Another sirefef victim

Solved
By jjs1584
Jul 9, 2012
  1. Hello,

    I, like many others apparently, I have had my computer infected with the sirefef trojan. I am running Windows 7 (32 bit) on my Equus CS Nobilis laptop. I am almost positive I got the virus from a bogus Adobe Reader update. Below is the result of scanning using the Farbar tool. Thank you in advance for your help!


    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 09-07-2012 01
    Ran by SYSTEM at 09-07-2012 18:11:43
    Running from E:\
    Windows 7 Professional (X86) OS Language: English(US)
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe [708608 2008-08-26] (Mirco-Star International CO., LTD.)
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13556256 2008-09-24] (NVIDIA Corporation)
    HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2008-09-24] (NVIDIA Corporation)
    HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
    HKLM\...\Run: [EKAIO2StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe [2717696 2011-08-26] (Eastman Kodak Company)
    HKLM\...\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [71216 2007-03-14] (Cyberlink Corp.)
    HKLM\...\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [52256 2007-01-08] ()
    HKLM\...\Run: [Corel Photo Downloader] "C:\Program Files\Corel\Corel MediaOne\Corel PhotoDownloader.exe" -startup [x]
    HKLM\...\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe [38400 2007-12-01] ()
    HKLM\...\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" [159456 2011-08-05] (Microsoft Corporation)
    HKLM\...\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1446760 2012-01-06] (Garmin)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Administrator\...\Run: [EPSON Stylus CX4800 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /FU "C:\Windows\TEMP\E_SDF0A.tmp" /EF "HKCU" [177664 2007-01-19] (SEIKO EPSON CORPORATION)
    HKU\Administrator\...\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1446760 2012-01-06] (Garmin)
    HKU\Administrator\...\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup [2491688 2007-07-12] (Cyberlink)
    HKU\Justin Silvi\...\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1446760 2012-01-06] (Garmin)
    HKU\Justin Silvi\...\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
    HKU\Justin Silvi\...\Policies\system: [NoHotStart] 1
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    Startup: C:\Users\Justin Silvi\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
    ================================ Services (Whitelisted) ==================
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 IntuitUpdateService; "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [13672 2010-08-23] (Intuit Inc.)
    2 McciCMService; "C:\Program Files\Common Files\Motive\McciCMService.exe" [319488 2011-02-07] (Alcatel-Lucent)
    2 McciServiceHost; "C:\Program Files\Common Files\Motive\McciServiceHost.exe" [315392 2010-07-27] (Alcatel-Lucent)
    2 Micro Star SCM; C:\Program Files\System Control Manager\MSIService.exe [159744 2008-08-26] ()
    2 ProtexisLicensing; C:\Windows\system32\PSIService.exe [177704 2007-06-05] ()
    2 RichVideo; "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [272024 2006-12-19] ()
    2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2006-06-14] (Ulead Systems, Inc.)
    2 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [x]
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
    3 WMZuneComm; "c:\Program Files\Zune\WMZuneComm.exe" [x]
    3 ZuneNetworkSvc; "c:\Program Files\Zune\ZuneNss.exe" [x]
    3 ZuneWlanCfgSvc; "c:\Program Files\Zune\ZuneWlanCfgSvc.exe" [x]
    ========================== Drivers (Whitelisted) =============
    3 Bridge; C:\Windows\System32\DRIVERS\bridge.sys [78336 2009-07-13] (Microsoft Corporation)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2010-07-27] (Printing Communications Assoc., Inc. (PCAUSA))
    3 smserial; C:\Windows\System32\DRIVERS\smserial.sys [1068032 2009-07-13] (Motorola Inc.)
    3 WSDScan; C:\Windows\System32\DRIVERS\WSDScan.sys [20480 2009-07-13] (Microsoft Corporation)
    1 ixgdublj; \??\C:\Windows\system32\drivers\ixgdublj.sys [x]
    3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
    3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-07-09 18:11 - 2012-07-09 18:11 - 00000000 ____D C:\FRST
    2012-07-09 12:25 - 2012-07-09 12:25 - 00008224 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-09 12:25 - 2012-07-09 12:25 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Garmin
    2012-07-09 12:25 - 2012-07-09 12:25 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer
    2012-07-09 11:34 - 2012-07-09 11:34 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-09 11:34 - 2012-07-09 11:34 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-09 11:32 - 2012-07-09 11:32 - 10288512 ____A (Microsoft Corporation) C:\Users\Justin Silvi\Downloads\mseinstall.exe
    2012-07-09 10:29 - 2012-07-09 10:29 - 00000000 ____D C:\Windows\System32\appmgmt
    2012-07-06 17:27 - 2012-07-09 10:06 - 00000000 ____D C:\Users\Justin Silvi\Downloads\Family Guy - The Complete Season 9 [HDTV]
    2012-06-29 05:57 - 2012-06-29 06:34 - 00000000 ____D C:\Users\Justin Silvi\Downloads\Hells Kitchen US S10E08 PDTV x264-LOL[ettv]
    2012-06-29 05:33 - 2012-06-29 06:15 - 355284929 ____A C:\Users\Justin Silvi\Downloads\Hells.Kitchen.US.S10E07.PDTV.x264-LOL.mp4
    2012-06-23 20:22 - 2012-06-23 20:22 - 09815752 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2012-06-21 10:01 - 2012-06-21 10:29 - 00000000 ____D C:\Users\Justin Silvi\Documents\Paychecks
    2012-06-21 05:47 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-21 05:47 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-21 05:47 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-21 05:47 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-21 05:47 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-21 05:47 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-21 05:47 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-21 05:47 - 2012-06-02 11:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-21 05:47 - 2012-06-02 11:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-19 08:06 - 2012-06-19 08:40 - 00000000 ____D C:\Users\Justin Silvi\Downloads\Hells Kitchen US S10.E5 (xCrazy0328x)
    2012-06-18 10:41 - 2012-06-18 10:41 - 00000000 ____D C:\Users\Justin Silvi\Documents\New folder
    2012-06-18 04:31 - 2012-06-18 04:53 - 00000000 ____D C:\Users\Justin Silvi\Downloads\[ www.TorrentDay.com ] - Heat.Seekers.S01E07.Philadelphia.HDTV.XviD-CRiMSON2
    2012-06-17 08:50 - 2012-06-17 08:55 - 00000000 ____D C:\Users\Justin Silvi\Documents\2812 inventory
    2012-06-14 07:19 - 2012-07-06 07:36 - 48522240 ____A C:\Users\Justin Silvi\Documents\Personal Folders(1) backup.pst
    2012-06-14 07:17 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-14 07:17 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-14 07:17 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-14 07:17 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-14 07:17 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-14 07:17 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-14 07:17 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-14 07:17 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-14 07:17 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-14 07:17 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-14 07:17 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-14 07:17 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-14 07:17 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-14 07:17 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-12 18:53 - 2012-05-14 17:05 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-12 18:53 - 2012-04-30 20:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-06-12 18:53 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-06-12 18:53 - 2012-04-25 20:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-06-12 18:53 - 2012-04-25 20:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-06-12 18:53 - 2012-04-25 20:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-06-12 18:53 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
