Solved Live Security Platinum + sirefef.y + sirefef.x


SignoreJoe

Hello all,

I have a similar problem from the looks of it on this forum, from a hard try at a removal of Live Security Platinum. Long story short, I changed the name of the files that it had planted on the computer using the advice of others and deleted such files and for the most part, it worked. But it was a crude and dirty removal. I uninstalled-reinstalled my copy of MSE to find the following trojans: Sirefef.y/Sirefef.x. After detecting the trojan, I get a notification that my computer has encountered a critical error and is shutting down in 60 seconds. Using the CMD to perform "shutdown -a" does absolutely nothing. This happens in all modes and is not nearly enough time for me to do anything about this problem properly, or to install software such as Malwarebytes, other than trying to mess around with my MSconfig in safe mode which hasn't given me any avail.

I am new to these forums and I am in dire need of a solution to this issue. I see many coders giving out fixlist, but I am completely new here so I'm not sure how I should go about this.

I have a working USB disk drive, so this is a start.

Specs: HP Laptop Pavilion dx4
Windows Vista Home Edition x64

Where should I start? I can follow instructions thoroughly and hope I can fix these problems.
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer, such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Download Farbar Recovery Scan Tool and save it to a flash drive.


Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
 
Hello! Thank you for your patience with me, clear instruction, courtesy, and last but not least, the quick reply :)

Posted will be the log that the FRST64.exe has recovered:
Scan result of Farbar Recovery Scan Tool Version: 04-08-2012
Ran by SYSTEM at 03-08-2012 20:21:24
Running from F:\
Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [442368 2009-06-03] (IDT, Inc.)
HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [914224 2008-11-18] (Hewlett-Packard)
HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [246784 2008-03-31] (Alps Electric Co., Ltd.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2008-11-26] (CyberLink Corp.)
HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam" [218408 2008-11-14] (CyberLink Corp.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [202024 2009-05-11] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)
HKLM-x32\...\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [1148200 2008-11-28] (CyberLink Corp.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Joe Rapp\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1242448 2011-09-24] (Valve Corporation)
HKU\Joe Rapp\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Joe Rapp\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Joe Rapp\...\Run: [Google Update] "C:\Users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-01-12] (Google Inc.)
HKU\Joe Rapp\...\Run: [Akamai NetSession Interface] "C:\Users\Joe Rapp\AppData\Local\Akamai\netsession_win.exe" [4327744 2012-05-26] (Akamai Technologies, Inc)
Tcpip\Parameters: [DhcpNameServer] 208.59.247.45 208.59.247.46

==================== Services (Whitelisted) ======

2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll [4419392 2012-07-10] (Akamai Technologies, Inc)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
4 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-12-02] ()
4 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\STacSV64.exe [239104 2009-06-03] (IDT, Inc.)
4 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-11-26] ()
4 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-11-26] ()
4 Viewpoint Manager Service; "C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)

========================== Drivers (Whitelisted) =============

1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [270912 2011-08-18] (DT Soft Ltd)
3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [21832 2010-08-31] (LogMeIn, Inc.)
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2008-11-28] (CyberLink Corp.)
4 eabfiltr; [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\ENG64.SYS [x]
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\EX64.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [x]
1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-03 20:20 - 2012-08-03 20:20 - 00000000 ____D C:\FRST
2012-08-02 17:21 - 2012-08-02 17:21 - 00266144 ____A C:\Windows\Minidump\Mini080212-01.dmp
2012-08-02 17:20 - 2012-08-02 17:56 - 289041449 ____A C:\Windows\MEMORY.DMP
2012-08-02 12:21 - 2012-08-02 12:21 - 09827016 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-02 12:17 - 2012-08-02 12:18 - 00000726 ____A C:\Users\Joe Rapp\Desktop\shutdown.exe.lnk
2012-08-02 04:53 - 2012-08-02 05:00 - 00384512 ____A (Microsoft Corporation) C:\services.exe
2012-08-01 19:43 - 2012-08-01 19:44 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-01 19:43 - 2012-08-01 19:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-01 04:15 - 2012-08-01 04:15 - 00000000 ____D C:\Windows\pss
2012-08-01 03:22 - 2012-08-01 03:22 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-31 19:09 - 2012-08-01 11:09 - 00000000 ____D C:\Users\All Users\Application Data\0C1D1A01E0DC8EA1FE0241162F3B707C
2012-07-31 19:09 - 2012-08-01 11:09 - 00000000 ____D C:\Users\All Users\0C1D1A01E0DC8EA1FE0241162F3B707C
2012-07-31 19:09 - 2012-07-31 19:09 - 00450048 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\Application Data\ntshcs.dll
2012-07-31 19:09 - 2012-07-31 19:09 - 00450048 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\Application Data\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\Application Data\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Application Data\TeamViewer
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Sun
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\TeamViewer
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Sun
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Local\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Local\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:07 - 2012-07-31 19:08 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Pefeoq
2012-07-31 19:07 - 2012-07-31 19:08 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Pefeoq
2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\Application Data\apshux.dll
2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\AppData\Roaming\apshux.dll
2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Opymbo
2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Adedn
2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Opymbo
2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Adedn
2012-07-25 21:11 - 2012-07-25 21:11 - 00010404 ____A C:\Users\Joe Rapp\Desktop\Untitled 1.ods
2012-07-15 14:40 - 2012-07-16 08:56 - 00023638 ____A C:\Users\Joe Rapp\My Documents\Untitled 1.odt
2012-07-15 14:40 - 2012-07-16 08:56 - 00023638 ____A C:\Users\Joe Rapp\Documents\Untitled 1.odt
2012-07-10 20:30 - 2012-07-10 20:30 - 00000000 ____D C:\Users\Joe Rapp\Desktop\GAI Logos
2012-07-10 20:29 - 2012-07-23 11:17 - 00000000 ____D C:\Users\Joe Rapp\Desktop\Customer 1
2012-07-10 20:29 - 2012-07-18 06:45 - 00000000 ____D C:\Users\Joe Rapp\Desktop\Machine Mayhem
2012-07-10 18:19 - 2012-07-10 18:18 - 00017896 ____A C:\paola.ttf
2012-07-05 16:00 - 2012-07-23 08:46 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Ventrilo
2012-07-05 16:00 - 2012-07-23 08:46 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Ventrilo
2012-07-05 15:59 - 2012-07-05 15:59 - 00000752 ____A C:\Users\Joe Rapp\Desktop\Ventrilo.lnk
2012-07-05 15:59 - 2012-07-05 15:59 - 00000262 ____A C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
2012-07-05 15:59 - 2012-07-05 15:59 - 00000000 ____D C:\Program Files\Ventrilo
2012-07-04 06:34 - 2012-07-04 06:34 - 00000528 ____A C:\Users\Joe Rapp\Desktop\Rules.txt

============ 3 Months Modified Files ========================

2012-08-03 02:53 - 2009-09-23 23:56 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-03 02:51 - 2011-07-09 17:50 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-03 02:51 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-03 02:51 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-03 02:51 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-02 17:56 - 2012-08-02 17:20 - 289041449 ____A C:\Windows\MEMORY.DMP
2012-08-02 17:21 - 2012-08-02 17:21 - 00266144 ____A C:\Windows\Minidump\Mini080212-01.dmp
2012-08-02 12:21 - 2012-08-02 12:21 - 09827016 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-02 12:20 - 2012-04-10 08:14 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-02 12:18 - 2012-08-02 12:17 - 00000726 ____A C:\Users\Joe Rapp\Desktop\shutdown.exe.lnk
2012-08-02 05:00 - 2012-08-02 04:53 - 00384512 ____A (Microsoft Corporation) C:\services.exe
2012-08-01 19:44 - 2011-01-31 12:27 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\Local Settings\GDIPFONTCACHEV1.DAT
2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-01 19:43 - 2011-01-31 12:26 - 00709162 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-01 19:39 - 2011-07-09 17:50 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-01 19:39 - 2011-01-12 16:23 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000UA.job
2012-08-01 11:59 - 2006-11-02 07:42 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-01 11:59 - 2006-11-02 07:21 - 05048416 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-01 11:58 - 2009-03-07 00:41 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-07-31 19:09 - 2012-07-31 19:09 - 00450048 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\Application Data\ntshcs.dll
2012-07-31 19:09 - 2012-07-31 19:09 - 00450048 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll
2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\Application Data\apshux.dll
2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\AppData\Roaming\apshux.dll
2012-07-31 07:39 - 2011-01-12 16:23 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000Core.job
2012-07-29 19:44 - 2012-01-21 10:45 - 00000346 ____A C:\Windows\Tasks\HPCeeScheduleForJoe Rapp.job
2012-07-28 17:00 - 2009-06-13 09:19 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-07-27 07:04 - 2012-04-10 08:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-27 07:04 - 2011-08-30 13:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-25 21:11 - 2012-07-25 21:11 - 00010404 ____A C:\Users\Joe Rapp\Desktop\Untitled 1.ods
2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-16 08:56 - 2012-07-15 14:40 - 00023638 ____A C:\Users\Joe Rapp\My Documents\Untitled 1.odt
2012-07-16 08:56 - 2012-07-15 14:40 - 00023638 ____A C:\Users\Joe Rapp\Documents\Untitled 1.odt
2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\Local Settings\d3d9caps.dat
2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\Local Settings\Application Data\d3d9caps.dat
2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\AppData\Local\d3d9caps.dat
2012-07-10 18:18 - 2012-07-10 18:19 - 00017896 ____A C:\paola.ttf
2012-07-05 15:59 - 2012-07-05 15:59 - 00000752 ____A C:\Users\Joe Rapp\Desktop\Ventrilo.lnk
2012-07-05 15:59 - 2012-07-05 15:59 - 00000262 ____A C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
2012-07-04 06:34 - 2012-07-04 06:34 - 00000528 ____A C:\Users\Joe Rapp\Desktop\Rules.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI0320.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI0320.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI0320.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI0320.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI0320.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI0320.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI0126.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI0126.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI0126.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI0126.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI0126.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI0126.txt
2012-06-29 03:04 - 2010-08-13 19:36 - 00466456 ____A (Creative Labs) C:\Windows\System32\wrap_oal.dll
2012-06-29 03:04 - 2010-08-13 19:36 - 00444952 ____A (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2012-06-29 03:04 - 2010-08-13 19:36 - 00122904 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\System32\OpenAL32.dll
2012-06-29 03:04 - 2010-08-13 19:36 - 00109080 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
2012-06-25 11:40 - 2012-06-25 11:40 - 00000902 ____A C:\Users\Public\Desktop\Adobe Download Assistant.lnk
2012-06-25 11:40 - 2012-06-25 11:40 - 00000902 ____A C:\Users\All Users\Desktop\Adobe Download Assistant.lnk
2012-06-23 14:33 - 2006-11-02 04:33 - 67895296 ____A C:\Windows\System32\config\software_previous
2012-06-23 14:33 - 2006-11-02 04:33 - 56623104 ____A C:\Windows\System32\config\components_previous
2012-06-23 14:33 - 2006-11-02 04:33 - 23855104 ____A C:\Windows\System32\config\system_previous
2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\default_previous
2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI1902.txt
2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI1902.txt
2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI1902.txt
2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI1902.txt
2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI1902.txt
2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI1902.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI1766.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI1766.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI1766.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI1766.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI1766.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI1766.txt
2012-06-20 09:22 - 2012-06-20 09:22 - 00000770 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-20 09:22 - 2012-06-20 09:22 - 00000770 ____A C:\Users\All Users\Desktop\CCleaner.lnk
2012-06-15 07:33 - 2012-06-15 07:32 - 06877439 ____A C:\Users\Joe Rapp\ROBLOX.zip
2012-06-11 10:48 - 2012-06-11 10:48 - 00001684 ____A C:\Users\Joe Rapp\Desktop\HydraIRC.lnk
2012-06-11 10:05 - 2012-06-11 10:05 - 00001702 ____A C:\Users\Joe Rapp\DesktopGods and Idols.lnk
2012-06-02 14:19 - 2012-06-23 14:47 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-23 14:47 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-23 14:47 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-23 14:47 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-23 14:47 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-23 14:47 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-23 14:47 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-23 14:47 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-23 14:47 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-23 14:47 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 11:19 - 2012-06-23 14:46 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:19 - 2012-06-23 14:46 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 11:15 - 2012-06-23 14:46 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 11:12 - 2012-06-23 14:46 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-05-31 02:41 - 2012-05-30 18:57 - 00118905 ____A C:\Users\Joe Rapp\PaperDraft.odt
2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI318B.txt
2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI318B.txt
2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI318B.txt
2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI318B.txt
2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI318B.txt
2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI318B.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI3041.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI3041.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI3041.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI3041.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI3041.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI3041.txt
2012-05-22 11:25 - 2012-05-22 11:25 - 02500792 ____A C:\Users\Joe Rapp\Downloads\AdobeDownloadAssistant.exe
2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI3051.txt
2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI3051.txt
2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI3051.txt
2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI3051.txt
2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI3051.txt
2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI3051.txt
2012-05-12 13:16 - 2006-11-02 04:46 - 00694396 ____A C:\Windows\System32\PerfStringBackup.INI


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3836.89 MB
Available physical RAM: 3178.53 MB
Total Pagefile: 3523.62 MB
Available Pagefile: 3162.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:219.77 GB) (Free:43.2 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:13.11 GB) (Free:2.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (SC4DELUXE2) (CDROM) (Total:0.63 GB) (Free:0 GB) CDFS
4 Drive f: (FD) (Removable) (Total:1.89 GB) (Free:0.49 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 1024 KB
Disk 1 Online 1936 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 220 GB 1024 KB
Partition 2 Primary 13 GB 220 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 220 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 13 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1936 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FD FAT32 Removable 1936 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-08-01 12:59

======================= End Of Log ==========================

Thanks for your help so far :D
 
You're welcome. :)

Additional FRST Scan

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)



When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.
 
Hello again!

Is there something the matter with my Services.exe file? I heard the virus can corrupt it.

Below is the search.txt that has been created. Thanks again for reviewing!

Farbar Recovery Scan Tool Version: 04-08-2012
Ran by SYSTEM at 2012-08-04 11:35:57
Running from F:\

================== Search: "services.exe" ===================

C:\services.exe
[2012-08-02 04:53] - [2012-08-02 05:00] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-23 23:56] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-23 23:56] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-09-23 23:56] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-09-23 23:56] - [2012-08-03 02:53] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

====== End Of Search ======
 
It is indeed corrupted. Now, time to fix it!

FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
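The check behind this fix, as an added example that is not part of the thread and not FRST's own code: the Search.txt above lists every services.exe on the disk as a path line followed by a "[created] - [modified] - size attrs (company) MD5" line, and the live copy in System32 should hash the same as one of the component-store (WinSxS) copies for the running architecture. The Python below parses that format (the sample is constructed from the seven entries posted above), flags the live binary when its hash matches no store copy and when it was modified years after it was laid down, finds copies outside \Windows that carry the same rogue hash (here C:\services.exe), and emits the same Replace: fixlist the helper wrote. The function names, the treatment of the OS build as a parameter, and the Vista mapping assumed here (6.0.6001 is SP1, 6.0.6002 is SP2) are this example's own assumptions; take the build from the header of your own FRST log.

```python
"""Triage an FRST Search.txt for a swapped system binary (added example,
not FRST's code). Reasoning follows the helper's: the live services.exe
must hash like a WinSxS copy for its architecture; if not, the store copy
for the installed service pack is the Replace: source."""
import re
from dataclasses import dataclass

# Constructed sample: the seven hits posted in the thread, copied verbatim.
SAMPLE_SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\services.exe
[2012-08-02 04:53] - [2012-08-02 05:00] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-23 23:56] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-23 23:56] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-09-23 23:56] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-09-23 23:56] - [2012-08-03 02:53] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

====== End Of Search ======
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# WinSxS directory: <arch>_<name>_<publicKeyToken>_<version>_<culture>_<hash>
STORE_RE = re.compile(
    r"\\winsxs\\(?P<arch>amd64|x86|wow64)_[^\\]*_(?P<version>\d+\.\d+\.\d+\.\d+)_[^\\]*\\",
    re.IGNORECASE,
)


@dataclass
class Entry:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def store_info(self):
        """(arch, version) for a component-store copy, else None."""
        m = STORE_RE.search(self.path)
        return (m["arch"].lower(), m["version"]) if m else None


def parse_search_log(text):
    """One Entry per hit: a path line followed by its detail line."""
    lines = [line.rstrip() for line in text.splitlines()]
    entries = []
    for i, line in enumerate(lines[:-1]):
        if PATH_RE.match(line):
            m = DETAIL_RE.match(lines[i + 1])
            if m is None:
                raise ValueError("malformed detail line after " + line)
            entries.append(Entry(line, m["created"], m["modified"],
                                 int(m["size"]), m["company"], m["md5"].upper()))
    return entries


def triage(entries, live_path, arch, os_build):
    """Judge the live binary against the store copies for `arch`.
    os_build is major.minor.build from the FRST header (assumed here:
    Vista SP1 = "6.0.6001", SP2 = "6.0.6002")."""
    try:
        live = next(e for e in entries if e.path.lower() == live_path.lower())
    except StopIteration:
        raise ValueError("live binary not in search results: " + live_path)
    store = [e for e in entries if e.store_info and e.store_info[0] == arch]
    candidates = [e for e in store if e.store_info[1].startswith(os_build + ".")]
    # Same bytes sitting outside \Windows: a dropper or staging copy.
    strays = [e for e in entries
              if e.md5 == live.md5 and not e.path.lower().startswith("c:\\windows\\")]
    return {
        "live_md5": live.md5,
        "in_store": live.md5 in {e.md5 for e in store},
        # FRST prints created before modified; a system binary rewritten
        # years after it was laid down is the tell the helper acted on.
        "modified_after_install": live.modified > live.created,
        "replace_source": candidates[0].path if candidates else None,
        "stray_copies": [e.path for e in strays],
    }


def fixlist(verdict, live_path):
    """fixlist.txt restoring the live file from the store copy; None if clean."""
    if verdict["in_store"] or verdict["replace_source"] is None:
        return None
    return "start\nReplace: %s %s\nend\n" % (verdict["replace_source"], live_path)


if __name__ == "__main__":
    hits = parse_search_log(SAMPLE_SEARCH_TXT)
    live = r"C:\Windows\System32\services.exe"
    verdict = triage(hits, live, "amd64", "6.0.6001")
    for key, value in verdict.items():
        print(key, "=", value)
    print(fixlist(verdict, live) or "live copy matches the component store")
```

Run as a script it prints the verdict for the x64 System32 copy and the Replace: fixlist; the same call with the SysWOW64 path, "x86" and "6.0.6002" reports that copy as matching the store, as the search result shows. A store hash only says the live file is an original Microsoft build, so after the fix confirm with the "Bamital & volsnap Check" section FRST prints, which compares the same files against its own reference list.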
 
I am not on a Windows PC, however I have used the Mac program "Text Edit" to paste the information. I had to save as an .rtf, would it be OK if I just changed the file extension to .txt?

Forget about it, I found a work around :)
 
Ok, the boot seemed normal, however I haven't had the time to babysit it yet so I will boot it up later and tell you how it looks. So far, I haven't received the 1 minute error, which is good. It still seems to run slowly. I have my PC sound turned off, but that's an issue with MSconfig after I tried to fiddle around with the services/bootups before coming here.

Posted is the Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-08-2012
Ran by SYSTEM at 2012-08-04 12:25:04 Run:1
Running from F:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Thanks!
 
Ok, so after rebooting and moving to a new location, the computer ran a CHKDSK it seems on startup, but I didn't see any results. Running a full MSE scan now. Things seem to be working, except my sound device is disabled in MSconfig, haven't changed anything since I've been told not to xD Will do if I have permission.
Anything I should do now that I have control of my computer back? Sorry for the consecutive post, seems I can't edit them when they're strung out.
 
ComboFix

Please download ComboFix by sUBs from BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
Hello DragonMaster. Please bear with me, as I am a bit dazed on some heavy painkillers. I managed to break my arm in a nasty sport accident. I won't be able to write very prompt replies, I apologize.
The ComboFix seems not to be working; no logs are left. I tried different names to no avail. Maybe it's something wrong on my end.
I've taken three screenshots of shady activity. I've run a full MSE scan before the ComboFix and found/removed the dozens of Sirefefs the scan found.
One of the issues is that MSE can't update its dictionaries.
Another is that I can't view my firewall options.
The final, even more strange, is that there are several "iexplorer.exe"s running when I look at the task manager...but I use Firefox.

Screenshots to come when I get some rest. Until then, ciao
 
Ok, here are the pictures and the FRST log. My computer is running extremely slow, I had to upload from another.

error1n.jpg


error2xf.jpg

Combofix renamed itself after its attempt to work. I also don't recall it disconnecting me from the internet...
error3n.jpg



Scan result of Farbar Recovery Scan Tool Version: 04-08-2012
Ran by SYSTEM at 06-08-2012 11:33:33
Running from F:\
Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [442368 2009-06-03] (IDT, Inc.)
HKLM\...\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [914224 2008-11-18] (Hewlett-Packard)
HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [246784 2008-03-31] (Alps Electric Co., Ltd.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [x]
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2008-11-26] (CyberLink Corp.)
HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam" [218408 2008-11-14] (CyberLink Corp.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [202024 2009-05-11] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)
HKLM-x32\...\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [1148200 2008-11-28] (CyberLink Corp.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [SwitchBoard] "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [x]
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2008-08-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin [x]
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [x]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [x]
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Joe Rapp\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1353080 2012-08-04] (Valve Corporation)
HKU\Joe Rapp\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Joe Rapp\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Joe Rapp\...\Run: [Google Update] "C:\Users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-01-12] (Google Inc.)
HKU\Joe Rapp\...\Run: [Akamai NetSession Interface] "C:\Users\Joe Rapp\AppData\Local\Akamai\netsession_win.exe" [4327744 2012-05-26] (Akamai Technologies, Inc)
HKU\Joe Rapp\...\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [880496 2012-05-19] (BitTorrent, Inc.)
HKU\Joe Rapp\...\Run: [Urozaghyp] "C:\Users\Joe Rapp\AppData\Roaming\Opymbo\uxixb.exe" [186880 2010-06-16] ()
HKU\Joe Rapp\...\Run: [renovator] C:\Users\Joe Rapp\AppData\Roaming\Sun\{0B3CB77C-A41B-4C99-B89A-B4BF948DAB9F}\renovator.exe [383488 2012-07-31] ()
HKU\Joe Rapp\...\Run: [ntshcs] "C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll",List_SetSlice [x]
HKU\Joe Rapp\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [4910912 2011-08-01] (DT Soft Ltd)
HKU\Joe Rapp\...\Run: [apshux] rundll32.exe "C:\Users\Joe Rapp\AppData\Roaming\apshux.dll",RetrieveColumn [128512 2012-07-31] (Crytek)
HKU\Joe Rapp\...\Run: [owudtx] "C:\Users\Joe Rapp\AppData\Roaming\owudtx.dll",SetInterrupt [458752 2012-08-05] (Andrew Zhezherun)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Startup: C:\Users\Joe Rapp\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ======

2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll [4419392 2012-07-10] (Akamai Technologies, Inc)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-12-02] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\STacSV64.exe [239104 2009-06-03] (IDT, Inc.)
2 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2008-11-26] ()
2 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2008-11-26] ()
2 Viewpoint Manager Service; "C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)

========================== Drivers (Whitelisted) =============

1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [270912 2011-08-18] (DT Soft Ltd)
3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [21832 2010-08-31] (LogMeIn, Inc.)
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2008-11-28] (CyberLink Corp.)
4 eabfiltr; [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\ENG64.SYS [x]
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\EX64.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [x]
1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-05 18:32 - 2012-08-05 18:32 - 00000398 ____A C:\Windows\PFRO.log
2012-08-05 17:08 - 2012-08-05 17:08 - 04725168 ____R (Swearware) C:\Users\Joe Rapp\Desktop\explorer.exe
2012-08-05 16:56 - 2012-08-05 16:57 - 00000000 ____D C:\Qoobox
2012-08-05 16:51 - 2012-08-05 17:10 - 00000000 ___SD C:\32788R22FWJFW
2012-08-05 16:51 - 2012-08-05 16:51 - 00000000 ____D C:\Windows\erdnt
2012-08-05 16:16 - 2012-08-05 16:16 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Help
2012-08-05 16:16 - 2012-08-05 16:16 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Help
2012-08-05 10:04 - 2012-08-05 10:04 - 00458752 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\Application Data\owudtx.dll
2012-08-05 10:04 - 2012-08-05 10:04 - 00458752 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\AppData\Roaming\owudtx.dll
2012-08-04 09:35 - 2012-08-05 18:44 - 00044834 ____A C:\Windows\WindowsUpdate.log
2012-08-03 20:20 - 2012-08-03 20:20 - 00000000 ____D C:\FRST
2012-08-02 17:21 - 2012-08-02 17:21 - 00266144 ____A C:\Windows\Minidump\Mini080212-01.dmp
2012-08-02 17:20 - 2012-08-02 17:56 - 289041449 ____A C:\Windows\MEMORY.DMP
2012-08-02 12:21 - 2012-08-05 10:20 - 09827016 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-02 12:17 - 2012-08-02 12:18 - 00000726 ____A C:\Users\Joe Rapp\Desktop\shutdown.exe.lnk
2012-08-01 19:43 - 2012-08-01 19:44 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-01 19:43 - 2012-08-01 19:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-01 04:15 - 2012-08-05 10:00 - 00000000 ____D C:\Windows\pss
2012-08-01 03:22 - 2012-08-01 03:22 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-31 19:09 - 2012-08-01 11:09 - 00000000 ____D C:\Users\All Users\Application Data\0C1D1A01E0DC8EA1FE0241162F3B707C
2012-07-31 19:09 - 2012-08-01 11:09 - 00000000 ____D C:\Users\All Users\0C1D1A01E0DC8EA1FE0241162F3B707C
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\Application Data\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\Application Data\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Local Settings\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Application Data\TeamViewer
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Sun
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\TeamViewer
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Sun
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Local\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:09 - 2012-07-31 19:09 - 00000000 ____D C:\Users\Joe Rapp\AppData\Local\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
2012-07-31 19:07 - 2012-08-05 18:45 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Pefeoq
2012-07-31 19:07 - 2012-08-05 18:45 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Pefeoq
2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\Application Data\apshux.dll
2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\AppData\Roaming\apshux.dll
2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Opymbo
2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\Application Data\Adedn
2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Opymbo
2012-07-31 19:07 - 2012-07-31 19:07 - 00000000 ____D C:\Users\Joe Rapp\AppData\Roaming\Adedn
2012-07-25 21:11 - 2012-07-25 21:11 - 00010404 ____A C:\Users\Joe Rapp\Desktop\Untitled 1.ods
2012-07-15 14:40 - 2012-07-16 08:56 - 00023638 ____A C:\Users\Joe Rapp\My Documents\Untitled 1.odt
2012-07-15 14:40 - 2012-07-16 08:56 - 00023638 ____A C:\Users\Joe Rapp\Documents\Untitled 1.odt
2012-07-10 20:30 - 2012-07-10 20:30 - 00000000 ____D C:\Users\Joe Rapp\Desktop\GAI Logos
2012-07-10 20:29 - 2012-07-23 11:17 - 00000000 ____D C:\Users\Joe Rapp\Desktop\Customer 1
2012-07-10 20:29 - 2012-07-18 06:45 - 00000000 ____D C:\Users\Joe Rapp\Desktop\Machine Mayhem
2012-07-10 18:19 - 2012-07-10 18:18 - 00017896 ____A C:\paola.ttf

============ 3 Months Modified Files ========================

2012-08-05 18:44 - 2012-08-04 09:35 - 00044834 ____A C:\Windows\WindowsUpdate.log
2012-08-05 18:39 - 2011-01-12 16:23 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000UA.job
2012-08-05 18:33 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-05 18:33 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-05 18:32 - 2012-08-05 18:32 - 00000398 ____A C:\Windows\PFRO.log
2012-08-05 18:32 - 2011-07-09 17:50 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-05 18:32 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-05 17:08 - 2012-08-05 17:08 - 04725168 ____R (Swearware) C:\Users\Joe Rapp\Desktop\explorer.exe
2012-08-05 16:20 - 2012-04-10 08:14 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-05 16:14 - 2011-07-09 17:50 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-05 16:13 - 2012-04-10 08:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-05 16:13 - 2011-08-30 13:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-05 10:20 - 2012-08-02 12:21 - 09827016 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-05 10:04 - 2012-08-05 10:04 - 00458752 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\Application Data\owudtx.dll
2012-08-05 10:04 - 2012-08-05 10:04 - 00458752 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\AppData\Roaming\owudtx.dll
2012-08-05 10:00 - 2009-03-07 00:41 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-08-05 10:00 - 2006-11-02 07:42 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-05 07:39 - 2011-01-12 16:23 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000Core.job
2012-08-02 17:56 - 2012-08-02 17:20 - 289041449 ____A C:\Windows\MEMORY.DMP
2012-08-02 17:21 - 2012-08-02 17:21 - 00266144 ____A C:\Windows\Minidump\Mini080212-01.dmp
2012-08-02 12:18 - 2012-08-02 12:17 - 00000726 ____A C:\Users\Joe Rapp\Desktop\shutdown.exe.lnk
2012-08-01 19:44 - 2011-01-31 12:27 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\Local Settings\GDIPFONTCACHEV1.DAT
2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-08-01 19:44 - 2009-06-12 14:02 - 00129288 ____A C:\Users\Joe Rapp\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-01 19:43 - 2011-01-31 12:26 - 00709162 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-01 11:59 - 2006-11-02 07:21 - 05048416 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\Application Data\apshux.dll
2012-07-31 19:07 - 2012-07-31 19:07 - 00128512 __ASH (Crytek) C:\Users\Joe Rapp\AppData\Roaming\apshux.dll
2012-07-29 19:44 - 2012-01-21 10:45 - 00000346 ____A C:\Windows\Tasks\HPCeeScheduleForJoe Rapp.job
2012-07-28 17:00 - 2009-06-13 09:19 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-07-25 21:11 - 2012-07-25 21:11 - 00010404 ____A C:\Users\Joe Rapp\Desktop\Untitled 1.ods
2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-20 03:39 - 2009-06-15 10:10 - 00146432 ____A C:\Users\Joe Rapp\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-16 08:56 - 2012-07-15 14:40 - 00023638 ____A C:\Users\Joe Rapp\My Documents\Untitled 1.odt
2012-07-16 08:56 - 2012-07-15 14:40 - 00023638 ____A C:\Users\Joe Rapp\Documents\Untitled 1.odt
2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\Local Settings\d3d9caps.dat
2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\Local Settings\Application Data\d3d9caps.dat
2012-07-15 16:16 - 2009-06-13 08:24 - 00007052 ____A C:\Users\Joe Rapp\AppData\Local\d3d9caps.dat
2012-07-10 18:18 - 2012-07-10 18:19 - 00017896 ____A C:\paola.ttf
2012-07-05 15:59 - 2012-07-05 15:59 - 00000752 ____A C:\Users\Joe Rapp\Desktop\Ventrilo.lnk
2012-07-05 15:59 - 2012-07-05 15:59 - 00000262 ____A C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
2012-07-04 06:34 - 2012-07-04 06:34 - 00000528 ____A C:\Users\Joe Rapp\Desktop\Rules.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI0320.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI0320.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00368820 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI0320.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI0320.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI0320.txt
2012-06-29 07:02 - 2012-06-29 07:02 - 00011418 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI0320.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI0126.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI0126.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00370702 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI0126.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI0126.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI0126.txt
2012-06-29 07:00 - 2012-06-29 07:00 - 00011386 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI0126.txt
2012-06-29 03:04 - 2010-08-13 19:36 - 00466456 ____A (Creative Labs) C:\Windows\System32\wrap_oal.dll
2012-06-29 03:04 - 2010-08-13 19:36 - 00444952 ____A (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2012-06-29 03:04 - 2010-08-13 19:36 - 00122904 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\System32\OpenAL32.dll
2012-06-29 03:04 - 2010-08-13 19:36 - 00109080 ____A (Portions (C) Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
2012-06-25 11:40 - 2012-06-25 11:40 - 00000902 ____A C:\Users\Public\Desktop\Adobe Download Assistant.lnk
2012-06-25 11:40 - 2012-06-25 11:40 - 00000902 ____A C:\Users\All Users\Desktop\Adobe Download Assistant.lnk
2012-06-23 14:33 - 2006-11-02 04:33 - 67895296 ____A C:\Windows\System32\config\software_previous
2012-06-23 14:33 - 2006-11-02 04:33 - 56623104 ____A C:\Windows\System32\config\components_previous
2012-06-23 14:33 - 2006-11-02 04:33 - 23855104 ____A C:\Windows\System32\config\system_previous
2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-06-23 14:33 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\default_previous
2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI1902.txt
2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI1902.txt
2012-06-23 09:22 - 2012-06-23 09:22 - 00369184 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI1902.txt
2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI1902.txt
2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI1902.txt
2012-06-23 09:22 - 2012-06-23 09:22 - 00011434 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI1902.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI1766.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI1766.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00370318 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI1766.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI1766.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI1766.txt
2012-06-23 09:20 - 2012-06-23 09:20 - 00011370 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI1766.txt
2012-06-20 09:22 - 2012-06-20 09:22 - 00000770 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-20 09:22 - 2012-06-20 09:22 - 00000770 ____A C:\Users\All Users\Desktop\CCleaner.lnk
2012-06-15 07:33 - 2012-06-15 07:32 - 06877439 ____A C:\Users\Joe Rapp\ROBLOX.zip
2012-06-11 10:48 - 2012-06-11 10:48 - 00001684 ____A C:\Users\Joe Rapp\Desktop\HydraIRC.lnk
2012-06-11 10:05 - 2012-06-11 10:05 - 00001702 ____A C:\Users\Joe Rapp\Desktop\Gods and Idols.lnk
2012-06-02 14:19 - 2012-06-23 14:47 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-23 14:47 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-23 14:47 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-23 14:47 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-23 14:47 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-23 14:47 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-23 14:47 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-23 14:47 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-23 14:47 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-23 14:47 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 11:19 - 2012-06-23 14:46 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:19 - 2012-06-23 14:46 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 11:15 - 2012-06-23 14:46 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 11:12 - 2012-06-23 14:46 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-05-31 02:41 - 2012-05-30 18:57 - 00118905 ____A C:\Users\Joe Rapp\PaperDraft.odt
2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI318B.txt
2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI318B.txt
2012-05-22 16:58 - 2012-05-22 16:57 - 00369912 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI318B.txt
2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI318B.txt
2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI318B.txt
2012-05-22 16:58 - 2012-05-22 16:57 - 00011466 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI318B.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI3041.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI3041.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00373006 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI3041.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI3041.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI3041.txt
2012-05-22 16:56 - 2012-05-22 16:56 - 00011482 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI3041.txt
2012-05-22 11:25 - 2012-05-22 11:25 - 02500792 ____A C:\Users\Joe Rapp\Downloads\AdobeDownloadAssistant.exe
2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistMSI3051.txt
2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistMSI3051.txt
2012-05-19 19:16 - 2012-05-19 19:15 - 00438054 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistMSI3051.txt
2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\Local Settings\dd_vcredistUI3051.txt
2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\Local Settings\Application Data\dd_vcredistUI3051.txt
2012-05-19 19:16 - 2012-05-19 19:15 - 00013988 ____A C:\Users\Joe Rapp\AppData\Local\dd_vcredistUI3051.txt
2012-05-12 13:16 - 2006-11-02 04:46 - 00694396 ____A C:\Windows\System32\PerfStringBackup.INI


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3836.89 MB
Available physical RAM: 3177.88 MB
Total Pagefile: 3523.62 MB
Available Pagefile: 3162.84 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:219.77 GB) (Free:40.13 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:13.11 GB) (Free:2.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (SC4DELUXE2) (CDROM) (Total:0.63 GB) (Free:0 GB) CDFS
4 Drive f: (FD) (Removable) (Total:1.89 GB) (Free:0.49 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 1024 KB
Disk 1 Online 1936 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 220 GB 1024 KB
Partition 2 Primary 13 GB 220 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 220 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 13 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1936 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FD FAT32 Removable 1936 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-08-05 18:38

======================= End Of Log ==========================

Thanks!!!
 
We'll take care of that...

FRST64 Fixlist

Please run the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt

start
HKU\Joe Rapp\...\Run: [Urozaghyp] "C:\Users\Joe Rapp\AppData\Roaming\Opymbo\uxixb.exe" [186880 2010-06-16] ()
HKU\Joe Rapp\...\Run: [renovator] C:\Users\Joe Rapp\AppData\Roaming\Sun\{0B3CB77C-A41B-4C99-B89A-B4BF948DAB9F}\renovator.exe [383488 2012-07-31] ()
HKU\Joe Rapp\...\Run: [ntshcs] "C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll",List_SetSlice [x]
HKU\Joe Rapp\...\Run: [apshux] rundll32.exe "C:\Users\Joe Rapp\AppData\Roaming\apshux.dll",RetrieveColumn [128512 2012-07-31] (Crytek)
HKU\Joe Rapp\...\Run: [owudtx] "C:\Users\Joe Rapp\AppData\Roaming\owudtx.dll",SetInterrupt [458752 2012-08-05] (Andrew Zhezherun)
2 Viewpoint Manager Service; "C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
2012-08-05 10:04 - 2012-08-05 10:04 - 00458752 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\Application Data\owudtx.dll
2012-08-05 10:04 - 2012-08-05 10:04 - 00458752 ____A (Andrew Zhezherun) C:\Users\Joe Rapp\AppData\Roaming\owudtx.dll
C:\Users\Joe Rapp\AppData\Roaming\apshux.dll
C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll
C:\Users\Joe Rapp\AppData\Roaming\Sun\{0B3CB77C-A41B-4C99-B89A-B4BF948DAB9F}\renovator.exe
C:\Users\Joe Rapp\AppData\Roaming\Opymbo
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.
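The fixlist above is built by hand from the FRST log: the helper picks out the Run values that load from the user's profile, the ones that load a DLL export through rundll32, and the ones with no publisher string, then copies those lines between start and end together with the file paths so FRST deletes the value and moves the file. The script below, an added example that is neither FRST's code nor the helper's, automates that first triage pass over FRST-style Run lines and drafts a fixlist in the same start/end form for a human to review. The heuristics (profile-directory path, DLL-export load, missing file, empty publisher) are my own assumptions about what makes an entry worth a second look, the regular expression is fitted to the line format visible in this thread, and the sample lines are constructed here (three modelled on the thread's flagged entries, two benign ones so the filter has something to leave alone).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the FRST "Run" line format seen in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKU\Joe Rapp\...\Run: [Urozaghyp] "C:\Users\Joe Rapp\AppData\Roaming\Opymbo\uxixb.exe" [186880 2010-06-16] ()
HKU\Joe Rapp\...\Run: [ntshcs] "C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll",List_SetSlice [x]
HKU\Joe Rapp\...\Run: [apshux] rundll32.exe "C:\Users\Joe Rapp\AppData\Roaming\apshux.dll",RetrieveColumn [128512 2012-07-31] (Crytek)
HKU\Joe Rapp\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1353080 2012-08-04] (Valve Corporation)
"""

# hive\...\Run: [ValueName] <command> [size date | x] (Publisher)
# The trailing "(Publisher)" is optional; "[x]" means FRST could not find the file.
RUN_RE = re.compile(
    r'^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.*?) \[(?P<meta>[^\]]*)\]'
    r'(?: \((?P<vendor>[^)]*)\))?\s*$'
)

# Directories a non-admin process can write to; legitimate autostarts rarely live here.
PROFILE_MARKERS = ("\\appdata\\", "\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    name: str
    hive: str
    path: str
    raw: str
    reasons: list = field(default_factory=list)


def extract_image_path(cmd: str) -> str:
    """Return the file the Run value actually loads: the quoted path if there
    is one, the DLL after rundll32.exe otherwise, or the first token."""
    m = re.search(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]


def triage_line(line: str) -> Optional[Finding]:
    """Parse one FRST Run line; None if the line is not a Run entry."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    path = extract_image_path(cmd)
    low = path.lower()
    f = Finding(m.group("name"), m.group("hive"), path, line.strip())
    if any(marker in low for marker in PROFILE_MARKERS):
        f.reasons.append("image lives in a user-writable profile directory")
    if low.endswith(".dll") or cmd.lower().startswith("rundll32"):
        f.reasons.append("DLL export used as a Run value (rundll32-style load)")
    if m.group("meta").strip() == "x":
        f.reasons.append("file missing on disk (FRST [x]): orphaned value or hidden file")
    elif not m.group("vendor"):
        f.reasons.append("no publisher string in the file's version info")
    return f


def triage(log_text: str) -> list:
    """All Run entries in the log that tripped at least one heuristic."""
    parsed = (triage_line(line) for line in log_text.splitlines())
    return [f for f in parsed if f is not None and f.reasons]


def draft_fixlist(findings: list) -> str:
    """Draft a fixlist in the start/end form used in this thread: the flagged
    Run line (FRST removes the value) followed by the image path (FRST moves
    the file). It is a draft for a human to review, not something to run blind."""
    body = []
    for f in findings:
        body.append(f.raw)
        if f.path:
            body.append(f.path)
    return "\n".join(["start", *body, "end"])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.hive} [{h.name}] -> {h.path}")
        for r in h.reasons:
            print(f"    - {r}")
    print()
    print(draft_fixlist(hits))
```

On the constructed sample the two benign entries (signed, under Program Files) drop out and the three profile-directory entries are reported with their reasons, which is the same set the helper's fixlist removes. The point of the tool is to shorten the reading, not to replace it: a legitimate per-user installer can also start from AppData, so the drafted fixlist is always checked line by line before FRST is run with it.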
 
OK, going to boot in a couple minutes.
Here's the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-08-2012
Ran by SYSTEM at 2012-08-06 16:36:44 Run:2
Running from F:\

==============================================

HKEY_USERS\Joe Rapp\Software\Microsoft\Windows\CurrentVersion\Run\\Urozaghyp Value deleted successfully.
HKEY_USERS\Joe Rapp\Software\Microsoft\Windows\CurrentVersion\Run\\renovator Value deleted successfully.
HKEY_USERS\Joe Rapp\Software\Microsoft\Windows\CurrentVersion\Run\\ntshcs Value deleted successfully.
HKEY_USERS\Joe Rapp\Software\Microsoft\Windows\CurrentVersion\Run\\apshux Value deleted successfully.
HKEY_USERS\Joe Rapp\Software\Microsoft\Windows\CurrentVersion\Run\\owudtx Value deleted successfully.
Viewpoint Manager Service service deleted successfully.
C:\Users\Joe Rapp\Application Data\owudtx.dll moved successfully.
C:\Users\Joe Rapp\AppData\Roaming\owudtx.dll not found.
C:\Users\Joe Rapp\AppData\Roaming\apshux.dll moved successfully.
C:\Users\Joe Rapp\AppData\Roaming\ntshcs.dll not found.
C:\Users\Joe Rapp\AppData\Roaming\Sun\{0B3CB77C-A41B-4C99-B89A-B4BF948DAB9F}\renovator.exe moved successfully.
C:\Users\Joe Rapp\AppData\Roaming\Opymbo moved successfully.

==== End of Fixlog ====

Things seem to be smoother. MSE can't update and the firewall is still funny. ComboFix is the next step?
 
We will take care of that stuff. It happens all the time.

Actually, there is evidence of rogue software, so we're going to use RogueKiller, please:

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix
  • The report has been created on the desktop.
Please post:

All RKreport.txt text files located on your desktop.
 
Done. Here are the 3 reports:

Report 1:
RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: Joe Rapp [Admin rights]
Mode: Scan -- Date: 08/07/2012 15:49:40

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543225L9A300 ATA Device +++++
--- User ---
[MBR] 45b10501e7e6151d070f775a69dd1dcf
[BSP] f4c7988f8bb01accb63c005743f441fe : Toshiba tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 225045 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 460894208 | Size: 13426 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt


Report2:

RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: Joe Rapp [Admin rights]
Mode: Remove -- Date: 08/07/2012 15:52:01

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543225L9A300 ATA Device +++++
--- User ---
[MBR] 45b10501e7e6151d070f775a69dd1dcf
[BSP] f4c7988f8bb01accb63c005743f441fe : Toshiba tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 225045 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 460894208 | Size: 13426 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Report3:

RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: Joe Rapp [Admin rights]
Mode: Shortcuts HJfix -- Date: 08/07/2012 16:01:30

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 1 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 33 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 144 / Fail 0
My documents: Success 1 / Fail 0
My favorites: Success 5 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 122 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 343 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\CdRom1 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

Thanks again!
 
ComboFix

Please download ComboFix by sUBs from BleepingComputer.com.

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for those on its whitelist of important system processes such as iexplore.exe, explorer.exe, and winlogon.exe.
 
Here's the combofix log!

ComboFix 12-08-07.05 - Joe Rapp 08/08/2012 8:51.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.2206 [GMT -4:00]
Running from: c:\users\Joe Rapp\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Joe Rapp\AppData\Roaming\Help\coredb\storage
.
.
((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))
.
.
2012-08-08 13:13 . 2012-08-08 13:13 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{865823A5-1A84-46F5-B68F-5197725D1428}\offreg.dll
2012-08-08 13:11 . 2012-08-08 13:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-08 00:35 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{865823A5-1A84-46F5-B68F-5197725D1428}\mpengine.dll
2012-08-07 16:34 . 2012-08-07 16:34 -------- d-----w- c:\program files\iPod
2012-08-07 16:34 . 2012-08-07 16:36 -------- d-----w- c:\program files\iTunes
2012-08-06 20:56 . 2012-08-06 20:56 476976 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-08-04 04:20 . 2012-08-04 04:20 -------- d-----w- C:\FRST
2012-08-02 20:21 . 2012-08-05 18:20 9827016 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-08-02 03:50 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-08-02 03:49 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-02 03:43 . 2012-08-02 03:43 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-08-02 03:43 . 2012-08-02 03:44 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-01 11:22 . 2012-08-01 11:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\TeamViewer
2012-08-01 03:09 . 2012-08-01 19:09 -------- d-----w- c:\programdata\0C1D1A01E0DC8EA1FE0241162F3B707C
2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Local\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Local\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
2012-08-01 03:07 . 2012-08-06 02:45 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\Pefeoq
2012-08-01 03:07 . 2012-08-01 03:07 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\Adedn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-06 20:56 . 2010-06-10 12:28 472880 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-06 00:13 . 2012-04-10 16:14 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-06 00:13 . 2011-08-30 21:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-29 11:04 . 2010-08-14 03:36 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-06-29 11:04 . 2010-08-14 03:36 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-06-29 11:04 . 2010-08-14 03:36 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-06-29 11:04 . 2010-08-14 03:36 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-06-02 22:19 . 2012-06-23 22:47 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 22:47 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 22:47 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 22:47 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 22:47 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-23 22:47 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 22:47 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-23 22:47 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 22:47 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-23 22:47 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 19:19 . 2012-06-23 22:46 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:19 . 2012-06-23 22:46 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 19:15 . 2012-06-23 22:46 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 19:12 . 2012-06-23 22:46 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-10-30 . 66CFDF478939DD6388858DE06F2CE14C . 302080 . . [6.0.6000.16386] .. c:\windows\system32\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-08-04 1353080]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Akamai NetSession Interface"="c:\users\Joe Rapp\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-05-20 880496]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
"UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]
"TVAgent"="c:\program files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-05-12 202024]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
c:\users\Joe Rapp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-27 250056]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 15:04]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-10 01:49]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-10 01:49]
.
2012-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000Core.job
- c:\users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-13 00:23]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000UA.job
- c:\users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-13 00:23]
.
2012-07-30 c:\windows\Tasks\HPCeeScheduleForJoe Rapp.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-03-07 19:34]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{E1B66EBE-ED5D-44FC-A4E2-B5CBD124692C}.job
- c:\windows\system32\msfeedssync.exe [2012-02-29 08:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-04 442368]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-31 246784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2929250
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Joe Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\zy9j3avr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2929250&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ce7499e7-af3c-4662-ac92-454212345ddb} - (no file)
Wow6432Node-HKLM-Run-SwitchBoard - c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
Wow6432Node-HKLM-Run-AdobeCS6ServiceManager - c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe
Wow6432Node-HKLM-Run-Adobe Acrobat Speed Launcher - c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe
Wow6432Node-HKLM-Run-Acrobat Assistant 8.0 - c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
WebBrowser-{CE7499E7-AF3C-4662-AC92-454212345DDB} - (no file)
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
HKLM-Run-AdobeAAMUpdater-1.0 - c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Acid-Base Solutions - c:\windows\system32\javaws.exe
AddRemove-RealHighway Mod - c:\users\Joe Rapp\Documents\SimCity 4\Plugins\Network Addon Mod\Real Highway Mod\uninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
@SACL=
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@SACL=
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@SACL=
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid]
@Denied: (A 2) (Everyone)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@SACL=
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\SMINST\BLService.exe
c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
.
**************************************************************************
.
Completion time: 2012-08-08 09:28:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-08 13:28
.
Pre-Run: 46,386,720,768 bytes free
Post-Run: 46,338,605,056 bytes free
.
- - End Of File - - 0239311E05DB297733B4A722745A18B5
 
ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::

    Folder::
    c:\users\Joe Rapp\AppData\Roaming\Pefeoq
    c:\users\Joe Rapp\AppData\Roaming\Adedn

    DDS::
    FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2929250&SearchSource=3&q={searchTerms}
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2929250
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
 
Here you are, thanks!

ComboFix 12-08-07.05 - Joe Rapp 08/09/2012 18:02:48.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.2312 [GMT -4:00]
Running from: c:\users\Joe Rapp\Desktop\ComboFix.exe
Command switches used :: c:\users\Joe Rapp\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Joe Rapp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\users\Joe Rapp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
.
.
((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
.
.
2012-08-09 22:21 . 2012-08-09 22:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-09 21:39 . 2012-08-09 21:39 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BBAD2D4-3ED1-4F45-9BB5-707490528C36}\offreg.dll
2012-08-08 13:34 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BBAD2D4-3ED1-4F45-9BB5-707490528C36}\mpengine.dll
2012-08-07 16:34 . 2012-08-07 16:34 -------- d-----w- c:\program files\iPod
2012-08-07 16:34 . 2012-08-07 16:36 -------- d-----w- c:\program files\iTunes
2012-08-06 20:56 . 2012-08-06 20:56 476976 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-08-04 04:20 . 2012-08-04 04:20 -------- d-----w- C:\FRST
2012-08-02 20:21 . 2012-08-05 18:20 9827016 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-08-02 03:50 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-08-02 03:49 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-02 03:43 . 2012-08-02 03:43 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-08-02 03:43 . 2012-08-02 03:44 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-01 11:22 . 2012-08-01 11:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\TeamViewer
2012-08-01 03:09 . 2012-08-01 19:09 -------- d-----w- c:\programdata\0C1D1A01E0DC8EA1FE0241162F3B707C
2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Local\{41F71C6E-DB86-11E1-8270-B8AC6F996F26}
2012-08-01 03:09 . 2012-08-01 03:09 -------- d-----w- c:\users\Joe Rapp\AppData\Local\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}
2012-08-01 03:07 . 2012-08-06 02:45 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\Pefeoq
2012-08-01 03:07 . 2012-08-01 03:07 -------- d-----w- c:\users\Joe Rapp\AppData\Roaming\Adedn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-06 20:56 . 2010-06-10 12:28 472880 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-06 00:13 . 2012-04-10 16:14 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-06 00:13 . 2011-08-30 21:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-29 11:04 . 2010-08-14 03:36 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-06-29 11:04 . 2010-08-14 03:36 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-06-29 11:04 . 2010-08-14 03:36 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-06-29 11:04 . 2010-08-14 03:36 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-06-02 22:19 . 2012-06-23 22:47 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 22:47 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 22:47 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 22:47 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 22:47 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-23 22:47 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 22:47 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-23 22:47 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 22:47 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-23 22:47 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 19:19 . 2012-06-23 22:46 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:19 . 2012-06-23 22:46 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 19:15 . 2012-06-23 22:46 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 19:12 . 2012-06-23 22:46 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-10 . 9235EC680D3DB17464B39C7C7DECB4DD . 301568 . . [6.0.6001.18287] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18287_none_28ff7f1fd585934f\shsvcs.dll
[7] 2009-07-10 . 3F6101365E6319171054ADD75788516C . 300032 . . [6.0.6000.21081] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.21081_none_279cb3aaf1823d60\shsvcs.dll
[7] 2009-07-10 . C2409C9B7C7E422E7680AE4E1738BFC8 . 302080 . . [6.0.6001.22467] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.22467_none_299ebda8ee92f85e\shsvcs.dll
[7] 2009-07-10 . F33C4D0B9EEFCDE346F8753DC4D6867F . 299520 . . [6.0.6000.16883] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16883_none_27153f51d8629d02\shsvcs.dll
[7] 2009-07-10 . 00DD742B99B278429714DEE859A73DD0 . 302080 . . [6.0.6002.22169] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.22169_none_2b873024ebb78030\shsvcs.dll
[7] 2009-07-10 . 56793271ECDEDD350C5ADD305603E963 . 302080 . . [6.0.6002.18063] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18063_none_2af7919dd29f485c\shsvcs.dll
[7] 2009-04-11 . 2AD15758174DCC7993FF3C00A955DD66 . 301568 . . [6.0.6002.18005] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18005_none_2b3a71b9d26cd364\shsvcs.dll
[7] 2008-01-21 . EB3114330236CF030E8EDF62881BAF67 . 301568 . . [6.0.6001.18000] .. c:\windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_294ef8add54b0818\shsvcs.dll
[-] 2011-10-30 . 66CFDF478939DD6388858DE06F2CE14C . 302080 . . [6.0.6000.16386] .. c:\windows\system32\shsvcs.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-08-08_13.20.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2012-08-08 13:21 62780 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-08-09 21:46 98928 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-06-12 21:57 . 2012-08-09 21:46 25024 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2448708025-4140109235-615150339-1000_UserData.bin
- 2012-08-08 13:12 . 2012-08-08 13:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-08 13:12 . 2012-08-09 21:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-08 13:12 . 2012-08-09 21:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-08 13:12 . 2012-08-08 13:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-08-04 1353080]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Akamai NetSession Interface"="c:\users\Joe Rapp\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-05-20 880496]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
"UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]
"TVAgent"="c:\program files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-05-12 202024]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
c:\users\Joe Rapp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-27 250056]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 15:04]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-10 01:49]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-10 01:49]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000Core.job
- c:\users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-13 00:23]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2448708025-4140109235-615150339-1000UA.job
- c:\users\Joe Rapp\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-13 00:23]
.
2012-07-30 c:\windows\Tasks\HPCeeScheduleForJoe Rapp.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-03-07 19:34]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{E1B66EBE-ED5D-44FC-A4E2-B5CBD124692C}.job
- c:\windows\system32\msfeedssync.exe [2012-02-29 08:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-04 442368]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-31 246784]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Joe Rapp\AppData\Roaming\Mozilla\Firefox\Profiles\zy9j3avr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2929250&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?ourmark=3&sid=100275&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
@SACL=
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@SACL=
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@SACL=
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@SACL=
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@SACL=
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@SACL=
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@SACL=
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid]
@Denied: (A 2) (Everyone)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@SACL=
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@SACL=
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@SACL=
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@SACL=
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@SACL=
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-08-09 18:27:24
ComboFix-quarantined-files.txt 2012-08-09 22:27
ComboFix2.txt 2012-08-08 13:28
.
Pre-Run: 46,188,060,672 bytes free
Post-Run: 46,150,266,880 bytes free
.
- - End Of File - - 1952EAE90D79784248D099EFE1A0FA92
 
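The Firefox entries ComboFix reported under "Supplementary Scan" above (the keyword.URL and browser.search.defaulturl redirects, plus the user.js security.warn_* values set to false) are the kind of profile change a search hijacker leaves behind. The following Python script is an added example, not part of this thread or of ComboFix: it parses prefs.js/user.js lines and flags those two patterns. The sample preference lines and the redirect-host list are constructed from the log entries above; the pref names are real Firefox preferences.

```python
import re
from urllib.parse import urlparse

# Constructed sample input in prefs.js / user.js syntax, mirroring the
# entries ComboFix listed in the log above (not copied from a real profile).
SAMPLE_PREFS = '''
user_pref("keyword.URL", "http://serp.freecause.com/?ourmark=3&sid=100275&q=");
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2929250&SearchSource=3&q={searchTerms}");
user_pref("browser.startup.homepage", "about:home");
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_submit_insecure.show_once", false);
'''

# One user_pref("name", value); statement per line.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Prefs that decide where typed search terms and the start page go.
SEARCH_PREFS = ("keyword.URL", "browser.search.defaulturl", "browser.startup.homepage")

# Hosts seen in this thread's ComboFix log (hxxp:// de-obfuscated). This is a
# constructed allow-nothing list for the example, not a complete blocklist.
KNOWN_REDIRECT_HOSTS = {"serp.freecause.com", "search.conduit.com"}


def _parse_value(raw):
    """Convert the JavaScript literal on the right-hand side to a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == "true":
        return True
    if raw == "false":
        return False
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unusual as the raw text


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in the text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit_prefs(prefs):
    """Return (category, pref_name, detail) tuples for suspicious settings.

    category is one of:
      search-redirect   - a search/start pref points at a host from the thread's log
      search-external   - a search/start pref points at some other remote URL
      weakened-warning  - a security.warn_* prompt has been switched off
    """
    findings = []
    for name in SEARCH_PREFS:
        value = prefs.get(name)
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            host = (urlparse(value).hostname or "").lower()
            label = "search-redirect" if host in KNOWN_REDIRECT_HOSTS else "search-external"
            findings.append((label, name, host))
    for name, value in prefs.items():
        # Firefox's mixed-content and insecure-submit warnings are on by default;
        # a user.js forcing them off silences exactly the prompts a redirector trips.
        if name.startswith("security.warn_") and value is False:
            findings.append(("weakened-warning", name, "false"))
    return findings


if __name__ == "__main__":
    for category, name, detail in audit_prefs(parse_prefs(SAMPLE_PREFS)):
        print(f"{category:17} {name} -> {detail}")
```

Point the script at a real profile by reading prefs.js and user.js from the ProfilePath ComboFix printed; entries flagged search-redirect correspond to the lines the CFScript's DDS:: section resets.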
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Here you go!

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=7108aa31bd02494cb854bc344db1bbdd
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-10 04:16:34
# local_time=2012-08-10 12:16:34 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 56 54124841 181203832 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=338481
# found=7
# cleaned=7
# scan_time=10268
C:\FRST\Quarantine\apshux.dll a variant of Win32/Medfos.CE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\FRST\Quarantine\owudtx.dll a variant of Win32/Kryptik.AJLB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\FRST\Quarantine\renovator.exe Win32/Gataka.B trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\FRST\Quarantine\Opymbo\uxixb.exe a variant of Win32/Kryptik.AJFL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Yontoo Layers\YontooIEClient.dll Win32/Adware.Yontoo.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Joe Rapp\AppData\Local\{41F6EAF3-DB86-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
 
Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, i.e. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran CCleaner
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
 
I've completed a system restore and run OTC, however I already have CCleaner on my computer, should I still install it from the links given?

Also, MSE still can't update, not sure what's the matter with it.
 