Infected with JAVA EXPLOIT/Flooder/Blacole


33 replies to this topic

#1 kathpt (Members, 35 posts)

Posted 28 January 2013 - 12:29 AM

First of all I apologize if the title of the topic isn't completely correct but I am not sure what type of threat it is.

Gunto asked me to post here because it seems that the problem is more complicated than it seemed.
Here is the link to the original post where it's explained what happened and also several logs of several scans that did not take care of the problem along with screen shots of the name of the threats http://www.bleepingcomputer.com/forums/topic483054.html


Here is the log created by DDS
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457
Run by katheleen at 5:10:14 on 2013-01-28
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.351.2070.18.3054.1338 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hotkey_Driver\HotkeyDriver.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\SiS VGA Utilities\SiSTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\BisonCam\BisonHK.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\katheleen\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
C:\Windows\system32\conime.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://tvpc.com/Channel.php?ChannelID=8517
uProxyOverride = local
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
uRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\bullguard.exe"
uRun: [SAPO Messenger] "c:\program files\sapo\sapo messenger\sapoim.exe"
uRun: [googletalk] c:\users\katheleen\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [SiSTray] c:\program files\sis vga utilities\SiSTray.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [BisonHK] c:\windows\bisoncam\BisonHK.exe
mRun: [Skytel] Skytel.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [PelSetupRun] D:\setup.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 212.113.191.129 212.113.164.5
TCP: Interfaces\{E9D0E399-71FC-408E-B1A7-6FB31DC0A09C} : DHCPNameServer = 212.113.191.129 212.113.164.5
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\katheleen\appdata\roaming\mozilla\firefox\profiles\2ck4qqpk.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-01-13 05:13; {5384767E-00D9-40E9-B72F-9CC39D655D6F}; c:\users\katheleen\appdata\roaming\mozilla\firefox\profiles\2ck4qqpk.default\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 FontCache;Serviço de Cache de Tipos de Letra do Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-1-26 398184]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-1-26 682344]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 99272]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-1-26 21104]
R3 NisSrv;Inspeção de Rede da Microsoft;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2010-3-31 350720]
R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2008-5-8 572416]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2008-5-8 48128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-11-9 160944]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-01-27 22:12:48 -------- d-----w- c:\windows\ERUNT
2013-01-27 22:12:32 -------- d-----w- C:\JRT
2013-01-27 20:05:05 -------- d-----w- c:\program files\ESET
2013-01-27 19:45:57 6991832 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8399d490-4da6-46c6-a14f-1d02b1b90e5d}\mpengine.dll
2013-01-27 19:36:23 -------- d-----w- c:\users\katheleen\appdata\roaming\SUPERAntiSpyware.com
2013-01-27 19:36:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-01-27 19:36:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-26 19:38:47 -------- d-----w- c:\users\katheleen\appdata\roaming\Malwarebytes
2013-01-26 19:38:04 -------- d-----w- c:\programdata\Malwarebytes
2013-01-26 19:38:02 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-26 19:38:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-26 19:34:46 6991832 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-01-09 19:23:37 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 19:22:51 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 19:22:49 1400832 ----a-w- c:\windows\system32\msxml6.dll
.
==================== Find3M ====================
.
2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-12-12 18:51:16 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-12 18:51:16 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29:51 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-02 10:18:17 376320 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 08:26:06 23040 ----a-w- c:\windows\system32\dpnsvr.exe
.
============= FINISH: 5:10:57,65 ===============

Thank you in advance

Edited by nasdaq, 28 January 2013 - 10:58 AM.
Code box removed.
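The "Pseudo HJT Report" block in the DDS log above is what the helpers read by eye: start page, Run keys, BHOs, DNS servers, browser plugins. As an added example (this editor's code, not part of the original post and not DDS or OTL code), the script below applies a few first-pass triage rules to those lines. The sample input is copied from the log above plus the Java plugin line from the OTL log posted later in the thread; the allowlist of vendor default home pages, the rule thresholds and the Java plugin version mapping are this example's assumptions, and every finding is a question to put to the user, not a verdict.

```python
"""First-pass triage of a DDS "Pseudo HJT Report" block (added example, not
part of the original post and not code from the DDS/OTL tools).

The sample lines are copied from the logs posted in this thread; the rules are
this example's own assumptions about what deserves a second look, not verdicts.
"""
import re
from urllib.parse import urlparse

# Home pages a Vista/IE9 or Firefox install commonly ships with (assumption).
DEFAULT_HOME_HOSTS = {"www.google.com", "google.com", "www.bing.com",
                      "msn.com", "www.msn.com", "pt.msn.com"}
SYSTEM_DRIVE = "c:"

AUTORUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
START_RE = re.compile(r"^[um]Start Page\s*=\s*(?P<url>\S+)", re.I)
DNS_RE = re.compile(r"^TCP:\s*NameServer\s*=\s*(?P<servers>.+)$", re.I)
JAVA_RE = re.compile(r"@java\.com/DTPlugin,version=(?P<ver>[\d.]+)", re.I)

# Constructed sample: lines from the DDS log in post #1 plus one Firefox
# plugin line from the OTL log in post #3.
SAMPLE = r"""
uStart Page = hxxp://tvpc.com/Channel.php?ChannelID=8517
uRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\bullguard.exe"
uRun: [googletalk] c:\users\katheleen\appdata\roaming\google\google talk\googletalk.exe /autostart
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [PelSetupRun] D:\setup.exe
TCP: NameServer = 212.113.191.129 212.113.164.5
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
"""


def exe_path(cmd: str) -> str:
    """Return the program part of an autorun command line.

    Handles quoted paths ("c:\\a b\\x.exe" -flag), unquoted paths containing
    spaces (the first .exe/.dll/... token ends the path) and bare file names.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|dll|vbs|js))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(report: str) -> list:
    """Return a list of {"severity", "rule", "detail"} findings for the block."""
    findings = []

    def add(severity, rule, detail):
        findings.append({"severity": severity, "rule": rule, "detail": detail})

    for line in report.splitlines():
        line = line.strip()
        if m := START_RE.match(line):
            host = urlparse(m["url"].replace("hxxp", "http", 1)).hostname or ""
            if host.lower() not in DEFAULT_HOME_HOSTS:
                add("medium", "start-page",
                    f"home page is {m['url']}; not a vendor default, confirm with the user")
        elif m := AUTORUN_RE.match(line):
            path = exe_path(m["cmd"]).lower()
            drive = path[:2] if re.match(r"^[a-z]:", path) else ""
            if drive and drive != SYSTEM_DRIVE:
                add("high", "autorun-nonsystem-drive",
                    f"[{m['name']}] starts {path} from drive {drive.upper()} (removable or optical media?)")
            elif not drive:
                add("low", "autorun-relative-path",
                    f"[{m['name']}] uses bare name {path}; resolved via the search path")
            if "\\appdata\\" in path or "\\temp\\" in path:
                add("medium", "autorun-user-writable",
                    f"[{m['name']}] runs {path} from a user-writable location")
        elif m := DNS_RE.match(line):
            add("info", "dns-servers",
                f"resolvers {m['servers'].split()}; verify they belong to the ISP")
        elif m := JAVA_RE.search(line):
            ver = tuple(int(x) for x in m["ver"].split("."))
            # Oracle numbers the Java 7 deploy plugin 10.N.x for Update N, so
            # 10.9.2 is 7u9. 7u11 (10.11.x, January 2013) closed CVE-2013-0422,
            # which exploit kits picked up immediately. Stated from the
            # editor's knowledge, not from the thread.
            if ver < (10, 11):
                add("high", "java-outdated",
                    f"Java deploy plugin {m['ver']} is older than 7u11; update or disable the plugin")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['severity']:6} {f['rule']:24} {f['detail']}")
```

On the sample the rules produce one finding per interesting line: the tvpc.com start page (flagged only because it is not a vendor default; the user may well have set it), googletalk.exe running from the roaming profile, the bare RtHDVCpl.exe name, the machine-wide Run entry that launches D:\setup.exe from whatever is in drive D:, and the Java plugin version. The D: entry and the Java version are the two a practitioner would ask about first.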



#2 SweetTech (Agent ST; Members, 13,421 posts; Location: Antarctica)

Posted 28 January 2013 - 04:40 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)

    • Because of this, you must reply within 3 days; failure to reply will result in the topic being closed! I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.

    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

OTL Custom Scan

We need to run an OTL Custom Scan

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Copy and Paste the following code into the custom scan textbox.

    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    CreateRestorePoint
    "%WinDir%\$NtUninstallKB*$." /30
    C:\Program Files\Common Files\ComObjects\*.* /s
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %SYSTEMDRIVE%\*.exe
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    /md5start
    volsnap.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    svchost.exe
    tdx.sys
    afd.sys
    netbt.sys
    services.exe
    /md5stop
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s

  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



Running aswMBR.exe

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.



NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. OTL.txt & Extras.txt log files.
3. aswMBR.txt log file.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Edited by SweetTech, 28 January 2013 - 04:42 PM.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
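The /md5start ... /md5stop block in the custom scan above makes OTL print the MD5 of every copy of ten core files it finds on the disk, so the reader can spot a patched driver or a stray svchost.exe sitting in a profile directory. The script below, an added example (this editor's code, not OTL's and not part of the original post), does the same walk and then the comparison a reviewer otherwise does by eye. The expected-directory table, the tolerated servicing-store prefixes and the demo tree are assumptions for a 32-bit Vista layout; a real baseline must come from a known-clean install of the same Windows build.

```python
"""Hash every copy of the core files named in the OTL /md5start block and flag
stray copies or baseline mismatches (added example; not OTL's code and not
part of the original post).

OTL prints one MD5 line per copy of each listed name it finds on the disk and
leaves the comparison to the reader. This does the walk and the comparison.
EXPECTED_DIRS / ALLOWED_EXTRA are assumptions for a 32-bit Vista layout; the
baseline dict must come from a known-clean install of the same build.
"""
import hashlib
import os
import tempfile

# Names from the /md5start ... /md5stop block of the custom scan above.
CORE_FILES = ["volsnap.sys", "atapi.sys", "explorer.exe", "winlogon.exe",
              "wininit.exe", "svchost.exe", "tdx.sys", "afd.sys", "netbt.sys",
              "services.exe"]

# Where a genuine copy lives, by extension, relative to the drive root
# (lower-case, forward slashes). Servicing stores keep legitimate extra
# copies, so those prefixes are tolerated rather than reported as stray.
EXPECTED_DIRS = {".sys": ("windows/system32/drivers",),
                 ".exe": ("windows", "windows/system32")}
ALLOWED_EXTRA = ("windows/winsxs/", "windows/servicing/",
                 "windows/system32/driverstore/")


def file_hashes(path):
    """MD5 (what OTL prints) and SHA-256 of one file, streamed."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def audit(root, baseline, names=CORE_FILES):
    """Return sorted (status, relative_path, md5) tuples for every copy found.

    status: ok | mismatch (expected dir, hash differs from baseline) |
            unverified (expected dir, no baseline entry) |
            stray (outside every expected/tolerated dir) | missing
    """
    wanted = {n.lower() for n in names}
    seen = dict.fromkeys(wanted, 0)
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            name = fn.lower()
            if name not in wanted:
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            reldir = rel.rsplit("/", 1)[0] if "/" in rel else ""
            md5, sha = file_hashes(full)
            seen[name] += 1
            if reldir in EXPECTED_DIRS.get(os.path.splitext(name)[1], ()):
                expected = baseline.get(name, "").lower()
                status = ("unverified" if not expected
                          else "ok" if expected in (md5, sha) else "mismatch")
            elif (reldir + "/").startswith(ALLOWED_EXTRA):
                status = "ok"
            else:
                status = "stray"
            results.append((status, rel, md5))
    results += [("missing", n, "") for n, c in seen.items() if c == 0]
    return sorted(results)


def demo():
    """Build a constructed mini-drive in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        tree = {
            "Windows/System32/svchost.exe": b"genuine svchost",
            "Users/k/AppData/Roaming/svchost.exe": b"copy dropped in profile",
            "Windows/System32/drivers/atapi.sys": b"genuine atapi",
            "Windows/explorer.exe": b"patched explorer",
            "Windows/winsxs/x86_foo/explorer.exe": b"servicing copy",
        }
        for rel, data in tree.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = {  # a baseline may hold MD5 or SHA-256; both are accepted
            "svchost.exe": hashlib.md5(b"genuine svchost").hexdigest(),
            "atapi.sys": hashlib.sha256(b"genuine atapi").hexdigest(),
            "explorer.exe": hashlib.md5(b"clean explorer").hexdigest(),
        }
        return audit(root, baseline)


if __name__ == "__main__":
    for status, rel, md5 in demo():
        print(f"{status:10} {md5:32} {rel}")
```

Run against a real drive, point audit() at the drive root and pass a baseline built from a clean machine of the same build; a "stray" svchost.exe under a user profile or a "mismatch" on a boot-start driver such as atapi.sys or volsnap.sys is exactly what the OTL md5 section and the aswMBR step are there to surface. MD5 is kept only because it is what OTL prints; the SHA-256 is the one to record.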


#3 kathpt (Topic Starter; Members, 35 posts)

Posted 28 January 2013 - 08:28 PM

1. Hello, you can address me as kathpt or kath, either one is fine by me :) I too like chocolate chip cookies so I guess we have that in common.
Also, I have a question. All the programs Gunto asked me to install and run on the other topic, shall I uninstall them?

2. OTL.txt

OTL logfile created on: 29-01-2013 00:09:52 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\katheleen\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

2,98 Gb Total Physical Memory | 1,78 Gb Available Physical Memory | 59,78% Memory free
6,18 Gb Paging File | 4,94 Gb Available in Paging File | 79,83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 293,60 Gb Total Space | 190,99 Gb Free Space | 65,05% Space Free | Partition Type: NTFS

Computer Name: PC | User Name: katheleen | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013-01-29 00:08:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\katheleen\Desktop\OTL.exe
PRC - [2013-01-19 20:56:39 | 000,917,400 | ---- | M] (Mozilla Corporation) -- C:\Programas\Mozilla Firefox\firefox.exe
PRC - [2012-12-18 14:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Programas\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012-12-14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Programas\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012-12-14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Programas\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012-12-14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Programas\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012-12-12 18:51:16 | 001,807,800 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
PRC - [2012-11-01 19:45:21 | 004,763,008 | ---- | M] (SUPERAntiSpyware.com) -- C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2012-09-12 16:25:24 | 000,287,824 | ---- | M] (Microsoft Corporation) -- c:\Programas\Microsoft Security Client\NisSrv.exe
PRC - [2012-09-12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Programas\Microsoft Security Client\MsMpEng.exe
PRC - [2012-09-12 16:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Programas\Microsoft Security Client\msseces.exe
PRC - [2012-07-11 18:54:49 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Programas\SUPERAntiSpyware\SASCore.exe
PRC - [2011-03-28 20:31:16 | 000,193,920 | ---- | M] (Microsoft Corp.) -- C:\Programas\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2011-03-28 20:31:14 | 001,713,536 | ---- | M] (Microsoft Corp.) -- C:\Programas\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009-04-10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008-03-25 14:46:32 | 000,077,824 | ---- | M] (mychat) -- C:\Windows\BisonCam\BisonHK.exe
PRC - [2008-02-27 02:53:14 | 000,552,960 | R--- | M] (Silicon Integrated Systems Corporation) -- C:\Programas\SiS VGA Utilities\SiSTray.exe
PRC - [2008-02-26 08:24:06 | 004,939,776 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007-12-07 10:17:40 | 004,706,304 | ---- | M] () -- C:\Programas\Hotkey_Driver\HotKeyDriver.exe
PRC - [2007-08-17 21:40:30 | 000,102,400 | ---- | M] (Synaptics, Inc.) -- C:\Programas\Synaptics\SynTP\SynTPStart.exe
PRC - [2007-01-17 06:34:18 | 000,634,880 | ---- | M] (Motorola Inc.) -- C:\Programas\Motorola\SMSERIAL\sm56hlpr.exe
PRC - [2007-01-01 21:22:02 | 003,739,648 | ---- | M] (Google) -- C:\Users\katheleen\AppData\Roaming\Google\Google Talk\googletalk.exe


========== Modules (No Company Name) ==========

MOD - [2013-01-19 20:55:58 | 003,022,232 | ---- | M] () -- C:\Programas\Mozilla Firefox\mozjs.dll
MOD - [2013-01-10 16:52:58 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b757806657fa5db2b1ed1a89b026b463\System.Xml.ni.dll
MOD - [2013-01-10 16:52:20 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\0c3da9004b277959e24a9fd606d3dd05\System.Windows.Forms.ni.dll
MOD - [2013-01-10 16:52:05 | 001,593,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\78157a494dc9a7e52be8840decfcd9cc\System.Drawing.ni.dll
MOD - [2013-01-10 16:50:17 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\cc149d08e75f8c53cd28ac926b38c370\System.ni.dll
MOD - [2013-01-10 16:50:08 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\2227d1559f87943255069398608d5c56\mscorlib.ni.dll
MOD - [2012-12-12 18:51:15 | 014,586,296 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_5_502_135.dll
MOD - [2009-03-31 11:05:16 | 000,307,200 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt_b77a5c561934e089\mscorlib.resources.dll
MOD - [2008-03-25 14:44:08 | 000,028,672 | ---- | M] () -- C:\Windows\BisonCam\KBHookDLL.dll
MOD - [2007-12-07 10:17:40 | 004,706,304 | ---- | M] () -- C:\Programas\Hotkey_Driver\HotKeyDriver.exe
MOD - [2007-10-30 10:55:46 | 000,172,032 | ---- | M] () -- C:\Windows\system\BisonC07.dll
MOD - [2006-12-11 16:10:26 | 000,049,152 | ---- | M] () -- C:\Programas\Hotkey_Driver\AudioControlDLL.dll


========== Services (SafeList) ==========

SRV - [2013-01-19 20:56:36 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programas\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012-12-18 14:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programas\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012-12-14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programas\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012-12-14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programas\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012-11-09 11:21:24 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programas\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012-09-12 16:25:24 | 000,287,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Programas\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012-09-12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programas\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012-07-11 18:54:49 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Programas\SUPERAntiSpyware\SASCore.exe -- (!SASCORE)
SRV - [2011-07-20 05:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2011-03-28 20:31:14 | 001,713,536 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Programas\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2010-09-22 16:33:04 | 000,051,040 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Programas\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV - [2008-01-21 02:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008-01-21 02:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programas\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006-10-26 13:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Auto | Stopped] -- System32\Drivers\e4ldr.sys -- (IKANLOADER2)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\e4usbaw.sys -- (e4usbaw)
DRV - [2012-12-14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012-08-30 21:03:50 | 000,099,272 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011-07-22 16:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Programas\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011-07-12 21:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Programas\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010-03-31 06:59:24 | 000,350,720 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8187B.sys -- (RTL8187B)
DRV - [2008-03-31 14:44:46 | 001,069,608 | ---- | M] (Bison Electronics. Inc. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BisonC07.sys -- (Cam5607)
DRV - [2008-03-06 08:08:56 | 000,572,416 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SISGRKMD.sys -- (SiS6350)
DRV - [2007-10-16 07:35:32 | 000,048,128 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SiSGB6.sys -- (SiSGbeLH)
DRV - [2007-04-11 08:40:14 | 000,046,592 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ESD7SK.sys -- (ESDCR)
DRV - [2007-04-11 08:40:06 | 000,067,584 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\EMS7SK.sys -- (EMSCR)
DRV - [2007-01-24 09:08:06 | 000,056,184 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SISAGPX.SYS -- (SISAGP)
DRV - [2007-01-17 06:38:52 | 000,983,936 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2004-02-04 09:27:56 | 000,049,536 | ---- | M] (Texas Instruments Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tiehdusb.sys -- (TIEHDUSB)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://tvpc.com/Channel.php?ChannelID=8517
IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://pt.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = pt
IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 44 67 D3 4C DD DD CC 01 [binary data]
IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\..\SearchScopes\{32AE6F6D-22C7-421D-ACC5-304F19866F8B}: "URL" = http://www.google.com/search?hl=en&q={searchTerms}
IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4041944757-506418881-753924953-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "https://www.google.com/"
FF - prefs.js..extensions.enabledAddons: add-to-searchbox%40maltekraus.de:2.0
FF - prefs.js..extensions.enabledAddons: searchimdb%40sogame.cat:1.2.0
FF - prefs.js..extensions.enabledAddons: tkuse%40telekawaru.com:0.46
FF - prefs.js..extensions.enabledAddons: %7BD469DA71-A9C6-48f1-B86E-67313AADB588%7D:3.2.3
FF - prefs.js..extensions.enabledAddons: %7B5384767E-00D9-40E9-B72F-9CC39D655D6F%7D:1.4.2.1
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013-01-19 20:56:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013-01-19 20:56:40 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012-02-05 23:16:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\katheleen\AppData\Roaming\mozilla\Extensions
[2013-01-27 22:17:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\katheleen\AppData\Roaming\mozilla\Firefox\Profiles\2ck4qqpk.default\extensions
[2013-01-13 05:13:04 | 000,000,000 | ---D | M] (EPUBReader) -- C:\Users\katheleen\AppData\Roaming\mozilla\Firefox\Profiles\2ck4qqpk.default\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
[2013-01-12 03:08:16 | 000,000,000 | ---D | M] (Corretor para Português de Portugal) -- C:\Users\katheleen\AppData\Roaming\mozilla\Firefox\Profiles\2ck4qqpk.default\extensions\pt-PT@dictionaries.addons.mozilla.org
[2012-05-13 20:24:38 | 000,000,000 | ---D | M] (URL Shrink Easy) -- C:\Users\katheleen\AppData\Roaming\mozilla\Firefox\Profiles\2ck4qqpk.default\extensions\tkuse@telekawaru.com
[2012-02-09 02:00:24 | 000,025,781 | ---- | M] () (No name found) -- C:\Users\katheleen\AppData\Roaming\mozilla\firefox\profiles\2ck4qqpk.default\extensions\add-to-searchbox@maltekraus.de.xpi
[2013-01-19 21:23:18 | 000,363,736 | ---- | M] () (No name found) -- C:\Users\katheleen\AppData\Roaming\mozilla\firefox\profiles\2ck4qqpk.default\extensions\client@anonymox.net.xpi
[2012-02-06 20:00:28 | 000,039,326 | ---- | M] () (No name found) -- C:\Users\katheleen\AppData\Roaming\mozilla\firefox\profiles\2ck4qqpk.default\extensions\searchimdb@sogame.cat.xpi
[2012-11-23 23:05:02 | 000,804,627 | ---- | M] () (No name found) -- C:\Users\katheleen\AppData\Roaming\mozilla\firefox\profiles\2ck4qqpk.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012-02-19 20:24:58 | 000,136,655 | ---- | M] () (No name found) -- C:\Users\katheleen\AppData\Roaming\mozilla\firefox\profiles\2ck4qqpk.default\extensions\{D469DA71-A9C6-48f1-B86E-67313AADB588}.xpi
[2012-02-21 16:39:28 | 000,001,504 | ---- | M] () -- C:\Users\katheleen\AppData\Roaming\mozilla\firefox\profiles\2ck4qqpk.default\searchplugins\imdb.xml
[2013-01-28 03:15:04 | 000,002,057 | ---- | M] () -- C:\Users\katheleen\AppData\Roaming\mozilla\firefox\profiles\2ck4qqpk.default\searchplugins\youtube-video-search.xml
[2013-01-19 20:55:49 | 000,000,000 | ---D | M] (No name found) -- C:\Programas\Mozilla Firefox\extensions
[2013-01-19 20:56:40 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012-08-30 19:14:39 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012-10-12 23:55:47 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2006-09-18 21:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2 - BHO: (Windows Live Messenger Companion Helper) - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Programas\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [BisonHK] C:\Windows\BisonCam\BisonHK.exe (mychat)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PelSetupRun] D:\setup.exe File not found
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SiSTray] C:\Programas\SiS VGA Utilities\SiSTray.exe (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SMSERIAL] C:\Programas\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Programas\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-4041944757-506418881-753924953-1001..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" File not found
O4 - HKU\S-1-5-21-4041944757-506418881-753924953-1001..\Run: [googletalk] C:\Users\katheleen\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)
O4 - HKU\S-1-5-21-4041944757-506418881-753924953-1001..\Run: [SAPO Messenger] "C:\Program Files\Sapo\SAPO Messenger\sapoim.exe" File not found
O4 - HKU\S-1-5-21-4041944757-506418881-753924953-1001..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O7 - HKU\S-1-5-21-4041944757-506418881-753924953-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xportar para o Microsoft Excel - C:\Programas\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Programas\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programas\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programas\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programas\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.113.191.129 212.113.164.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E9D0E399-71FC-408E-B1A7-6FB31DC0A09C}: DhcpNameServer = 212.113.191.129 212.113.164.5
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programas\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programas\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programas\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Programas\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programas\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\katheleen\AppData\Roaming\Microsoft\Windows Photo Gallery\Fundo da Galeria de Fotografias do Windows.jpg
O24 - Desktop BackupWallPaper: C:\Users\katheleen\AppData\Roaming\Microsoft\Windows Photo Gallery\Fundo da Galeria de Fotografias do Windows.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Programas\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006-09-18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE
O33 - MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\Shell\configure\command - "" = D:\SETUP.EXE
O33 - MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\Shell\install\command - "" = D:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)


SafeBootMin: !SASCORE - C:\Programas\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: MsMpSvc - c:\Programas\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Programas\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6C298884-91FD-408C-9D90-5A59D2C29FD1} - Microsoft .NET Framework 1.1 Security Update (KB2742597)
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {8A517FED-1DAB-4FA2-BAF3-4C66AAE996EB} - .NET Framework
ActiveX: {8F736E10-8E5C-4399-A532-D0C00A406227} - Microsoft .NET Framework 1.1 Security Update (KB2698023)
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013-01-29 00:08:48 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\katheleen\Desktop\OTL.exe
[2013-01-28 05:08:57 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\katheleen\Desktop\dds.com
[2013-01-27 22:12:48 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013-01-27 22:12:32 | 000,000,000 | ---D | C] -- C:\JRT
[2013-01-27 22:12:19 | 000,536,387 | ---- | C] (Oleg N. Scherbakov) -- C:\Users\katheleen\Desktop\JRT.exe
[2013-01-27 20:05:05 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013-01-27 20:04:31 | 002,322,184 | ---- | C] (ESET) -- C:\Users\katheleen\Desktop\esetsmartinstaller_enu.exe
[2013-01-27 19:36:23 | 000,000,000 | ---D | C] -- C:\Users\katheleen\AppData\Roaming\SUPERAntiSpyware.com
[2013-01-27 19:36:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2013-01-27 19:36:06 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2013-01-27 19:36:06 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2013-01-27 05:54:37 | 023,543,488 | ---- | C] (SUPERAntiSpyware.com) -- C:\Users\katheleen\Desktop\SUPERAntiSpyware.exe
[2013-01-26 21:54:31 | 000,000,000 | ---D | C] -- C:\Users\katheleen\Desktop\RK_Quarantine
[2013-01-26 19:38:47 | 000,000,000 | ---D | C] -- C:\Users\katheleen\AppData\Roaming\Malwarebytes
[2013-01-26 19:38:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013-01-26 19:38:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013-01-26 19:38:02 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013-01-26 19:38:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013-01-26 19:34:55 | 010,156,344 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\katheleen\Desktop\mbam-setup-1.70.0.1100.exe
[2013-01-26 19:32:00 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\katheleen\Desktop\tdsskiller.exe
[2013-01-24 02:41:01 | 000,000,000 | ---D | C] -- C:\Users\katheleen\Documents\Meatless More Than 200 of the Very Best Vegetarian Recipes 2013 [EPUB]
[2013-01-24 02:40:59 | 000,000,000 | ---D | C] -- C:\Users\katheleen\Documents\Jamie's 15 Minute Meals Delicious, Nutritious, Super Fast Food 2012 [PDF]
[2013-01-21 18:26:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Last.fm
[2013-01-19 20:55:48 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013-01-15 02:10:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN

========== Files - Modified Within 30 Days ==========

[2013-01-29 00:08:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\katheleen\Desktop\OTL.exe
[2013-01-29 00:07:13 | 000,669,192 | ---- | M] () -- C:\Windows\System32\prfh0816.dat
[2013-01-29 00:07:13 | 000,604,764 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013-01-29 00:07:13 | 000,135,994 | ---- | M] () -- C:\Windows\System32\prfc0816.dat
[2013-01-29 00:07:13 | 000,108,096 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013-01-29 00:02:00 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013-01-29 00:02:00 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013-01-29 00:01:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013-01-29 00:01:41 | 3203,579,904 | -HS- | M] () -- C:\hiberfil.sys
[2013-01-29 00:00:49 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2013-01-28 05:25:36 | 000,073,300 | ---- | M] () -- C:\Users\katheleen\Desktop\Sem título.jpg
[2013-01-28 05:09:07 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\katheleen\Desktop\dds.com
[2013-01-28 03:36:00 | 000,000,518 | ---- | M] () -- C:\Windows\tasks\SUPERAntiSpyware Scheduled Task 1c7b8b0e-c2c6-41e4-8b19-260e11a5a91f.job
[2013-01-28 02:00:00 | 000,000,518 | ---- | M] () -- C:\Windows\tasks\SUPERAntiSpyware Scheduled Task fbe930cb-b2b6-4e14-a56c-44e5b8c6466b.job
[2013-01-27 22:12:28 | 000,536,387 | ---- | M] (Oleg N. Scherbakov) -- C:\Users\katheleen\Desktop\JRT.exe
[2013-01-27 20:04:36 | 002,322,184 | ---- | M] (ESET) -- C:\Users\katheleen\Desktop\esetsmartinstaller_enu.exe
[2013-01-27 19:36:14 | 000,001,817 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2013-01-27 05:55:06 | 023,543,488 | ---- | M] (SUPERAntiSpyware.com) -- C:\Users\katheleen\Desktop\SUPERAntiSpyware.exe
[2013-01-27 04:09:46 | 000,026,190 | ---- | M] () -- C:\Users\katheleen\Desktop\oopnkn.jpg
[2013-01-26 22:19:03 | 000,132,756 | ---- | M] () -- C:\Users\katheleen\Desktop\2.jpg
[2013-01-26 21:53:05 | 000,749,568 | ---- | M] () -- C:\Users\katheleen\Desktop\RogueKiller.exe
[2013-01-26 21:43:40 | 000,578,255 | ---- | M] () -- C:\Users\katheleen\Desktop\adwcleaner.exe
[2013-01-26 19:38:11 | 000,000,923 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013-01-26 19:35:08 | 010,156,344 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\katheleen\Desktop\mbam-setup-1.70.0.1100.exe
[2013-01-26 19:32:06 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\katheleen\Desktop\tdsskiller.exe
[2013-01-26 06:33:17 | 000,139,264 | ---- | M] () -- C:\Users\katheleen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013-01-26 04:35:38 | 000,080,246 | ---- | M] () -- C:\Users\katheleen\Desktop\1.jpg
[2013-01-21 01:57:33 | 018,304,730 | ---- | M] () -- C:\Users\katheleen\Documents\ur.zip
[2013-01-16 23:57:48 | 000,000,600 | ---- | M] () -- C:\Users\katheleen\PUTTY.RND
[2013-01-13 01:03:21 | 000,284,505 | ---- | M] () -- C:\Users\katheleen\Documents\Kristan Higgins - Too Good to be true.epub
[2013-01-10 16:48:06 | 000,384,832 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013-01-07 23:34:47 | 020,679,115 | ---- | M] () -- C:\Users\katheleen\Documents\ur.pdf
[2013-01-07 22:35:39 | 000,875,604 | ---- | M] () -- C:\Users\katheleen\Documents\Elizabeth_Scott_-_Perfect_You.pdf
[2013-01-05 01:47:44 | 000,352,969 | ---- | M] () -- C:\Users\katheleen\Documents\IMG_05012013_014631.png
[2013-01-04 23:38:12 | 000,427,388 | ---- | M] () -- C:\Users\katheleen\Documents\IMG_04012013_233738.png
[2013-01-03 20:33:46 | 000,614,403 | ---- | M] () -- C:\Windows\BsSnap.pre
[2012-12-31 18:46:12 | 000,220,792 | ---- | M] () -- C:\Users\katheleen\Desktop\tumblr_mfvyp1Y4lc1qzhgtao1_1280.jpg

========== Files Created - No Company Name ==========

[2013-01-28 05:25:36 | 000,073,300 | ---- | C] () -- C:\Users\katheleen\Desktop\Sem título.jpg
[2013-01-27 19:36:52 | 000,000,518 | ---- | C] () -- C:\Windows\tasks\SUPERAntiSpyware Scheduled Task 1c7b8b0e-c2c6-41e4-8b19-260e11a5a91f.job
[2013-01-27 19:36:50 | 000,000,518 | ---- | C] () -- C:\Windows\tasks\SUPERAntiSpyware Scheduled Task fbe930cb-b2b6-4e14-a56c-44e5b8c6466b.job
[2013-01-27 19:36:14 | 000,001,817 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2013-01-27 04:09:45 | 000,026,190 | ---- | C] () -- C:\Users\katheleen\Desktop\oopnkn.jpg
[2013-01-26 22:19:02 | 000,132,756 | ---- | C] () -- C:\Users\katheleen\Desktop\2.jpg
[2013-01-26 21:52:55 | 000,749,568 | ---- | C] () -- C:\Users\katheleen\Desktop\RogueKiller.exe
[2013-01-26 21:43:31 | 000,578,255 | ---- | C] () -- C:\Users\katheleen\Desktop\adwcleaner.exe
[2013-01-26 19:38:11 | 000,000,923 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013-01-26 04:55:37 | 3203,579,904 | -HS- | C] () -- C:\hiberfil.sys
[2013-01-26 04:35:38 | 000,080,246 | ---- | C] () -- C:\Users\katheleen\Desktop\1.jpg
[2013-01-21 01:57:30 | 018,304,730 | ---- | C] () -- C:\Users\katheleen\Documents\ur.zip
[2013-01-16 23:32:53 | 000,000,600 | ---- | C] () -- C:\Users\katheleen\PUTTY.RND
[2013-01-13 01:03:21 | 000,284,505 | ---- | C] () -- C:\Users\katheleen\Documents\Kristan Higgins - Too Good to be true.epub
[2013-01-07 23:32:00 | 020,679,115 | ---- | C] () -- C:\Users\katheleen\Documents\ur.pdf
[2013-01-07 22:34:52 | 000,875,604 | ---- | C] () -- C:\Users\katheleen\Documents\Elizabeth_Scott_-_Perfect_You.pdf
[2013-01-05 01:47:33 | 000,352,969 | ---- | C] () -- C:\Users\katheleen\Documents\IMG_05012013_014631.png
[2013-01-04 23:37:45 | 000,427,388 | ---- | C] () -- C:\Users\katheleen\Documents\IMG_04012013_233738.png
[2012-12-31 18:46:10 | 000,220,792 | ---- | C] () -- C:\Users\katheleen\Desktop\tumblr_mfvyp1Y4lc1qzhgtao1_1280.jpg
[2012-04-23 04:19:11 | 000,000,097 | ---- | C] () -- C:\Users\katheleen\AppData\Local\fusioncache.dat
[2012-02-05 02:09:13 | 000,000,046 | ---- | C] () -- C:\Windows\adiras.ini
[2012-02-05 01:52:29 | 000,139,264 | ---- | C] () -- C:\Users\katheleen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012-01-28 10:43:19 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2012-01-28 10:42:25 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2012-01-27 23:20:00 | 000,025,773 | ---- | C] () -- C:\Users\katheleen\AppData\Roaming\UserTile.png
[2012-01-27 23:01:14 | 000,001,356 | ---- | C] () -- C:\Users\katheleen\AppData\Local\d3d9caps.dat
[2008-07-24 04:19:21 | 000,000,282 | RHS- | C] () -- C:\ProgramData\ntuser.pol

========== ZeroAccess Check ==========

[2006-11-02 12:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012-06-08 17:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009-04-10 23:28:20 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009-04-10 23:28:26 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2008-05-08 23:29:51 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\BullGuard
[2008-05-09 00:41:15 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\SAPO
[2008-05-10 04:30:56 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\Thinstall
[2008-05-08 23:29:51 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\BullGuard
[2008-05-09 00:41:15 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\SAPO
[2008-05-10 04:30:56 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\Thinstall
[2013-01-08 00:04:49 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\Audacity
[2008-05-08 23:29:51 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\BullGuard
[2012-06-07 21:09:50 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\ILTEC
[2012-06-10 04:00:53 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\naan studio, Inc
[2012-01-27 23:20:00 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\PeerNetworking
[2012-02-08 19:08:17 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\Philipp Winterberg
[2012-12-26 21:04:21 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\Pogo
[2008-05-09 00:41:15 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\SAPO
[2008-05-10 04:30:56 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\Thinstall
[2012-03-17 23:20:52 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2013-01-26 04:14:35 | 000,000,000 | ---D | M] -- C:\Users\katheleen\AppData\Roaming\uTorrent

========== Purity Check ==========



========== Custom Scans ==========

< "%WinDir%\$NtUninstallKB*$." /30 >

< C:\Program Files\Common Files\ComObjects\*.* /s >
[2006-11-02 13:01:49 | 000,000,006 | -H-- | C] () -- C:\Windows\Tasks\SA.DAT
[2006-11-02 13:01:49 | 000,032,530 | ---- | C] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2013-01-27 19:36:50 | 000,000,518 | ---- | C] () -- C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task fbe930cb-b2b6-4e14-a56c-44e5b8c6466b.job
[2013-01-27 19:36:52 | 000,000,518 | ---- | C] () -- C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 1c7b8b0e-c2c6-41e4-8b19-260e11a5a91f.job

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008-01-21 03:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008-01-21 03:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008-01-21 03:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006-11-02 10:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006-11-02 10:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2012-12-14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\system32\drivers\mbam.sys

< %SYSTEMDRIVE%\*.exe >

< %systemdrive%\$Recycle.Bin|@;true;true;true /fp >

< MD5 for: AFD.SYS >
[2011-04-21 13:58:27 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=3911B972B55FEA0478476B2E777B29FA -- C:\Windows\System32\drivers\afd.sys
[2011-04-21 13:58:27 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=3911B972B55FEA0478476B2E777B29FA -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys
[2011-04-21 13:16:42 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=48EB99503533C27AC6135648E5474457 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
[2011-04-21 13:28:53 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=70EE0FC7A0F384DBD929A01384AEEB4B -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2008-01-21 02:24:17 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=763E172A55177E478CB419F88FD0BA03 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
[2009-04-10 21:47:04 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=A201207363AA900ABF1A388468688570 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
[2011-04-21 13:12:21 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=C8AF25017CECB75906A571AC70D2D306 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys

< MD5 for: ATAPI.SYS >
[2009-04-10 23:32:28 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009-04-10 23:32:28 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009-04-10 23:32:28 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008-01-21 02:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008-01-21 02:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006-11-02 09:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: EXPLORER.EXE >
[2008-10-29 06:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008-10-29 06:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008-10-30 03:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009-04-10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009-04-10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008-10-28 02:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008-01-21 02:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: NETBT.SYS >
[2008-01-21 02:24:59 | 000,184,320 | ---- | M] (Microsoft Corporation) MD5=7C5FEE5B1C5728507CD96FB4A13E7A02 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
[2009-04-10 21:45:38 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=ECD64230A59CBD93C85F1CD1CAB9F3F6 -- C:\Windows\System32\drivers\netbt.sys
[2009-04-10 21:45:38 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=ECD64230A59CBD93C85F1CD1CAB9F3F6 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

< MD5 for: SERVICES.EXE >
[2008-01-21 02:24:48 | 000,279,040 | ---- | M] (Microsoft Corporation) MD5=2B336AB6286D6C81FA02CBAB914E3C6C -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2009-04-10 23:28:00 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\System32\services.exe
[2009-04-10 23:28:00 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

< MD5 for: SVCHOST.EXE >
[2012-12-14 16:49:28 | 000,216,424 | ---- | M] () MD5=22101A85B3CA2FE2BE05FE9A61A7A83D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2008-01-21 02:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008-01-21 02:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe

< MD5 for: TDX.SYS >
[2009-04-10 21:45:58 | 000,072,192 | ---- | M] (Microsoft Corporation) MD5=76B06EB8A01FC8624D699E7045303E54 -- C:\Windows\System32\drivers\tdx.sys
[2009-04-10 21:45:58 | 000,072,192 | ---- | M] (Microsoft Corporation) MD5=76B06EB8A01FC8624D699E7045303E54 -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys
[2008-01-21 02:24:53 | 000,071,680 | ---- | M] (Microsoft Corporation) MD5=D09276B1FAB033CE1D40DCBDF303D10F -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys

< MD5 for: VOLSNAP.SYS >
[2006-11-02 09:51:18 | 000,208,488 | ---- | M] (Microsoft Corporation) MD5=11EF6C1CAEF76B685233450A126125D6 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys
[2009-04-10 23:32:56 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys
[2009-04-10 23:32:56 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys
[2012-08-21 11:47:42 | 000,225,664 | ---- | M] (Microsoft Corporation) MD5=559F1DB6586DE2EE8E25E172A0CA9A3C -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.22913_none_181f0c08125e385e\volsnap.sys
[2012-08-21 11:47:42 | 000,224,640 | ---- | M] (Microsoft Corporation) MD5=786DB5771F05EF300390399F626BF30A -- C:\Windows\System32\drivers\volsnap.sys
[2012-08-21 11:47:42 | 000,224,640 | ---- | M] (Microsoft Corporation) MD5=786DB5771F05EF300390399F626BF30A -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_2abeaeba\volsnap.sys
[2012-08-21 11:47:42 | 000,224,640 | ---- | M] (Microsoft Corporation) MD5=786DB5771F05EF300390399F626BF30A -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18679_none_175a8da4f96bddf6\volsnap.sys
[2008-01-21 02:23:21 | 000,227,896 | ---- | M] (Microsoft Corporation) MD5=D8B4A53DD2769F226B3EB374374987C9 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys
[2008-01-21 02:23:21 | 000,227,896 | ---- | M] (Microsoft Corporation) MD5=D8B4A53DD2769F226B3EB374374987C9 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys

< MD5 for: WININIT.EXE >
[2008-01-21 02:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe
[2008-01-21 02:23:42 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe

< MD5 for: WINLOGON.EXE >
[2012-12-14 16:49:28 | 000,216,424 | ---- | M] () MD5=22101A85B3CA2FE2BE05FE9A61A7A83D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009-04-10 23:28:14 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009-04-10 23:28:14 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008-01-21 02:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2013-01-19 20:55:55 | 000,864,656 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2013-01-19 20:55:55 | 000,864,656 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2013-01-19 20:55:55 | 000,864,656 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2013-01-19 20:56:39 | 000,917,400 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2013-01-19 20:56:39 | 000,917,400 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2013-01-19 20:56:39 | 000,917,400 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2012-01-28 16:45:30 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2012-01-28 16:45:30 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2012-01-28 16:45:30 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012-11-14 02:56:04 | 000,757,296 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2012-11-14 02:56:04 | 000,757,296 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2013-01-19 20:55:55 | 000,864,656 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2013-01-19 20:55:55 | 000,864,656 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2013-01-19 20:55:55 | 000,864,656 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2013-01-19 20:56:39 | 000,917,400 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2013-01-19 20:56:39 | 000,917,400 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2013-01-19 20:56:39 | 000,917,400 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2012-01-28 16:45:30 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2012-01-28 16:45:30 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2012-01-28 16:45:30 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012-11-14 02:56:04 | 000,757,296 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2012-11-14 02:56:04 | 000,757,296 | ---- | M] (Microsoft Corporation)

< HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s >
"" = PSFactoryBuffer
[HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemsvc.dll -- [2009-04-10 23:28:26 | 000,049,152 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >



Extras.txt

OTL Extras logfile created on: 29-01-2013 00:09:52 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\katheleen\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

2,98 Gb Total Physical Memory | 1,78 Gb Available Physical Memory | 59,78% Memory free
6,18 Gb Paging File | 4,94 Gb Available in Paging File | 79,83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 293,60 Gb Total Space | 190,99 Gb Free Space | 65,05% Space Free | Partition Type: NTFS

Computer Name: PC | User Name: katheleen | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-4041944757-506418881-753924953-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4041944757-506418881-753924953-1000]
"EnableNotifications" = 1
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4041944757-506418881-753924953-500]
"EnableNotifications" = 1
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{9C6E5D27-8AF0-4C33-83F4-42FD3EB1E035}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{E873009F-3318-473B-B652-F3C58B2D0340}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{07B31144-B50B-4864-B20A-A461769380C2}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{385A4CD1-2D64-4753-840E-83B69F531B77}" = dir=in | app=c:\program files\windows live\mesh\moe.exe |
"{5B370012-E72E-4394-B9B2-D050F6C87D36}" = protocol=6 | dir=in | app=c:\program files\hp\hp deskjet 1050 j410 series\bin\usbsetup.exe |
"{8A568DF7-A1B6-47FE-97B2-D4F32FC37335}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{A1FD9639-7541-421A-97A3-E767444D263C}" = protocol=17 | dir=in | app=c:\program files\hp\hp deskjet 1050 j410 series\bin\usbsetup.exe |
"{F84CB387-D146-4A15-AACA-BFC8CF22C102}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"TCP Query User{2D78BD68-D68E-4A46-A119-CAFF865ECC8C}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{5B3DE862-1ECA-4EA3-AC9A-507A3C586E2D}C:\users\katheleen\vodafone\vodafone web phone\pccommunicator.exe" = protocol=6 | dir=in | app=c:\users\katheleen\vodafone\vodafone web phone\pccommunicator.exe |
"TCP Query User{CBA89E9C-9FD5-4451-ADE3-1173D3C201BF}C:\program files\sapo\sapo messenger\sapoim.exe" = protocol=6 | dir=in | app=c:\program files\sapo\sapo messenger\sapoim.exe |
"TCP Query User{D677C3EA-189E-4E69-8E6E-89BE57190797}C:\program files\videolan\vlc\vlc.exe" = protocol=6 | dir=in | app=c:\program files\videolan\vlc\vlc.exe |
"UDP Query User{1818197A-EFC0-4A0C-84E1-243281B78A88}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{1A18579C-0B42-4215-9B9C-3522AB7FA907}C:\program files\sapo\sapo messenger\sapoim.exe" = protocol=17 | dir=in | app=c:\program files\sapo\sapo messenger\sapoim.exe |
"UDP Query User{72950292-8AD5-4570-B8D7-5827A8A0FDA7}C:\program files\videolan\vlc\vlc.exe" = protocol=17 | dir=in | app=c:\program files\videolan\vlc\vlc.exe |
"UDP Query User{C7206503-8281-412D-8C6B-7CBA8612A482}C:\users\katheleen\vodafone\vodafone web phone\pccommunicator.exe" = protocol=17 | dir=in | app=c:\users\katheleen\vodafone\vodafone web phone\pccommunicator.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{062E4D94-8306-46D5-81B6-45E6AD09C799}" = Windows Live Messenger
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0EC0B576-90F9-43C3-8FAD-A4902DF4B8F4}" = Galeria de Fotografias do Windows Live
"{14DC0059-00F1-4F62-BD1A-AB23CD51A95E}" = Adobe AIR
"{198EA334-8A3F-4CB2-9D61-6C10B8168A6F}" = Windows Live Writer
"{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client
"{1CB1225D-BA67-4BBC-B32E-CC6AA30BC15E}" = Software básico do dispositivo HP Deskjet 1050 J410 series
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service
"{25A381E1-0AB9-4E7A-ACCE-BA49D519CF4E}" = Windows Live Mail
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{370F888E-42A7-4911-9E34-7D74632E17EB}" = Windows Live Photo Common
"{3A09ED0F-8DDF-47BB-B53D-841AB9D1D3A7}" = Complemento Messenger
"{3BC3B1A5-30E3-4DDB-BE08-E7262B838B5F}" = Windows Live Remote Client Resources
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}" = SAGEM F@st 800-840
"{4BB1DCED-84D3-47F9-B718-5947E904593E}" = BisonCam
"{506FC723-8E6C-4417-9CFF-351F99130425}" = Windows Live UX Platform Language Pack
"{50779A29-834E-4E36-BBEB-B7CABC67A825}" = Microsoft Security Client PT-PT Language Pack
"{50cf5d03-0f40-46e6-a1b6-8b9cce7af888}.sdb" = Huawei
"{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}" = Adobe Flash Player 9 ActiveX
"{5C90D8CF-F12A-41C6-9007-3B651A1F0D78}" = HP Deskjet 1050 J410 series Ajuda
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
"{7B1DBCBE-DF17-3B58-844C-F572F70EF5C4}" = Microsoft .NET Framework 3.5 Language Pack SP1 - ptg
"{82EE333F-45A9-4585-A5D9-31FE16B7FB25}" = Windows Live Remote Service Resources
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{895722FE-25FE-4854-95AC-B0C42F9DBEDA}" = REALTEK RTL8187B Wireless LAN Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8AF5E619-22FB-450A-A85A-F20C147618B6}" = Microsoft Antimalware Service PT-PT Language Pack
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0015-0816-0000-0000000FF1CE}" = Microsoft Office Access MUI (Portuguese (Portugal)) 2007
"{90120000-0015-0816-0000-0000000FF1CE}_ENTERPRISE_{F812A9CD-23C6-4BBC-B168-ED2C68B0F003}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0816-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Portuguese (Portugal)) 2007
"{90120000-0016-0816-0000-0000000FF1CE}_ENTERPRISE_{F812A9CD-23C6-4BBC-B168-ED2C68B0F003}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0816-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007
"{90120000-0018-0816-0000-0000000FF1CE}_ENTERPRISE_{F812A9CD-23C6-4BBC-B168-ED2C68B0F003}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0816-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Portuguese (Portugal)) 2007
"{90120000-0019-0816-0000-0000000FF1CE}_ENTERPRISE_{F812A9CD-23C6-4BBC-B168-ED2C68B0F003}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0816-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Portuguese (Portugal)) 2007
"{90120000-001A-0816-0000-0000000FF1CE}_ENTERPRISE_{F812A9CD-23C6-4BBC-B168-ED2C68B0F003}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0816-0000-0000000FF1CE}" = Microsoft Office Word MUI (Portuguese (Portugal)) 2007
"{90120000-001B-0816-0000-0000000FF1CE}_ENTERPRISE_{F812A9CD-23C6-4BBC-B168-ED2C68B0F003}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0816-0000-0000000FF1CE}" = Microsoft Office Proof (Portuguese (Portugal)) 2007
"{90120000-001F-0816-0000-0000000FF1CE}_ENTERPRISE_{C8246FCF-12F8-4212-BC89-6ED049BA2FB8}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0816-0000-0000000FF1CE}" = Microsoft Office Proofing (Portuguese (Portugal)) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0044-0816-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Portuguese (Portugal)) 2007
"{90120000-0044-0816-0000-0000000FF1CE}_ENTERPRISE_{F812A9CD-23C6-4BBC-B168-ED2C68B0F003}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0816-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Portuguese (Portugal)) 2007
"{90120000-006E-0816-0000-0000000FF1CE}_ENTERPRISE_{5E03E01D-304F-474D-B85F-06B2C9AE0583}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0816-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007
"{90120000-00A1-0816-0000-0000000FF1CE}_ENTERPRISE_{F812A9CD-23C6-4BBC-B168-ED2C68B0F003}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0816-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Portuguese (Portugal)) 2007
"{90120000-00BA-0816-0000-0000000FF1CE}_ENTERPRISE_{F812A9CD-23C6-4BBC-B168-ED2C68B0F003}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A7765932-77D6-E0B2-1B27-E2973B5E1BD5}" = TweetDeck
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AC76BA86-7AD7-1046-7B44-AA1000000001}" = Adobe Reader X (10.1.5) - Português
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{B618C3BF-5142-4630-81DD-F96864F97C7E}" = Windows Live Essentials
"{B729B3C1-55A9-45FB-B7AD-D6A42DA8C883}" = Hotkey_Driver
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DAEF48AD-89C8-4A93-B1DD-45B7E4FB6071}" = Windows Live Movie Maker
"{DE8F99FD-2FC7-4C98-AA67-2729FDE1F040}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E54EEB5D-41ED-40FE-B4A8-8565DB81469B}" = Controlo ActiveX do Windows Live Mesh para Ligações Remotas
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{EA17F4FC-FDBF-4CF8-A529-2D983132D053}" = Skype™ 6.0
"{F07AE5AB-516C-4CEB-A0AA-AD083B9182C6}" = TI NoteFolio Creator
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F855451C-21E2-3034-B042-E1E66923548A}" = Microsoft .NET Framework 4 Client Profile PTG Language Pack
"{FCDE76CB-989D-4E32-9739-6A272D2B0ED7}" = Windows Live Mesh
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Audacity_is1" = Audacity 2.0
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"Free RAR Extract Frog" = Free RAR Extract Frog
"HP Photo Creations" = HP Photo Creations
"LAME_is1" = LAME v3.99.3 (for Windows)
"LastFM_is1" = Last.fm Scrobbler 2.1.30
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - ptg" = Microsoft .NET Framework 3.5 Language Pack SP1 - PTG
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile PTG Language Pack" = Microsoft .NET Framework 4 Client Profile PTG Language Pack
"Microsoft Security Client" = Microsoft Security Essentials
"Monopoly City1.0" = Monopoly City
"Mozilla Firefox 18.0.1 (x86 en-US)" = Mozilla Firefox 18.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"SiS VGA Utilities" = SiS VGA Utilities
"SMSERIAL" = Motorola SM56 Data Fax Modem
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1" = TweetDeck
"VLC media player" = VLC media player 2.0.5
"WinLiveSuite" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4041944757-506418881-753924953-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 27-01-2013 20:16:01 | Computer Name = pc | Source = WinMgmt | ID = 10
Description =

Error - 28-01-2013 12:39:43 | Computer Name = pc | Source = WinMgmt | ID = 10
Description =

Error - 28-01-2013 18:21:12 | Computer Name = pc | Source = WinMgmt | ID = 10
Description =

Error - 28-01-2013 20:02:14 | Computer Name = pc | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 27-01-2013 20:16:02 | Computer Name = pc | Source = Service Control Manager | ID = 7000
Description =

Error - 27-01-2013 20:16:02 | Computer Name = pc | Source = Service Control Manager | ID = 7000
Description =

Error - 28-01-2013 12:39:11 | Computer Name = pc | Source = ACPI | ID = 327693
Description = : O controlador incorporado (EC) não respondeu no período de tempo
limite especificado. Isto pode indicar que existe um erro no hardware ou firmware
do EC ou que o BIOS está a aceder ao EC incorrectamente. Deverá verificar junto
do fabricante do computador se existe um BIOS actualizado. Em algumas situações,
este poderá fazer com que o computador funcione incorrectamente.

Error - 28-01-2013 12:39:44 | Computer Name = pc | Source = Service Control Manager | ID = 7000
Description =

Error - 28-01-2013 12:39:44 | Computer Name = pc | Source = Service Control Manager | ID = 7000
Description =

Error - 28-01-2013 18:21:13 | Computer Name = pc | Source = Service Control Manager | ID = 7000
Description =

Error - 28-01-2013 18:21:13 | Computer Name = pc | Source = Service Control Manager | ID = 7000
Description =

Error - 28-01-2013 20:02:15 | Computer Name = pc | Source = Service Control Manager | ID = 7000
Description =

Error - 28-01-2013 20:02:15 | Computer Name = pc | Source = Service Control Manager | ID = 7000
Description =


< End of report >



3. aswMBR.txt

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-01-29 00:36:25
-----------------------------
00:36:25.262 OS Version: Windows 6.0.6002 Service Pack 2
00:36:25.262 Number of processors: 2 586 0xF0D
00:36:25.265 ComputerName: PC UserName:
00:36:27.772 Initialize success
00:41:32.894 AVAST engine defs: 13012800
00:41:59.658 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
00:41:59.662 Disk 0 Vendor: TOSHIBA_MK3252GSX LV010A Size: 305245MB BusType: 3
00:41:59.680 Disk 0 MBR read successfully
00:41:59.684 Disk 0 MBR scan
00:41:59.741 Disk 0 Windows VISTA default MBR code
00:41:59.762 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 4600 MB offset 2048
00:41:59.837 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 300643 MB offset 9422848
00:41:59.869 Disk 0 scanning sectors +625139712
00:41:59.976 Disk 0 scanning C:\Windows\system32\drivers
00:43:00.588 Service scanning
00:43:46.409 Service MpKsl45028dd4 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{76A91898-CADF-4179-8F64-4C8130EE4631}\MpKsl45028dd4.sys **LOCKED** 32
00:44:48.904 Modules scanning
00:45:06.545 Disk 0 trace - called modules:
00:45:07.114 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys USBPORT.SYS usbehci.sys dxgkrnl.sys SISGRKMD.sys Wdf01000.sys RTL8187B.sys usbhub.sys partmgr.sys volmgr.sys ecache.sys volsnap.sys Ntfs.sys
00:45:07.148 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d55ac8]
00:45:07.158 3 CLASSPNP.SYS[8a5c08b3] -> nt!IofCallDriver -> [0x854ee870]
00:45:07.171 5 acpi.sys[8069d6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0x854eb368]
00:45:07.182 7 Wdf01000.sys[8061fdc2] -> nt!IofCallDriver -> \Device\USBPDO-3[0x86a25030]
00:45:07.198 9 usbhub.sys[8e809ce0] -> nt!IofCallDriver -> \Device\USBPDO-2[0x854d9028]
00:45:11.446 AVAST engine scan C:\Windows
00:45:26.925 AVAST engine scan C:\Windows\system32
00:51:59.541 AVAST engine scan C:\Windows\system32\drivers
00:52:36.637 AVAST engine scan C:\Users\katheleen
01:21:07.524 AVAST engine scan C:\ProgramData
01:24:49.527 Scan finished successfully
01:25:20.939 Disk 0 MBR has been saved successfully to "C:\Users\katheleen\Desktop\MBR.dat"
01:25:20.960 The log file has been saved successfully to "C:\Users\katheleen\Desktop\aswMBR.txt"


4. There's really no difference in how the computer is running, but MSE still detects the four threats.
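The aswMBR log above reads the partition table out of sector 0 (a hidden 4600 MB WinRE partition at LBA 2048 and the active 300643 MB NTFS partition at LBA 9422848, on a 305245 MB disk) and then scans the sectors past the last partition, which is where an MBR bootkit keeps its payload. The Python script below is an added example, not part of the thread and not aswMBR's own code: it parses a classic MBR partition table, rebuilds the two entries from the log inside a constructed 512-byte sector, and flags what a responder checks by hand (boot signature, exactly one active partition, overlapping entries, unallocated sectors before the first and after the last partition). The partition values and disk size come from the log; the type-name table and the finding wording are assumptions for the example.

```python
import struct
import sys

SECTOR = 512
MB_SECTORS = (1024 * 1024) // SECTOR        # 2048 sectors per MiB, the unit aswMBR reports
ENTRY_FMT = "<B3sB3sII"                     # boot flag, CHS start, type, CHS end, LBA start, sector count

# Type IDs seen in the log above plus a few a responder meets often (assumed table).
PART_TYPES = {
    0x07: "HPFS/NTFS",
    0x27: "Hidden NTFS WinRE",
    0x05: "Extended",
    0x0F: "Extended (LBA)",
    0xEE: "GPT protective",
}


def build_sample_mbr() -> bytes:
    """Constructed 512-byte sector reproducing the two entries from the aswMBR log.
    Boot code and CHS fields are zero-filled; only the table and the signature matter here."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x00, 0x27, 2048, 4600 * MB_SECTORS),        # hidden WinRE partition, 4600 MB
        (0x80, 0x07, 9422848, 300643 * MB_SECTORS),   # active NTFS system partition, 300643 MB
    ]
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(data: bytes) -> list:
    """Return the non-empty entries of a classic (non-GPT) partition table."""
    if len(data) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if data[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, data, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue                                  # empty slot
        parts.append({
            "index": i + 1,
            "boot_flag": boot,
            "active": boot == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": start,
            "sectors": count,
            "mb": count // MB_SECTORS,
        })
    return parts


def check_layout(parts: list, disk_sectors: int = 0) -> list:
    """Findings a responder checks before trusting the table. disk_sectors=0 skips the size checks."""
    findings = []
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for p in parts:
        if p["boot_flag"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid boot flag 0x{p['boot_flag']:02X}")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    if ordered:
        first = ordered[0]["lba_start"]
        if first > 1:
            findings.append(f"{first - 1} unallocated sectors between the MBR and partition "
                            f"{ordered[0]['index']} (a common bootkit hiding place)")
        end = ordered[-1]["lba_start"] + ordered[-1]["sectors"]
        if disk_sectors and end < disk_sectors:
            findings.append(f"{disk_sectors - end} unallocated sectors after the last partition, from LBA {end}")
        elif disk_sectors and end > disk_sectors:
            findings.append(f"partition table runs {end - disk_sectors} sectors past the end of the disk")
    return findings


def main(argv: list) -> None:
    if len(argv) > 1:                                 # e.g. the MBR.dat that aswMBR saved to the Desktop
        with open(argv[1], "rb") as f:
            data = f.read(SECTOR)
        disk_mb = int(argv[2]) if len(argv) > 2 else 0
    else:
        data, disk_mb = build_sample_mbr(), 305245    # disk size reported in the log
    parts = parse_mbr(data)
    for p in parts:
        flag = "*" if p["active"] else " "
        print(f"{flag} {p['index']} type 0x{p['type']:02X} {p['type_name']:<18} {p['mb']:>8} MB offset {p['lba_start']}")
    for finding in check_layout(parts, disk_mb * MB_SECTORS):
        print("finding:", finding)


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments it prints the two partitions from the log and two findings: the 2047 sectors between the MBR and the WinRE partition, and the 2048 sectors after LBA 625139712, which is exactly the region the log shows aswMBR scanning. Pass the saved MBR.dat and the disk size in MB as arguments to check a real table; the end-of-partition-2 offset 625139712 in the table agreeing with the "scanning sectors" line is the consistency check that matters.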

#4 SweetTech

Posted 28 January 2013 - 09:11 PM

Hi Kath!

Hello, you can address me as kathpt or kath, either one is fine by me. I too like chocolate chip cookies, so I guess we have that in common.
Also, I have a question. All the programs Gunto asked me to install and run on the other topic, shall I uninstall them?

We can leave the tools that Gunto had you install for right now. It shouldn't do any harm keeping them there for right now.

Do you recognize this file?

[2013-01-21 01:57:33 | 018,304,730 | ---- | M] () -- C:\Users\katheleen\Documents\ur.zip

OTL Fix

We need to run an OTL Fix

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix as it may interfere with the successful execution of the script below.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [PelSetupRun] D:\setup.exe File not found
    O4 - HKU\S-1-5-21-4041944757-506418881-753924953-1001..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" File not found
    O4 - HKU\S-1-5-21-4041944757-506418881-753924953-1001..\Run: [SAPO Messenger] "C:\Program Files\Sapo\SAPO Messenger\sapoim.exe" File not found
    O33 - MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE
    O33 - MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\Shell\configure\command - "" = D:\SETUP.EXE
    O33 - MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\Shell\install\command - "" = D:\SETUP.EXE
    
    :Reg
    
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [EMPTYJAVA]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

NEXT:


Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. OTL Fix log file.
3. ComboFix.txt log file.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 kathpt (Topic Starter)

Posted 28 January 2013 - 10:08 PM

1. The file ur.zip is just a book I zipped.
I see that ComboFix used the main language on my system (Portuguese), so if you'd like me to translate it, just say the word.

2. OTL
All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\PelSetupRun deleted successfully.
Registry value HKEY_USERS\S-1-5-21-4041944757-506418881-753924953-1001\Software\Microsoft\Windows\CurrentVersion\Run\\BullGuard deleted successfully.
Registry value HKEY_USERS\S-1-5-21-4041944757-506418881-753924953-1001\Software\Microsoft\Windows\CurrentVersion\Run\\SAPO Messenger deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\ not found.
File D:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\ not found.
File D:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9e7aea4c-1cab-11dd-a378-806e6f6e6963}\ not found.
File D:\SETUP.EXE not found.
========== REGISTRY ==========
========== FILES ==========
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
C:\Users\katheleen\Desktop\cmd.bat deleted successfully.
C:\Users\katheleen\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\katheleen\Desktop\cmd.bat deleted successfully.
C:\Users\katheleen\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: katheleen
->Temp folder emptied: 116444519 bytes
->Temporary Internet Files folder emptied: 397374199 bytes
->Java cache emptied: 9310007 bytes
->FireFox cache emptied: 460233742 bytes
->Flash cache emptied: 260864747 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 151271614 bytes
RecycleBin emptied: 702 bytes

Total Files Cleaned = 1.331,00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: katheleen
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0,00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: katheleen
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 01292013_021500

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...



3. Combo Fix log

ComboFix 13-01-28.02 - katheleen 29-01-2013 2:51.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.351.2070.18.3054.2012 [GMT 0:00]
Running from: c:\users\katheleen\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\pt
c:\windows\system32\pt\AuthFWSnapIn.Resources.dll
c:\windows\system32\pt\AuthFWWizFwk.Resources.dll
c:\windows\system32\pt\Narrator.resources.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((( Files Created from 2012-12-28 to 2013-01-29 ))))))))))))))))))))))))))))
.
.
2013-01-29 02:58 . 2013-01-29 02:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-29 02:15 . 2013-01-29 02:15 -------- d-----w- C:\_OTL
2013-01-28 22:33 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{76A91898-CADF-4179-8F64-4C8130EE4631}\mpengine.dll
2013-01-27 22:12 . 2013-01-27 22:12 -------- d-----w- c:\windows\ERUNT
2013-01-27 22:12 . 2013-01-27 22:12 -------- d-----w- C:\JRT
2013-01-27 20:05 . 2013-01-27 20:05 -------- d-----w- c:\program files\ESET
2013-01-27 19:45 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-27 19:36 . 2013-01-27 19:36 -------- d-----w- c:\users\katheleen\AppData\Roaming\SUPERAntiSpyware.com
2013-01-27 19:36 . 2013-01-27 19:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-27 19:36 . 2013-01-27 19:36 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-01-26 19:38 . 2013-01-26 19:38 -------- d-----w- c:\users\katheleen\AppData\Roaming\Malwarebytes
2013-01-26 19:38 . 2013-01-26 19:38 -------- d-----w- c:\programdata\Malwarebytes
2013-01-26 19:38 . 2012-12-14 16:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-26 19:38 . 2013-01-26 19:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-09 19:23 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 19:22 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 19:22 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll
.
.
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 13:12 . 2012-12-22 03:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-22 03:00 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-12-12 18:51 . 2012-04-02 15:09 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 18:51 . 2012-02-06 00:49 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-28 17:15 . 2012-11-28 17:16 740840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F5198801-3910-41D6-A00D-29342247B061}\gapaengine.dll
2012-11-14 02:09 . 2012-12-12 03:08 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58 . 2012-12-12 03:08 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57 . 2012-12-12 03:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49 . 2012-12-12 03:08 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48 . 2012-12-12 03:08 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44 . 2012-12-12 03:08 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 01:29 . 2012-12-11 22:04 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-02 10:18 . 2012-12-11 22:05 376320 ----a-w- c:\windows\system32\dpnet.dll
2012-11-02 08:26 . 2012-12-11 22:05 23040 ----a-w- c:\windows\system32\dpnsvr.exe
2013-01-19 20:56 . 2013-01-19 20:55 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\katheleen\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 4763008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSTray"="c:\program files\SiS VGA Utilities\SiSTray.exe" [2008-02-27 552960]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-26 4939776]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-17 102400]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4041944757-506418881-753924953-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4041944757-506418881-753924953-500]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-28 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 1c7b8b0e-c2c6-41e4-8b19-260e11a5a91f.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2013-01-29 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task fbe930cb-b2b6-4e14-a56c-44e5b8c6466b.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tvpc.com/Channel.php?ChannelID=8517
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.113.191.129 212.113.164.5
FF - ProfilePath - c:\users\katheleen\AppData\Roaming\Mozilla\Firefox\Profiles\2ck4qqpk.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - ExtSQL: 2013-01-13 05:13; {5384767E-00D9-40E9-B72F-9CC39D655D6F}; c:\users\katheleen\AppData\Roaming\Mozilla\Firefox\Profiles\2ck4qqpk.default\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-29 02:58
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4041944757-506418881-753924953-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-4041944757-506418881-753924953-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2013-01-29 03:01:03
ComboFix-quarantined-files.txt 2013-01-29 03:01
.
Pre-Run: 205,663,133,696 bytes free
Post-Run: 205,535,141,888 bytes free
.
- - End Of File - - 08A2D6E41DB5E07BD8171EB307935409

4. no change on MSE

#6 SweetTech

Posted 28 January 2013 - 10:12 PM

Hi!

Thanks for the clarification on that file.

No need to translate the ComboFix file. Thank you for offering. :)

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.

Let me know how the above goes.



#7 kathpt (Topic Starter)

Posted 28 January 2013 - 10:37 PM

The link you provided isn't working.

Server not found
Firefox can't find the server at prm753.bchea.org.



#8 SweetTech

Posted 29 January 2013 - 09:36 AM

My apologies. I didn't check the link before I posted it to you.

Please use this link instead: http://download.thewebatom.net/50f69935741f0/JavaRa-2.1.zip



#9 kathpt (Topic Starter)

Posted 29 January 2013 - 01:08 PM

When I open the program this is what it shows

[screenshot]

So I clicked on 'Run Java Runtime' because it was the closest to your instructions, and it said 'no installed found'.

[screenshot]

So I clicked 'next' (the first time it did say 1 item had been deleted; in the screenshot it says 0 because that was the second try).

[screenshot]

And then I clicked next again and wasn't sure if the update you asked for was Java Runtime or JavaRa (there are two options, as shown in the first screenshot), so I exited.

[screenshot]

They also have a button for 'additional tasks'....

EDIT: with all these programs I've been running, is it normal for old bookmarks to pop up in MF? Either that happened or my memory is really bad!

Edited by kathpt, 29 January 2013 - 01:41 PM.


#10 SweetTech

Posted 29 January 2013 - 01:40 PM

My sincerest apologies, the instructions I had for JavaRa are severely outdated, and I'm just realizing this now. It's a tool I have my users run once in a while when I want to remove traces of Java.

If you click on Additional Tasks what do you see underneath that?



#11 kathpt (Topic Starter)

Posted 29 January 2013 - 02:03 PM

It's okay, I figured that's why the instructions didn't match.
This is what pops up when I click on additional tasks:

[screenshot]

#12 SweetTech

Posted 29 January 2013 - 02:26 PM

Thanks for understanding as well as attaching the screenshot image for me. :)

Please go ahead and place a checkmark next to the following:

Remove startup entry
Remove Outdated JRE Firefox Extensions
Clean JRE Temp Files

Then click on Run



#13 kathpt (Topic Starter)

Posted 29 January 2013 - 04:17 PM

I did that and only this little message popped up as soon as I hit 'run'. I did mention I uninstalled Java (after I googled to see if it was safe) last Sunday (or Monday? can't recall), thinking the threats would go away, but they didn't. That was when I decided to ask for help.

[screenshot]

#14 SweetTech

Posted 29 January 2013 - 04:44 PM

Hi!

Good! Glad to hear it was able to run through successfully.

Lets see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish


NEXT:



Security Check
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. MalwareBytes' Anti-Malware log file.
3. ESET Online Virus Scan log file.
4. SecurityCheck log file.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.



#15 kathpt (Topic Starter)

Posted 29 January 2013 - 06:37 PM

2.
Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.29.10

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
katheleen :: PC [administrator]

Protection: Disabled

29-01-2013 21:46:46
mbam-log-2013-01-29 (21-46-46).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201639
Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


3. ESET OnlineScan didn't find any threats but on my previous scan with that same program (on the other topic) it quarantined two things.

4.
Results of screen317's Security Check version 0.99.57
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.70.0.1100
Adobe Flash Player 9 Flash Player out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader 10.1.5 Adobe Reader out of Date!
Mozilla Firefox (18.0.1)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````

5.
On MSE when I click on the threats, there is an option that says 'learn more about this item online', they all redirect me to microsoft website:
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Exploit%3aJava%2fCVE-2012-0507.D!ldr&threatid=2147655409

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Exploit%3aJS%2fBlacole.GB&threatid=2147657386

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Flooder%3aJava%2fLoic&threatid=2147645920

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Exploit%3aJava%2fBlacole.EL&threatid=2147654826

Thought that would be relevant.

Edited by kathpt, 29 January 2013 - 07:07 PM.
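The four encyclopedia links in the post above carry the detection names URL-encoded in their name= parameter (Exploit%3aJava%2fCVE-2012-0507.D!ldr is Exploit:Java/CVE-2012-0507.D!ldr). Microsoft detection names follow a fixed scheme, Type:Platform/Family.Variant!Suffix, and splitting them on that scheme is the first triage step: grouped this way, all four detections are Java or JavaScript exploit-kit artifacts rather than a native executable, which is consistent with MBAM and ESET finding nothing while MSE keeps alerting. The Python below is an added example, not from the thread: it extracts the names and threat IDs from the links and parses them. The regular expression is my reading of the public naming scheme, and the meaning of individual suffixes such as !ldr is not stated on this page, so the parser only separates them.

```python
import re
from urllib.parse import parse_qs, urlparse

# The four "learn more about this item online" links from the post above.
ENCYCLOPEDIA_URLS = [
    "http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Exploit%3aJava%2fCVE-2012-0507.D!ldr&threatid=2147655409",
    "http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Exploit%3aJS%2fBlacole.GB&threatid=2147657386",
    "http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Flooder%3aJava%2fLoic&threatid=2147645920",
    "http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Exploit%3aJava%2fBlacole.EL&threatid=2147654826",
]

# Microsoft naming scheme: Type:Platform/Family[.Variant][!Suffix] (assumed from the public convention)
NAME_RE = re.compile(r"""
    ^(?P<type>[A-Za-z]+)              # Exploit, Flooder, Trojan, ...
    :(?P<platform>[A-Za-z0-9_]+)      # Java, JS, Win32, ...
    /(?P<family>[^.!@]+)              # Blacole, Loic, CVE-2012-0507
    (?:\.(?P<variant>[A-Za-z0-9]+))?  # .D, .GB, .EL, .gen
    (?:!(?P<suffix>[A-Za-z0-9]+))?    # !ldr and similar qualifiers
    $""", re.VERBOSE)


def threat_from_url(url: str) -> tuple:
    """Return (name, threatid) from an encyclopedia link; parse_qs URL-decodes the name."""
    qs = parse_qs(urlparse(url).query)
    return qs["name"][0], int(qs["threatid"][0])


def parse_threat_name(name: str) -> dict:
    """Split a detection name into its scheme components; unmatched optional parts are None."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Microsoft-style threat name: {name!r}")
    return m.groupdict()


def summarize(urls: list) -> dict:
    """Group detections by (type, platform) so the responder sees what class of artifact they are."""
    groups = {}
    for url in urls:
        name, tid = threat_from_url(url)
        parts = parse_threat_name(name)
        groups.setdefault((parts["type"], parts["platform"]), []).append((name, tid))
    return groups


if __name__ == "__main__":
    for (ttype, platform), items in sorted(summarize(ENCYCLOPEDIA_URLS).items()):
        print(f"{ttype}:{platform}")
        for name, tid in items:
            p = parse_threat_name(name)
            print(f"    {name:<36} family={p['family']} variant={p['variant']} suffix={p['suffix']} id={tid}")
```

The output puts two Exploit:Java entries, one Exploit:JS entry and one Flooder:Java entry side by side; the family column is what to search for in the vendor write-ups, and the platform column is what tells a responder which caches (Java deployment cache, browser temporary files) the detections most likely refer to.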