    2012-06-12 18:52 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-06-12 18:52 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-06-12 18:52 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-06-11 07:42 - 2012-06-11 07:42 - 00000000 ____D C:\Users\Justin Silvi\AppData\Local\Macromedia
    ============ 3 Months Modified Files ========================
    2012-07-09 13:29 - 2011-03-22 19:21 - 00372688 ____A C:\Users\All Users\nvModes.001
    2012-07-09 13:29 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-09 13:29 - 2009-07-13 20:39 - 00101938 ____A C:\Windows\setupact.log
    2012-07-09 12:25 - 2012-07-09 12:25 - 00008224 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-09 12:21 - 2011-02-23 09:00 - 00082370 ____A C:\Windows\PFRO.log
    2012-07-09 11:37 - 2009-07-13 20:34 - 00014848 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-09 11:37 - 2009-07-13 20:34 - 00014848 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-09 11:36 - 2011-02-23 10:40 - 01413271 ____A C:\Windows\WindowsUpdate.log
    2012-07-09 11:34 - 2012-07-09 11:34 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-09 11:34 - 2011-02-23 07:50 - 00743534 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-09 11:32 - 2012-07-09 11:32 - 10288512 ____A (Microsoft Corporation) C:\Users\Justin Silvi\Downloads\mseinstall.exe
    2012-07-09 10:34 - 2011-03-22 19:21 - 00372688 ____A C:\Users\All Users\nvModes.dat
    2012-07-09 10:22 - 2012-04-12 07:38 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-09 05:31 - 2012-04-12 07:38 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-09 05:31 - 2011-05-14 08:02 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-06 07:36 - 2012-06-14 07:19 - 48522240 ____A C:\Users\Justin Silvi\Documents\Personal Folders(1) backup.pst
    2012-06-29 06:15 - 2012-06-29 05:33 - 355284929 ____A C:\Users\Justin Silvi\Downloads\Hells.Kitchen.US.S10E07.PDTV.x264-LOL.mp4
    2012-06-23 20:22 - 2012-06-23 20:22 - 09815752 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2012-06-22 20:22 - 2009-07-13 20:53 - 00032656 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-06-14 07:55 - 2009-07-13 20:33 - 00443904 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-14 07:22 - 2011-02-24 05:29 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-06-02 14:19 - 2012-06-21 05:47 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 05:47 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 05:47 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 05:47 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 05:47 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-21 05:47 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-21 05:47 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-21 05:47 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:12 - 2012-06-21 05:47 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-17 15:11 - 2012-06-14 07:17 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 14:48 - 2012-06-14 07:17 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 14:45 - 2012-06-14 07:17 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 14:36 - 2012-06-14 07:17 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 14:35 - 2012-06-14 07:17 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-14 07:17 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 14:33 - 2012-06-14 07:17 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 14:31 - 2012-06-14 07:17 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 14:29 - 2012-06-14 07:17 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 14:29 - 2012-06-14 07:17 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-14 07:17 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 14:25 - 2012-06-14 07:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 14:24 - 2012-06-14 07:17 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 14:20 - 2012-06-14 07:17 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-14 17:05 - 2012-06-12 18:53 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-13 18:22 - 2012-05-13 18:22 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-05-13 18:22 - 2012-05-13 18:22 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-05-13 18:22 - 2012-05-13 18:22 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-05-13 18:22 - 2012-05-13 18:22 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-05-13 18:22 - 2011-02-27 09:21 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-04-30 20:44 - 2012-06-12 18:53 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-04-27 19:17 - 2012-06-12 18:53 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-25 20:45 - 2012-06-12 18:53 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-04-25 20:45 - 2012-06-12 18:53 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-04-25 20:41 - 2012-06-12 18:53 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-04-24 10:27 - 2011-12-30 16:51 - 00002828 __ASH C:\Windows\System32\KGyGaAvL.sys
    2012-04-24 10:27 - 2011-12-30 16:51 - 00000088 __RSH C:\Windows\System32\8F109DC930.sys
    2012-04-23 20:36 - 2012-06-12 18:52 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 20:36 - 2012-06-12 18:52 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 20:36 - 2012-06-12 18:52 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    ZeroAccess:
    C:\Windows\Installer\{e3548377-8591-a44f-836f-596136f77833}
    C:\Windows\Installer\{e3548377-8591-a44f-836f-596136f77833}\@
    C:\Windows\Installer\{e3548377-8591-a44f-836f-596136f77833}\L
    C:\Windows\Installer\{e3548377-8591-a44f-836f-596136f77833}\U
    C:\Windows\Installer\{e3548377-8591-a44f-836f-596136f77833}\L\00000004.@
    ZeroAccess:
    C:\Users\Justin Silvi\AppData\Local\{e3548377-8591-a44f-836f-596136f77833}
    C:\Users\Justin Silvi\AppData\Local\{e3548377-8591-a44f-836f-596136f77833}\@
    C:\Users\Justin Silvi\AppData\Local\{e3548377-8591-a44f-836f-596136f77833}\L
    C:\Users\Justin Silvi\AppData\Local\{e3548377-8591-a44f-836f-596136f77833}\U
    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 11%
    Total physical RAM: 4095.16 MB
    Available physical RAM: 3622.3 MB
    Total Pagefile: 4093.44 MB
    Available Pagefile: 3626.89 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1968.7 MB
    ======================= Partitions =========================
    1 Drive c: (1137152) (Fixed) (Total:298.09 GB) (Free:122.93 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive e: (USB20FD) (Removable) (Total:3.8 GB) (Free:2.37 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 3894 MB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 298 GB 24 KB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C 1137152 NTFS Partition 298 GB Healthy
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3894 MB 28 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E USB20FD FAT32 Removable 3894 MB Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-07-07 20:32
    ======================= End Of Log ==========================
  2. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===========================================

