 00081168 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmactmon.sys
2012-09-08 11:06 - 2012-09-06 05:03 - 00068368 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmevtmgr.sys
2012-09-08 11:04 - 2012-09-08 11:04 - 00000056 ____A C:\Windows\System32\SupportTool.exe.bat
2012-09-07 11:11 - 2012-09-10 06:14 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-09-05 08:02 - 2012-09-05 08:03 - 00537748 ____A C:\Users\User\Desktop\AllItemsForImport_Dan (Autosaved).xlsx
2012-08-22 09:44 - 2012-08-22 09:44 - 00312025 ____A C:\Users\User\Desktop\Verbena-Red1.psd
2012-08-22 09:43 - 2012-08-22 09:43 - 01520920 ____A C:\Users\User\Desktop\Verbena-Red2.psd
2012-08-22 06:05 - 2012-08-22 06:24 - 00006330 ____A C:\Users\User\Desktop\VINGS.txt

==================== 3 Months Modified Files ==================

2012-09-17 10:51 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-17 10:51 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-17 10:50 - 2007-10-11 20:29 - 02060098 ____A C:\Windows\WindowsUpdate.log
2012-09-17 10:50 - 2006-11-02 05:01 - 00032566 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-17 10:50 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-17 10:49 - 2012-06-04 11:31 - 00544991 ____A C:\Users\User\Desktop\AllItemsForImport_Dan.xlsx
2012-09-17 10:42 - 2012-09-12 08:16 - 00055966 ____A C:\Users\User\Desktop\Plan1.des
2012-09-17 10:34 - 2012-08-03 05:19 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2717635380-2294264606-1682586835-1000UA.job
2012-09-17 10:17 - 2006-11-02 02:33 - 00855902 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-17 08:59 - 2012-09-17 08:05 - 00204674 ____A C:\Users\User\Desktop\TEST LIST.xlsx
2012-09-17 07:17 - 2012-09-17 07:17 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2012-09-17 07:16 - 2012-09-17 07:18 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-09-17 07:16 - 2012-09-17 07:17 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-09-17 07:16 - 2012-09-17 07:17 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-09-17 07:16 - 2010-04-28 05:38 - 00746984 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-09-17 05:43 - 2010-06-11 10:23 - 00000452 ____A C:\Users\User\Application Data\Recent.txt
2012-09-17 05:43 - 2010-06-11 10:23 - 00000452 ____A C:\Users\User\AppData\Roaming\Recent.txt
2012-09-17 05:38 - 2012-09-17 05:38 - 05127511 ____A C:\Users\User\Desktop\WARNICK PROPERTY ESTIMATE.DES
2012-09-17 05:38 - 2012-09-17 05:38 - 00012785 ____A C:\Users\User\Desktop\Warnick Property.epx
2012-09-17 05:34 - 2012-08-03 05:19 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2717635380-2294264606-1682586835-1000Core.job
2012-09-17 05:03 - 2011-11-03 06:34 - 00000300 __ASH C:\Windows\Tasks\TKGK.job
2012-09-14 12:23 - 2012-09-12 09:27 - 00054363 ____A C:\Users\User\Desktop\Backup_of_Plan1.des
2012-09-14 06:05 - 2012-05-11 05:03 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-09-14 06:05 - 2011-06-30 05:05 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-09-12 11:04 - 2012-09-12 07:43 - 00004526 ____A C:\Users\User\Desktop\landscape-software-demo-2012-09-11 (2).csv
2012-09-12 10:14 - 2012-09-12 10:13 - 00008390 ____A C:\Users\User\Desktop\calendar.html
2012-09-12 09:50 - 2012-09-12 09:50 - 00002376 ____A C:\Users\User\Desktop\GooredFix.txt
2012-09-12 09:31 - 2006-11-02 02:24 - 62164608 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-09-12 08:08 - 2012-09-12 08:08 - 00000424 ____A C:\Users\User\Desktop\video-demo-2012-09-11 (3).csv
2012-09-12 07:48 - 2012-09-12 07:48 - 00000441 ____A C:\Users\User\Desktop\Web Demo Lead Instructions.txt
2012-09-12 05:11 - 2012-09-12 05:11 - 00000772 ____A C:\Users\User\Desktop\Result.txt
2012-09-11 11:19 - 2012-09-11 11:19 - 00001704 ____A C:\Users\User\Desktop\AdwCleaner[S1].txt
2012-09-11 11:19 - 2012-09-11 11:03 - 00001704 ____A C:\AdwCleaner[S1].txt
2012-09-11 11:02 - 2012-09-11 09:55 - 00038102 ____A C:\Users\User\Desktop\BLEEPING PC.txt
2012-09-11 10:58 - 2012-09-11 10:58 - 00065450 ____A C:\Users\User\Desktop\Extras.Txt
2012-09-11 10:57 - 2012-09-11 10:57 - 00073186 ____A C:\Users\User\Desktop\OTL.Txt
2012-09-11 10:29 - 2007-11-17 10:55 - 00161064 ____A C:\Users\User\Local Settings\GDIPFONTCACHEV1.DAT
2012-09-11 10:29 - 2007-11-17 10:55 - 00161064 ____A C:\Users\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-09-11 10:29 - 2007-11-17 10:55 - 00161064 ____A C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-11 10:27 - 2006-11-02 04:47 - 01858840 ____A C:\Windows\System32\FNTCACHE.DAT
2012-09-11 10:26 - 2012-08-01 11:22 - 00009002 ____A C:\Windows\PFRO.log
2012-09-08 11:04 - 2012-09-08 11:04 - 00000056 ____A C:\Windows\System32\SupportTool.exe.bat
2012-09-06 05:03 - 2012-09-08 11:07 - 00092432 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmtdi.sys
2012-09-06 05:03 - 2012-09-08 11:06 - 00205072 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
2012-09-06 05:03 - 2012-09-08 11:06 - 00081168 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmactmon.sys
2012-09-06 05:03 - 2012-09-08 11:06 - 00068368 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmevtmgr.sys
2012-09-05 08:03 - 2012-09-05 08:02 - 00537748 ____A C:\Users\User\Desktop\AllItemsForImport_Dan (Autosaved).xlsx
2012-09-05 07:22 - 2012-08-01 11:23 - 00209644 ____A C:\Windows\TmComm.log
2012-08-23 12:52 - 2008-01-23 08:38 - 00129536 ____A C:\Users\User\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-23 12:52 - 2008-01-23 08:38 - 00129536 ____A C:\Users\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-23 12:52 - 2008-01-23 08:38 - 00129536 ____A C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-22 09:44 - 2012-08-22 09:44 - 00312025 ____A C:\Users\User\Desktop\Verbena-Red1.psd
2012-08-22 09:43 - 2012-08-22 09:43 - 01520920 ____A C:\Users\User\Desktop\Verbena-Red2.psd
2012-08-22 06:24 - 2012-08-22 06:05 - 00006330 ____A C:\Users\User\Desktop\VINGS.txt
2012-08-15 05:07 - 2007-12-18 08:07 - 00000416 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{9622C7AB-5BF1-4F37-9706-2EC12BBF707D}.job
2012-08-13 05:28 - 2012-08-01 12:09 - 00000908 ____A C:\Windows\TMFilter.log
2012-08-13 01:56 - 2012-08-13 01:56 - 209899800 ____A C:\Windows\MEMORY.DMP
2012-08-13 01:56 - 2012-08-13 01:56 - 00140352 ____A C:\Windows\Minidump\Mini081312-01.dmp
2012-08-09 12:38 - 2012-01-09 07:31 - 00000918 ____A C:\Users\User\Desktop\Dropbox.lnk
2012-08-09 10:43 - 2011-06-09 09:39 - 00060304 ____A C:\Users\User\g2mdlhlpx.exe
2012-08-03 06:09 - 2012-08-03 06:09 - 00980480 ____A C:\Users\User\Downloads\MicrosoftFixit50267.msi
2012-08-03 05:44 - 2012-08-03 05:43 - 47732618 ____A C:\Users\User\Desktop\DansRegistry.reg
2012-08-01 12:27 - 2012-08-01 12:27 - 00000000 ____A C:\Windows\setuperr.log
2012-08-01 12:27 - 2012-08-01 12:27 - 00000000 ____A C:\Windows\setupact.log
2012-08-01 09:40 - 2008-03-13 07:19 - 00099546 ____A C:\Windows\FontData.fdb
2012-07-20 09:43 - 2012-07-20 09:43 - 00525063 ____A C:\Users\User\Desktop\ESLibrary-Search.psd
2012-07-18 07:06 - 2012-07-18 07:06 - 00526652 ____A C:\Users\User\Desktop\ESLibrary-Layout.psd
2012-07-11 23:02 - 2006-11-02 02:23 - 00000240 ____A C:\Windows\win.ini
2012-07-10 05:15 - 2012-07-10 05:15 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-07-09 05:43 - 2012-07-09 05:43 - 00000165 ___AH C:\Users\User\Desktop\~$AllItemsForImport_Dan.xlsx
2012-07-04 06:02 - 2012-08-15 13:02 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-29 08:01 - 2012-08-15 11:55 - 00467968 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-06-28 03:37 - 2012-08-15 11:55 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 03:37 - 2012-08-15 11:55 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 03:37 - 2012-08-15 11:55 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 03:35 - 2012-08-15 11:55 - 00206848 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-06-28 03:33 - 2012-08-15 11:55 - 00611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-06-28 03:32 - 2012-08-15 11:55 - 06008320 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 03:32 - 2012-08-15 11:55 - 00629760 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-06-28 03:32 - 2012-08-15 11:55 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 03:32 - 2012-08-15 11:55 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-06-28 03:32 - 2012-08-15 11:55 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-06-28 03:31 - 2012-08-15 11:55 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 03:31 - 2012-08-15 11:55 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 03:31 - 2012-08-15 11:55 - 01469440 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 03:31 - 2012-08-15 11:55 - 00387584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-06-28 03:31 - 2012-08-15 11:55 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-06-28 03:31 - 2012-08-15 11:55 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-28 03:31 - 2012-08-15 11:55 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-06-28 03:31 - 2012-08-15 11:55 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-06-28 03:31 - 2012-08-15 11:55 - 00055808 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-06-28 03:31 - 2012-08-15 11:55 - 00025600 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 01:59 - 2012-08-15 11:55 - 00385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-06-28 00:19 - 2012-08-15 11:55 - 00174080 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-06-28 00:19 - 2012-08-15 11:55 - 00133632 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 00:18 - 2012-08-15 11:55 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-06-28 00:17 - 2012-08-15 11:55 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-21 09:00 - 2012-06-21 09:00 - 00001978 ____A C:\Users\Public\Desktop\QuickBooks Pro 2012.lnk
2012-06-21 09:00 - 2012-06-21 09:00 - 00001978 ____A C:\Users\All Users\Desktop\QuickBooks Pro 2012.lnk
2012-06-21 09:00 - 2012-06-21 08:52 - 00000095 ____A C:\Windows\QBChanUtil_Trigger.ini


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-05 05:57:38
Restore point made on: 2012-09-05 06:26:57
Restore point made on: 2012-09-08 10:20:40
Restore point made on: 2012-09-08 11:06:38
Restore point made on: 2012-09-08 11:07:09
Restore point made on: 2012-09-08 11:07:36
Restore point made on: 2012-09-09 20:00:26
Restore point made on: 2012-09-11 13:12:31
Restore point made on: 2012-09-12 05:03:52
Restore point made on: 2012-09-12 09:30:03
Restore point made on: 2012-09-13 09:06:01
Restore point made on: 2012-09-17 07:15:57

==================== Memory info ===========================

Percentage of memory in use: 25%
Total physical RAM: 1917.94 MB
Available physical RAM: 1427.38 MB
Total Pagefile: 1657.93 MB
Available Pagefile: 1504.45 MB
Total Virtual: 2047.88 MB
Available Virtual: 1982.8 MB

==================== Partitions =============================

1 Drive c: (HP) (Fixed) (Total:289.21 GB) (Free:135.82 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:8.88 GB) (Free:0.86 GB) NTFS ==>[System with boot components (obtained from reading drive)]
8 Drive j: () (Removable) (Total:3.74 GB) (Free:2.55 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 3830 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 289 GB 32 KB
Partition 3 Primary 9 GB 289 GB
Partition 2 Primary 3016 KB 298 GB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C HP NTFS Partition 289 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D FACTORY_IMA NTFS Partition 9 GB Healthy

=========================================================

Disk: 0
Partition 2
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3828 MB 19 KB

=========================================================

Disk: 5
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 J FAT32 Removable 3828 MB Healthy

=========================================================

Last Boot: 2012-09-17 05:12

==================== End Of Log ============================
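
The FRST listing above is a plain inventory; the tool itself only passes judgement in a few places (the MD5 checks, the "Suspicious Type" partition). What follows is an added example, not part of the original post and not FRST's own code: a small Python triage script that parses lines in the "Created/Modified Files" layout shown above and marks the entries an analyst would open first. The sample lines are copied from the log on this page; the heuristics (a .job under C:\Windows\Tasks carrying the System attribute, a double extension such as .exe.bat, an executable under System32 with no publisher string, an executable dropped straight into a profile root) and the reason texts are my assumptions. A hit means "review", never "malicious": the IE feed-synchronization task in the same log is hidden too and is perfectly normal.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the FRST log above, in the
# "<date> - <date> - <size> <attrs> [(company)] <path>" layout. In a
# "Modified Files" section the first date is the modification time and the
# second the creation time; the "Created Files" section lists them the other
# way round (compare the two Plan1.des entries in the log).
SAMPLE_LOG = r"""
==================== 3 Months Modified Files ==================

2012-09-17 10:50 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-17 05:03 - 2011-11-03 06:34 - 00000300 __ASH C:\Windows\Tasks\TKGK.job
2012-09-12 09:31 - 2006-11-02 02:24 - 62164608 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-09-12 05:32 - 2012-09-12 05:32 - 00000000 ____D C:\Program Files\ESET
2012-09-08 11:04 - 2012-09-08 11:04 - 00000056 ____A C:\Windows\System32\SupportTool.exe.bat
2012-09-06 05:03 - 2012-09-08 11:06 - 00205072 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
2012-08-15 05:07 - 2007-12-18 08:07 - 00000416 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{9622C7AB-5BF1-4F37-9706-2EC12BBF707D}.job
2012-08-09 10:43 - 2011-06-09 09:39 - 00060304 ____A C:\Users\User\g2mdlhlpx.exe
"""

SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
LINE_RE = re.compile(
    r"^(?P<d1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<d2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"      # publisher from version info, if FRST had one
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Extensions treated as executable for the heuristics below (my choice).
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".scr", ".com", ".pif"}


@dataclass
class Entry:
    section: str
    date_a: str            # modified time in a "Modified" section, created time in a "Created" one
    date_b: str
    size: int
    attrs: str             # FRST attribute letters as printed: ____A, ___AH, __ASH, ____D
    company: Optional[str]
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_frst(text: str) -> List[Entry]:
    """Parse every file line, remembering which ==== section ==== it came from."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(section, m["d1"], m["d2"], int(m["size"]),
                                 m["attrs"], m["company"], m["path"]))
    return entries


def _ext(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""


def review_reasons(e: Entry) -> List[str]:
    """Heuristics that say 'look at this first'; none of them is a verdict."""
    reasons: List[str] = []
    p = e.path.lower()
    name = e.name.lower()
    parts = p.split("\\")
    pieces = name.split(".")

    # A .job with the System attribute is unusual; Hidden alone is weaker,
    # because some legitimate tasks (the IE feed sync job) are hidden as well.
    if p.startswith("c:\\windows\\tasks\\") and name.endswith(".job"):
        if "S" in e.attrs:
            reasons.append("scheduled task file carrying the System attribute")
        elif "H" in e.attrs:
            reasons.append("hidden scheduled task file (legitimate ones exist too)")

    # name.exe.bat style double extensions
    if len(pieces) >= 3 and "." + pieces[-1] in EXEC_EXT and "." + pieces[-2] in EXEC_EXT:
        reasons.append("double extension (." + pieces[-2] + "." + pieces[-1] + ")")

    # FRST prints the publisher from the file's version info; its absence for an
    # executable under System32 is weak evidence, but it is free to check.
    if p.startswith("c:\\windows\\system32\\") and _ext(name) in EXEC_EXT and not e.company:
        reasons.append("executable under System32 with no publisher string")

    # C:\Users\<name>\something.exe: executables rarely belong in a profile root
    if len(parts) == 4 and parts[:2] == ["c:", "users"] and _ext(name) in EXEC_EXT:
        reasons.append("executable sitting directly in a user profile root")

    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_frst(log_text):
        reasons = review_reasons(e)
        if reasons:
            flagged[e.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("    -", r)
```

Feed it the whole FRST.txt and it will walk every section; the section name is kept on each entry so the two date columns can be labelled correctly when you print them.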

#12 nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 September 2012 - 06:28 AM

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

At the cursor, type:
ipconfig /flushdns <-- (A space between g and / is needed)

Repeat with:
ipconfig /renew

Then hit Enter, type Exit, and hit the Enter key.

You may need to run CMD (Command Prompt) on Vista / Windows 7 with elevated privileges:
http://www.mydigitallife.info/2007/02/17/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/
<<<>>>

If still no joy.

Launch Notepad, and copy/paste all of the instructions below into it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

Optional, if the following programs are on your computer:
Note that, since the Domains are deleted, SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you have to re-install IE-SpyAd if it was installed.
===

If the redirection is not solved, then it could be that your router is compromised.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html


How To Set Up a Network Router
http://compnetworking.about.com/od/homenetworking/ht/routerconfigure.htm

Keep me posted.
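
The fixme.reg in the post above works by deleting and immediately recreating the ZoneMap\Domains, \Ranges and \EscDomains keys, which hold the per-site and per-IP-range security-zone assignments that redirectors like to tamper with (adding their own hosts to the Trusted zone, or pushing security vendors into the Restricted zone). Before merging any .reg file that someone posted, it is worth checking mechanically what it touches. The script below is an added example, not part of the post and not a tool the helper used: it parses the fixme.reg contents, lists the delete and recreate operations, and reports a problem if any key falls outside the two Internet Settings\ZoneMap subtrees, if a subtree root is deleted instead of its child keys, if a deleted key is never recreated, or if the file sets values at all (this fix is only meant to empty keys). The allowed-subtree list is my assumption derived from the keys in the post; the "tampered" sample, with a Run-key autostart appended, is constructed purely to show a rejection.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# The fixme.reg contents from the post above, embedded so the example runs offline.
FIXME_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
"""

# Constructed counter-example (hypothetical, not from the page): the same file
# with a Run-key autostart appended, the kind of addition to catch before merging.
TAMPERED_REG = FIXME_REG + r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Users\\Public\\updater.exe"
"""

# The only subtrees this particular fix may touch (assumption derived from the post).
ALLOWED_ROOTS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
)
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


@dataclass
class RegOp:
    action: str                                    # "delete" or "create"
    key: str
    values: List[Tuple[str, str]] = field(default_factory=list)


def parse_reg(text: str) -> List[RegOp]:
    """Minimal .reg parser: header, [key] / [-key] lines, "name"=data lines.
    Multi-line hex(...) continuations are not handled; they fail closed as
    'unrecognised line', which is the safe outcome for a pre-merge check."""
    body = [l.strip() for l in text.splitlines() if l.strip()]
    if not body or body[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / 'Windows Registry Editor Version 5.00' header")
    ops: List[RegOp] = []
    for line in body[1:]:
        if line.startswith(";"):                   # comment line
            continue
        km = KEY_RE.match(line)
        if km:
            ops.append(RegOp("delete" if km.group(1) else "create", km.group(2)))
            continue
        vm = VALUE_RE.match(line)
        if vm and ops:
            if ops[-1].action == "delete":
                raise ValueError("value listed under a key being deleted: " + line)
            name = vm.group("name") if vm.group("name") is not None else "@"
            ops[-1].values.append((name, vm.group("data")))
            continue
        raise ValueError("unrecognised line: " + line)
    return ops


def _under(key: str, root: str) -> bool:
    k, r = key.lower(), root.lower()
    return k == r or k.startswith(r + "\\")


def audit_reg(text: str, allowed_roots=ALLOWED_ROOTS) -> List[str]:
    """Return a list of problems; an empty list means the file stays inside its lane."""
    problems: List[str] = []
    ops = parse_reg(text)
    for op in ops:
        if not any(_under(op.key, r) for r in allowed_roots):
            problems.append(f"{op.action} outside the allowed subtree: {op.key}")
        if op.action == "delete" and any(op.key.lower() == r.lower() for r in allowed_roots):
            problems.append("deletes an allowed root itself instead of a child key: " + op.key)
        if op.values:
            problems.append(f"sets {len(op.values)} value(s) under {op.key}; this fix should only reset keys")
    # every deleted key should be recreated afterwards, so it exists but is empty
    created = {op.key.lower() for op in ops if op.action == "create"}
    for op in ops:
        if op.action == "delete" and op.key.lower() not in created:
            problems.append("deleted but never recreated: " + op.key)
    return problems


def summarize(text: str) -> Tuple[int, int]:
    """(deleted keys, created keys), for a quick glance before merging."""
    ops = parse_reg(text)
    return (sum(op.action == "delete" for op in ops), sum(op.action == "create" for op in ops))


if __name__ == "__main__":
    for label, reg in (("fixme.reg", FIXME_REG), ("tampered copy", TAMPERED_REG)):
        print(label, summarize(reg), audit_reg(reg) or "OK")
```

Read the file as text before passing it in: REGEDIT4 files are ANSI, while files with the "Windows Registry Editor Version 5.00" header as exported by regedit are normally UTF-16LE with a byte-order mark.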

#13 nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 September 2012 - 08:46 AM

Are you still with me?


If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run, copy/paste the following text into the Run box, and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===



