Suspicious Files from Autoruns


24 replies to this topic

#1 digiman

Posted 27 March 2013 - 10:57 PM

Hello,

I am trying to remove a nasty Trojan that McAfee recently found, and reputedly deleted. System is a Win7/XP 32bit dual boot using Easy BCD 1.7.2, infection is on the Win7 partition running McAfee & MB. My confidence remains tepid at best that this is gone, as these things usually require more than one scanner to validate true removal/repair. I however, do not run CF at drop of a hat, like to save that as a last resort tool, among others..

Symptom began with the McAfee notice, and that it cleaned the infection. Residual was an APPcrash notice at logoff/shutdown for rundll32.exe_wshck.dll. This did not pass the "smell test", felt odd. So I began digging deeper.

Ran the usual latest "common tools" - Stinger, MRT, Malwarebytes - which found a Trojan.RedirRdll2.gen. Found something else on another scan, Trojan.Dropper.Win32, cannot recall tool, maybe Kasp Rescue Disk.

Found Reg entry at "HKCU\Software\Microsoft\Windows\CurrentVersion\Run|onsvmg". After checking for hidden files, I found these poor orphans in the C:\Users\*profile*\AppData\Roaming - onsvmg.dll, rundll32.exe, and bcmau.dll. Renamed them to _OLD. Re-ran FULL McAfee Scan which found and deleted these... Hmmm...

Ran McAfee RootKit Remover, neg, ran Kasp TDSSkiller - neg, ran Symantec FixZeroAccess - neg. Ran CCleaner & Glary to dump Flash/Java, & other temp/cache as hiding places of malware.

So, visited an old haunt at Bleeping Computer and made a run to update my malware tool kit & burned a CD.

Ran Autoruns to gather more data, and found the following with no association or signature, MFE_RR.sys, synth3dvsc.sys, tsusbhub.sys, rdvgkmd.sys. These set me off to dig further and found the MFE_RR file most concerning, as it is associated with a Rootkit ZeroAccess bug that infects/corrupts the TCP/IP stack. How charming!

While posting this I installed and ran Spybot SD which found a 'Coupon Toolbar' add-in that may be the culprit, or vector for the infection. This is being removed with a reboot, as one reg entry persisted.

Instead of wasting more time, thought I would get advice on where to go from here, as I remain suspicious of this malware. Please advise next cleaner/tool to run?





#2 narenxp (BC Advisor)

Posted 27 March 2013 - 10:59 PM

Do not run any other tools when you are being assisted here. Please follow the instructions alone.

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue
  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) in your reply
  • Due to the forum upgrade you may face issues posting the TDSSKiller log. Just the last few lines of the log are sufficient

===================================================

RKILL
  • Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another.) and save it to your desktop:
  • Link 1
  • Link 2

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • Note: You may have to run Rkill a few times before it is successful. You may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

===================================================

ESET Online Scanner

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click the ESET Smart Installer link to download it. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button

===================================================

Junkware Removal Tool by thisisu
  • Please download Junkware Removal Tool
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply.

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • TDSSKiller log
  • RKILL log
  • ESET log
  • Junkware removal tool log

 



#3 digiman (Topic Starter)

Posted 28 March 2013 - 09:23 PM

narenxp,

Thank you for handling my case. Apologies for the delay, as the Spybot scan and others above took quite some time to complete.

I have included the log files requested below, as instructed.

TDSSKiller Log - (edited for brevity, as requested)

01:42:33.0529 2492  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
01:42:34.0029 2492  ============================================================
01:42:34.0029 2492  Current date / time: 2013/03/28 01:42:34.0029
01:42:34.0029 2492  SystemInfo:
01:42:34.0029 2492 
01:42:34.0029 2492  OS Version: 6.1.7601 ServicePack: 1.0
01:42:34.0029 2492  Product type: Workstation
:

01:42:34.0029 2492  Boot type: Normal boot
01:42:34.0029 2492  ============================================================
01:42:35.0308 2492  BG loaded
01:42:36.0025 2492  Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
01:42:36.0166 2492  ============================================================
01:42:36.0166 2492  \Device\Harddisk0\DR0:
01:42:36.0166 2492  MBR partitions:
01:42:36.0166 2492  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4E1EDEC
01:42:36.0166 2492  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x4E1F000, BlocksNum 0x183A6000
01:42:36.0166 2492  ============================================================
01:42:36.0197 2492  C: <-> \Device\Harddisk0\DR0\Partition2
01:42:36.0259 2492  D: <-> \Device\Harddisk0\DR0\Partition1
01:42:36.0259 2492  ============================================================
01:42:36.0259 2492  Initialize success

:

01:44:37.0790 3564  ============================================================
01:44:37.0790 3564  Scan finished
01:44:37.0790 3564  ============================================================
01:44:37.0806 3480  Detected object count: 0
01:44:37.0806 3480  Actual detected object count: 0
01:47:38.0095 2488  Deinitialize success

 

RKILL Log -

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/28/2013 07:50:28 PM in x86 mode.
Windows Version: Windows 7 Enterprise Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * WinDefend [Missing ImagePath]
 * wscsvc [Missing ImagePath]

 * FontCache => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:

  127.0.0.1       localhost
  ::1             localhost

Program finished at: 03/28/2013 07:50:36 PM
Execution time: 0 hours(s), 0 minute(s), and 7 seconds(s)

 

ESET Log - (nice tool, took a long while, but scanned both Win7 & WinXP partitions)

C:\Users\Oaktree\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\40beea46-5cd54f4d a variant of Java/Exploit.CVE-2012-1723.FD trojan cleaned by deleting - quarantined
 

JRT Log -

Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.3 (03.23.2013:1)
OS: Windows 7 Enterprise x86
Ran by Granite on Thu 03/28/2013 at 21:37:28.62
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\imside1egate.application.1

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Granite\appdata\locallow\couponalert_2p"
Successfully deleted: [Folder] "C:\Program Files\couponalert_2pei"
Successfully deleted: [Folder] "C:\Program Files\coupons"

 

~~~ Event Viewer Logs were cleared

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 03/28/2013 at 21:41:14.12
End of JRT log


Again, my thanks for handling the case,

digiman :-)
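A PowerShell triage script, added here as an illustration and not code from the thread or from any of the tools it names, that repeats the manual checks from post #1 (the HKCU Run key and the driver names Autoruns listed) and the checks the Rkill log above reports (the Windows Defender DisableAntiSpyware value and service ImagePath entries). It assumes an elevated PowerShell prompt on the Win7 install and that the drivers sit in System32\drivers; substitute the paths Autoruns shows if they differ.

```powershell
# Added triage script (not from the thread). Run elevated on the Win7 partition.
# It re-checks the places the thread examined by hand so the result is reproducible.

$driverNames     = 'MFE_RR.sys', 'synth3dvsc.sys', 'tsusbhub.sys', 'rdvgkmd.sys'  # names from post #1
$servicesToCheck = 'WinDefend', 'wscsvc', 'FontCache'                             # names from the Rkill log

function Get-RunKeyEntries {
    # Lists every value under the per-user Run key. A command that points into
    # AppData\Roaming (like the onsvmg entry in post #1) is flagged for review.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |   # drop PSPath, PSDrive, etc.
        ForEach-Object {
            New-Object PSObject -Property @{
                Name      = $_.Name
                Command   = $_.Value
                InAppData = ($_.Value -match '\\AppData\\')
            }
        }
}

function Test-DriverSignature {
    param([string[]]$Names)
    # Assumed location: System32\drivers. Reports Authenticode status and signer
    # for each driver so an "unsigned" Autoruns entry can be confirmed or cleared.
    foreach ($n in $Names) {
        $path = Join-Path "$env:SystemRoot\System32\drivers" $n
        if (-not (Test-Path $path)) {
            New-Object PSObject -Property @{ Driver = $n; Status = 'NotPresent'; Signer = '' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        New-Object PSObject -Property @{ Driver = $n; Status = $sig.Status.ToString(); Signer = $signer }
    }
}

function Get-DefenderDisabledFlag {
    # Rkill reported DisableAntiSpyware = dword:1 under this key.
    # $null means the value is absent, which is the default (Defender not disabled by policy).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableAntiSpyware
}

function Test-ServiceImagePath {
    param([string[]]$Names)
    # Mirrors Rkill's "Missing ImagePath" check by reading ImagePath directly from
    # the service's registry key. An empty value matches what Rkill flagged above.
    foreach ($n in $Names) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        $image = $null
        if (Test-Path $key) {
            $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        }
        New-Object PSObject -Property @{
            Service   = $n
            ImagePath = $image
            Missing   = [string]::IsNullOrEmpty($image)
        }
    }
}

'== HKCU Run entries =='
Get-RunKeyEntries | Format-Table Name, InAppData, Command -AutoSize
'== Driver signatures =='
Test-DriverSignature -Names $driverNames | Format-Table Driver, Status, Signer -AutoSize
'== Windows Defender DisableAntiSpyware (null = not set) =='
Get-DefenderDisabledFlag
'== Service ImagePath values =='
Test-ServiceImagePath -Names $servicesToCheck | Format-Table Service, Missing, ImagePath -AutoSize
```

The script only reads; it changes nothing, so the output can be compared against the Rkill and Autoruns results before any removal tool is run.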



#4 narenxp (BC Advisor)

Posted 28 March 2013 - 09:49 PM

Malwarebytes

Please download Malwarebytes Anti-Malware and save it to your desktop. If you already have it installed launch the program and update the database.

  • Make sure you are connected to the Internet and double-click on it to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings except to uncheck any offer for a free Pro trial version
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

===================================================

Farbar's MiniToolBox
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the MiniToolBox icon to launch the program
  • Make sure the following options are checked:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Devices
    • List Users, Partitions and Memory size.

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply

===================================================

Farbar's Service Scanner

Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

===================================================

AdwCleaner by Xplode - Search for Adware
  • Please download AdwCleaner by Xplode onto your desktop.
  • Security software may flag it as malicious. This is a false positive and can be ignored.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on DELETE
  • Click YES if you receive a warning for reboot
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well

===================================================

Autoruns
 
  • Please download AutoRuns and save it to your desktop
  • Double click the AutoRuns.zip folder
  • Double click autoruns.exe (not autorunsc.exe), select Run, then Run again and allow the information to populate
  • Select File, Save, Desktop (in the left hand pane), then Save filename as Autoruns.txt and change Save as type to Text (*.txt).
  • Double click on the text file,copy and paste the contents in your reply



Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • Malwarebytes log
  • MiniToolBox log
  • Farbar's Service Scanner log
  • AdwCleaner log
  • Autoruns log



#5 digiman (Topic Starter)

Posted 28 March 2013 - 10:55 PM

narenxp,

Below are Logs you requested.

MB -

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.28.13

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Granite :: OAKSTONE [administrator]

3/28/2013 11:01:05 PM
mbam-log-2013-03-28 (23-01-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 247210
Time elapsed: 11 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

MiniTool Box -

 

MiniToolBox by Farbar  Version:05-03-2013
Ran by Granite (administrator) on 28-03-2013 at 23:27:05
Running from "C:\Users\Granite\Desktop"
Windows 7 Enterprise Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

::1             localhost

127.0.0.1       localhost

========================= IP Configuration: ================================

Intel® PRO/100 VE Network Connection = Local Area Connection (Connected)
Cisco Systems VPN Adapter = Local Area Connection 2 (Hardware not present)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled taskoffload=disabled
set interface interface="Local Area Connection" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Local Area Connection 2" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled


popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Oakstone
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Stonewall

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : Stonewall
   Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
   Physical Address. . . . . . . . . : 00-19-D1-54-89-A3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b407:a66b:9aa7:627%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.14(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, March 28, 2013 10:33:09 PM
   Lease Expires . . . . . . . . . . : Monday, May 27, 2013 10:33:08 PM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DHCPv6 IAID . . . . . . . . . . . : 234887633
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-41-C0-38-00-19-D1-54-89-A3
   DNS Servers . . . . . . . . . . . : 192.168.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.Stonewall:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : Stonewall
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:2867:12e5:9dbc:6234(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2867:12e5:9dbc:6234%12(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  UnKnown
Address:  192.168.2.1

Name:    google.com
Addresses:  2607:f8b0:4002:801::1008
   173.194.37.37
   173.194.37.38
   173.194.37.39
   173.194.37.40
   173.194.37.41
   173.194.37.46
   173.194.37.32
   173.194.37.33
   173.194.37.34
   173.194.37.35
   173.194.37.36


Pinging google.com [173.194.37.37] with 32 bytes of data:
Reply from 173.194.37.37: bytes=32 time=40ms TTL=48
Reply from 173.194.37.37: bytes=32 time=47ms TTL=48

Ping statistics for 173.194.37.37:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 40ms, Maximum = 47ms, Average = 43ms
Server:  UnKnown
Address:  192.168.2.1

Name:    yahoo.com
Addresses:  98.139.183.24
   206.190.36.45
   98.138.253.109


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=236ms TTL=41
Reply from 98.139.183.24: bytes=32 time=315ms TTL=41

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 236ms, Maximum = 315ms, Average = 275ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 10...00 19 d1 54 89 a3 ......Intel® PRO/100 VE Network Connection
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.14     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link      192.168.2.14    276
     192.168.2.14  255.255.255.255         On-link      192.168.2.14    276
    192.168.2.255  255.255.255.255         On-link      192.168.2.14    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.2.14    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.2.14    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 12     58 2001::/32                On-link
 12    306 2001:0:9d38:953c:2867:12e5:9dbc:6234/128
                                    On-link
 10    276 fe80::/64                On-link
 12    306 fe80::/64                On-link
 12    306 fe80::2867:12e5:9dbc:6234/128
                                    On-link
 10    276 fe80::b407:a66b:9aa7:627/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    306 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog5 06 C:\Windows\System32\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 07 C:\Windows\System32\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============

Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe Acrobat 9 Pro - English, Français, Deutsch (Version: 9.5.4)
Adobe Acrobat 9.5.4 - CPSID_83708
Adobe Flash Player 11 ActiveX (Version: 11.6.602.171)
Amazon MP3 Downloader 1.0.14 (Version: 1.0.14)
Apple Application Support (Version: 1.5.1)
Apple Mobile Device Support (Version: 3.4.0.25)
Apple Software Update (Version: 2.1.2.120)
Auslogics Disk Defrag (Version: 3.6)
Bonjour (Version: 2.0.5.0)
Brother MFL-Pro Suite MFC-J825DW (Version: 1.1.6.0)
CCleaner (Version: 3.27)
Cisco Systems VPN Client 5.0.07.0290 (Version: 5.0.6)
EasyBCD 1.7.2 (Version: 1.7.2)
ESET Online Scanner v3
Glary Utilities 2.52.0.1698 (Version: 2.52.0.1698)
iTunes (Version: 10.2.2.12)
LSI PCI-SV92PP Soft Modem (Version: 2.2.98)
Malwarebytes Anti-Malware version 1.70.0.1100 (Version: 1.70.0.1100)
McAfee Agent (Version: 4.0.0.1180)
McAfee VirusScan Enterprise (Version: 8.7.0)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MSXML 4.0 SP3 Parser (KB2758694) (Version: 4.30.2117.0)
MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)
Nuance PaperPort 12 (Version: 12.1.0000)
Nuance PDF Viewer Plus (Version: 5.30.3290)
NVIDIA 3D Vision Driver 306.97 (Version: 306.97)
NVIDIA Control Panel 306.97 (Version: 306.97)
NVIDIA Display Control Panel (Version: 6.14.11.9621)
NVIDIA Graphics Driver 306.97 (Version: 306.97)
NVIDIA Install Application (Version: 2.1002.85.551)
NVIDIA Stereoscopic 3D Driver (Version: 7.17.13.0697)
NVIDIA Update 1.10.8 (Version: 1.10.8)
NVIDIA Update Components (Version: 1.10.8)
PaperPort Image Printer (Version: 1.00.0001)
PVSonyDll (Version: 1.00.0001)
QuickTime (Version: 7.69.80.9)
Roxio Activation Module (Version: 1.0)
Roxio Creator Audio (Version: 3.5.0)
Roxio Creator Copy (Version: 3.5.0)
Roxio Creator Data (Version: 3.5.0)
Roxio Creator DE (Version: 3.5.0)
Roxio Creator Tools (Version: 3.5.0)
Scansoft PDF Professional
Sonic CinePlayer Decoder Pack (Version: 4.2.0)
Spybot - Search & Destroy (Version: 1.6.2)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)

========================= Devices: ================================

Name: Cisco Systems VPN Adapter
Description: Cisco Systems VPN Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: CVirtA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 69%
Total physical RAM: 1021.96 MB
Available physical RAM: 312.04 MB
Total Pagefile: 2045.96 MB
Available Pagefile: 1014.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 1927.05 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:193.82 GB) (Free:162.24 GB) NTFS
2 Drive d: () (Fixed) (Total:39.06 GB) (Free:30.54 GB) NTFS
3 Drive e: (Malware CleanUp) (CDROM) (Total:0.23 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\OAKSTONE

Granite                  Guest                    Oaktree                 
UpdatusUser             


**** End of log ****

 

FSS -

 

Farbar Service Scanner Version: 03-03-2013
Ran by Granite (administrator) on 28-03-2013 at 23:31:41
Running from "C:\Users\Granite\Desktop"
Windows 7 Enterprise Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of wscsvc. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of wscsvc. The value does not exist.
Unable to retrieve ServiceDll of wscsvc. The value does not exist.

 

AdwCleaner -

# AdwCleaner v2.115 - Logfile created 03/28/2013 at 23:35:50
# Updated 17/03/2013 by Xplode
# Operating system : Windows 7 Enterprise Service Pack 1 (32 bits)
# User : Granite - OAKSTONE
# Boot Mode : Normal
# Running from : C:\Users\Granite\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Oaktree\AppData\LocalLow\CouponAlert_2p

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\CouponAlert_2p
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5F701D7D-C869-41F0-B0E2-8136F02B539C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A786F51D-B3C7-4F52-91EF-E1A892C2A2AE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAB77009-B974-48DF-8229-E70CFAA11C69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EBAA6283-B61F-4DDD-9659-56635433A307}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFB4F034-3EB5-48D5-84DD-89BBCF9A182F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2AF08E71-3657-462F-898C-F7E791948F94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965DCF-718F-4148-BECF-5A2B466F4556}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F99D2AE-5C90-43C2-A2FE-81DBE512E2FC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225F6C9-CF64-4D6D-AE8A-169779FD7B4D}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1933 octets] - [27/03/2013 22:21:11]
AdwCleaner[R2].txt - [1869 octets] - [28/03/2013 23:34:08]
AdwCleaner[R3].txt - [1929 octets] - [28/03/2013 23:35:24]
AdwCleaner[S1].txt - [1884 octets] - [28/03/2013 23:35:50]

########## EOF - C:\AdwCleaner[S1].txt - [1944 octets] ##########

 

Autoruns -

"HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup" "" "" ""
"HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown" "" "" ""
"HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logoff" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "Acrobat Assistant 8.0" "AcroTray" "(Verified) Adobe Systems" "c:\program files\adobe\acrobat 9.0\acrobat\acrotray.exe"
+ "Adobe Acrobat Speed Launcher" "Adobe Acrobat SpeedLauncher" "(Verified) Adobe Systems" "c:\program files\adobe\acrobat 9.0\acrobat\acrobat_sl.exe"
+ "Adobe ARM" "Adobe Reader and Acrobat Manager" "(Verified) Adobe Systems" "c:\program files\common files\adobe\arm\1.0\adobearm.exe"
+ "BrStsMon00" "Status Monitor Application" "(Not verified) Brother Industries, Ltd." "c:\program files\browny02\brother\brstmonw.exe"
+ "ControlCenter4" "ControlCenter Launcher" "(Not verified) Brother Industries, Ltd." "c:\program files\controlcenter4\brccboot.exe"
+ "IndexSearch" "PaperPort IndexSearch" "(Verified) Nuance Communications" "c:\program files\nuance\paperport\indexsearch.exe"
+ "iTunesHelper" "iTunesHelper" "(Verified) Apple Inc." "c:\program files\itunes\ituneshelper.exe"
+ "McAfeeUpdaterUI" "Common User Interface" "(Verified) McAfee" "c:\program files\mcafee\common framework\udaterui.exe"
+ "PaperPort PTD" "PaperPort Print to Desktop for NT" "(Verified) Nuance Communications" "c:\program files\nuance\paperport\pptd40nt.exe"
+ "PDF5 Registry Controller" "PDF Converter Registry Controller" "(Verified) Nuance Communications" "c:\program files\nuance\pdf viewer plus\registrycontroller.exe"
+ "PDFHook" "PdfCreateHook Application" "(Verified) Nuance Communications" "c:\program files\nuance\pdf viewer plus\pdfpro5hook.exe"
+ "PPort12reminder" "Ereg" "(Verified) Nuance Communications" "c:\program files\nuance\paperport\ereg\ereg.exe"
+ "QuickTime Task" "QuickTime Task" "(Not verified) Apple Inc." "c:\program files\quicktime\qttask.exe"
+ "ShStatEXE" "VirusScan tray icon" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\shstat.exe"
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce" "" "" ""
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" "" "" ""
+ "VPN Client.lnk" "" "" "c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\icon3e5562ed7.ico"
"C:\Users\Granite\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" "" "" ""
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load" "" "" ""
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" "" "" ""
"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" "" "" ""
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect" "" "" ""
"HKCU\SOFTWARE\Classes\Protocols\Filter" "" "" ""
"HKLM\SOFTWARE\Classes\Protocols\Filter" "" "" ""
"HKCU\SOFTWARE\Classes\Protocols\Handler" "" "" ""
"HKLM\SOFTWARE\Classes\Protocols\Handler" "" "" ""
"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" "" "" ""
"HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
+ "Adobe.Acrobat.ContextMenu" "Adobe Acrobat Context Menu" "(Verified) Adobe Systems" "c:\program files\adobe\acrobat 9.0\acrobat elements\contextmenu.dll"
+ "Glary Utilities" "Context Menu Handler" "(Verified) Glarysoft Ltd" "c:\program files\glary utilities\contexthandler.dll"
+ "VirusScan" "Shell Extension" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\shext.dll"
"HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
"HKCU\Software\Classes\*\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers" "" "" ""
"HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
+ "MBAMShlExt" "Malwarebytes Anti-Malware" "(Verified) Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
"HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
"HKCU\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers" "" "" ""
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers" "" "" ""
"HKCU\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers" "" "" ""
"HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
+ "VirusScan" "Shell Extension" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\shext.dll"
"HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
"HKCU\Software\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
"HKCU\Software\Classes\Directory\Shellex\PropertySheetHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Directory\Shellex\PropertySheetHandlers" "" "" ""
"HKCU\Software\Classes\Directory\Shellex\CopyHookHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Directory\Shellex\CopyHookHandlers" "" "" ""
"HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
+ "NvCplDesktopContext" "" "(Verified) NVIDIA Corporation" "c:\windows\system32\nvshext.dll"
"HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
"HKCU\Software\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
"HKLM\Software\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
+ "PDF Shell Extension" "PDF Shell Extension" "(Verified) Adobe Systems" "c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
"HKLM\Software\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
"HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
+ "Adobe.Acrobat.ContextMenu" "Adobe Acrobat Context Menu" "(Verified) Adobe Systems" "c:\program files\adobe\acrobat 9.0\acrobat elements\contextmenu.dll"
+ "Glary Utilities" "Context Menu Handler" "(Verified) Glarysoft Ltd" "c:\program files\glary utilities\contexthandler.dll"
+ "MBAMShlExt" "Malwarebytes Anti-Malware" "(Verified) Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
+ "VirusScan" "Shell Extension" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\shext.dll"
"HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
"HKCU\Software\Classes\Folder\ShellEx\DragDropHandlers" "" "" ""
"HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers" "" "" ""
"HKCU\Software\Classes\Folder\ShellEx\ExtShellFolderViews" "" "" ""
"HKLM\Software\Classes\Folder\ShellEx\ExtShellFolderViews" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews" "" "" ""
"HKCU\Software\Classes\Folder\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Classes\Folder\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" "" "" ""
"HKCU\Software\Microsoft\Ctf\LangBarAddin" "" "" ""
"HKLM\Software\Microsoft\Ctf\LangBarAddin" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
+ "Adobe PDF Conversion Toolbar Helper" "Adobe PDF Toolbar for Internet Explorer" "(Verified) Adobe Systems" "c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll"
+ "Adobe PDF Link Helper" "Adobe PDF Helper for Internet Explorer" "(Verified) Adobe Systems" "c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll"
+ "Java™ Plug-In 2 SSV Helper" "" "" "File not found: C:\Program Files\Java\jre6\bin\jp2ssv.dll"
+ "PlusIEEventHelper Class" "PlusIEContextMenu.dll" "(Not verified) Zeon Corporation" "c:\program files\nuance\pdf viewer plus\bin\plusiecontextmenu.dll"
+ "scriptproxy" "VSCore Script Scanner" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\scriptsn.dll"
+ "SmartSelect Class" "Adobe PDF Toolbar for Internet Explorer" "(Verified) Adobe Systems" "c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll"
+ "Spybot-S&D IE Protection" "SBSD IE Protection" "(Verified) Safer Networking Ltd." "c:\program files\spybot - search & destroy\sdhelper.dll"
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
"HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks" "" "" ""
"HKLM\Software\Microsoft\Internet Explorer\Toolbar" "" "" ""
+ "Adobe PDF" "Adobe PDF Toolbar for Internet Explorer" "(Verified) Adobe Systems" "c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll"
"HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar" "" "" ""
"HKCU\Software\Microsoft\Internet Explorer\Explorer Bars" "" "" ""
"HKLM\Software\Microsoft\Internet Explorer\Explorer Bars" "" "" ""
"HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars" "" "" ""
"HKCU\Software\Microsoft\Internet Explorer\Extensions" "" "" ""
"HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" ""
+ "Spybot - Search & Destroy Configuration" "SBSD IE Protection" "(Verified) Safer Networking Ltd." "c:\program files\spybot - search & destroy\sdhelper.dll"
"HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions" "" "" ""
"Task Scheduler" "" "" ""
+ "\CCleanerSkipUAC" "CCleaner" "(Verified) Piriform Ltd" "c:\program files\ccleaner\ccleaner.exe"
+ "\GlaryInitialize" "Glary Utilities Initialize" "(Verified) Glarysoft Ltd" "c:\program files\glary utilities\initialize.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "Apple Mobile Device" "Provides the interface to Apple mobile devices." "(Verified) Apple Inc." "c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe"
+ "Bonjour Service" "Enables hardware devices and software services to automatically configure themselves on the network and advertise their presence." "(Verified) Apple Inc." "c:\program files\bonjour\mdnsresponder.exe"
+ "BrYNSvc" "BrYNCSvc" "(Not verified) Brother Industries, Ltd." "c:\program files\browny02\brynsvc.exe"
+ "CVPND" "Cisco Systems VPN Client" "(Verified) Cisco Systems" "c:\program files\cisco systems\vpn client\cvpnd.exe"
+ "FLEXnet Licensing Service" "This service performs licensing functions on behalf of FLEXnet enabled products." "(Not verified) Macrovision Europe Ltd." "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe"
+ "HGYBN" "Rootkit detection utility" "(Not verified) Sysinternals - www.sysinternals.com" "c:\users\granite\appdata\local\temp\hgybn.exe"
+ "iPod Service" "iPod hardware management services" "(Verified) Apple Inc." "c:\program files\ipod\bin\ipodservice.exe"
+ "McAfeeEngineService" "McAfee Engine Service" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\engineserver.exe"
+ "McAfeeFramework" "Shared component framework for McAfee products" "(Verified) McAfee" "c:\program files\mcafee\common framework\frameworkservice.exe"
+ "McShield" "Provides McAfee On-Access scanning protection of your computer system." "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\mcshield.exe"
+ "McTaskManager" "Allows scheduling of McAfee scanning and updating activities." "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\vstskmgr.exe"
+ "mfevtp" "Provides validation trust protection services" "(Verified) McAfee" "c:\windows\system32\mfevtps.exe"
+ "nvsvc" "Provides system and desktop level support to the NVIDIA display driver" "(Verified) NVIDIA Corporation" "c:\windows\system32\nvvsvc.exe"
+ "nvUpdatusService" "NVIDIA Settings Update Manager service, used to check new updates from NVIDIA server." "(Verified) NVIDIA Corporation" "c:\program files\nvidia corporation\nvidia update core\daemonu.exe"
+ "PDFProFiltSrvPP" "PDFPro IFilter Service" "(Verified) Nuance Communications" "c:\program files\nuance\paperport\pdfprofiltsrvpp.exe"
+ "Stereo Service" "Provides system support for NVIDIA Stereoscopic 3D driver" "(Verified) NVIDIA Corporation" "c:\program files\nvidia corporation\3d vision\nvscpapisvr.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "CVPNDRVA" "Cisco Systems VPN Client IPSec Driver" "(Not verified) Cisco Systems, Inc." "c:\windows\system32\drivers\cvpndrva.sys"
+ "MFE_RR" "McAfee Labs Rootkit Remover Driver" "(Verified) McAfee" "c:\users\granite\appdata\local\temp\mfe_rr.sys"
+ "mfeapfk" "Access Protection Filter Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mfeapfk.sys"
+ "mfeavfk" "Anti-Virus File System Filter Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mfeavfk.sys"
+ "mfebopk" "Buffer Overflow Protection Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mfebopk.sys"
+ "mfehidk" "McAfee Link Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mfehidk.sys"
+ "mferkdet" "McAfee Code Analysis Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mferkdet.sys"
+ "mfetdik" "Anti-Virus Mini-Firewall Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mfetdik.sys"
+ "PxHelp20" "Px Engine Device Driver for Windows 2000/XP" "(Verified) Sonic Solutions" "c:\windows\system32\drivers\pxhelp20.sys"
+ "Synth3dVsc" "" "" "File not found: System32\drivers\synth3dvsc.sys"
+ "tsusbhub" "@%SystemRoot%\system32\drivers\tsusbhub.sys,-2" "" "File not found: system32\drivers\tsusbhub.sys"
+ "VGPU" "" "" "File not found: System32\drivers\rdvgkmd.sys"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
"HKCU\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
"HKCU\Software\Classes\Filter" "" "" ""
"HKLM\Software\Classes\Filter" "" "" ""
"HKCU\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
"HKCU\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
"HKCU\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance" "" "" ""
"HKCU\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance" "" "" ""
"HKCU\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance" "" "" ""
"HKCU\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance" "" "" ""
"HKCU\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance" "" "" ""
"HKCU\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance" "" "" ""
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
+ "Sonic Cinemaster® Audio Decoder 4.2" "SonicHDAudio" "(Verified) Sonic Solutions" "c:\program files\common files\sonic shared\cinemasteraudio.dll"
+ "Sonic Cinemaster® VideoDecoder 4.1" "CinemasterVideo" "(Verified) Sonic Solutions" "c:\program files\common files\sonic shared\cinemastervideo.dll"
+ "Sonic HD Demuxer" "Sonic HD Demuxer" "(Verified) Sonic Solutions" "c:\program files\common files\sonic shared\sonichddemuxer.dll"
+ "Sonic HD Nav" "SonicHDNav" "(Verified) Sonic Solutions" "c:\program files\common files\sonic shared\sonichdnav.dll"
"HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
"HKLM\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance" "" "" ""
"HKLM\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance" "" "" ""
"HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance" "" "" ""
"HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance" "" "" ""
"HKLM\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance" "" "" ""
"HKLM\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\Execute" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand" "" "" ""
"HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension" "" "" ""
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "" "" ""
"HKLM\Software\Microsoft\Command Processor\Autorun" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Command Processor\Autorun" "" "" ""
"HKCU\Software\Microsoft\Command Processor\Autorun" "" "" ""
"HKCU\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)" "" "" ""
"HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)" "" "" ""
"HKLM\Software\Classes\.exe" "" "" ""
"HKCU\Software\Classes\.exe" "" "" ""
"HKLM\Software\Classes\.cmd" "" "" ""
"HKCU\Software\Classes\.cmd" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls" "" "" ""
"HKLM\SYSTEM\Setup\CmdLine" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SaveDumpStart" "" "" ""
"HKCU\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe" "" "" ""
"HKCU\Control Panel\Desktop\Scrnsave.exe" "" "" ""
"HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath" "" "" ""
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries" "" "" ""
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries" "" "" ""
+ "mdnsNSP" "Bonjour Namespace Provider" "(Verified) Apple Inc." "c:\program files\bonjour\mdnsnsp.dll"
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64" "" "" ""
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" "" "" ""
+ "Adobe PDF Port Monitor" "Adobe PDF Port  Monitor DLL" "(Verified) Adobe Systems" "c:\windows\system32\adobepdf.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" "" "" ""
"C:\Users\Granite\AppData\Local\Microsoft\Windows Sidebar\Settings.ini" "" "" ""

 

>> Have uninstalled old Java, source of some woes here, downloaded latest from CNET.

>> The AdwCleaner instructions for my version were vague, but winged it.

     I had "Search - Delete - Uninstall" buttons on my version, a minor difference.

 

Regards,

digiman
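As an added triage example (not part of this thread and not code from Sysinternals), here is a small Python parser for the four-column Autoruns text export shown above; it flags entries whose signature is not verified, whose image runs from a temp directory, or whose image file is missing. The sample lines are a constructed subset copied from the log above, and the scoring rules are my own assumptions that give a review order, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the Autoruns export in the
# thread above. Location headers are lines of four quoted fields with the last
# three empty; entries start with "+ " and carry name, description, signer, path.
SAMPLE_LOG = r'''
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "Adobe ARM" "Adobe Reader and Acrobat Manager" "(Verified) Adobe Systems" "c:\program files\common files\adobe\arm\1.0\adobearm.exe"
+ "QuickTime Task" "QuickTime Task" "(Not verified) Apple Inc." "c:\program files\quicktime\qttask.exe"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
+ "Java Plug-In 2 SSV Helper" "" "" "File not found: C:\Program Files\Java\jre6\bin\jp2ssv.dll"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "HGYBN" "Rootkit detection utility" "(Not verified) Sysinternals - www.sysinternals.com" "c:\users\granite\appdata\local\temp\hgybn.exe"
+ "MFE_RR" "McAfee Labs Rootkit Remover Driver" "(Verified) McAfee" "c:\users\granite\appdata\local\temp\mfe_rr.sys"
'''


@dataclass
class AutorunEntry:
    location: str      # registry key or folder header the entry sits under
    name: str
    description: str
    signer: str        # e.g. "(Verified) McAfee" or "(Not verified) Vendor"
    image_path: str


@dataclass
class Finding:
    entry: AutorunEntry
    severity: str                       # "high", "medium" or "low" (assumed scale)
    reasons: list = field(default_factory=list)


_FIELD_RE = re.compile(r'"([^"]*)"')

# Assumed markers for "runs from a scratch directory"; matched case-insensitively.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")


def parse_autoruns(text: str) -> list:
    """Turn the Autoruns text export into AutorunEntry objects, tracking the
    location header each '+' entry belongs to. Malformed lines are skipped."""
    entries, location = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_entry = line.startswith("+ ")
        fields = _FIELD_RE.findall(line[2:] if is_entry else line)
        if len(fields) != 4:
            continue                      # not in the four-column format
        if not is_entry:
            location = fields[0]          # a header: remember it for later rows
            continue
        name, desc, signer, path = fields
        entries.append(AutorunEntry(location, name, desc, signer, path))
    return entries


def triage(entries: list) -> list:
    """Score entries worth a second look. 'Not verified' alone is common for
    legitimate vendors (printer and media tools above), and a verified scanner
    driver may legitimately live in Temp (MFE_RR above), so the output is a
    review order for the analyst, not a malware verdict."""
    findings = []
    for e in entries:
        path_l = e.image_path.lower()
        reasons = []
        if path_l.startswith("file not found:"):
            reasons.append("image file missing (dangling autostart entry)")
            severity = "low"
        else:
            unverified = not e.signer.startswith("(Verified)")
            in_temp = any(m in path_l for m in TEMP_MARKERS)
            if unverified:
                reasons.append("signature not verified: %r" % e.signer)
            if in_temp:
                reasons.append("image runs from a temp directory")
            severity = "high" if (unverified and in_temp) else "medium"
        if reasons:
            findings.append(Finding(e, severity, reasons))
    return findings


def summarize(text: str) -> dict:
    """Convenience wrapper: entry name -> severity for everything flagged."""
    return {f.entry.name: f.severity for f in triage(parse_autoruns(text))}


if __name__ == "__main__":
    for f in triage(parse_autoruns(SAMPLE_LOG)):
        print("[%-6s] %s  (%s)" % (f.severity, f.entry.name, f.entry.location))
        for r in f.reasons:
            print("         - " + r)
```

On the sample, HGYBN is the only high-severity row because it combines an unverified signer with a Temp path; the verified McAfee driver in the same folder scores medium.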
 



#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:12:33 PM

Posted 29 March 2013 - 05:53 AM

Post Farbar Service Scanner log, AdwCleaner log

 

Autoruns log is incomplete. Allow it some time to populate the entries and then save it to a text file.



#7 digiman

digiman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:33 PM

Posted 29 March 2013 - 07:16 AM

narenxp,

 

Thanks. Thought I had the FSS Logs and AdwCleaner logs in post. Must have not copied. Will get those this afternoon/evening, and re-run to completion the Autoruns piece to gather Log data.

 

regards,

digiman



#8 digiman

digiman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:33 PM

Posted 29 March 2013 - 07:22 AM

narenxp,

 

For some reason FSS & AdwCleaner Logs dropped off the thread. Found them in editorial mode, they are included below. Will re-post autoruns Log this evening.

 

FSS -

 

Farbar Service Scanner Version: 03-03-2013
Ran by Granite (administrator) on 28-03-2013 at 23:31:41
Running from "C:\Users\Granite\Desktop"
Windows 7 Enterprise Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of wscsvc. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of wscsvc. The value does not exist.
Unable to retrieve ServiceDll of wscsvc. The value does not exist.

 

AdwCleaner -

# AdwCleaner v2.115 - Logfile created 03/28/2013 at 23:35:50
# Updated 17/03/2013 by Xplode
# Operating system : Windows 7 Enterprise Service Pack 1 (32 bits)
# User : Granite - OAKSTONE
# Boot Mode : Normal
# Running from : C:\Users\Granite\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Oaktree\AppData\LocalLow\CouponAlert_2p

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\CouponAlert_2p
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5F701D7D-C869-41F0-B0E2-8136F02B539C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A786F51D-B3C7-4F52-91EF-E1A892C2A2AE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAB77009-B974-48DF-8229-E70CFAA11C69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EBAA6283-B61F-4DDD-9659-56635433A307}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFB4F034-3EB5-48D5-84DD-89BBCF9A182F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2AF08E71-3657-462F-898C-F7E791948F94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965DCF-718F-4148-BECF-5A2B466F4556}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F99D2AE-5C90-43C2-A2FE-81DBE512E2FC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225F6C9-CF64-4D6D-AE8A-169779FD7B4D}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1933 octets] - [27/03/2013 22:21:11]
AdwCleaner[R2].txt - [1869 octets] - [28/03/2013 23:34:08]
AdwCleaner[R3].txt - [1929 octets] - [28/03/2013 23:35:24]
AdwCleaner[S1].txt - [1884 octets] - [28/03/2013 23:35:50]

########## EOF - C:\AdwCleaner[S1].txt - [1944 octets] ##########

 

regards,

Digiman



#9 digiman

digiman
  • Topic Starter

  • Members
  • 15 posts

Posted 29 March 2013 - 08:33 PM

narenxp,

 

FSS & AdwCleaner Logs posted this AM.

 

For some reason Autoruns halts at this last line, same as before, and goes to the ready state.

 

"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" "" "" ""
"C:\Users\Granite\AppData\Local\Microsoft\Windows Sidebar\Settings.ini" "" "" ""

 

Will boot into safe mode and run from that environ as I did before. Seems to have completed then.

 

regards,

digiman



#10 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 29 March 2013 - 08:36 PM

Ok, make sure to run this too.

 

Download Services repair tool from here

ServicesRepair

  • Double-click ServicesRepair.exe
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool is finished you will be prompted to restart your computer. Click Yes to restart.

Run Farbar Service Scanner again and post the new log.
 



#11 digiman

digiman
  • Topic Starter

  • Members
  • 15 posts

Posted 29 March 2013 - 09:07 PM

narenxp,

 

Ran ServicesRepair and the unit rebooted.

 

FSS Log below -

 

Farbar Service Scanner Version: 03-03-2013
Ran by Granite (administrator) on 29-03-2013 at 22:02:50
Running from "C:\Users\Granite\Desktop"
Windows 7 Enterprise Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-15 11:47] - [2013-01-03 01:05] - 1293672 ____A (Microsoft Corporation) 7C0507D2391AF5933600CBCED799F277

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

 

thanks,

digiman



#12 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 30 March 2013 - 03:56 AM

Autoruns log?



#13 digiman

digiman
  • Topic Starter

  • Members
  • 15 posts

Posted 30 March 2013 - 11:32 AM

narenxp,

 

Autoruns Log 3 - (Everything Tab)

"HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup" "" "" ""
"HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown" "" "" ""
"HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff" "" "" ""
"HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logoff" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "Acrobat Assistant 8.0" "AcroTray" "(Verified) Adobe Systems" "c:\program files\adobe\acrobat 9.0\acrobat\acrotray.exe"
+ "Adobe Acrobat Speed Launcher" "Adobe Acrobat SpeedLauncher" "(Verified) Adobe Systems" "c:\program files\adobe\acrobat 9.0\acrobat\acrobat_sl.exe"
+ "Adobe ARM" "Adobe Reader and Acrobat Manager" "(Verified) Adobe Systems" "c:\program files\common files\adobe\arm\1.0\adobearm.exe"
+ "BrStsMon00" "Status Monitor Application" "(Not verified) Brother Industries, Ltd." "c:\program files\browny02\brother\brstmonw.exe"
+ "ControlCenter4" "ControlCenter Launcher" "(Not verified) Brother Industries, Ltd." "c:\program files\controlcenter4\brccboot.exe"
+ "IndexSearch" "PaperPort IndexSearch" "(Verified) Nuance Communications" "c:\program files\nuance\paperport\indexsearch.exe"
+ "iTunesHelper" "iTunesHelper" "(Verified) Apple Inc." "c:\program files\itunes\ituneshelper.exe"
+ "McAfeeUpdaterUI" "Common User Interface" "(Verified) McAfee" "c:\program files\mcafee\common framework\udaterui.exe"
+ "PaperPort PTD" "PaperPort Print to Desktop for NT" "(Verified) Nuance Communications" "c:\program files\nuance\paperport\pptd40nt.exe"
+ "PDF5 Registry Controller" "PDF Converter Registry Controller" "(Verified) Nuance Communications" "c:\program files\nuance\pdf viewer plus\registrycontroller.exe"
+ "PDFHook" "PdfCreateHook Application" "(Verified) Nuance Communications" "c:\program files\nuance\pdf viewer plus\pdfpro5hook.exe"
+ "PPort12reminder" "Ereg" "(Verified) Nuance Communications" "c:\program files\nuance\paperport\ereg\ereg.exe"
+ "QuickTime Task" "QuickTime Task" "(Not verified) Apple Inc." "c:\program files\quicktime\qttask.exe"
+ "ShStatEXE" "VirusScan tray icon" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\shstat.exe"
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce" "" "" ""
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" "" "" ""
+ "VPN Client.lnk" "" "" "c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\icon3e5562ed7.ico"
"C:\Users\Granite\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" "" "" ""
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load" "" "" ""
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" "" "" ""
"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" "" "" ""
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect" "" "" ""
"HKCU\SOFTWARE\Classes\Protocols\Filter" "" "" ""
"HKLM\SOFTWARE\Classes\Protocols\Filter" "" "" ""
"HKCU\SOFTWARE\Classes\Protocols\Handler" "" "" ""
"HKLM\SOFTWARE\Classes\Protocols\Handler" "" "" ""
"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" "" "" ""
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" "" "" ""
"HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
+ "Adobe.Acrobat.ContextMenu" "Adobe Acrobat Context Menu" "(Verified) Adobe Systems" "c:\program files\adobe\acrobat 9.0\acrobat elements\contextmenu.dll"
+ "Glary Utilities" "Context Menu Handler" "(Verified) Glarysoft Ltd" "c:\program files\glary utilities\contexthandler.dll"
+ "VirusScan" "Shell Extension" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\shext.dll"
"HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
"HKCU\Software\Classes\*\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers" "" "" ""
"HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
+ "MBAMShlExt" "Malwarebytes Anti-Malware" "(Verified) Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
"HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
"HKCU\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers" "" "" ""
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers" "" "" ""
"HKCU\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers" "" "" ""
"HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
+ "VirusScan" "Shell Extension" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\shext.dll"
"HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
"HKCU\Software\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
"HKCU\Software\Classes\Directory\Shellex\PropertySheetHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Directory\Shellex\PropertySheetHandlers" "" "" ""
"HKCU\Software\Classes\Directory\Shellex\CopyHookHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Directory\Shellex\CopyHookHandlers" "" "" ""
"HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
+ "NvCplDesktopContext" "" "(Verified) NVIDIA Corporation" "c:\windows\system32\nvshext.dll"
"HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
"HKCU\Software\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
"HKLM\Software\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
+ "PDF Shell Extension" "PDF Shell Extension" "(Verified) Adobe Systems" "c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
"HKLM\Software\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
"HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
+ "Adobe.Acrobat.ContextMenu" "Adobe Acrobat Context Menu" "(Verified) Adobe Systems" "c:\program files\adobe\acrobat 9.0\acrobat elements\contextmenu.dll"
+ "Glary Utilities" "Context Menu Handler" "(Verified) Glarysoft Ltd" "c:\program files\glary utilities\contexthandler.dll"
+ "MBAMShlExt" "Malwarebytes Anti-Malware" "(Verified) Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
+ "VirusScan" "Shell Extension" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\shext.dll"
"HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
"HKCU\Software\Classes\Folder\ShellEx\DragDropHandlers" "" "" ""
"HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers" "" "" ""
"HKCU\Software\Classes\Folder\ShellEx\ExtShellFolderViews" "" "" ""
"HKLM\Software\Classes\Folder\ShellEx\ExtShellFolderViews" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews" "" "" ""
"HKCU\Software\Classes\Folder\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Classes\Folder\ShellEx\PropertySheetHandlers" "" "" ""
"HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers" "" "" ""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" "" "" ""
"HKCU\Software\Microsoft\Ctf\LangBarAddin" "" "" ""
"HKLM\Software\Microsoft\Ctf\LangBarAddin" "" "" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
+ "Adobe PDF Conversion Toolbar Helper" "Adobe PDF Toolbar for Internet Explorer" "(Verified) Adobe Systems" "c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll"
+ "Adobe PDF Link Helper" "Adobe PDF Helper for Internet Explorer" "(Verified) Adobe Systems" "c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll"
+ "Java™ Plug-In 2 SSV Helper" "" "" "File not found: C:\Program Files\Java\jre6\bin\jp2ssv.dll"
+ "PlusIEEventHelper Class" "PlusIEContextMenu.dll" "(Not verified) Zeon Corporation" "c:\program files\nuance\pdf viewer plus\bin\plusiecontextmenu.dll"
+ "scriptproxy" "VSCore Script Scanner" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\scriptsn.dll"
+ "SmartSelect Class" "Adobe PDF Toolbar for Internet Explorer" "(Verified) Adobe Systems" "c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll"
+ "Spybot-S&D IE Protection" "SBSD IE Protection" "(Verified) Safer Networking Ltd." "c:\program files\spybot - search & destroy\sdhelper.dll"
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
"HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks" "" "" ""
"HKLM\Software\Microsoft\Internet Explorer\Toolbar" "" "" ""
+ "Adobe PDF" "Adobe PDF Toolbar for Internet Explorer" "(Verified) Adobe Systems" "c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll"
"HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar" "" "" ""
"HKCU\Software\Microsoft\Internet Explorer\Explorer Bars" "" "" ""
"HKLM\Software\Microsoft\Internet Explorer\Explorer Bars" "" "" ""
"HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars" "" "" ""
"HKCU\Software\Microsoft\Internet Explorer\Extensions" "" "" ""
"HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" ""
+ "Spybot - Search & Destroy Configuration" "SBSD IE Protection" "(Verified) Safer Networking Ltd." "c:\program files\spybot - search & destroy\sdhelper.dll"
"HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions" "" "" ""
"Task Scheduler" "" "" ""
+ "\CCleanerSkipUAC" "CCleaner" "(Verified) Piriform Ltd" "c:\program files\ccleaner\ccleaner.exe"
+ "\GlaryInitialize" "Glary Utilities Initialize" "(Verified) Glarysoft Ltd" "c:\program files\glary utilities\initialize.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "Apple Mobile Device" "Provides the interface to Apple mobile devices." "(Verified) Apple Inc." "c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe"
+ "Bonjour Service" "Enables hardware devices and software services to automatically configure themselves on the network and advertise their presence." "(Verified) Apple Inc." "c:\program files\bonjour\mdnsresponder.exe"
+ "BrYNSvc" "BrYNCSvc" "(Not verified) Brother Industries, Ltd." "c:\program files\browny02\brynsvc.exe"
+ "CVPND" "Cisco Systems VPN Client" "(Verified) Cisco Systems" "c:\program files\cisco systems\vpn client\cvpnd.exe"
+ "FLEXnet Licensing Service" "This service performs licensing functions on behalf of FLEXnet enabled products." "(Not verified) Macrovision Europe Ltd." "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe"
+ "HGYBN" "Rootkit detection utility" "(Not verified) Sysinternals - www.sysinternals.com" "c:\users\granite\appdata\local\temp\hgybn.exe"
+ "iPod Service" "iPod hardware management services" "(Verified) Apple Inc." "c:\program files\ipod\bin\ipodservice.exe"
+ "McAfeeEngineService" "McAfee Engine Service" "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\engineserver.exe"
+ "McAfeeFramework" "Shared component framework for McAfee products" "(Verified) McAfee" "c:\program files\mcafee\common framework\frameworkservice.exe"
+ "McShield" "Provides McAfee On-Access scanning protection of your computer system." "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\mcshield.exe"
+ "McTaskManager" "Allows scheduling of McAfee scanning and updating activities." "(Verified) McAfee" "c:\program files\mcafee\virusscan enterprise\vstskmgr.exe"
+ "mfevtp" "Provides validation trust protection services" "(Verified) McAfee" "c:\windows\system32\mfevtps.exe"
+ "nvsvc" "Provides system and desktop level support to the NVIDIA display driver" "(Verified) NVIDIA Corporation" "c:\windows\system32\nvvsvc.exe"
+ "nvUpdatusService" "NVIDIA Settings Update Manager service, used to check new updates from NVIDIA server." "(Verified) NVIDIA Corporation" "c:\program files\nvidia corporation\nvidia update core\daemonu.exe"
+ "PDFProFiltSrvPP" "PDFPro IFilter Service" "(Verified) Nuance Communications" "c:\program files\nuance\paperport\pdfprofiltsrvpp.exe"
+ "Stereo Service" "Provides system support for NVIDIA Stereoscopic 3D driver" "(Verified) NVIDIA Corporation" "c:\program files\nvidia corporation\3d vision\nvscpapisvr.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "CVPNDRVA" "Cisco Systems VPN Client IPSec Driver" "(Not verified) Cisco Systems, Inc." "c:\windows\system32\drivers\cvpndrva.sys"
+ "MBAMSwissArmy" "Malwarebytes' Anti-Malware" "(Verified) Malwarebytes Corporation" "c:\windows\system32\drivers\mbamswissarmy.sys"
+ "MFE_RR" "McAfee Labs Rootkit Remover Driver" "(Verified) McAfee" "c:\users\granite\appdata\local\temp\mfe_rr.sys"
+ "mfeapfk" "Access Protection Filter Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mfeapfk.sys"
+ "mfeavfk" "Anti-Virus File System Filter Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mfeavfk.sys"
+ "mfebopk" "Buffer Overflow Protection Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mfebopk.sys"
+ "mfehidk" "McAfee Link Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mfehidk.sys"
+ "mferkdet" "McAfee Code Analysis Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mferkdet.sys"
+ "mfetdik" "Anti-Virus Mini-Firewall Driver" "(Verified) McAfee" "c:\windows\system32\drivers\mfetdik.sys"
+ "PxHelp20" "Px Engine Device Driver for Windows 2000/XP" "(Verified) Sonic Solutions" "c:\windows\system32\drivers\pxhelp20.sys"
+ "Synth3dVsc" "" "" "File not found: System32\drivers\synth3dvsc.sys"
+ "tsusbhub" "@%SystemRoot%\system32\drivers\tsusbhub.sys,-2" "" "File not found: system32\drivers\tsusbhub.sys"
+ "VGPU" "" "" "File not found: System32\drivers\rdvgkmd.sys"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
"HKCU\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
"HKCU\Software\Classes\Filter" "" "" ""
"HKLM\Software\Classes\Filter" "" "" ""
"HKCU\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
"HKCU\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
"HKCU\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance" "" "" ""
"HKCU\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance" "" "" ""
"HKCU\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance" "" "" ""
"HKCU\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance" "" "" ""
"HKCU\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance" "" "" ""
"HKCU\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance" "" "" ""
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
+ "Sonic Cinemaster® Audio Decoder 4.2" "SonicHDAudio" "(Verified) Sonic Solutions" "c:\program files\common files\sonic shared\cinemasteraudio.dll"
+ "Sonic Cinemaster® VideoDecoder 4.1" "CinemasterVideo" "(Verified) Sonic Solutions" "c:\program files\common files\sonic shared\cinemastervideo.dll"
+ "Sonic HD Demuxer" "Sonic HD Demuxer" "(Verified) Sonic Solutions" "c:\program files\common files\sonic shared\sonichddemuxer.dll"
+ "Sonic HD Nav" "SonicHDNav" "(Verified) Sonic Solutions" "c:\program files\common files\sonic shared\sonichdnav.dll"
"HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
"HKLM\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance" "" "" ""
"HKLM\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance" "" "" ""
"HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance" "" "" ""
"HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance" "" "" ""
"HKLM\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance" "" "" ""
"HKLM\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\Execute" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand" "" "" ""
"HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension" "" "" ""
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "" "" ""
"HKLM\Software\Microsoft\Command Processor\Autorun" "" "" ""
"HKLM\Software\Wow6432Node\Microsoft\Command Processor\Autorun" "" "" ""
"HKCU\Software\Microsoft\Command Processor\Autorun" "" "" ""
"HKCU\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)" "" "" ""
"HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)" "" "" ""
"HKLM\Software\Classes\.exe" "" "" ""
"HKCU\Software\Classes\.exe" "" "" ""
"HKLM\Software\Classes\.cmd" "" "" ""
"HKCU\Software\Classes\.cmd" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls" "" "" ""
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls" "" "" ""
"HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls" "" "" ""
"HKLM\SYSTEM\Setup\CmdLine" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" ""
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SaveDumpStart" "" "" ""
"HKCU\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe" "" "" ""
"HKCU\Control Panel\Desktop\Scrnsave.exe" "" "" ""
"HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath" "" "" ""
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries" "" "" ""
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries" "" "" ""
+ "mdnsNSP" "Bonjour Namespace Provider" "(Verified) Apple Inc." "c:\program files\bonjour\mdnsnsp.dll"
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64" "" "" ""
"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" "" "" ""
+ "Adobe PDF Port Monitor" "Adobe PDF Port  Monitor DLL" "(Verified) Adobe Systems" "c:\windows\system32\adobepdf.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages" "" "" ""
"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" "" "" ""
"C:\Users\Granite\AppData\Local\Microsoft\Windows Sidebar\Settings.ini" "" "" ""
 

digiman
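The Autoruns "Everything" export above is long, and most of it is verified vendor code under Program Files. When triaging such a log the entries worth a second look are the ones with no verified signature, the ones whose image file is missing (dangling autostart entries), and the ones that run from a user-writable profile or temp directory, which is exactly where the opening post found onsvmg.dll and its companions. The script below is an added example, not code from this thread, from Sysinternals or from BleepingComputer: it parses the quoted-field text layout Autoruns produced here (a location line with four quoted fields, then "+ "-prefixed entry lines with name, description, publisher and image path) and applies those three triage heuristics. The sample input is constructed and modelled on lines from the log above plus the HKCU Run entry the opening post describes; the directory list and the reason strings are this example's own choices. A flag means "look at this first", not "this is malicious": the HGYBN service in the real log is unsigned and runs from Temp, yet its description says it is a rootkit-detection utility, so the output is a prioritised reading list for the analyst, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the Autoruns text-export layout seen in this thread.
# The "onsvmg" line is modelled on the entry the opening post describes;
# the others are copied from the posted log.
SAMPLE_EXPORT = r'''
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "McAfeeUpdaterUI" "Common User Interface" "(Verified) McAfee" "c:\program files\mcafee\common framework\udaterui.exe"
+ "QuickTime Task" "QuickTime Task" "(Not verified) Apple Inc." "c:\program files\quicktime\qttask.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "onsvmg" "" "" "c:\users\granite\appdata\roaming\onsvmg.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
+ "Java Plug-In 2 SSV Helper" "" "" "File not found: C:\Program Files\Java\jre6\bin\jp2ssv.dll"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "HGYBN" "Rootkit detection utility" "(Not verified) Sysinternals - www.sysinternals.com" "c:\users\granite\appdata\local\temp\hgybn.exe"
'''

# One quoted field; the export never contains embedded quotes, so this is enough.
FIELD = re.compile(r'"([^"]*)"')

# Assumed heuristic: autostart code living in a user-writable profile/temp
# location deserves a look regardless of what its description claims.
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\temp\\")


@dataclass
class AutorunEntry:
    location: str      # the autostart location (registry key or folder) the entry belongs to
    name: str
    description: str
    publisher: str     # "(Verified) X", "(Not verified) X" or empty
    image_path: str    # may start with "File not found: "


def parse_autoruns_export(text: str) -> List[AutorunEntry]:
    """Parse the Autoruns text export into entries, each tagged with its location."""
    entries: List[AutorunEntry] = []
    location = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_entry = line.startswith("+ ")
        fields = FIELD.findall(line[2:] if is_entry else line)
        if len(fields) != 4:
            continue  # not in the four-field export layout; skip rather than guess
        if is_entry:
            entries.append(AutorunEntry(location, *fields))
        else:
            location = fields[0]  # a location header: following "+" lines belong to it
    return entries


def triage(entry: AutorunEntry) -> List[str]:
    """Return the reasons an entry deserves attention (empty list = nothing flagged)."""
    reasons: List[str] = []
    path = entry.image_path.lower()
    if path.startswith("file not found:"):
        # A dangling entry cannot run; it is cleanup material, not an active threat.
        return ["dangling entry: image file missing"]
    if not entry.publisher:
        reasons.append("no publisher/signature information")
    elif entry.publisher.lower().startswith("(not verified)"):
        reasons.append("signature not verified")
    if any(d in path for d in SUSPECT_DIRS):
        reasons.append("runs from a user-writable profile/temp directory")
    return reasons


def triage_export(text: str) -> List[Tuple[str, str, List[str]]]:
    """(location, name, reasons) for every entry that triggers at least one heuristic."""
    flagged = []
    for entry in parse_autoruns_export(text):
        reasons = triage(entry)
        if reasons:
            flagged.append((entry.location, entry.name, reasons))
    return flagged


if __name__ == "__main__":
    for location, name, reasons in triage_export(SAMPLE_EXPORT):
        print(f"{name:28} @ {location}")
        for reason in reasons:
            print(f"    - {reason}")
```

To use it on a real export, read the saved Autoruns text file into `triage_export` instead of `SAMPLE_EXPORT`; verified entries under Program Files drop out, and what remains is the short list to check by hash and by file properties before deciding what to remove.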



#14 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 30 March 2013 - 01:15 PM

Click on the start menu and type

cmd

Right-click on it, select Run as administrator, and run these commands:


reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "Run" > %userprofile%\desktop\log.txt
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "Run" >> %userprofile%\desktop\log.txt

 

Post the contents of the log.txt on desktop here.



#15 digiman

digiman
  • Topic Starter

  • Members
  • 15 posts

Posted 30 March 2013 - 08:12 PM

narenxp,

 

Opened the command prompt as Admin. Copied & pasted the exact commands into the shell, with results below:
 

C:\Users\Granite>reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "
Run" > %userprofile%\desktop\log.txt
ERROR: The system was unable to find the specified registry key or value.

C:\Users\Granite>reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "
Run" >> %userprofile%\desktop\log.txt
ERROR: The system was unable to find the specified registry key or value.

 

Did not generate a log file.

 

digiman