    In Vista or Windows 7: Boot to System Recovery Options and run FRST.
    In Windows XP: Please boot to UBCD and run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes to your reply.
  3. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    Farbar Recovery Scan Tool Version: 09-07-2012 01
    Ran by SYSTEM at 2012-07-09 20:32:49
    Running from E:\
    ================== Search: "services.exe" ===================
    C:\Windows.old\Windows\system32\services.exe
    [2011-02-17 12:45] - [2009-02-06 03:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315
    C:\Windows.old\Windows\system32\dllcache\services.exe
    [2011-02-17 12:45] - [2009-02-06 03:11] - 0110592 ___AC (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315
    C:\Windows.old\Windows\$NtUninstallKB956572$\services.exe
    [2011-02-17 11:15] - [2008-04-14 05:00] - 0108544 ___AC (Microsoft Corporation) 0E776ED5F7CC9F94299E70461B7B8185
    C:\Windows.old\Windows\$hf_mig$\KB956572\SP3QFE\services.exe
    [2011-02-17 11:15] - [2009-02-06 03:06] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
    === End Of Search ===
  4. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    Attached Files:

  5. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-07-2012 01
    Ran by SYSTEM at 2012-07-09 21:21:42 Run:1
    Running from E:\
    ==============================================
    HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    ixgdublj service deleted successfully.
    C:\Windows\Installer\{e3548377-8591-a44f-836f-596136f77833} moved successfully.
    C:\Users\Justin Silvi\AppData\Local\{e3548377-8591-a44f-836f-596136f77833} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
    ==== End of Fixlog ====
  6. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    Ok, I am able to stay logged on Windows after running FRST with the fixlist. I downloaded Combofix to the desktop as instructed, however when I run it it says McAffee is running (even though I uninstalled McAffee earlier today prior to contacting you). The only trace of it I can find is in the "services" tab of task manager there is McMPFSvc. The status of that says it is stopped. Combofix warns to continue at your own risk, can you advise if it is safe to do so or how I can shut McAffee off. There is no McAffee icon in my Start menu, nor is it listed in the list of programs installed on my computer.
  7. Broni

    Broni Malware Annihilator Posts: 46,321   +252

  8. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    ComboFix 12-07-08.03 - Justin Silvi 07/09/2012 22:11:39.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3071.2242 [GMT -4:00]
    Running from: c:\users\Justin Silvi\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-10 02:19 . 2012-07-10 02:19 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-10 02:19 . 2012-07-10 02:19 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-07-10 02:11 . 2012-07-10 02:11 -------- d-----w- C:\FRST
    2012-07-10 02:07 . 2012-07-10 02:21 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E7D472A-4A27-4184-80BD-69EDE1279EA9}\offreg.dll
    2012-07-09 23:23 . 2012-07-09 23:23 43480 ----a-w- c:\windows\system32\drivers\hacuobzo.sys
    2012-07-09 20:25 . 2012-07-09 20:25 -------- d-----w- c:\users\Administrator\AppData\Roaming\Garmin
    2012-07-09 20:25 . 2012-07-09 20:25 -------- d-----w- c:\users\Administrator\AppData\Roaming\Apple Computer
    2012-07-09 19:36 . 2012-07-09 19:36 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E00A08C4-87A4-49F8-9693-8936DB36D6AF}\gapaengine.dll
    2012-07-09 19:36 . 2012-05-31 00:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E7D472A-4A27-4184-80BD-69EDE1279EA9}\mpengine.dll
    2012-07-09 19:34 . 2012-07-09 19:34 -------- d-----w- c:\program files\Microsoft Security Client
    2012-06-24 04:22 . 2012-06-24 04:22 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2012-06-21 13:47 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 13:47 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 13:47 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 13:47 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 13:47 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 13:47 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 13:47 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 13:47 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 13:47 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-13 02:53 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-13 02:53 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
    2012-06-13 02:53 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
    2012-06-13 02:53 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-06-13 02:53 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-06-13 02:53 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-06-13 02:53 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
    2012-06-13 02:52 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-13 02:52 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-13 02:52 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-12 01:42 . 2012-06-12 01:42 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
    2012-06-12 01:42 . 2012-06-12 01:42 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
    2012-06-11 15:42 . 2012-06-11 15:42 -------- d-----w- c:\users\Justin Silvi\AppData\Local\Macromedia
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-09 13:31 . 2012-04-12 15:38 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-09 13:31 . 2011-05-14 16:02 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-05-14 02:22 . 2012-05-14 02:22 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-05-14 02:22 . 2011-02-27 17:21 472864 ----a-w- c:\windows\system32\deployJava1.dll
    2012-06-17 14:23 . 2011-05-13 19:30 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-01-06 1446760]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-08-26 708608]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-24 13556256]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-24 92704]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-08-27 2717696]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
    "Corel File Shell Monitor"="c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe" [2007-12-01 38400]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
    "Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-01-06 1446760]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\users\Justin Silvi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "NoHotStart"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoHotStart"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
    2007-07-12 15:42 2491688 ------w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe
    .
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [x]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
    S2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [x]
    S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [x]
    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-10 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 13:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: $talisma_url$
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 192.168.1.254
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
    FF - ProfilePath - c:\users\Justin Silvi\AppData\Roaming\Mozilla\Firefox\Profiles\9fk0mk90.default\
    FF - prefs.js: browser.startup.homepage - hxxp://att.net
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    HKLM-Run-Corel Photo Downloader - c:\program files\Corel\Corel MediaOne\Corel PhotoDownloader.exe
    AddRemove-fd6599f8 - c:\windows\system32\fd6599f8.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\PSIService.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\windows\system32\sppsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-09 22:26:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-10 02:26
    .
    Pre-Run: 131,293,278,208 bytes free
    Post-Run: 145,057,554,432 bytes free
    .
    - - End Of File - - F96866F92527687420CFD873580922B7
  9. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\hacuobzo.sys
    
