multiple Explorer.exe using high CPU and Mem resources


  • This topic is locked
36 replies to this topic

#1 dancefusion

  • Members
  • 25 posts

Posted 08 September 2014 - 06:11 AM

Hi, I have XP Pro SP3 and yesterday was infected with a ransomware virus for the first time. I ran Malwarebytes in safe mode and also the Windows Malicious Software Removal Tool. It stated that both programs removed malware; however, now I have multiple explorer.exe and svchost.exe files running whenever online and using immense amounts of CPU and memory (up to 1,800,000 k, YEAH THAT MUCH!). I also deleted Internet Explorer as it appeared to be running in the background and I never use that browser. Attached is a DDS log, and below are logfiles from HijackThis, OTL, OTL Extra, and GMER in that order.

 



Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 3:39:16 AM, on 9/8/2014
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
CHROME: 27.0.1453.116
FIREFOX: 31.0 (x86 en-US)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
D:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>
R3 - URLSearchHook: (no name) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [{c766cd67-6376-60aa-40ff-88ed0a3d6c03}] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\{c766cd67-6376-60aa-40ff-88ed0a3d6c03}\{c766cd67-6376-60aa-40ff-88ed0a3d6c03}.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://D:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Translate this web page with Babylon - res://D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files\Browny02\BrYNSvc.exe
O23 - Service: EPSON V5 Service4(04) (EPSON_EB_RPCV4_04) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
O23 - Service: EPSON V3 Service4(04) (EPSON_PM_RPCV4_04) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo. - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - D:\Program Files\Skype\Updater\Updater.exe

--
End of file - 7819 bytes
 

OTL logfile created on: 9/8/2014 5:26:56 AM - Run 2

OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

 

2.97 Gb Total Physical Memory | 0.47 Gb Available Physical Memory | 15.71% Memory free

4.82 Gb Paging File | 2.51 Gb Available in Paging File | 52.03% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 34.18 Gb Total Space | 11.47 Gb Free Space | 33.56% Space Free | Partition Type: NTFS

Drive D: | 29.29 Gb Total Space | 26.34 Gb Free Space | 89.90% Space Free | Partition Type: NTFS

Drive E: | 28.28 Gb Total Space | 28.19 Gb Free Space | 99.70% Space Free | Partition Type: NTFS

 

Computer Name: FORRESTSLAPTOP | User Name: Administrator | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Processes (SafeList) ==========

 

PRC - [2014/09/08 03:05:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

PRC - [2014/08/25 00:09:52 | 000,182,696 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe

PRC - [2014/07/23 07:05:52 | 000,275,568 | ---- | M] (Mozilla Corporation) -- D:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2011/05/04 17:10:32 | 000,025,824 | ---- | M] (Memeo) -- C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe

PRC - [2011/03/18 23:59:40 | 001,422,680 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Microsoft Office\Office14\WINWORD.EXE

PRC - [2009/09/24 15:03:58 | 000,475,220 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe

PRC - [2009/09/23 13:38:18 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

PRC - [2009/09/14 05:00:00 | 000,153,600 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE

PRC - [2009/09/14 05:00:00 | 000,121,856 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE

PRC - [2008/04/13 22:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

 

 

========== Modules (No Company Name) ==========

 

MOD - [2014/09/07 20:44:46 | 003,194,880 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll

MOD - [2014/09/07 20:44:42 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll

MOD - [2014/09/07 20:44:38 | 004,550,656 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

MOD - [2014/09/07 20:44:35 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll

MOD - [2014/09/07 20:44:31 | 002,052,096 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll

MOD - [2014/09/07 20:44:28 | 000,114,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll

MOD - [2014/07/23 07:05:50 | 003,800,688 | ---- | M] () -- D:\Program Files\Mozilla Firefox\mozjs.dll

MOD - [2014/07/09 18:51:43 | 017,029,808 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_14_0_0_145.dll

MOD - [2014/03/28 05:35:02 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll

MOD - [2011/03/17 01:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF

 

 

========== Services (SafeList) ==========

 

SRV - File not found [Auto | Stopped] -- %SYSTEMROOT%\system32\wscsvc.dll -- (wscsvc)

SRV - File not found [Auto | Stopped] -- %SystemRoot%\System32\ersvc.dll -- (ERSvc)

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc)

SRV - [2014/08/25 00:09:52 | 000,182,696 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2014/07/23 07:05:50 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2014/07/09 18:51:45 | 000,262,320 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2013/12/19 00:41:02 | 030,814,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)

SRV - [2013/10/23 09:15:08 | 000,172,192 | R--- | M] (Skype Technologies) [Auto | Stopped] -- D:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)

SRV - [2011/08/26 01:16:05 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2011/05/04 17:10:32 | 000,025,824 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe -- (MemeoBackgroundService)

SRV - [2010/01/25 08:22:56 | 000,245,760 | ---- | M] (Brother Industries, Ltd.) [On_Demand | Stopped] -- C:\Program Files\Browny02\BrYNSvc.exe -- (BrYNSvc)

SRV - [2009/09/24 15:03:58 | 000,475,220 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (acs)

SRV - [2009/09/23 13:38:18 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)

SRV - [2009/09/14 05:00:00 | 000,153,600 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE -- (EPSON_EB_RPCV4_04)

SRV - [2009/09/14 05:00:00 | 000,121,856 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE -- (EPSON_PM_RPCV4_04)

 

 

========== Driver Services (SafeList) ==========

 

DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\qrjoauit.sys -- (qrjoauit)

DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)

DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)

DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)

DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)

DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)

DRV - File not found [Kernel | System | Stopped] --  -- (Changer)

DRV - [2014/03/06 23:34:40 | 000,320,120 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)

DRV - [2013/05/31 14:17:45 | 000,013,560 | ---- | M] (GFI Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\gfibto.sys -- (gfibto)

DRV - [2013/04/11 11:06:45 | 000,041,584 | ---- | M] (ThreatTrack Security) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gfiark.sys -- (gfiark)

DRV - [2013/02/11 20:32:23 | 000,012,928 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)

DRV - [2011/05/29 16:21:13 | 000,033,088 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)

DRV - [2010/12/10 15:02:02 | 000,017,408 | ---- | M] (WonderMedia Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wmvad.sys -- (wmvad_simple)

DRV - [2010/09/07 14:09:06 | 000,013,680 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\smiif32.sys -- (lenovo.smi)

DRV - [2009/04/03 11:18:06 | 001,347,168 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)

DRV - [2008/02/08 09:46:36 | 000,057,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)

DRV - [2007/07/03 19:10:12 | 000,132,904 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\imagesrv.sys -- (imagesrv)

DRV - [2007/07/03 19:10:10 | 000,011,304 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\imagedrv.sys -- (imagedrv)

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKCU\..\URLSearchHook: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - No CLSID value found

IE - HKCU\..\SearchScopes,DefaultScope = {9A879329-D500-431B-84C2-1E05749A1474}

IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={33427617-E734-4452-9B7C-E906B219F52C}&mid=&lang=&ds=&pr=&d=&v=&sap=dsp&q={searchTerms}

IE - HKCU\..\SearchScopes\{9A879329-D500-431B-84C2-1E05749A1474}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>

 

========== FireFox ==========

 

FF - prefs.js..extensions.enabledAddons: amznUWL2%40amazon.com:1.10

FF - prefs.js..extensions.enabledAddons: %7B20a82645-c095-46ed-80e3-08825760534b%7D:0.0.0

FF - prefs.js..extensions.enabledAddons: ocr%40babylon.com:1.1

FF - prefs.js..extensions.enabledAddons: %7Bb9db16a4-6edc-47ec-a1f4-b86292ed211d%7D:4.9.24

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:31.0

FF - prefs.js..network.proxy.type: 0

 

 

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_14_0_0_145.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Web Player Plug-In,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.67.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.67.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: D:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: D:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.149\npGoogleUpdate3.dll File not found

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.149\npGoogleUpdate3.dll File not found

 

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\ocr@babylon.com: D:\Program Files\Babylon\Babylon-Pro\Utils\ocr@babylon.com [2013/07/23 13:16:58 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 31.0\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2014/07/23 07:04:51 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 31.0\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2014/08/23 12:59:54 | 000,000,000 | ---D | M]

 

[2011/04/24 23:16:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions

[2014/09/06 03:19:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\extensions

[2014/09/06 03:19:06 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

[2012/09/20 05:09:37 | 000,243,287 | ---- | M] () (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\extensions\amznUWL2@amazon.com.xpi

[2001/08/23 07:00:00 | 000,004,816 | ---- | M] () (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\extensions\rqhtrjxzba@rqhtrjxzba.org.xpi

[2014/07/23 06:08:01 | 000,967,685 | ---- | M] () (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

[2011/09/12 03:07:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION

[2013/07/23 13:16:58 | 000,000,000 | ---D | M] (Babylon Translation Activation) -- D:\PROGRAM FILES\BABYLON\BABYLON-PRO\UTILS\OCR@BABYLON.COM

 

========== Chrome  ==========

 

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter},

CHR - homepage: http://www.google.com/

CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\PepperFlash\pepflashplayer.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\28.0.1500.71\gcswf32.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll

CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer

CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\28.0.1500.71\ppGoogleNaClPluginChrome.dll

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\28.0.1500.71\pdf.dll

CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll

CHR - plugin: Java Deployment Toolkit 6.0.310.5 (Enabled) = D:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

CHR - plugin: Java™ Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll

CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit)  (Enabled) = D:\Program Files\Mozilla Firefox\plugins\nppl3260.dll

CHR - plugin: RealPlayer Version Plugin (Enabled) = D:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll

CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = D:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = D:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = D:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = D:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = D:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = D:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

CHR - plugin: ScorchPlugin (Enabled) = D:\Program Files\Mozilla Firefox\plugins\NPSibelius.dll

CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.115\npGoogleUpdate3.dll

CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll

CHR - plugin: DivX Plus Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll

CHR - plugin: 3DVIA player (Enabled) = C:\Program Files\Virtools\3D Life Player\npvirtools.dll

CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll

CHR - plugin: Microsoft Office 2010 (Enabled) = D:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL

CHR - plugin: Microsoft Office 2010 (Enabled) = D:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL

CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll

CHR - Extension: Awesome Screenshot: Capture & Annotate = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\alelhddbbhepgpmgidjdcjakblofbmce\3.6.12_0\

CHR - Extension: Google Drive = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\

CHR - Extension: Add to Amazon Wish List = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ciagpekplgpbepdgggflgmahnjgiaced\1.0.0.10_0\

CHR - Extension: Facebook for Chrome = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gdalhedleemkkdjddjgfjmcnbpejpapp\6.4.2_0\

CHR - Extension: Klout (beta) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jjaakbhpcbpmojkhpiaacepfcaniglak\1.5_0\

CHR - Extension: Hangouts = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nckgahadagoaajjgafhacjanaoiihapd\2014.410.434.1_0\

CHR - Extension: Lavasoft NewTab = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\oejkcgajlodefenbbjdnaiahmbnnoole\0.8_0\

CHR - Extension: Bitdefender QuickScan = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pdnkcidphdcakpkheohlhocaicfamjie\0.9.9.141_0\

 

O1 HOSTS File: ([2012/10/18 14:30:56 | 000,000,801 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1       localhost

O1 - Hosts: 66.98.148.65 auto.search.msn.com

O1 - Hosts: 66.98.148.65 auto.search.msn.es

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (Babylon IE plugin) - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)

O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Run = "C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\IEUpdate\fsutil.exe"

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Se&nd to OneNote - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O8 - Extra context menu item: Translate this web page with Babylon - D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)

O8 - Extra context menu item: Translate with Babylon - D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra Button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)

O9 - Extra 'Tools' menuitem : Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 10.67.2)

O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 10.67.2)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5868ED0A-968F-4E02-98D4-5A7BF7D803AB}: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - D:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2011/04/24 21:06:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{1097e89a-a330-11e0-bf8f-0022695ac437}\Shell\AutoRun\command - "" = G:\setupSNK.exe

O33 - MountPoints2\{6640e392-018a-11e1-bfc3-0022695ac437}\Shell - "" = AutoRun

O33 - MountPoints2\{6640e392-018a-11e1-bfc3-0022695ac437}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{6640e392-018a-11e1-bfc3-0022695ac437}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a

O33 - MountPoints2\{fbdf7c40-1028-11e2-8023-0022695ac437}\Shell - "" = AutoRun

O33 - MountPoints2\{fbdf7c40-1028-11e2-8023-0022695ac437}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{fbdf7c40-1028-11e2-8023-0022695ac437}\Shell\AutoRun\command - "" = F:\setup.exe -a

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2014/09/08 05:04:52 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent

[2014/09/08 04:11:09 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2014/09/08 04:02:18 | 000,000,000 | ---D | C] -- C:\Qoobox

[2014/09/08 04:02:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos

[2014/09/08 04:02:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures

[2014/09/08 04:02:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music

[2014/09/08 04:01:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt

[2014/09/08 03:05:33 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2014/09/08 02:46:47 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

[2014/09/08 01:08:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2014/09/08 00:57:48 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2014/09/07 20:35:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\DivX Movies

[2014/09/07 17:39:06 | 000,172,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\scrrun.dll

[2014/09/07 17:38:31 | 000,287,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\gdi32.dll

[2014/09/07 17:22:38 | 000,012,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usb8023x.sys

[2014/09/07 17:22:38 | 000,012,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usb8023.sys

[2014/09/07 17:22:00 | 000,123,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbvideo.sys

[2014/09/07 17:22:00 | 000,060,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbaudio.sys

[2014/09/07 17:22:00 | 000,046,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irbus.sys

[2014/09/07 17:19:45 | 000,144,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbport.sys

[2014/09/07 17:19:45 | 000,032,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys

[2014/09/07 17:19:45 | 000,030,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbehci.sys

[2014/09/07 17:19:45 | 000,005,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbd.sys

[2014/09/07 05:44:00 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\All Users\Application Data\Atheros

[2014/09/07 02:06:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore

[2014/08/25 00:10:27 | 000,272,808 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe

[2014/08/25 00:10:13 | 000,175,528 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe

[2014/08/25 00:10:13 | 000,175,528 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe

[2014/08/25 00:10:13 | 000,096,680 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll

[2014/08/24 01:36:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\13868

[2014/08/22 23:16:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\DivX

[2014/08/21 21:54:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype

[2014/08/14 16:28:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla

[2014/08/13 00:13:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google

[2011/05/05 19:19:18 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Administrator\Application Data\pcouffin.sys

[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014/09/08 05:32:48 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2014/09/08 05:08:01 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At2.job

[2014/09/08 05:08:00 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At1.job

[2014/09/08 05:06:50 | 000,002,228 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2014/09/08 05:06:49 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2014/09/08 05:06:49 | 000,000,586 | ---- | M] () -- C:\WINDOWS\tasks\Amazon Music Helper.job

[2014/09/08 05:06:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2014/09/08 05:06:35 | 3194,163,200 | -HS- | M] () -- C:\hiberfil.sys

[2014/09/08 04:06:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1326574676-1417001333-500UA.job

[2014/09/08 03:09:40 | 000,380,416 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\esbx530n.exe

[2014/09/08 03:05:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2014/09/08 02:51:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

[2014/09/08 02:47:00 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

[2014/09/08 02:22:39 | 000,001,984 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2014/09/08 00:57:52 | 000,000,663 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk

[2014/09/07 20:45:03 | 000,465,614 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2014/09/07 20:45:03 | 000,079,858 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2014/09/07 20:36:33 | 000,003,817 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\lpm.dat

[2014/09/07 20:35:33 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2014/09/07 19:53:52 | 000,100,021 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\wppl_10.pdf

[2014/09/07 16:06:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1326574676-1417001333-500Core.job

[2014/09/07 00:25:34 | 000,232,988 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\1921 Sept 25 Sunday Oregonian (Portland) pg5 - Peabody One Step.jpg

[2014/09/07 00:20:33 | 000,072,590 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\1915 Philly - Peabody One Step classes.jpg

[2014/09/07 00:15:06 | 000,090,290 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Peabody Contest.jpg

[2014/09/06 23:35:18 | 000,801,098 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\New York NY Times 1915 Feb Grayscale (447).pdf

[2014/09/06 23:17:46 | 000,099,397 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Le Cake-Walk.jpg

[2014/09/06 23:05:41 | 000,029,172 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Peabody.pdf

[2014/09/06 22:17:31 | 000,637,342 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\seq-8.pdf

[2014/09/06 03:48:39 | 031,550,556 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\uiug.30112082607588.pdf

[2014/08/25 00:09:53 | 000,096,680 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll

[2014/08/25 00:09:49 | 000,272,808 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe

[2014/08/25 00:09:49 | 000,175,528 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe

[2014/08/25 00:09:49 | 000,175,528 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe

[2014/08/25 00:09:49 | 000,145,408 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl

[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014/09/08 03:09:29 | 000,380,416 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\esbx530n.exe

[2014/09/08 02:24:52 | 3194,163,200 | -HS- | C] () -- C:\hiberfil.sys

[2014/09/08 00:57:52 | 000,000,663 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk

[2014/09/07 19:53:51 | 000,100,021 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\wppl_10.pdf

[2014/09/07 02:34:37 | 000,003,817 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\lpm.dat

[2014/09/07 00:25:34 | 000,232,988 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\1921 Sept 25 Sunday Oregonian (Portland) pg5 - Peabody One Step.jpg

[2014/09/07 00:20:33 | 000,072,590 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\1915 Philly - Peabody One Step classes.jpg

[2014/09/07 00:15:06 | 000,090,290 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Peabody Contest.jpg

[2014/09/06 23:35:14 | 000,801,098 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\New York NY Times 1915 Feb Grayscale (447).pdf

[2014/09/06 23:17:46 | 000,099,397 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Le Cake-Walk.jpg

[2014/09/06 23:05:40 | 000,029,172 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Peabody.pdf

[2014/09/06 22:17:29 | 000,637,342 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\seq-8.pdf

[2014/09/06 03:45:25 | 031,550,556 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\uiug.30112082607588.pdf

[2014/09/04 21:32:26 | 000,008,172 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML

[2014/09/04 21:32:26 | 000,000,252 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL

[2014/08/07 00:21:44 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\BRADM10A.DAT

[2013/10/22 14:12:42 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\DonationCoder_ScreenshotCaptor_InstallInfo.dat

[2013/10/22 14:12:42 | 000,000,058 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DonationCoder_ScreenshotCaptor_InstallInfo.dat

[2013/09/21 18:37:38 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Administrator\Application Data\Effects

[2013/09/21 18:35:29 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Administrator\Application Data\Electric Clav

[2013/09/21 18:35:28 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Administrator\Application Data\Echo

[2013/09/21 18:34:17 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Administrator\Application Data\Filter

[2013/09/17 00:08:03 | 000,000,092 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\WB.CFG

[2013/01/10 06:18:36 | 000,001,587 | ---- | C] () -- C:\Documents and Settings\Administrator\.recently-used.xbel

[2012/10/21 23:38:26 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll

[2012/07/20 13:30:27 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat

[2011/06/24 12:12:57 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/05/05 19:19:18 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\inst.exe

[2011/05/05 19:19:18 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\pcouffin.cat

[2011/05/05 19:19:18 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\pcouffin.inf

========== ZeroAccess Check ==========

[2011/04/24 21:04:21 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

"ThreadingModel" = Both

"" = shell32.dll -- [2012/06/08 10:26:20 | 008,462,848 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shdocvw.dll -- [2011/06/21 14:18:34 | 001,510,400 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/17 05:21:09 | 000,473,600 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 22:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

< End of report >

OTL Extras logfile created on: 9/8/2014 4:03:51 AM - Run 1

OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.97 Gb Total Physical Memory | 2.59 Gb Available Physical Memory | 86.93% Memory free

4.82 Gb Paging File | 4.60 Gb Available in Paging File | 95.56% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 34.18 Gb Total Space | 12.90 Gb Free Space | 37.75% Space Free | Partition Type: NTFS

Drive D: | 29.29 Gb Total Space | 26.34 Gb Free Space | 89.90% Space Free | Partition Type: NTFS

Drive E: | 28.28 Gb Total Space | 28.19 Gb Free Space | 99.70% Space Free | Partition Type: NTFS

Computer Name: FORRESTSLAPTOP | User Name: Administrator | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.html [@ = htmlfile] -- Reg Error: Key error. File not found

.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML.E4QNRX7665XNPF64DBCHU5PJNQ] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

htmlfile [edit] -- "D:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- Reg Error: Key error.

htmlfile [opennew] -- Reg Error: Key error.

htmlfile [print] -- "D:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome

https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome

InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /k cd "%L" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- Reg Error: Key error.

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Documents and Settings\Administrator\Application Data\uTorrent\uTorrent.exe" = C:\Documents and Settings\Administrator\Application Data\uTorrent\uTorrent.exe:*:Enabled:µTorrent

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.1 (r518)

"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant

"{17795164-3BC1-4D4F-8ADA-65C895EBFC9A}" = Brother MFL-Pro Suite MFC-J6710DW

"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YTD Video Downloader 3.9.6

"{26A24AE4-039D-4CA4-87B4-2F03217067FF}" = Java 7 Update 67

"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31

"{359CFC0A-BEB1-440D-95BA-CF63A86DA34F}" = Nero Recode

"{368BA326-73AD-4351-84ED-3C0A7A52CC53}" = Nero Rescue Agent

"{43E39830-1826-415D-8BAE-86845787B54B}" = Nero Vision

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4E906533-F57F-45BD-A837-FCF24A2C243E}" = TubeSucker

"{4F2D0C45-FA25-47B2-A013-E2B15D3C6E7E}_is1" = X2X Free Video Flip and Rotate 2.0

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{595A3116-40BB-4E0F-A2E8-D7951DA56270}" = NeroExpress

"{5CAD3393-EEC0-44CE-9F93-BCAA365B77FB}" = Nikon Movie Editor

"{5FE545A1-D215-4216-9189-E7B39C9D1CC1}" = Quicken 2011

"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM

"{62AC81F6-BDD3-4110-9D36-3E9EAAB40999}" = Nero CoverDesigner

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{7326DA0C-C09B-491C-81FF-6DA12B2256BB}" = OverDrive Media Console

"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart

"{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}" = Skype™ 6.18

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{869200DB-287A-4DC0-B02B-2B6787FBCD4C}" = Nero DiscSpeed

"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8E666407-AC41-46a2-9692-6C7BFCBFDD37}" = Memeo Instant Backup

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders  (English) 14

"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010

"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010

"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010

"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010

"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010

"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010

"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010

"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010

"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010

"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010

"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010

"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010

"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010

"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010

"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010

"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010

"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003

"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010

"{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{92C5DB3D-9D6F-4324-BB11-57825F4C2635}" = DVD Decoder Pak for Windows XP

"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}" = Brother MFL-Pro Suite

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{9E82B934-9A25-445B-B8DF-8012808074AC}" = Nero PhotoSnap

"{9FAC9E5C-0D20-4DBF-AFE5-2E09C52A95A2}" = ThinkPad 11a/b/g/n Wireless LAN Mini-PCI Express Adapter

"{A209525B-3377-43F4-B886-32F6B6E7356F}" = Nero WaveEditor

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser

"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.11)

"{ACEB2BAF-96DF-48FD-ADD5-43842D4C443D}" = Adobe AIR

"{B014EE44-9197-4513-9613-71E6EB1B514E}" = Nikon Message Center 2

"{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}" = DolbyFiles

"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center

"{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit

"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C5A7CB6C-E76D-408F-BA0E-85605420FE9D}" = SoundTrax

"{C6640705-7479-4EE5-BC86-879F05F65E74}" = Google Drive

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 Service Pack 1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CF097717-F174-4144-954A-FBC4BF301033}" = Nero 7 Ultra Edition

"{D025A639-B9C9-417D-8531-208859000AF8}" = NeroBurningROM

"{D4911E92-A059-4901-8AB3-8638B6D96456}_is1" = Groovedown version 0.84

"{DFC23DA9-8C69-4CD0-BDD5-814AF1CA85EE}_is1" = Siglos Karaoke Professional

"{E498385E-1C51-459A-B45F-1721E37AA1A0}" = Movie Templates - Starter Kit

"{E64C137C-D0B7-467A-B47F-460AAB30F0A3}" = ViewNX 2

"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX

"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 14 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 14 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11.6

"AudioRetoucher_is1" = AudioRetoucher 3.8.5.0

"Babylon" = Babylon

"CCleaner" = CCleaner

"Celestia_is1" = Celestia 1.6.1

"Defraggler" = Defraggler

"Digital Editions" = Adobe Digital Editions

"DivX Setup" = DivX Setup

"DVDFab 9_is1" = DVDFab 9.1.3.1 (07/03/2014)

"EPSON WorkForce 520 Series" = EPSON WorkForce 520 Series Printer Uninstall

"FileZilla Client" = FileZilla Client 3.8.0

"Free Soundcloud Downloader_is1" = FreeSoundcloudDownloader

"GPL Ghostscript 9.09" = GPL Ghostscript

"Groovedown" = Groovedown

"HDMI" = Intel® Graphics Media Accelerator Driver

"KLiteCodecPack_is1" = K-Lite Codec Pack 9.3.0 (Standard)

"LENOVO.SMIIF" = Lenovo System Interface Driver

"LenovoAutoScrollUtility" = Lenovo Auto Scroll Utility

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300

"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox 31.0 (x86 en-US)" = Mozilla Firefox 31.0 (x86 en-US)

"MozillaMaintenanceService" = Mozilla Maintenance Service

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010

"PC Gizmos 136528" = SoundCloud Downloader

"Power Management Driver" = ThinkPad Power Management Driver

"PROSet" = Intel® Network Connections Drivers

"QuicktimeAlt_is1" = QuickTime Alternative 3.2.2

"Scan Tailor" = Scan Tailor

"ScreenshotCaptor_is1" = Screenshot Captor 4.7.2

"Stellarium_is1" = Stellarium 0.11.3

"SynTPDeinstKey" = ThinkPad UltraNav Driver

"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier

"VLC media player" = VideoLAN VLC media player 0.8.6f

"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9

"WIC" = Windows Imaging Component

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"WinRAR archiver" = WinRAR 4.00 (32-bit)

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"Xvid Video Codec 1.3.2" = Xvid Video Codec

 

========== HKEY_CURRENT_USER Uninstall List ==========

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Amazon Amazon Cloud Player" = Amazon Cloud Player

"Dropbox" = Dropbox

"Google Chrome" = Google Chrome

"uTorrent" = µTorrent

 

========== Last 20 Event Log Errors ==========

 

[ Application Events ]

Error - 9/7/2014 3:23:40 PM | Computer Name = FORRESTSLAPTOP | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}

 and it will not be loaded. This is most likely caused by a faulty registration.

 

Error - 9/7/2014 3:23:40 PM | Computer Name = FORRESTSLAPTOP | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}

 and it will not be loaded. This is most likely caused by a faulty registration.

 

Error - 9/7/2014 4:38:40 PM | Computer Name = FORRESTSLAPTOP | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}

 and it will not be loaded. This is most likely caused by a faulty registration.

 

Error - 9/7/2014 4:38:40 PM | Computer Name = FORRESTSLAPTOP | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}

 and it will not be loaded. This is most likely caused by a faulty registration.

 

Error - 9/7/2014 5:14:40 PM | Computer Name = FORRESTSLAPTOP | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}

 and it will not be loaded. This is most likely caused by a faulty registration.

 

Error - 9/7/2014 5:14:40 PM | Computer Name = FORRESTSLAPTOP | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}

 and it will not be loaded. This is most likely caused by a faulty registration.

 

Error - 9/7/2014 7:16:53 PM | Computer Name = FORRESTSLAPTOP | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}

 and it will not be loaded. This is most likely caused by a faulty registration.

 

Error - 9/7/2014 7:16:53 PM | Computer Name = FORRESTSLAPTOP | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}

 and it will not be loaded. This is most likely caused by a faulty registration.

 

Error - 9/7/2014 7:16:55 PM | Computer Name = FORRESTSLAPTOP | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}

 and it will not be loaded. This is most likely caused by a faulty registration.

 

Error - 9/7/2014 7:16:55 PM | Computer Name = FORRESTSLAPTOP | Source = Userenv | ID = 1041

Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}

 and it will not be loaded. This is most likely caused by a faulty registration.

 

[ System Events ]

Error - 9/8/2014 1:35:38 AM | Computer Name = FORRESTSLAPTOP | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}

 

Error - 9/8/2014 1:36:27 AM | Computer Name = FORRESTSLAPTOP | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}

 

Error - 9/8/2014 1:45:47 AM | Computer Name = FORRESTSLAPTOP | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}

 

Error - 9/8/2014 1:45:56 AM | Computer Name = FORRESTSLAPTOP | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}

 

Error - 9/8/2014 2:23:08 AM | Computer Name = FORRESTSLAPTOP | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}

 

Error - 9/8/2014 2:25:34 AM | Computer Name = FORRESTSLAPTOP | Source = DCOM | ID = 10005

Description = DCOM got error "%1053" attempting to start the service WSearch with

 arguments ""  in order to run the server:  {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

 

Error - 9/8/2014 3:04:14 AM | Computer Name = FORRESTSLAPTOP | Source = Windows Update Agent | ID = 20

Description = Installation Failure: Windows failed to install the following update

 with error 0x80070644: Update for Microsoft SharePoint Workspace 2010 (KB2760601)

 32-Bit Edition.

 

Error - 9/8/2014 3:08:00 AM | Computer Name = FORRESTSLAPTOP | Source = Schedule | ID = 7901

Description = The At1.job command failed to start due to the following error:   %%2147942403

 

Error - 9/8/2014 3:08:00 AM | Computer Name = FORRESTSLAPTOP | Source = Schedule | ID = 7901

Description = The At2.job command failed to start due to the following error:   %%2147942403

 

Error - 9/8/2014 3:21:26 AM | Computer Name = FORRESTSLAPTOP | Source = DCOM | ID = 10005

Description = DCOM got error "%1053" attempting to start the service WSearch with

 arguments ""  in order to run the server:  {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

 

 

< End of report >

 

GMER 2.1.19357 - http://www.gmer.net

Rootkit scan 2014-09-08 04:38:39

Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0085 91.76GB

Running: esbx530n.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fflyqkoc.sys

 

 

---- System - GMER 2.1 ----

 

INT 0x62        ?                                                                                              8A4ECCB8

INT 0x63        ?                                                                                              8985EF00

INT 0x73        ?                                                                                              8985EF00

INT 0x74        ?                                                                                              8985EF00

INT 0x83        ?                                                                                              8985EF00

INT 0x84        ?                                                                                              8985EF00

INT 0x94        ?                                                                                              8A4EBCB8

INT 0x94        ?                                                                                              8985EF00

INT 0xA4        ?                                                                                              8985EF00

 

---- Kernel code sections - GMER 2.1 ----

 

.sptd1          C:\WINDOWS\system32\drivers\sptd.sys                                                           entry point in ".sptd1" section [0xB9F8B774]

?               C:\WINDOWS\system32\Drivers\PROCEXP113.SYS                                                     The system cannot find the file specified. !

 

---- User code sections - GMER 2.1 ----

 

.text           C:\WINDOWS\system32\SearchIndexer.exe[532] kernel32.dll!WriteFile                              7C810E27 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL

 

---- User IAT/EAT - GMER 2.1 ----

 

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegSetValueW]             [77E36116] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegEnumKeyExW]            [77DD7BD9] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!GetUserNameW]             [77DE496D] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegNotifyChangeKeyValue]  [77DDD8FE] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegEnumValueW]            [77DD7EED] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegQueryValueExA]         [77DD7ABB] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegOpenKeyExA]            [77DD7852] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegEnumKeyW]              [77DDD5E4] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegCloseKey]              [77DD6C27] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegCreateKeyW]            [77DFBA55] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegQueryInfoKeyW]         [77DE49CE] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegOpenKeyExW]            [77DD6AAF] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegQueryValueExW]         [77DD6FFF] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegCreateKeyExW]          [77DD776C] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegSetValueExW]           [77DDD767] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegDeleteValueW]          [77DDEDF1] C:\WINDOWS\system32\ADVAPI32.dll

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegQueryValueW]           [77DDD87A] C:\WINDOWS\system32\ADVAPI32.dll

 

---- Devices - GMER 2.1 ----

 

Device          \FileSystem\Ntfs \Ntfs                                                                         8A4E81F8

 

AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                        wdf01000.sys

AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                                        wdf01000.sys

 

Device          \Driver\usbehci \Device\USBPDO-0                                                               8994E1F8

Device          \Driver\ACPI \Device\00000051                                                                  ntkrnlpa.exe

Device          \Driver\usbuhci \Device\USBPDO-1                                                               8995D1F8

Device          \Driver\ACPI \Device\00000052                                                                  ntkrnlpa.exe

Device          \Driver\usbuhci \Device\USBPDO-2                                                               8995D1F8

Device          \Driver\usbuhci \Device\USBPDO-3                                                               8995D1F8

Device          \Driver\ACPI \Device\00000060                                                                  ntkrnlpa.exe

Device          \Driver\NetBT \Device\NetBT_Tcpip_{5868ED0A-968F-4E02-98D4-5A7BF7D803AB}                       88F031F8

Device          \Driver\usbuhci \Device\USBPDO-4                                                               8995D1F8

Device          \Driver\ACPI \Device\00000061                                                                  ntkrnlpa.exe

Device          \Driver\usbehci \Device\USBPDO-5                                                               8994E1F8

Device          \Driver\ACPI \Device\00000062                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\00000049                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\00000070                                                                  ntkrnlpa.exe

Device          \Driver\usbuhci \Device\USBPDO-6                                                               8995D1F8

Device          \Driver\ACPI \Device\00000063                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\00000064                                                                  ntkrnlpa.exe

Device          \Driver\Cdrom \Device\CdRom0                                                                   898F71F8

Device          \Driver\ACPI \Device\00000072                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\00000065                                                                  ntkrnlpa.exe

Device          \Driver\iaStor \Device\Ide\iaStor0                                                             [B9D92770] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device          \Driver\atapi \Device\Ide\IdePort0                                                             [B9E2BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                                                    [B9E2BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device          \Driver\atapi \Device\Ide\IdePort1                                                             [B9E2BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device          \Driver\iaStor \Device\Ide\IAAStorageDevice-0                                                  [B9D92770] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device          \Driver\Cdrom \Device\CdRom1                                                                   898F71F8

Device          \Driver\ACPI \Device\00000074                                                                  ntkrnlpa.exe

Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                        88F031F8

Device          \Driver\ACPI \Device\00000090                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\0000004a                                                                  ntkrnlpa.exe

Device          \Driver\NetBT \Device\NetbiosSmb                                                               88F031F8

Device          \Driver\ACPI \Device\00000085                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\00000092                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\00000086                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\0000004d                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\00000094                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\00000087                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\0000005b                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\0000004e                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\00000088                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\0000004f                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\00000089                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\0000005d                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\0000005e                                                                  ntkrnlpa.exe

Device          \Driver\ACPI \Device\0000005f                                                                  ntkrnlpa.exe

Device          \Driver\usbuhci \Device\USBFDO-0                                                               8995D1F8

Device          \Driver\usbuhci \Device\USBFDO-1                                                               8995D1F8

Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                              88EF51F8

Device          \Driver\usbehci \Device\USBFDO-2                                                               8994E1F8

Device          \Driver\ACPI \Device\0000006e                                                                  ntkrnlpa.exe

Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                    88EF51F8

Device          \Driver\ACPI \Device\0000006f                                                                  ntkrnlpa.exe

Device          \Driver\usbuhci \Device\USBFDO-3                                                               8995D1F8

Device          \Driver\usbuhci \Device\USBFDO-4                                                               8995D1F8

Device          \Driver\usbuhci \Device\USBFDO-5                                                               8995D1F8

Device          \Driver\usbehci \Device\USBFDO-6                                                               8994E1F8

Device          \Driver\ACPI \Device\0000008c                                                                  ntkrnlpa.exe

Device          \Driver\imagedrv \Device\Scsi\imagedrv1                                                        8A4EA1F8

Device          \Driver\imagedrv \Device\Scsi\imagedrv1Port3Path0Target0Lun0                                   8A4EA1F8

Device          \FileSystem\Cdfs \Cdfs                                                                         89786440

 

---- Registry - GMER 2.1 ----

 

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04              

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0            0

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew         0x0B 0x47 0xA7 0xA6 ...

 

---- EOF - GMER 2.1 ----
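Added example, not part of the original post or of GMER itself: a small Python triage pass over the "User code sections" and "User IAT/EAT" blocks of a GMER 2.1 log like the one above. An IAT slot is expected to resolve into the DLL it imports from, so every ADVAPI32.dll entry above that resolves to C:\WINDOWS\system32\ADVAPI32.dll is classified as expected, while an inline .text patch (the kernel32.dll!WriteFile JMP into MSSRCH.DLL) is always listed with the hooking module and whether that module lives under the system directory. The line layouts are inferred from this log; SYSTEM_DIRS and CORE_SYSTEM_DLLS are hard-coded assumptions for a default XP install; and the last sample line (RegQueryValueExW resolving to a Temp DLL named example_hook.dll) is synthetic, added only to show what a redirected import looks like, and did not appear on the poster's machine.

```python
"""Triage the 'User code sections' and 'User IAT/EAT' parts of a GMER 2.1 log.

Added example, not part of the original post or of GMER. The line layouts are
inferred from the log text in the thread; anything in those sections that the
regexes do not understand is returned under 'unparsed', never silently dropped.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: the inline hook and three IAT lines copied in shape from
# the posted log, plus ONE synthetic IAT line (RegQueryValueExW pointing at a
# Temp DLL) added to show what a redirected import looks like. That last line
# is not from the poster's machine.
SAMPLE_GMER = r"""
---- User code sections - GMER 2.1 ----

.text           C:\WINDOWS\system32\SearchIndexer.exe[532] kernel32.dll!WriteFile                              7C810E27 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL

---- User IAT/EAT - GMER 2.1 ----

IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegSetValueW]             [77E36116] C:\WINDOWS\system32\ADVAPI32.dll
IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegOpenKeyExW]            [77DD6AAF] C:\WINDOWS\system32\ADVAPI32.dll
IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegCloseKey]              [77DD6C27] C:\WINDOWS\system32\ADVAPI32.dll
IAT             C:\WINDOWS\Explorer.EXE[356] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegQueryValueExW]         [00A21F40] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\example_hook.dll
"""

# IAT line: <process[pid]> @ <module> [<import dll>!<func>] [<addr>] <resolved module>
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>\S.*?\[\d+\])\s+@\s+(?P<module>\S.*?)\s+"
    r"\[(?P<imp_dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>\S.*?)\s*$"
)
# .text line: <process[pid]> <dll>!<func> <addr> <n> Bytes <patch> [<hooking module>]
TEXT_RE = re.compile(
    r"^\.text\s+(?P<proc>\S.*?\[\d+\])\s+(?P<imp_dll>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<patch>.+?)"
    r"(?:\s+(?P<target>[A-Za-z]:\\.*?))?\s*$"
)

# Assumptions for an XP box with the default %SystemRoot%; adjust per machine.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
CORE_SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "advapi32.dll", "user32.dll",
                    "ws2_32.dll", "wininet.dll"}  # partial list, not exhaustive


def in_system_dir(path):
    """True when the file's parent directory is one of SYSTEM_DIRS."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def classify_iat(imp_dll, target):
    """An IAT slot should resolve into the DLL it imports from.

    redirected -> resolved module has a different name (classic IAT hook)
    misplaced  -> right name, but a core system DLL loaded from outside
                  %SystemRoot% (search-order hijack or look-alike copy)
    expected   -> otherwise
    """
    imp = imp_dll.lower()
    resolved = PureWindowsPath(target).name.lower()
    if resolved != imp:
        return "redirected"
    if imp in CORE_SYSTEM_DLLS and not in_system_dir(target):
        return "misplaced"
    return "expected"


def parse_user_sections(log_text):
    """Return (iat_entries, inline_hooks, unparsed_lines) from a GMER log."""
    iat, inline, unparsed = [], [], []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("IAT"):
            m = IAT_RE.match(line)
            if not m:
                unparsed.append(line)
                continue
            entry = m.groupdict()
            entry["verdict"] = classify_iat(entry["imp_dll"], entry["target"])
            iat.append(entry)
        elif line.startswith(".text"):
            m = TEXT_RE.match(line)
            if not m:
                unparsed.append(line)
                continue
            entry = m.groupdict()
            entry["hooked"] = f'{entry["imp_dll"]}!{entry["func"]}'
            entry["by_in_system_dir"] = bool(entry["target"]) and in_system_dir(entry["target"])
            inline.append(entry)
    return iat, inline, unparsed


def triage(log_text):
    """Summarise what deserves a second look. Inline hooks are always listed:
    a hooking module under system32 is usually a legitimate component, but
    that is a cue to verify it (signature, hash, vendor), not a clean bill."""
    iat, inline, unparsed = parse_user_sections(log_text)
    return {
        "iat_total": len(iat),
        "iat_flagged": [e for e in iat if e["verdict"] != "expected"],
        "inline_hooks": inline,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    rep = triage(SAMPLE_GMER)
    print(f'{rep["iat_total"]} IAT entries, {len(rep["iat_flagged"])} flagged')
    for e in rep["iat_flagged"]:
        print(f'  {e["verdict"]:10} {e["proc"]} {e["imp_dll"]}!{e["func"]} -> {e["target"]}')
    for h in rep["inline_hooks"]:
        where = "system dir" if h["by_in_system_dir"] else "OUTSIDE system dir"
        print(f'  inline     {h["proc"]} {h["hooked"]} {h["patch"]} by {h["target"]} ({where})')
```

To use it on a real scan, save the full GMER output to a file and pass its contents to triage() instead of SAMPLE_GMER. Anything that comes back under "unparsed" is a line the regexes did not recognise and should be read by hand rather than assumed benign.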




#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:08:43 PM

Posted 08 September 2014 - 07:15 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Disable CD Emulation with DeFogger

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK


IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

 

 

 

 

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC_update.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


[screenshot: cfRC_screen_2.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here [donate button] (no worries, every little bit helps)

#3 dancefusion

dancefusion
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:43 PM

Posted 08 September 2014 - 04:44 PM

ComboFix 14-09-09.01 - Administrator 09/08/2014  17:30:50.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3046.2360 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-08 to 2014-09-08  )))))))))))))))))))))))))))))))
.
.
2014-09-08 12:36 . 2014-09-08 12:43    --------    d-----w-    c:\windows\system32\MRT
2014-09-08 05:08 . 2014-09-08 05:08    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-09-08 04:57 . 2013-04-04 18:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-09-07 21:39 . 2014-03-12 10:48    993280    ------w-    c:\windows\system32\dllcache\kernel32.dll
2014-09-07 21:39 . 2013-11-07 05:38    591360    ------w-    c:\windows\system32\dllcache\rpcrt4.dll
2014-09-07 21:39 . 2014-02-05 08:55    562688    ------w-    c:\windows\system32\dllcache\qedit.dll
2014-09-07 21:39 . 2013-10-23 23:45    172032    ------w-    c:\windows\system32\dllcache\scrrun.dll
2014-09-07 21:38 . 2013-08-09 01:56    386560    ------w-    c:\windows\system32\dllcache\themeui.dll
2014-09-07 21:38 . 2013-10-12 15:56    278528    ------w-    c:\windows\system32\dllcache\oakley.dll
2014-09-07 21:38 . 2012-11-02 02:02    375296    ------w-    c:\windows\system32\dllcache\dpnet.dll
2014-09-07 21:38 . 2013-10-09 13:12    287744    ------w-    c:\windows\system32\dllcache\gdi32.dll
2014-09-07 21:32 . 2013-07-03 02:12    25088    ------w-    c:\windows\system32\dllcache\hidparse.sys
2014-09-07 21:32 . 2013-07-03 01:59    14976    ------w-    c:\windows\system32\dllcache\usbscan.sys
2014-09-07 21:22 . 2013-02-12 00:32    12928    ------w-    c:\windows\system32\dllcache\usb8023x.sys
2014-09-07 21:22 . 2013-02-12 00:32    12928    ------w-    c:\windows\system32\dllcache\usb8023.sys
2014-09-07 21:22 . 2013-07-17 00:58    123008    ------w-    c:\windows\system32\dllcache\usbvideo.sys
2014-09-07 21:22 . 2013-07-17 00:58    46848    ------w-    c:\windows\system32\dllcache\irbus.sys
2014-09-07 21:22 . 2013-07-17 00:58    60160    ------w-    c:\windows\system32\dllcache\usbaudio.sys
2014-09-07 21:19 . 2013-08-09 00:55    144128    ------w-    c:\windows\system32\dllcache\usbport.sys
2014-09-07 21:19 . 2013-08-09 00:55    32384    ------w-    c:\windows\system32\dllcache\usbccgp.sys
2014-09-07 21:19 . 2013-08-09 00:55    5376    ------w-    c:\windows\system32\dllcache\usbd.sys
2014-09-07 21:19 . 2009-03-18 11:02    30336    ------w-    c:\windows\system32\dllcache\usbehci.sys
2014-09-07 09:44 . 2014-09-07 09:44    --------    d--h--r-    c:\documents and settings\All Users\Application Data\Atheros
2014-09-07 06:06 . 2014-09-08 12:43    --------    d-----w-    c:\windows\system32\MpEngineStore
2014-08-25 04:10 . 2014-08-25 04:09    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-08-24 05:36 . 2014-08-24 05:36    --------    d-----w-    c:\documents and settings\Administrator\Application Data\13868
2014-08-22 01:54 . 2014-08-22 01:54    --------    d-----w-    c:\program files\Common Files\Skype
2014-08-13 04:13 . 2014-08-13 04:13    --------    d-sh--w-    c:\documents and settings\NetworkService\PrivacIE
2014-08-13 04:13 . 2014-08-13 04:13    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Google
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-27 23:34 . 2013-09-21 22:39    57344    ----a-r-    c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2014-08-25 04:09 . 2012-04-03 16:23    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2014-07-09 22:51 . 2012-04-09 17:10    699056    -c--a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-07-09 22:51 . 2011-05-26 03:31    71344    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 22:51 . 2014-07-09 22:51    11204096    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="d:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Del992175140"="del" [X]
"Del203080578"="del" [X]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"Run"= "c:\documents and settings\Administrator\Application Data\Microsoft\Windows\IEUpdate\fsutil.exe"
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Microsoft SharePoint Workspace.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Microsoft SharePoint Workspace.lnk
backup=c:\windows\pss\Microsoft SharePoint Workspace.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Seagate 100662970 Product Registration.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Seagate 100662970 Product Registration.lnk
backup=c:\windows\pss\Seagate 100662970 Product Registration.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3DVIA]
c:\documents and settings\Administrator\Local Settings\Application Data\Adobe\3DVIA\elivu.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57    959904    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
c:\documents and settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Amazon Cloud Player]
2013-07-22 01:08    3109376    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\Amazon Cloud Player\Amazon Music Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2013-06-20 10:26    3590224    ----a-w-    d:\program files\Babylon\Babylon-Pro\Babylon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2012-11-05 19:27    89184    ----a-w-    d:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2006-03-28 19:48    622592    ------r-    c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsMon00]
2011-10-07 18:29    2629632    ------w-    c:\program files\Browny02\Brother\BrStMonW.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-04-10 18:58    61440    ------w-    c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter4]
2011-04-20 21:53    139264    ------w-    c:\program files\ControlCenter4\BrCcBoot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 02:42    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2014-05-28 04:46    455512    ----a-w-    c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2014-01-10 05:26    1861968    ----a-w-    c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-08-22 18:31    116648    ----atw-    c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleDriveSync]
2014-08-08 14:34    22734160    ----a-w-    c:\program files\Google\Drive\googledrivesync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-02-05 20:13    173592    -c--a-w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-02-05 20:13    141336    -c--a-w-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KMCONFIG]
d:\program files\iHome Keyboard & Mouse Driver\StartAutorun.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoAutoScrollUtility]
2010-04-01 18:50    43960    ----a-w-    c:\program files\Lenovo\VIRTSCRL\virtscrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2013-04-04 18:50    532040    ----a-w-    d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Instant Backup]
2011-05-04 21:10    136416    ----a-w-    c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
c:\program files\Microsoft Security Client\msseces.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57    153136    ----a-w-    c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Message Center 2]
2011-10-30 19:44    571392    ----a-w-    c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2013-04-22 14:05    720064    ----a-w-    d:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OjcobUdifo]
c:\documents and settings\All Users\Application Data\OjcobUdifo\OjcobUdifo.dat [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-02-05 20:13    142360    -c--a-w-    c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2005-01-26 22:02    49152    ----a-w-    c:\program files\Brother\Brmfl06a\BrStDvPt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2007-08-08 13:13    831488    ----a-w-    c:\program files\Analog Devices\SoundMAX\SMax4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2008-04-24 21:53    1036288    ----a-w-    c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
c:\documents and settings\Administrator\Application Data\Spotify\Data\SpotifyWebHelper.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2014-07-25 16:29    256896    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2011-03-31 23:30    2221352    ----a-w-    c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xvid]
2011-01-17 19:41    8192    ----a-w-    d:\program files\Xvid\CheckUpdate.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [5/31/2013 2:17 PM 13560]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/29/2011 4:17 PM 13680]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [6/21/2012 4:57 PM 153600]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [6/21/2012 4:57 PM 121856]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [5/4/2011 5:10 PM 25824]
S1 qrjoauit;qrjoauit;\??\c:\windows\system32\drivers\qrjoauit.sys --> c:\windows\system32\drivers\qrjoauit.sys [?]
S2 SkypeUpdate;Skype Updater;d:\program files\Skype\Updater\Updater.exe [10/23/2013 9:15 AM 172192]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [4/11/2012 8:02 PM 245760]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [5/31/2013 9:29 PM 41584]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/5/2011 7:19 PM 47360]
S3 wmvad_simple;WonderMedia SmartStream Audio;c:\windows\system32\drivers\wmvad.sys [12/10/2010 3:02 PM 17408]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 22:51]
.
2014-09-08 c:\windows\Tasks\Amazon Music Helper.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Amazon Cloud Player\Amazon Music Helper.exe [2013-09-09 01:08]
.
2014-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-25 16:40]
.
2014-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-25 16:40]
.
2014-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1326574676-1417001333-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-22 18:31]
.
2014-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1326574676-1417001333-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-22 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - d:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Translate this web page with Babylon - d:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - d:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-09-08 17:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,66,98,07,96,c8,1b,48,88,23,38,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,66,98,07,96,c8,1b,48,88,23,38,\
.
[HKEY_USERS\S-1-5-21-1957994488-1326574676-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,fe,ff,43,10,da,db,4a,be,b5,05,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,85,52,7e,08,2a,60,01,42,9c,33,a9,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2700)
c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2014-09-08  17:39:40
ComboFix-quarantined-files.txt  2014-09-08 21:39
ComboFix2.txt  2014-09-08 14:41
.
Pre-Run: 11,023,667,200 bytes free
Post-Run: 11,299,008,512 bytes free
.
- - End Of File - - 342E3E72C0E1E625DB32BD294BA6F137
8F558EB6672622401DA993E1E865C861
 



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:08:43 PM

Posted 09 September 2014 - 03:00 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is saved to.


[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

Attached Files


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#5 dancefusion

dancefusion
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:43 PM

Posted 09 September 2014 - 07:39 PM

ComboFix 14-09-09.01 - Administrator 09/09/2014  10:23:44.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3046.457 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_qrjoauit
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-09 to 2014-09-09  )))))))))))))))))))))))))))))))
.
.
2014-09-08 12:36 . 2014-09-08 12:43    --------    d-----w-    c:\windows\system32\MRT
2014-09-08 05:08 . 2014-09-08 05:08    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-09-08 04:57 . 2013-04-04 18:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-09-07 21:39 . 2014-03-12 10:48    993280    ------w-    c:\windows\system32\dllcache\kernel32.dll
2014-09-07 21:39 . 2013-11-07 05:38    591360    ------w-    c:\windows\system32\dllcache\rpcrt4.dll
2014-09-07 21:39 . 2014-02-05 08:55    562688    ------w-    c:\windows\system32\dllcache\qedit.dll
2014-09-07 21:39 . 2013-10-23 23:45    172032    ------w-    c:\windows\system32\dllcache\scrrun.dll
2014-09-07 21:38 . 2013-08-09 01:56    386560    ------w-    c:\windows\system32\dllcache\themeui.dll
2014-09-07 21:38 . 2013-10-12 15:56    278528    ------w-    c:\windows\system32\dllcache\oakley.dll
2014-09-07 21:38 . 2012-11-02 02:02    375296    ------w-    c:\windows\system32\dllcache\dpnet.dll
2014-09-07 21:38 . 2013-10-09 13:12    287744    ------w-    c:\windows\system32\dllcache\gdi32.dll
2014-09-07 21:32 . 2013-07-03 02:12    25088    ------w-    c:\windows\system32\dllcache\hidparse.sys
2014-09-07 21:32 . 2013-07-03 01:59    14976    ------w-    c:\windows\system32\dllcache\usbscan.sys
2014-09-07 21:22 . 2013-02-12 00:32    12928    ------w-    c:\windows\system32\dllcache\usb8023x.sys
2014-09-07 21:22 . 2013-02-12 00:32    12928    ------w-    c:\windows\system32\dllcache\usb8023.sys
2014-09-07 21:22 . 2013-07-17 00:58    123008    ------w-    c:\windows\system32\dllcache\usbvideo.sys
2014-09-07 21:22 . 2013-07-17 00:58    46848    ------w-    c:\windows\system32\dllcache\irbus.sys
2014-09-07 21:22 . 2013-07-17 00:58    60160    ------w-    c:\windows\system32\dllcache\usbaudio.sys
2014-09-07 21:19 . 2013-08-09 00:55    144128    ------w-    c:\windows\system32\dllcache\usbport.sys
2014-09-07 21:19 . 2013-08-09 00:55    32384    ------w-    c:\windows\system32\dllcache\usbccgp.sys
2014-09-07 21:19 . 2013-08-09 00:55    5376    ------w-    c:\windows\system32\dllcache\usbd.sys
2014-09-07 21:19 . 2009-03-18 11:02    30336    ------w-    c:\windows\system32\dllcache\usbehci.sys
2014-09-07 09:44 . 2014-09-07 09:44    --------    d--h--r-    c:\documents and settings\All Users\Application Data\Atheros
2014-09-07 06:06 . 2014-09-08 12:43    --------    d-----w-    c:\windows\system32\MpEngineStore
2014-08-25 04:10 . 2014-08-25 04:09    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-08-24 05:36 . 2014-08-24 05:36    --------    d-----w-    c:\documents and settings\Administrator\Application Data\13868
2014-08-22 01:54 . 2014-08-22 01:54    --------    d-----w-    c:\program files\Common Files\Skype
2014-08-13 04:13 . 2014-08-13 04:13    --------    d-sh--w-    c:\documents and settings\NetworkService\PrivacIE
2014-08-13 04:13 . 2014-08-13 04:13    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Google
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-27 23:34 . 2013-09-21 22:39    57344    ----a-r-    c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2014-08-25 04:09 . 2012-04-03 16:23    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2014-07-09 22:51 . 2012-04-09 17:10    699056    -c--a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-07-09 22:51 . 2011-05-26 03:31    71344    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 22:51 . 2014-07-09 22:51    11204096    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-08-08 14:34    579400    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="d:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Del992175140"="del" [X]
"Del203080578"="del" [X]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"Run"= "c:\documents and settings\Administrator\Application Data\Microsoft\Windows\IEUpdate\fsutil.exe"
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Microsoft SharePoint Workspace.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Microsoft SharePoint Workspace.lnk
backup=c:\windows\pss\Microsoft SharePoint Workspace.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Seagate 100662970 Product Registration.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Seagate 100662970 Product Registration.lnk
backup=c:\windows\pss\Seagate 100662970 Product Registration.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3DVIA]
c:\documents and settings\Administrator\Local Settings\Application Data\Adobe\3DVIA\elivu.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57    959904    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
c:\documents and settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Amazon Cloud Player]
2013-07-22 01:08    3109376    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\Amazon Cloud Player\Amazon Music Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2013-06-20 10:26    3590224    ----a-w-    d:\program files\Babylon\Babylon-Pro\Babylon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2012-11-05 19:27    89184    ----a-w-    d:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2006-03-28 19:48    622592    ------r-    c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsMon00]
2011-10-07 18:29    2629632    ------w-    c:\program files\Browny02\Brother\BrStMonW.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-04-10 18:58    61440    ------w-    c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter4]
2011-04-20 21:53    139264    ------w-    c:\program files\ControlCenter4\BrCcBoot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 02:42    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2014-05-28 04:46    455512    ----a-w-    c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2014-01-10 05:26    1861968    ----a-w-    c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-08-22 18:31    116648    ----atw-    c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleDriveSync]
2014-08-08 14:34    22734160    ----a-w-    c:\program files\Google\Drive\googledrivesync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-02-05 20:13    173592    -c--a-w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-02-05 20:13    141336    -c--a-w-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KMCONFIG]
d:\program files\iHome Keyboard & Mouse Driver\StartAutorun.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoAutoScrollUtility]
2010-04-01 18:50    43960    ----a-w-    c:\program files\Lenovo\VIRTSCRL\virtscrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2013-04-04 18:50    532040    ----a-w-    d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Instant Backup]
2011-05-04 21:10    136416    ----a-w-    c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
c:\program files\Microsoft Security Client\msseces.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57    153136    ----a-w-    c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Message Center 2]
2011-10-30 19:44    571392    ----a-w-    c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2013-04-22 14:05    720064    ----a-w-    d:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OjcobUdifo]
c:\documents and settings\All Users\Application Data\OjcobUdifo\OjcobUdifo.dat [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-02-05 20:13    142360    -c--a-w-    c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2005-01-26 22:02    49152    ----a-w-    c:\program files\Brother\Brmfl06a\BrStDvPt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2007-08-08 13:13    831488    ----a-w-    c:\program files\Analog Devices\SoundMAX\SMax4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2008-04-24 21:53    1036288    ----a-w-    c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
c:\documents and settings\Administrator\Application Data\Spotify\Data\SpotifyWebHelper.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2014-07-25 16:29    256896    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2011-03-31 23:30    2221352    ----a-w-    c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xvid]
2011-01-17 19:41    8192    ----a-w-    d:\program files\Xvid\CheckUpdate.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [5/31/2013 2:17 PM 13560]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/29/2011 4:17 PM 13680]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [6/21/2012 4:57 PM 153600]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [6/21/2012 4:57 PM 121856]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [5/4/2011 5:10 PM 25824]
S2 SkypeUpdate;Skype Updater;d:\program files\Skype\Updater\Updater.exe [10/23/2013 9:15 AM 172192]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [4/11/2012 8:02 PM 245760]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [5/31/2013 9:29 PM 41584]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/5/2011 7:19 PM 47360]
S3 wmvad_simple;WonderMedia SmartStream Audio;c:\windows\system32\drivers\wmvad.sys [12/10/2010 3:02 PM 17408]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 22:51]
.
2014-09-09 c:\windows\Tasks\Amazon Music Helper.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Amazon Cloud Player\Amazon Music Helper.exe [2013-09-09 01:08]
.
2014-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-25 16:40]
.
2014-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-25 16:40]
.
2014-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1326574676-1417001333-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-22 18:31]
.
2014-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1326574676-1417001333-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-22 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - d:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Translate this web page with Babylon - d:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - d:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-09-09 10:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3216)
c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.24.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\acs.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2014-09-09  10:43:26 - machine was rebooted
ComboFix-quarantined-files.txt  2014-09-09 14:43
ComboFix2.txt  2014-09-08 21:39
ComboFix3.txt  2014-09-08 14:41
.
Pre-Run: 11,088,023,552 bytes free
Post-Run: 11,149,910,016 bytes free
.
- - End Of File - - E84544C33070B03635093D5C64D29139
8F558EB6672622401DA993E1E865C861

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.09.09.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Administrator :: FORRESTSLAPTOP [administrator]

9/9/2014 12:19:37 PM
mbam-log-2014-09-09 (12-19-37).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 318876
Time elapsed: 1 hour(s), 2 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 10 September 2014 - 07:25 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 dancefusion

  • Topic Starter
  • Members
  • 25 posts

Posted 10 September 2014 - 06:53 PM

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\extensions\rqhtrjxzba@rqhtrjxzba.org.xpi    JS/Redirector.NCI trojan    deleted - quarantined
C:\Documents and Settings\Administrator\Desktop\D FILES\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll    a variant of Win32/Toolbar.Babylon.P potentially unwanted application    deleted - quarantined
C:\Documents and Settings\Administrator\Desktop\D FILES\Program Files\Babylon\Babylon-Pro\Utils\BabylonOfficePI.dll    a variant of Win32/Toolbar.Babylon.P potentially unwanted application    deleted - quarantined
C:\Documents and Settings\Administrator\Desktop\D FILES\Program Files\SiglosPro Karaoke\Power_Karaoke.exe    a variant of Win32/Toolbar.Conduit.B potentially unwanted application    deleted - quarantined
C:\Documents and Settings\Administrator\Desktop\D FILES\Program Files\SiglosPro Karaoke\Power_Karaoke.xpi    Win32/Toolbar.Conduit.A potentially unwanted application    deleted - quarantined
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\aaddgcdadidgdadagcdfdcdgdeddgcdb\background.html    Win32/BHO.OEI trojan    cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\DECRYPT_INSTRUCTION.URL    Win32/Filecoder.CR.Gen trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\DECRYPT_INSTRUCTION.URL    Win32/Filecoder.CR.Gen trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\DECRYPT_INSTRUCTION.URL    Win32/Filecoder.CR.Gen trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\DECRYPT_INSTRUCTION.URL    Win32/Filecoder.CR.Gen trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows Media\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows Media\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows Media\DECRYPT_INSTRUCTION.URL    Win32/Filecoder.CR.Gen trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows Media\11.0\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows Media\11.0\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan    deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows Media\11.0\DECRYPT_INSTRUCTION.URL    Win32/Filecoder.CR.Gen trojan    deleted - quarantined
 



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 11 September 2014 - 07:32 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also




Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.



#9 dancefusion

  • Topic Starter
  • Members
  • 25 posts

Posted 11 September 2014 - 03:02 PM

I used AdwCleaner and SecurityCheck, however, JRT opened a run command prompt then ran a backup and closed, but did not reopen and scan.

Below are the AdwCleaner and SecurityCheck logs

 

# AdwCleaner v3.309 - Report created 11/09/2014 at 15:26:24
# Updated 02/09/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Administrator - FORRESTSLAPTOP
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner_3.309.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\Babylon
Folder Deleted : C:\Program Files\adawaretb
Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Administrator\Application Data\adawaretb
Folder Deleted : C:\Documents and Settings\Administrator\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Administrator\Application Data\digitalsite
Folder Deleted : C:\Documents and Settings\Administrator\Application Data\GrabPro
Folder Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\adawaretb
[!] Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\oejkcgajlodefenbbjdnaiahmbnnoole
File Deleted : C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Babylon.lnk
File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\user.js
File Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_lyrics.wikia.com_0.localstorage
File Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_www.zabasearch.com_0.localstorage

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [ocr@babylon.com]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\oejkcgajlodefenbbjdnaiahmbnnoole
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping [{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478}]
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Translate this web page with Babylon
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Translate with Babylon
Key Deleted : HKCU\Software\Microsoft\Office\Powerpoint\Addins\babylonofficeaddin.officeaddin
Key Deleted : HKCU\Software\Microsoft\Office\Word\Addins\babylonofficeaddin.officeaddin
Key Deleted : HKLM\SOFTWARE\Classes\.bdc
Key Deleted : HKLM\SOFTWARE\Classes\.bgl
Key Deleted : HKLM\SOFTWARE\Classes\.bof
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BabylonIEPI.DLL
Key Deleted : HKLM\SOFTWARE\Classes\BabyDict
Key Deleted : HKLM\SOFTWARE\Classes\BabyGloss
Key Deleted : HKLM\SOFTWARE\Classes\BabylonIEPI.BabylonIEBho
Key Deleted : HKLM\SOFTWARE\Classes\BabylonIEPI.BabylonIEBho.1
Key Deleted : HKLM\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin
Key Deleted : HKLM\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin.1
Key Deleted : HKLM\SOFTWARE\Classes\BabyOptFile
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Babylon Client
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Babylon.exe
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B16632F1-24E0-4D99-A68D-70BFB6447C48}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6AC0BB10-C922-45E2-857D-2A368FE749E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{947217BD-E967-400A-B14A-BA851A8EDCBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5F339F0B-716F-408F-A627-DEEB5DEB4020}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{928FE5E7-D557-46B7-8AF6-17ACCE1FB4ED}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{F310F027-15CB-4A7F-B10D-3A4AFB5013A5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000123B4-9B42-4900-B3F7-F4B073EFC214}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7854F00C-DC77-477E-A10E-603F48442D3B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{000123B4-9B42-4900-B3F7-F4B073EFC214}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4250488A-CB24-0893-C066-B1AEA57BCFF2}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{C55BBCD6-41AD-48AD-9953-3609C48EACC7}]
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Babylon
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\StartSearch
Key Deleted : HKLM\SOFTWARE\adawaretb
Key Deleted : HKLM\SOFTWARE\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Freeze.com
Key Deleted : HKLM\SOFTWARE\Toolbar Cleaner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Babylon
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Babylon
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Orbit_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WebConnect

***** [ Browsers ] *****

-\\ Internet Explorer v0.0.0.0


-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\do22yta4.default\prefs.js ]


-\\ Google Chrome v

[ File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted [Extension] : dhdepfaagokllfmhfbcfmocaeigmoebo
Deleted [Extension] : fbmimoidopbghbcmdmpkjaffffmcbmbg
Deleted [Extension] : hphibigbodkkohoglgfkddblldpfohjl
Deleted [Extension] : kdcnnmifdmlmjffdgeieikcokcogpbej
Deleted [Extension] : kincjchfokkeneeofpeefomkikfkiedl
Deleted [Extension] : kkkeikdkpjenmoiicggnnodbkebafgpc
Deleted [Extension] : oejkcgajlodefenbbjdnaiahmbnnoole
Deleted [Extension] : pgmfkblbflahhponhjmkcnpjinenhlnc

*************************

AdwCleaner[R0].txt - [7629 octets] - [11/09/2014 15:23:23]
AdwCleaner[S0].txt - [7644 octets] - [11/09/2014 15:26:24]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7704 octets] ##########

 Results of screen317's Security Check version 0.99.87
   x86   
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 Java 7 Update 67  
 Java™ 6 Update 31  
 Java version out of Date!
 Adobe Flash Player     14.0.0.145  
 Mozilla Firefox (31.0)
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 32% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:08:43 PM

Posted 12 September 2014 - 05:19 AM

Any problems left or may I post the last reply?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#11 dancefusion

dancefusion
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:43 PM

Posted 13 September 2014 - 12:25 AM

Still issues: explorer.exe is still eating up my CPU and memory.



#12 dancefusion

dancefusion
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:43 PM

Posted 13 September 2014 - 12:27 AM

It seemed good for the last day, then I restored some files and reformatted two partitions of my HDD, and now it's all crap again.



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:08:43 PM

Posted 14 September 2014 - 05:23 AM

What files did you restore and what does "all crap again" mean? :wacko:


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#14 dancefusion

dancefusion
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:43 PM

Posted 14 September 2014 - 10:47 PM

I scanned my entire computer and had reformatted two partitions, only saving my program files, which were also scanned (I had temporarily saved them to my desktop on the C drive and returned them to the D drive once it was reformatted). I'm not certain if I actually ever got rid of the virus or not. The explorer.exe opens multiple times whenever I am online and uses all system resources after a few minutes; this ONLY happens when I'm online. It seemed to stop for half a day and then I noticed it again bogging down my laptop.



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:08:43 PM

Posted 15 September 2014 - 10:03 AM

I scanned my entire computer

With WHAT?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)