    Folder::
    C:\FRST
    
    DDS::
    Trusted Zone: $talisma_url$
    Trusted Zone: intuit.com\ttlc
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  10. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    ComboFix 12-07-08.03 - Justin Silvi 07/09/2012 23:32:25.2.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3071.2165 [GMT -4:00]
    Running from: c:\users\Justin Silvi\Desktop\ComboFix.exe
    Command switches used :: c:\users\Justin Silvi\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    FILE ::
    "c:\windows\system32\drivers\hacuobzo.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\FRST
    c:\frst\debug
    c:\frst\Hives\DEFAULT
    c:\frst\Hives\SAM
    c:\frst\Hives\SECURITY
    c:\frst\Hives\SOFTWARE
    c:\frst\Hives\SYSTEM
    c:\frst\Logs\ct
    c:\frst\Logs\Fixlog_09-07-2012_21-21-43.txt
    c:\frst\Logs\FRST_09-07-2012_18-13-18.txt
    c:\frst\Logs\FRST_09-07-2012_20-31-24.txt
    c:\windows\system32\drivers\hacuobzo.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-10 03:40 . 2012-07-10 03:40 -------- d-----w- c:\users\Justin Silvi\AppData\Local\temp
    2012-07-10 03:40 . 2012-07-10 03:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-10 03:40 . 2012-07-10 03:40 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-07-10 03:26 . 2012-07-10 03:26 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E7D472A-4A27-4184-80BD-69EDE1279EA9}\offreg.dll
    2012-07-09 20:25 . 2012-07-09 20:25 -------- d-----w- c:\users\Administrator\AppData\Roaming\Garmin
    2012-07-09 20:25 . 2012-07-09 20:25 -------- d-----w- c:\users\Administrator\AppData\Roaming\Apple Computer
    2012-07-09 19:36 . 2012-07-09 19:36 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E00A08C4-87A4-49F8-9693-8936DB36D6AF}\gapaengine.dll
    2012-07-09 19:36 . 2012-05-31 00:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E7D472A-4A27-4184-80BD-69EDE1279EA9}\mpengine.dll
    2012-07-09 19:34 . 2012-07-09 19:34 -------- d-----w- c:\program files\Microsoft Security Client
    2012-06-24 04:22 . 2012-06-24 04:22 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2012-06-21 13:47 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 13:47 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 13:47 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 13:47 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 13:47 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 13:47 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 13:47 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 13:47 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 13:47 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-13 02:53 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-13 02:53 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
    2012-06-13 02:53 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
    2012-06-13 02:53 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-06-13 02:53 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-06-13 02:53 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-06-13 02:53 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
    2012-06-13 02:52 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-13 02:52 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-13 02:52 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-12 01:42 . 2012-06-12 01:42 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
    2012-06-12 01:42 . 2012-06-12 01:42 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
    2012-06-11 15:42 . 2012-06-11 15:42 -------- d-----w- c:\users\Justin Silvi\AppData\Local\Macromedia
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-09 13:31 . 2012-04-12 15:38 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-09 13:31 . 2011-05-14 16:02 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-05-14 02:22 . 2012-05-14 02:22 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-05-14 02:22 . 2011-02-27 17:21 472864 ----a-w- c:\windows\system32\deployJava1.dll
    2012-06-17 14:23 . 2011-05-13 19:30 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-01-06 1446760]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-08-26 708608]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-24 13556256]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-24 92704]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-08-27 2717696]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
    "Corel File Shell Monitor"="c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe" [2007-12-01 38400]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
    "Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-01-06 1446760]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\users\Justin Silvi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "NoHotStart"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoHotStart"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
    2007-07-12 15:42 2491688 ------w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe
    .
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
    R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [x]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
    S2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [x]
    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-10 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 13:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
    FF - ProfilePath - c:\users\Justin Silvi\AppData\Roaming\Mozilla\Firefox\Profiles\9fk0mk90.default\
    FF - prefs.js: browser.startup.homepage - hxxp://att.net
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-07-09 23:41:43
    ComboFix-quarantined-files.txt 2012-07-10 03:41
    ComboFix2.txt 2012-07-10 02:26
    .
    Pre-Run: 144,586,768,384 bytes free
    Post-Run: 144,532,201,472 bytes free
    .
    - - End Of File - - 03AF380405A018A466C3C7248F42F628
  11. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    Looks good :)

    Any current issues?

    ===================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  12. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.07.09.08
    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Justin Silvi :: JUSTINSILVI-PC [administrator]
    7/10/2012 00:01:48
    mbam-log-2012-07-10 (00-01-48).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 223625
    Time elapsed: 4 minute(s), 12 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
  13. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    No issues before or after the scan, all seems to be running well. What a relief! I'm about to download OTL and run that.
  14. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    OTL logfile created on: 7/10/2012 00:10:48 - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Justin Silvi\Desktop
    Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 2.02 Gb Available Physical Memory | 67.40% Memory free
    6.00 Gb Paging File | 4.98 Gb Available in Paging File | 83.01% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 298.09 Gb Total Space | 134.68 Gb Free Space | 45.18% Space Free | Partition Type: NTFS

    Computer Name: JUSTINSILVI-PC | User Name: Justin Silvi | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/10 00:08:19 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Justin Silvi\Desktop\OTL.exe
    PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
    PRC - [2012/01/06 17:30:00 | 001,446,760 | ---- | M] (Garmin) -- C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
    PRC - [2011/08/26 21:44:34 | 002,717,696 | ---- | M] (Eastman Kodak Company) -- C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe
    PRC - [2011/08/05 13:29:56 | 000,159,456 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
    PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    PRC - [2010/07/27 05:47:14 | 000,315,392 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\McciServiceHost.exe
    PRC - [2007/12/01 18:38:16 | 000,038,400 | R--- | M] () -- C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
    PRC - [2007/06/05 14:20:32 | 000,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe
    PRC - [2006/06/14 12:58:00 | 000,061,440 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/06/14 11:26:29 | 013,198,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\3971e166cf827b6726e142f344061dc9\System.Windows.Forms.ni.dll
    MOD - [2012/06/14 11:22:01 | 018,000,896 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\199683f6e79076b634ee6cc0a82c0654\PresentationFramework.ni.dll
    MOD - [2012/06/14 11:21:41 | 011,451,904 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\e7dc084827f8df2dbdc819db5c633a0d\PresentationCore.ni.dll
    MOD - [2012/06/14 11:21:27 | 003,858,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\21f37f9f5162af7efb52169012bd111e\WindowsBase.ni.dll
    MOD - [2012/06/14 11:21:15 | 001,666,048 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\8c40f40ef36622109793788049fbe9ab\System.Drawing.ni.dll
    MOD - [2012/05/10 17:15:28 | 000,393,216 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\4837a5c6204d53e7aa4f7dd94b98207c\System.Xml.Linq.ni.dll
    MOD - [2012/05/10 17:15:26 | 001,782,272 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\d234eceae699d070b5a5712ce776c01f\System.Xaml.ni.dll
    MOD - [2012/05/10 14:04:07 | 000,595,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\a5fa2a1cfc6e9fdc39d9a8f2baa57bc9\PresentationFramework.Aero.ni.dll
    MOD - [2012/05/10 14:00:16 | 000,736,768 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\5a3beae8b211b91bfc620c029cf4c2d4\System.Security.ni.dll
    MOD - [2012/05/10 13:59:55 | 005,617,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d1f299160424bad90fe9f658661389e2\System.Xml.ni.dll
    MOD - [2012/05/10 13:59:46 | 007,069,184 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\ed91b57205429a23bb91f4499059a459\System.Core.ni.dll
    MOD - [2012/05/10 13:59:36 | 009,091,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\6f9f0467e8b2dd3f69b015c8e30ac945\System.ni.dll
    MOD - [2012/05/10 13:59:28 | 014,412,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\3953b1d8b9b57e4957bff8f58145384e\mscorlib.ni.dll
    MOD - [2007/12/01 18:38:16 | 000,038,400 | R--- | M] () -- C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe /McCoreSvc -- (McMPFSvc)
    SRV - [2012/07/09 09:31:58 | 000,257,224 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/06/17 10:23:02 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV - [2011/08/05 13:30:02 | 000,444,640 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
    SRV - [2011/08/05 13:30:02 | 000,268,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
    SRV - [2011/08/05 13:29:56 | 006,363,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
    SRV - [2011/02/24 09:20:30 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2010/07/27 05:47:14 | 000,315,392 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\McciServiceHost.exe -- (McciServiceHost)
    SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
    SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2008/08/26 16:52:14 | 000,159,744 | ---- | M] () [Auto | Stopped] -- C:\Program Files\System Control Manager\MSIService.exe -- (Micro Star SCM)
    SRV - [2007/06/05 14:20:32 | 000,177,704 | ---- | M] () [Auto | Start_Pending] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)
    SRV - [2006/06/14 12:58:00 | 000,061,440 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\ComboFix\mbr.sys -- (mbr)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\Users\JUSTIN~1\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV - [2010/11/20 08:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
    DRV - [2010/11/20 08:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
    DRV - [2010/11/20 08:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
    DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
    DRV - [2010/11/20 05:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
    DRV - [2010/11/20 05:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
    DRV - [2010/07/27 05:47:30 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
    DRV - [2010/07/27 05:47:10 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
    DRV - [2009/07/13 20:18:07 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
    DRV - [2009/07/13 20:14:49 | 000,020,480 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
    DRV - [2009/07/13 18:13:45 | 001,068,032 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
    DRV - [2009/07/13 18:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel(R)
    DRV - [2008/09/24 12:26:00 | 007,585,920 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2008/09/05 13:20:20 | 000,045,600 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
    DRV - [2008/05/30 05:17:54 | 000,093,968 | ---- | M] (JMicron Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
    IE - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 38 C0 7C FC 4D 5E CD 01 [binary data]
    IE - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\..\SearchScopes,DefaultScope = {91D4C8B7-5B26-4815-B95A-63BB99C9CEBD}
    IE - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\..\SearchScopes\{91D4C8B7-5B26-4815-B95A-63BB99C9CEBD}: "URL" = http://www.google.com/search?q={sea...ource}&ie={inputEncoding?}&oe={outputEncoding?}
    IE - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://att.net"
    FF - prefs.js..extensions.enabledItems: caaphishtoolbar@ca.com:2.0.0.112
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..extensions.enabledItems: toolbar@shopathome.com:5.2.0.0
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/17 10:23:04 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/07/09 14:28:57 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/17 10:23:04 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/07/09 14:28:57 | 000,000,000 | ---D | M]

    [2011/02/23 12:44:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Justin Silvi\AppData\Roaming\Mozilla\Extensions
    [2012/07/09 09:04:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Justin Silvi\AppData\Roaming\Mozilla\Firefox\Profiles\9fk0mk90.default\extensions
    [2012/06/11 21:42:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/02/21 12:01:24 | 000,000,000 | ---D | M] (z) -- C:\Program Files\Mozilla Firefox\extensions\{f7e284a6-b5f1-7de8-1a57-6e8e1d95cc64}
    [2012/07/09 09:04:28 | 000,013,611 | ---- | M] () (No name found) -- C:\USERS\JUSTIN SILVI\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\9FK0MK90.DEFAULT\EXTENSIONS\{CA96EAAA-E97D-4E54-B403-B7B5A8557FAD}.XPI
    [2012/06/17 10:23:04 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/03/15 12:46:48 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\mozilla firefox\plugins\NPcol400.dll
    [2011/03/15 12:46:48 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\mozilla firefox\plugins\NPcol500.dll
    [2011/07/13 18:52:56 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
    [2011/07/13 18:52:58 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
    [2012/02/22 13:41:03 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/02/22 13:41:03 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/07/09 23:40:04 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O3 - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe ()
    O4 - HKLM..\Run: [EKAIO2StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe (Eastman Kodak Company)
    O4 - HKLM..\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe (Garmin)
    O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
    O4 - HKLM..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe (Mirco-Star International CO., LTD.)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-1522111446-641931979-3450727178-1000..\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe (Garmin)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoHotStart = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoHotStart = 1
    O15 - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
    O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{045084B7-191B-4EE9-96A3-7A2A12C6A9C3}: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4AD7E193-0485-4FBF-AD80-775444C15308}: DhcpNameServer = 192.168.1.254
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/10 00:08:19 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Justin Silvi\Desktop\OTL.exe
    [2012/07/09 23:41:47 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/07/09 23:41:45 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/07/09 23:41:44 | 000,000,000 | ---D | C] -- C:\Users\Justin Silvi\AppData\Local\temp
    [2012/07/09 21:45:46 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/07/09 21:45:46 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/07/09 21:45:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/07/09 21:42:35 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/07/09 21:42:22 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/07/09 21:34:29 | 004,574,676 | R--- | C] (Swearware) -- C:\Users\Justin Silvi\Desktop\ComboFix.exe
    [2012/07/09 15:34:05 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/07/09 14:29:22 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
    [2012/06/21 14:01:36 | 000,000,000 | ---D | C] -- C:\Users\Justin Silvi\Documents\Paychecks
    [2012/06/18 14:41:48 | 000,000,000 | ---D | C] -- C:\Users\Justin Silvi\Documents\New folder
    [2012/06/17 12:50:38 | 000,000,000 | ---D | C] -- C:\Users\Justin Silvi\Documents\2812 inventory
    [2012/06/11 11:42:22 | 000,000,000 | ---D | C] -- C:\Users\Justin Silvi\AppData\Local\Macromedia
    [2 C:\*.tmp files -> C:\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/07/10 00:08:19 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Justin Silvi\Desktop\OTL.exe
    [2012/07/09 23:40:04 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/07/09 23:33:31 | 000,014,848 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/07/09 23:33:31 | 000,014,848 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/07/09 23:29:52 | 000,372,688 | ---- | M] () -- C:\ProgramData\nvModes.001
    [2012/07/09 23:26:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/07/09 23:25:58 | 2415,255,552 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/09 22:22:06 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/07/09 21:34:29 | 004,574,676 | R--- | M] (Swearware) -- C:\Users\Justin Silvi\Desktop\ComboFix.exe
    [2012/07/09 15:34:24 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/07/09 15:34:13 | 000,626,278 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/07/09 15:34:13 | 000,107,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/07/09 14:34:28 | 000,372,688 | ---- | M] () -- C:\ProgramData\nvModes.dat
    [2012/07/06 11:36:55 | 048,522,240 | ---- | M] () -- C:\Users\Justin Silvi\Documents\Personal Folders(1) backup.pst
    [2012/06/18 10:48:58 | 000,433,316 | ---- | M] () -- C:\Users\Justin Silvi\Desktop\img004.pdf
    [2012/06/17 13:45:54 | 000,000,964 | ---- | M] () -- C:\Users\Justin Silvi\Application Data\Microsoft\Internet Explorer\Quick Launch\BitTorrent.lnk
    [2012/06/15 20:45:30 | 000,070,924 | ---- | M] () -- C:\Users\Justin Silvi\Documents\PED escape pack.pdf
    [2012/06/14 11:55:00 | 000,443,904 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2 C:\*.tmp files -> C:\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/07/09 21:45:46 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/07/09 21:45:46 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/07/09 21:45:46 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/07/09 21:45:46 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/07/09 21:45:46 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/07/09 15:34:24 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
    [2012/07/09 15:34:17 | 000,001,922 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/06/18 10:48:58 | 000,433,316 | ---- | C] () -- C:\Users\Justin Silvi\Desktop\img004.pdf
    [2012/06/17 13:50:40 | 000,010,950 | ---- | C] () -- C:\Users\Justin Silvi\Documents\MIevolution.jpg
    [2012/06/17 13:45:54 | 000,000,964 | ---- | C] () -- C:\Users\Justin Silvi\Application Data\Microsoft\Internet Explorer\Quick Launch\BitTorrent.lnk
    [2012/06/15 20:45:30 | 000,070,924 | ---- | C] () -- C:\Users\Justin Silvi\Documents\PED escape pack.pdf
    [2012/06/14 11:19:05 | 048,522,240 | ---- | C] () -- C:\Users\Justin Silvi\Documents\Personal Folders(1) backup.pst
    [2011/12/30 20:55:51 | 000,000,108 | ---- | C] () -- C:\ProgramData\CameraRecorder.ini
    [2011/12/30 20:51:46 | 000,002,828 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
    [2011/12/30 20:51:46 | 000,000,088 | RHS- | C] () -- C:\Windows\System32\8F109DC930.sys
    [2011/12/29 17:21:03 | 000,000,031 | ---- | C] () -- C:\Windows\QUICKEN.INI
    [2011/12/24 23:31:36 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
    [2011/12/24 23:31:36 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
    [2011/12/24 23:31:36 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
    [2011/12/24 23:31:36 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
    [2011/12/24 23:31:36 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
    [2011/12/24 23:31:36 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
    [2011/07/18 11:10:50 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2011/03/22 23:21:24 | 000,372,688 | ---- | C] () -- C:\ProgramData\nvModes.001
    [2011/03/22 23:21:20 | 000,372,688 | ---- | C] () -- C:\ProgramData\nvModes.dat
    [2011/02/23 12:53:53 | 000,000,007 | ---- | C] () -- C:\Windows\System32\mkghj.dll

    ========== LOP Check ==========

    [2012/07/09 16:25:44 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Garmin
    [2012/05/07 17:54:56 | 000,000,000 | ---D | M] -- C:\Users\Justin Silvi\AppData\Roaming\Audacity
    [2012/07/08 08:53:38 | 000,000,000 | ---D | M] -- C:\Users\Justin Silvi\AppData\Roaming\BitTorrent
    [2011/03/15 12:46:48 | 000,000,000 | ---D | M] -- C:\Users\Justin Silvi\AppData\Roaming\Catalina Marketing Corp
    [2011/07/29 10:32:23 | 000,000,000 | ---D | M] -- C:\Users\Justin Silvi\AppData\Roaming\GARMIN
    [2011/04/09 22:54:44 | 000,000,000 | ---D | M] -- C:\Users\Justin Silvi\AppData\Roaming\StreamTorrent
    [2011/12/24 23:37:07 | 000,000,000 | ---D | M] -- C:\Users\Justin Silvi\AppData\Roaming\Ulead Systems
    [2012/06/23 00:22:18 | 000,032,656 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========


    < End of report >
  15. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    OTL Extras logfile created on: 7/10/2012 00:10:48 - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\Justin Silvi\Desktop
    Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 2.02 Gb Available Physical Memory | 67.40% Memory free
    6.00 Gb Paging File | 4.98 Gb Available in Paging File | 83.01% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 298.09 Gb Total Space | 134.68 Gb Free Space | 45.18% Space Free | Partition Type: NTFS

    Computer Name: JUSTINSILVI-PC | User Name: Justin Silvi | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-1522111446-641931979-3450727178-1000\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8485E718-31F2-413D-A813-1671D4F9DBE1}" = protocol=17 | dir=in | app=c:\program files\common files\motive\mcciservicehost.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{99FA58C6-0026-4E6A-899B-271C1BE8BA77}" = protocol=6 | dir=in | app=c:\program files\common files\motive\mcciservicehost.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
    "{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
    "{0E13CAA3-B5FC-48C0-AA4A-26F5CD0C371C}" = Garmin Lifetime Updater
    "{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
    "{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}" = iSEEK AnswerWorks English Runtime
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
    "{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron JMB38X Flash Media Controller
    "{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java(TM) 6 Update 32
    "{2A9DFFD8-4E09-4B91-B957-454805B0D7C4}" = Zune Language Pack (CHS)
    "{3589A659-F732-4E65-A89A-5438C332E59D}" = Zune Language Pack (ELL)
    "{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
    "{3BDDA587-7CDE-430C-90A4-E2C4E48D3AE9}" = Camera Recorder
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
    "{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
    "{51C839E1-2BE4-4E77-A1BA-CCEA5DAFA741}" = Zune Language Pack (KOR)
    "{57C51D56-B287-4C11-9192-EC3C46EF76A4}" = Zune Language Pack (RUS)
    "{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
    "{5DEFD397-4012-46C3-B6DA-E8013E660772}" = Zune Language Pack (NOR)
    "{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
    "{6EB931CD-A7DA-4A44-B74A-89C8EB50086F}" = Zune Language Pack (SVE)
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{76BA306B-2AA0-47C0-AB6B-F313AB56C136}" = Zune Language Pack (MSL)
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
    "{7F1B3341-A94E-4F5C-B587-CA0EB964221E}" = Microsoft Money Shared Libraries
    "{8960A0A1-BB5A-479E-92CF-65AB9D684B43}" = Zune Language Pack (PLK)
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8B112338-2B08-4851-AF84-E7CAD74CEB32}" = Zune Language Pack (DAN)
    "{8D3EDC18-A829-4860-A6FB-805A19E9EDE1}" = Garmin Lifetime Updater
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
    "{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{92ECE3F9-591E-4C12-8A62-B9FCE38BF646}" = Zune Language Pack (IND)
    "{9B75648B-6C30-4A0D-9DE6-0D09D20AF5A5}" = Zune
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A062A15F-9CAC-4B88-98DF-87628A0BD721}" = Corel MediaOne
    "{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
    "{A5A53EA8-A11E-49F0-BDF5-AE536426A31A}" = Zune Language Pack (CHT)
    "{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
    "{A8F2E50B-86E2-4D96-9BD2-9758BCC6F9B3}" = Zune Language Pack (CSY)
    "{ADD5DB49-72CF-11D8-9D75-000129760D75}" = PowerBackup
    "{B4870774-5F3A-46D9-9DFE-06FB5599E26B}" = Zune Language Pack (FIN)
    "{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
    "{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
    "{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
    "{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
    "{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}" = Microsoft Outlook Personal Folders Backup
    "{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
    "{C6BE19C6-B102-4038-B2A6-1C313872DBB4}" = Zune Language Pack (HUN)
    "{D36DD326-7280-11D8-97C8-000129760CBE}" = PhotoNow! 1.0
    "{D5A9B7C0-8751-11D8-9D75-000129760D75}" = MediaShow
    "{D8A781C9-3892-4E2E-9320-480CF896CFBB}" = Zune Language Pack (JPN)
    "{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
    "{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = PowerDVD Copy
    "{ED9C5D25-55DF-48D8-9328-2AC0D75DE5D8}" = System Control Manager
    "{EDE721EC-870A-11D8-9D75-000129760D75}" = PowerDirector Express
    "{F2CB8C3C-9C9E-4FAB-9067-655601C5F748}" = Windows Mobile Device Updater Component
    "{FF164702-AF8B-4F2F-8038-74A4C536866B}" = Ulead DVD MovieFactory 5
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.12 (Unicode)
    "BitTorrent" = BitTorrent
    "Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
    "EPSON Printer and Utilities" = EPSON Printer Software
    "EPSON Scanner" = EPSON Scan
    "LAME for Audacity_is1" = LAME v3.98.3 for Audacity
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "Money2008b" = Microsoft Money Essentials
    "Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "NVIDIA Drivers" = NVIDIA Drivers
    "TurboTax 2010" = TurboTax 2010
    "ULTIMATER" = Microsoft Office Ultimate 2007
    "Windows Media Encoder 9" = Windows Media Encoder 9 Series
    "Zune" = Zune

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 3/11/2012 19:00:01 | Computer Name = JustinSilvi-PC | Source = Windows Backup | ID = 4103
    Description =

    Error - 3/20/2012 08:36:45 | Computer Name = JustinSilvi-PC | Source = Windows Backup | ID = 4103
    Description =

    Error - 3/22/2012 11:45:46 | Computer Name = JustinSilvi-PC | Source = Software Protection Platform Service | ID = 1001
    Description = The Software Protection service failed to start. 0xD0000043 6.1.7601.17514

    Error - 3/25/2012 19:00:01 | Computer Name = JustinSilvi-PC | Source = Windows Backup | ID = 4103
    Description =

    Error - 4/2/2012 00:04:05 | Computer Name = JustinSilvi-PC | Source = Windows Backup | ID = 4103
    Description =

    Error - 4/4/2012 11:27:21 | Computer Name = JustinSilvi-PC | Source = VSS | ID = 8194
    Description =

    Error - 4/4/2012 11:36:57 | Computer Name = JustinSilvi-PC | Source = VSS | ID = 8194
    Description =

    Error - 4/9/2012 13:02:13 | Computer Name = JustinSilvi-PC | Source = Windows Backup | ID = 4103
    Description =

    Error - 4/15/2012 21:56:37 | Computer Name = JustinSilvi-PC | Source = Windows Backup | ID = 4103
    Description =

    Error - 4/22/2012 19:00:01 | Computer Name = JustinSilvi-PC | Source = Windows Backup | ID = 4103
    Description =

    [ Media Center Events ]
    Error - 3/4/2012 09:48:31 | Computer Name = JustinSilvi-PC | Source = MCUpdate | ID = 0
    Description = 8:48:29 AM - Error connecting to the internet. 8:48:29 AM - Unable
    to contact server..

    [ OSession Events ]
    Error - 3/24/2011 17:56:30 | Computer Name = JustinSilvi-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 8
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 9/9/2011 19:22:36 | Computer Name = JustinSilvi-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 52
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 1/2/2012 13:50:32 | Computer Name = JustinSilvi-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 1985
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 2/13/2012 12:03:41 | Computer Name = JustinSilvi-PC | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
    12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 9
    seconds with 0 seconds of active time. This session ended with a crash.

    [ System Events ]
    Error - 7/9/2012 22:21:02 | Computer Name = JustinSilvi-PC | Source = Service Control Manager | ID = 7003
    Description = The McAfee Personal Firewall Service service depends the following
    service: MfeFire. This service might not be installed.

    Error - 7/9/2012 22:22:05 | Computer Name = JustinSilvi-PC | Source = DCOM | ID = 10016
    Description =

    Error - 7/9/2012 22:28:59 | Computer Name = JustinSilvi-PC | Source = Service Control Manager | ID = 7003
    Description = The McAfee Personal Firewall Service service depends the following
    service: MfeFire. This service might not be installed.

    Error - 7/9/2012 22:30:01 | Computer Name = JustinSilvi-PC | Source = DCOM | ID = 10016
    Description =

    Error - 7/9/2012 23:26:11 | Computer Name = JustinSilvi-PC | Source = Service Control Manager | ID = 7003
    Description = The McAfee Personal Firewall Service service depends the following
    service: MfeFire. This service might not be installed.

    Error - 7/9/2012 23:27:12 | Computer Name = JustinSilvi-PC | Source = DCOM | ID = 10016
    Description =

    Error - 7/9/2012 23:32:00 | Computer Name = JustinSilvi-PC | Source = Service Control Manager | ID = 7034
    Description = The Micro Star SCM service terminated unexpectedly. It has done this
    1 time(s).

    Error - 7/9/2012 23:32:02 | Computer Name = JustinSilvi-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 7/9/2012 23:37:47 | Computer Name = JustinSilvi-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 7/9/2012 23:40:06 | Computer Name = JustinSilvi-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.


    < End of report >
  16. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe /McCoreSvc -- (McMPFSvc)
      O3 - HKU\S-1-5-21-1522111446-641931979-3450727178-1000\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ====================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  17. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    Ok. Signing off for the night, will take care of that tomorrow and post the results. Thanks so much for your help today!
  18. Broni

    Broni Malware Annihilator Posts: 46,321   +252

  19. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    All processes killed
    ========== OTL ==========
    Error: No service named McMPFSvc was found to stop!
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McMPFSvc deleted successfully.
    File C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe /McCoreSvc not found.
    Registry value HKEY_USERS\S-1-5-21-1522111446-641931979-3450727178-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0123B506-0AD9-43AA-B0CF-916C122AD4C5}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Starting removal of ActiveX control Garmin Communicator Plug-In
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 300751 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 56958 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56502 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Justin Silvi
    ->Temp folder emptied: 7440 bytes
    ->Temporary Internet Files folder emptied: 387467080 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 49294782 bytes
    ->Flash cache emptied: 722 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 782 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 417.00 mb


    [EMPTYJAVA]

    User: Administrator
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User

    User: Justin Silvi
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Justin Silvi
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.53.1 log created on 07112012_091319
    Files\Folders moved on Reboot...
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
  20. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    Results of screen317's Security Check version 0.99.24
    Windows 7 Service Pack 1 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Microsoft Security Essentials
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 32
    Adobe Flash Player 11.3.300.262
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    ``````````End of Log````````````
  21. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    Farbar Service Scanner Version: 08-07-2012
    Ran by Justin Silvi (administrator) on 11-07-2012 at 09:31:05
    Running from "C:\Users\Justin Silvi\Desktop"
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit

    **** End of log ****
  22. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    ESET scan log:

    C:\Qoobox\Quarantine\C\FRST\Quarantine\services.exe.vir Win32/Sirefef.FC trojan
  23. Broni

    Broni Malware Annihilator Posts: 46,321   +252

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ================================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
  24. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Justin Silvi
    ->Temp folder emptied: 93430 bytes
    ->Temporary Internet Files folder emptied: 31763853 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 11476486 bytes
    ->Flash cache emptied: 888 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1412922 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 893936 bytes

    Total Files Cleaned = 44.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Justin Silvi
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: Administrator
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User

    User: Justin Silvi
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.53.1 log created on 07122012_113323
    Files\Folders moved on Reboot...
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
  25. jjs1584

    jjs1584 Newcomer, in training Topic Starter Posts: 17

    Computer is running great, thank you so much for your help!

    Regarding Web of Trust; I will be reinstalling ATT's version of McAffee that includes Site Adviser, does that do the same thing and if so will the programs interfere with each other?

    Also, should I keep JavaRa and run it after each time Java updates itself?


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.