TechSpot

Siref? one minute shutdown

By Lisa1
Aug 18, 2012
  1. Hi - I need help with my infected HP laptop. The laptop was infected a few weeks ago - I followed online instructions downloading Malware Anti-Malware Bytes, and the computer appeared to be fixed, although MSE was disabled. Recently I tried to turn MSE back on and I now receive a 1 minute shutdown error. I don't believe I can follow all the forum posting instructions to create logs at this time because of this. I would love help! Thank you!!!
     
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================

    What Windows version is it?
     
  3. Lisa1

    Lisa1 TS Rookie Topic Starter

    I have Windows Vista.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt.
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
     
  5. Lisa1

    Lisa1 TS Rookie Topic Starter

    Here's the FRST log:

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 18-08-2012
    Ran by SYSTEM at 18-08-2012 12:23:11
    Running from F:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [827392 2007-01-12] (Synaptics, Inc.)
    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [174872 2007-02-12] (Intel Corporation)
    HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [159744 2007-02-13] ( Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [66816 2007-09-19] (Hewlett-Packard)
    HKLM\...\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [472776 2007-03-01] (Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [317128 2007-01-10] (Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2008-01-02] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [166424 2008-01-02] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [133656 2008-01-02] (Intel Corporation)
    HKLM\...\Run: [pdfFactory Dispatcher v3] "C:\Windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM [516096 2008-03-05] (FinePrint Software, LLC)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2011-01-25] (Apple Inc.)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-10-15] (Adobe Systems Incorporated)
    HKLM\...\Run: [D-Link D-Link DWA-121] C:\Program Files\D-Link\DWA-121 revA\AirNCFG.exe [1041728 2010-09-26] (D-Link Corp.)
    HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-10-14] (Hewlett-Packard)
    HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [80896 2007-08-22] (Hewlett-Packard)
    HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Lisa\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125440 2006-11-02] (Microsoft Corporation)
    HKU\Lisa\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [201728 2006-11-02] (Microsoft Corporation)
    HKU\Lisa\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-02-28] (Google Inc.)
    HKU\Lisa\...\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m [x]
    HKU\Lisa\...\Run: [Google Update] "C:\Users\Lisa\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-10-20] (Google Inc.)
    HKU\Lisa\...\Run: [SmileboxTray] "C:\Users\Lisa\AppData\Roaming\Smilebox\SmileboxTray.exe" [313160 2012-01-12] (Smilebox, Inc.)
    HKU\Lisa\...\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2356088 2008-09-26] (Adobe Systems Incorporated)
    HKLM\...\Runonce: [Launcher] %WINDIR%\SMINST\launcher.exe [x]
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
    Startup: C:\Users\Lisa\Start Menu\Programs\Startup\Jacquie Lawson London Advent Calendar.lnk
    ShortcutTarget: Jacquie Lawson London Advent Calendar.lnk -> C:\Program Files\Jacquie Lawson London Advent Calendar\Jacquie Lawson London Advent Calendar.exe ()

    ================================ Services (Whitelisted) ==================

    2 atashost; "C:\Windows\system32\atashost.exe" [20376 2008-12-09] (WebEx Communications, Inc.)
    2 CLCapSvc; "C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe" [262243 2007-04-23] ()
    4 CLSched; "C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe" [106593 2007-04-23] ()
    2 D_Link_DWA-121_WPS; C:\Program Files\D-Link\DWA-121 revA\ANIWConnService.exe [53248 2010-07-11] ()
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [22016 2006-11-02] (Microsoft Corporation)
    2 hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [135168 2006-05-02] (Hewlett-Packard Development Company, L.P.)
    2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
    2 NitroDriverReadSpool; "C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe" [188736 2010-02-02] (Nitro PDF Software)
    2 nlsX86cc; C:\Windows\system32\NLSSRV32.EXE [65856 2010-02-02] (Nalpeiron Ltd.)
    2 PenCommService; C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe [470528 2011-10-27] (Livescribe)
    2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-07-03] (Skype Technologies)
    2 Vongo Service; C:\Program Files\Vongo\VongoService.exe [176128 2007-03-29] (Starz Entertainment Group LLC)
    2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]

    ========================== Drivers (Whitelisted) =============
     
  6. Lisa1

    Lisa1 TS Rookie Topic Starter

    Here's the SEARCH log:

    Farbar Recovery Scan Tool Version: 18-08-2012
    Ran by SYSTEM at 2012-08-18 12:25:08
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
    [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

    C:\Windows\System32\services.exe
    [2006-11-02 00:35] - [2012-08-15 06:32] - 0279552 ____A (Microsoft Corporation) A246A7052A70C2E1BE4F7E54DF31E4DF

    C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2010-01-11 11:49] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    === End Of Search ===
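The Search.txt above lists every copy of services.exe with its size, timestamps and MD5, and the check the helper is making is whether the live System32 copy still matches the component-store (WinSxS) copy that Windows servicing installed. The following Python parser is an added example, not code from this thread or from FRST: it reads that Search.txt layout and reports the comparison. The sample input is the excerpt posted above, the path and detail-line regexes are assumptions about how FRST lays out the log, and LIVE_PREFIX assumes Windows lives on C:.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample: the Search.txt excerpt posted in this thread (FRST "Search:" output).
SEARCH_TXT = r"""
Farbar Recovery Scan Tool Version: 18-08-2012
Ran by SYSTEM at 2012-08-18 12:25:08
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2006-11-02 00:35] - [2012-08-15 06:32] - 0279552 ____A (Microsoft Corporation) A246A7052A70C2E1BE4F7E54DF31E4DF

C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2010-01-11 11:49] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

=== End Of Search ===
"""

# Assumed layout of the detail line under each path: [created] - [modified] - size attributes (signer) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"\[(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"(?P<size>\d+) \S+ \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# WinSxS folder names embed the component version: ..._6.0.6000.16386_none_...
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_")
TS_FMT = "%Y-%m-%d %H:%M"
LIVE_PREFIX = "c:\\windows\\system32\\"   # assumption: Windows is installed on C:

@dataclass
class Copy:
    path: str
    created: datetime
    modified: datetime
    size: int
    md5: str

    @property
    def is_reference(self) -> bool:
        # The component store (WinSxS) holds the copy laid down by Windows servicing.
        return "\\winsxs\\" in self.path.lower()

    @property
    def version(self) -> Optional[str]:
        m = VERSION_RE.search(self.path)
        return m.group(1) if m else None

def parse_search_log(text: str) -> List[Copy]:
    """Pair each path line with the detail line directly below it."""
    lines = text.splitlines()
    copies = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if PATH_RE.match(path) and m:
            copies.append(Copy(path.strip(),
                               datetime.strptime(m["created"], TS_FMT),
                               datetime.strptime(m["modified"], TS_FMT),
                               int(m["size"]), m["md5"].upper()))
    return copies

@dataclass
class Verdict:
    path: str
    md5: str
    status: str                          # "match", "mismatch" or "no-reference"
    reasons: List[str] = field(default_factory=list)

def assess(copies: List[Copy]) -> List[Verdict]:
    """Check every live System32 copy against the WinSxS reference copies."""
    refs = [c for c in copies if c.is_reference]
    verdicts = []
    for live in (c for c in copies if c.path.lower().startswith(LIVE_PREFIX)):
        v = Verdict(live.path, live.md5, "no-reference")
        same_hash = [r for r in refs if r.md5 == live.md5]
        if same_hash:
            v.status = "match"
            v.reasons.append(f"MD5 matches WinSxS copy {same_hash[0].version}")
        elif refs:
            v.status = "mismatch"
            for r in refs:
                if r.size == live.size:
                    # Same size, different bytes: the file was altered in place rather than replaced.
                    v.reasons.append(f"same size as WinSxS {r.version} ({r.size} bytes) "
                                     f"but MD5 {live.md5} != {r.md5}")
                if live.modified > r.modified:
                    v.reasons.append(f"modified {live.modified:{TS_FMT}}, "
                                     f"after reference copy {r.modified:{TS_FMT}}")
        verdicts.append(v)
    return verdicts
```

Run against the posted log, `assess(parse_search_log(SEARCH_TXT))` returns one "mismatch" verdict for C:\Windows\System32\services.exe with two reasons: identical size but different MD5 from the 6.0.6000.16386 WinSxS copy, and a 2012 modification time on a binary whose reference copy dates from 2006.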
     
  7. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    FRST log is incomplete.
    Redo.
     
  8. Lisa1

    Lisa1 TS Rookie Topic Starter

    How's this?

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 18-08-2012
    Ran by SYSTEM at 18-08-2012 12:59:16
    Running from F:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [827392 2007-01-12] (Synaptics, Inc.)
    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [174872 2007-02-12] (Intel Corporation)
    HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [159744 2007-02-13] ( Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [66816 2007-09-19] (Hewlett-Packard)
    HKLM\...\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [472776 2007-03-01] (Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [317128 2007-01-10] (Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2008-01-02] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [166424 2008-01-02] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [133656 2008-01-02] (Intel Corporation)
    HKLM\...\Run: [pdfFactory Dispatcher v3] "C:\Windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM [516096 2008-03-05] (FinePrint Software, LLC)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2011-01-25] (Apple Inc.)
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-10-15] (Adobe Systems Incorporated)
    HKLM\...\Run: [D-Link D-Link DWA-121] C:\Program Files\D-Link\DWA-121 revA\AirNCFG.exe [1041728 2010-09-26] (D-Link Corp.)
    HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-10-14] (Hewlett-Packard)
    HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [80896 2007-08-22] (Hewlett-Packard)
    HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
    HKU\Lisa\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125440 2006-11-02] (Microsoft Corporation)
    HKU\Lisa\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [201728 2006-11-02] (Microsoft Corporation)
    HKU\Lisa\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-02-28] (Google Inc.)
    HKU\Lisa\...\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m [x]
    HKU\Lisa\...\Run: [Google Update] "C:\Users\Lisa\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-10-20] (Google Inc.)
    HKU\Lisa\...\Run: [SmileboxTray] "C:\Users\Lisa\AppData\Roaming\Smilebox\SmileboxTray.exe" [313160 2012-01-12] (Smilebox, Inc.)
    HKU\Lisa\...\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2356088 2008-09-26] (Adobe Systems Incorporated)
    HKLM\...\Runonce: [Launcher] %WINDIR%\SMINST\launcher.exe [x]
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
    Startup: C:\Users\Lisa\Start Menu\Programs\Startup\Jacquie Lawson London Advent Calendar.lnk
    ShortcutTarget: Jacquie Lawson London Advent Calendar.lnk -> C:\Program Files\Jacquie Lawson London Advent Calendar\Jacquie Lawson London Advent Calendar.exe ()

    ================================ Services (Whitelisted) ==================

    2 atashost; "C:\Windows\system32\atashost.exe" [20376 2008-12-09] (WebEx Communications, Inc.)
    2 CLCapSvc; "C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe" [262243 2007-04-23] ()
    4 CLSched; "C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe" [106593 2007-04-23] ()
    2 D_Link_DWA-121_WPS; C:\Program Files\D-Link\DWA-121 revA\ANIWConnService.exe [53248 2010-07-11] ()
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [22016 2006-11-02] (Microsoft Corporation)
    2 hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [135168 2006-05-02] (Hewlett-Packard Development Company, L.P.)
    2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
    2 NitroDriverReadSpool; "C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe" [188736 2010-02-02] (Nitro PDF Software)
    2 nlsX86cc; C:\Windows\system32\NLSSRV32.EXE [65856 2010-02-02] (Nalpeiron Ltd.)
    2 PenCommService; C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe [470528 2011-10-27] (Livescribe)
    2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-07-03] (Skype Technologies)
    2 Vongo Service; C:\Program Files\Vongo\VongoService.exe [176128 2007-03-29] (Starz Entertainment Group LLC)
    2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]

    ========================== Drivers (Whitelisted) =============

    1 anodlwf; C:\Windows\System32\DRIVERS\anodlwf.sys [12800 2010-06-07] ()
    3 DRTL8192cu; C:\Windows\System32\DRIVERS\RTL8192cu.sys [602216 2010-08-19] (Realtek Semiconductor Corporation )
    1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
    3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)
    2 MCSTRM; C:\Windows\System32\Drivers\MCSTRM.sys [8413 2007-12-09] (RealNetworks, Inc.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 NWADI; C:\Windows\System32\DRIVERS\NWADIenum.sys [194048 2007-04-19] (Novatel Wireless Inc)
    3 NWUSBModem; C:\Windows\System32\DRIVERS\nwusbmdm.sys [99200 2007-04-19] (Novatel Wireless Inc.)
    3 NWUSBPort; C:\Windows\System32\DRIVERS\nwusbser.sys [99200 2007-04-19] (Novatel Wireless Inc.)
    3 PulseUsb; C:\Windows\System32\DRIVERS\PulseUsb.sys [20480 2011-10-27] (Windows (R) Win 7 DDK provider)
    3 ssmirrdr; C:\Windows\System32\DRIVERS\ssmirrdr.sys [10112 2010-05-14] (support.com, Inc)
    3 BDFsDrv; \??\C:\Program Files\Softwin\BitDefender10\bdfsdrv.sys [x]
    3 BDRsDrv; \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys [x]
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-18 12:23 - 2012-08-18 12:23 - 00000000 ____D C:\FRST
    2012-08-15 06:27 - 2012-08-15 06:27 - 00000055 ____A C:\Users\Lisa\Application Data\mbam.context.scan
    2012-08-15 06:27 - 2012-08-15 06:27 - 00000055 ____A C:\Users\Lisa\AppData\Roaming\mbam.context.scan
    2012-08-15 06:26 - 2012-08-15 06:28 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-08-13 22:19 - 2012-08-13 22:19 - 00000000 ____D C:\1611dc7c24c07e3ad49b4b54aa0bb9
    2012-08-13 22:02 - 2012-08-13 22:03 - 10288512 ____A (Microsoft Corporation) C:\Users\Lisa\Downloads\mseinstall.exe
    2012-08-02 17:33 - 2012-08-02 17:33 - 00119052 ____A C:\Users\Lisa\Desktop\immediate-opening-for-staff-position-sponsorship-sales-manager.htm
    2012-08-02 17:33 - 2012-08-02 17:33 - 00000000 ____D C:\Users\Lisa\Desktop\immediate-opening-for-staff-position-sponsorship-sales-manager_files
    2012-08-01 19:53 - 2012-08-01 19:53 - 00000000 ____D C:\Program Files\Common Files\Skype
    2012-07-31 14:00 - 2012-07-31 14:00 - 00014336 ____A C:\Users\Lisa\Desktop\payments.xls
    2012-07-29 22:43 - 2012-07-29 22:43 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-29 22:35 - 2012-07-29 22:35 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-29 22:35 - 2012-07-29 22:35 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-29 22:35 - 2012-07-29 22:35 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-07-29 22:35 - 2012-07-03 12:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-29 22:32 - 2012-07-29 22:33 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Lisa\Downloads\mbam-setup(1).exe
    2012-07-29 22:31 - 2012-07-29 22:32 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Lisa\Downloads\mbam-setup.exe
    2012-07-29 22:26 - 2012-07-29 22:26 - 00000755 ____A C:\Users\Public\Desktop\7-zip.lnk
    2012-07-29 22:26 - 2012-07-29 22:26 - 00000755 ____A C:\Users\All Users\Desktop\7-zip.lnk
    2012-07-29 22:26 - 2012-07-29 22:26 - 00000000 ____D C:\Program Files\7-zip
    2012-07-29 22:24 - 2012-07-29 22:24 - 01552064 ____A (W3i, LLC) C:\Users\Lisa\Downloads\7zip_installer_1650(1).exe
    2012-07-29 22:22 - 2012-07-29 22:22 - 01552064 ____A (W3i, LLC) C:\Users\Lisa\Downloads\7zip_installer_1650.exe
    2012-07-29 21:15 - 2012-07-29 21:17 - 00000000 ____D C:\Users\All Users\Application Data\036DFF980008EE9902B32B59C2E33E28
    2012-07-29 21:15 - 2012-07-29 21:17 - 00000000 ____D C:\Users\All Users\036DFF980008EE9902B32B59C2E33E28
    2012-07-29 09:25 - 2012-07-29 09:30 - 40442366 ____A C:\Users\Lisa\Downloads\Update_kindle_5.1.0.bin
    2012-07-29 09:19 - 2012-07-29 09:19 - 01587203 ____A C:\Users\Lisa\Downloads\Update_kindle_5.1.2.bin

    ============ 3 Months Modified Files ========================

    2012-08-18 11:15 - 2010-04-18 21:44 - 00000378 ____A C:\Windows\Tasks\FileCure Startup.job
    2012-08-18 11:15 - 2006-11-02 04:47 - 00003072 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-18 11:15 - 2006-11-02 04:47 - 00003072 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-15 07:02 - 2010-03-02 09:00 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-15 07:02 - 2007-11-13 16:44 - 00000416 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{B6B6C140-5E1E-411E-B485-943831A01F6C}.job
    2012-08-15 07:02 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-15 06:32 - 2011-04-09 06:29 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4138486717-124904987-590684891-1000UA.job
    2012-08-15 06:32 - 2006-11-02 00:35 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-15 06:28 - 2012-08-15 06:26 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-08-15 06:27 - 2012-08-15 06:27 - 00000055 ____A C:\Users\Lisa\Application Data\mbam.context.scan
    2012-08-15 06:27 - 2012-08-15 06:27 - 00000055 ____A C:\Users\Lisa\AppData\Roaming\mbam.context.scan
    2012-08-15 06:20 - 2010-03-02 09:00 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-13 22:39 - 2006-11-02 05:01 - 00032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-13 22:25 - 2007-09-19 14:05 - 02092756 ____A C:\Windows\WindowsUpdate.log
    2012-08-13 22:11 - 2011-11-02 16:33 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-13 22:03 - 2012-08-13 22:02 - 10288512 ____A (Microsoft Corporation) C:\Users\Lisa\Downloads\mseinstall.exe
    2012-08-13 21:41 - 2011-10-10 20:33 - 00002377 ____A C:\Users\Public\Desktop\Skype.lnk
    2012-08-13 21:41 - 2011-10-10 20:33 - 00002377 ____A C:\Users\All Users\Desktop\Skype.lnk
    2012-08-12 22:09 - 2007-11-13 17:09 - 00000318 ____A C:\Windows\Tasks\HPCeeScheduleForLisa.job
    2012-08-09 17:00 - 2010-04-18 21:44 - 00000442 ____A C:\Windows\Tasks\ParetoLogic Registration3.job
    2012-08-09 10:16 - 2006-11-02 02:33 - 00720778 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-07 14:31 - 2011-04-09 06:29 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4138486717-124904987-590684891-1000Core.job
    2012-08-06 12:01 - 2011-02-22 22:10 - 00007372 ____A C:\Windows\setupact.log
    2012-08-06 01:02 - 2010-04-18 21:44 - 00000416 ____A C:\Windows\Tasks\ParetoLogic Update Version3.job
    2012-08-02 17:33 - 2012-08-02 17:33 - 00119052 ____A C:\Users\Lisa\Desktop\immediate-opening-for-staff-position-sponsorship-sales-manager.htm
    2012-07-31 14:00 - 2012-07-31 14:00 - 00014336 ____A C:\Users\Lisa\Desktop\payments.xls
    2012-07-29 23:59 - 2008-05-06 14:54 - 00104030 ____A C:\Windows\PFRO.log
    2012-07-29 22:35 - 2012-07-29 22:35 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-29 22:35 - 2012-07-29 22:35 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-29 22:33 - 2012-07-29 22:32 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Lisa\Downloads\mbam-setup(1).exe
    2012-07-29 22:32 - 2012-07-29 22:31 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Lisa\Downloads\mbam-setup.exe
    2012-07-29 22:26 - 2012-07-29 22:26 - 00000755 ____A C:\Users\Public\Desktop\7-zip.lnk
    2012-07-29 22:26 - 2012-07-29 22:26 - 00000755 ____A C:\Users\All Users\Desktop\7-zip.lnk
    2012-07-29 22:24 - 2012-07-29 22:24 - 01552064 ____A (W3i, LLC) C:\Users\Lisa\Downloads\7zip_installer_1650(1).exe
    2012-07-29 22:22 - 2012-07-29 22:22 - 01552064 ____A (W3i, LLC) C:\Users\Lisa\Downloads\7zip_installer_1650.exe
    2012-07-29 09:30 - 2012-07-29 09:25 - 40442366 ____A C:\Users\Lisa\Downloads\Update_kindle_5.1.0.bin
    2012-07-29 09:19 - 2012-07-29 09:19 - 01587203 ____A C:\Users\Lisa\Downloads\Update_kindle_5.1.2.bin
    2012-07-12 02:01 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-03 12:46 - 2012-07-29 22:35 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-24 13:48 - 2012-06-24 13:48 - 00018361 ____A C:\Users\Lisa\Desktop\London - May 2012.htm
    2012-06-24 13:13 - 2012-06-24 13:13 - 00239448 ____A (Trusteer Ltd.) C:\Users\Lisa\Downloads\RapportSetup.exe
    2012-06-23 09:35 - 2012-06-23 09:35 - 00118028 ____A C:\Users\Lisa\Downloads\The Dude's Library.gex
    2012-06-20 20:24 - 2012-06-20 20:23 - 17425196 ____A C:\Users\Lisa\Downloads\Who_Wants_to_be_a_Millionaire_Full_Theme_Song___YouTube.wav
    2012-06-20 19:32 - 2012-06-20 19:30 - 00000190 ____A C:\Windows\System32\rmdata.nal
    2012-06-20 18:40 - 2012-06-20 18:40 - 14722604 ____A C:\Users\Lisa\Downloads\Who_Wants_To_Be_A_Millionaire_Music___100___1000_Questions___YouTube.wav
    2012-06-20 15:53 - 2012-06-20 15:52 - 12725464 ____A C:\Users\Lisa\Downloads\GameMaker-Installer-8.1.exe
    2012-06-18 18:45 - 2012-06-18 18:45 - 00739816 ____A (Google Inc.) C:\Users\Lisa\Downloads\GoogleEarthSetup.exe
    2012-06-18 15:48 - 2012-06-18 15:48 - 00338355 ____A C:\Users\Lisa\Desktop\pink flowers.htm
    2012-06-18 15:47 - 2012-06-18 15:47 - 00316718 ____A C:\Users\Lisa\Desktop\photo.php.htm
    2012-06-10 16:20 - 2012-06-10 16:20 - 09931012 ____A C:\Users\Lisa\Desktop\MEGAAWESOMEPOWERPOINT.pptx
    2012-06-09 15:06 - 2012-06-09 15:05 - 08350181 ____A (Chris Jones ) C:\Users\Lisa\Downloads\AGS-3.2.1.exe
    2012-05-25 14:42 - 2012-05-25 14:42 - 03279465 ____A C:\Users\Lisa\Desktop\jlquicksendwidget.air


    ZeroAccess:
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

    ZeroAccess:
    C:\Users\Lisa\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Users\Lisa\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Users\Lisa\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Users\Lisa\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A246A7052A70C2E1BE4F7E54DF31E4DF ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 29%
    Total physical RAM: 2037.81 MB
    Available physical RAM: 1427.45 MB
    Total Pagefile: 1767.87 MB
    Available Pagefile: 1563.43 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1990.14 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:103.51 GB) (Free:51.59 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (HP_RECOVERY) (Fixed) (Total:8.28 GB) (Free:1.38 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: () (Removable) (Total:0.47 GB) (Free:0.34 GB) FAT
    5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 112 GB 1528 KB
    Disk 1 Online 484 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 104 GB 32 KB
    Partition 2 Primary 8 GB 104 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 0 C NTFS Partition 104 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 D HP_RECOVERY NTFS Partition 8 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 483 MB 119 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 F FAT Removable 483 MB Healthy

    ==================================================================================

    Last Boot: 2012-07-30 16:29

    ======================= End Of Log ==========================
     
  9. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Good :)

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart the computer in safe mode.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done, Notepad will open with the rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
     

  10. Lisa1

    Lisa1 TS Rookie Topic Starter

    Hi - Here is the fixlog.txt:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 18-08-2012
    Ran by SYSTEM at 2012-08-18 15:12:38 Run:1
    Running from F:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
    C:\Users\Lisa\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
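The Fixlog above records a ZeroAccess (Sirefef) clean-up: the dropped {GUID} folders were moved aside and System32\services.exe was restored from the WinSxS component store. As an added example (not code from the thread or from FRST), this Python script parses such a Fixlog into its actions and checks that a restored binary now hashes identically to the WinSxS source it was copied from; the log text and file contents are constructed for the demo, and mapping the C: drive onto a temporary directory is an assumption made so it runs offline.

```python
"""Parse an FRST Fixlog and verify a restored system binary (added example)."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the action lines from the Fixlog posted in the thread.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 18-08-2012
Ran by SYSTEM at 2012-08-18 15:12:38 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
C:\Users\Lisa\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====
"""

# Line shapes FRST uses for the actions seen in this log (order matters only
# in that the more specific "copied ... to" form is tried first).
_PATTERNS = [
    ("copied", re.compile(r"^(?P<path>.+?) copied successfully to (?P<dest>.+)$")),
    ("moved", re.compile(r"^(?P<path>.+?) moved successfully\.$")),
    ("not_found", re.compile(r"^(?P<path>.+?) not found\.$")),
    ("no_zeroaccess_entry", re.compile(r"^(?P<path>.+?) No ZeroAccess entry found\.$")),
]


@dataclass
class FixAction:
    action: str                 # one of the names in _PATTERNS
    path: str                   # object the action applied to
    dest: Optional[str] = None  # destination, only for "copied"


def parse_fixlog(text: str) -> List[FixAction]:
    """Turn the action lines of a Fixlog into FixAction records; the header,
    separator and footer lines match nothing and are skipped."""
    actions: List[FixAction] = []
    for raw in text.splitlines():
        line = raw.strip()
        for name, pat in _PATTERNS:
            m = pat.match(line)
            if m:
                actions.append(FixAction(name, m["path"], m.groupdict().get("dest")))
                break
    return actions


def windows_path_to_local(win_path: str, root: str) -> str:
    """Map 'C:\\Windows\\...' onto a directory standing in for the drive
    (assumption for the offline demo: the drive letter is dropped)."""
    rel = win_path[3:] if re.match(r"^[A-Za-z]:\\", win_path) else win_path
    return os.path.join(root, *rel.split("\\"))


def sha256_file(path: str) -> Optional[str]:
    """SHA-256 of a file, or None if it does not exist."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copies(actions: List[FixAction], root: str) -> Dict[str, Optional[bool]]:
    """For every 'copied' action, report whether destination and source hash
    identically: True (match), False (mismatch), None (a file is missing)."""
    report: Dict[str, Optional[bool]] = {}
    for a in actions:
        if a.action != "copied" or a.dest is None:
            continue
        src = sha256_file(windows_path_to_local(a.path, root))
        dst = sha256_file(windows_path_to_local(a.dest, root))
        report[a.dest] = None if src is None or dst is None else src == dst
    return report


def demo() -> Dict[str, Optional[bool]]:
    """Constructed drive layout in a temp dir: a faithful restore (match), a
    tampered System32 copy (mismatch), then a missing copy (None)."""
    actions = parse_fixlog(SAMPLE_FIXLOG)
    copied = next(a for a in actions if a.action == "copied")
    results: Dict[str, Optional[bool]] = {}
    with tempfile.TemporaryDirectory() as root:
        src = windows_path_to_local(copied.path, root)
        dst = windows_path_to_local(copied.dest, root)
        for p in (src, dst):
            os.makedirs(os.path.dirname(p), exist_ok=True)
        clean = b"MZ constructed clean services.exe image"  # constructed bytes
        with open(src, "wb") as f:
            f.write(clean)
        with open(dst, "wb") as f:
            f.write(clean)
        results["restored"] = verify_copies(actions, root)[copied.dest]
        with open(dst, "wb") as f:
            f.write(clean + b" tampered")
        results["tampered"] = verify_copies(actions, root)[copied.dest]
        os.remove(dst)
        results["missing"] = verify_copies(actions, root)[copied.dest]
    return results


if __name__ == "__main__":
    for a in parse_fixlog(SAMPLE_FIXLOG):
        print(f"{a.action:20} {a.path}" + (f" -> {a.dest}" if a.dest else ""))
    print(demo())
```

On a live machine the WinSxS copy is only as trustworthy as the component store itself; comparing the restored file against a hash from a known-good reference is the stronger check.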
     
  11. Lisa1

    Lisa1 TS Rookie Topic Starter

    Hi again,

    Here is the final c:\combofix.txt:

    ComboFix 12-08-18.03 - Lisa 08/18/2012 15:39:44.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.979 [GMT -7:00]
    Running from: c:\users\Lisa\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Lisa\AppData\Local\{7848AD55-A02D-47FB-8FBD-A9B2B5B9562C}
    c:\users\Lisa\AppData\Local\{7848AD55-A02D-47FB-8FBD-A9B2B5B9562C}\chrome.manifest
    c:\users\Lisa\AppData\Local\{7848AD55-A02D-47FB-8FBD-A9B2B5B9562C}\chrome\content\_cfg.js
    c:\users\Lisa\AppData\Local\{7848AD55-A02D-47FB-8FBD-A9B2B5B9562C}\chrome\content\overlay.xul
    c:\users\Lisa\AppData\Local\{7848AD55-A02D-47FB-8FBD-A9B2B5B9562C}\install.rdf
    c:\users\Lisa\Documents\~WRL0584.tmp
    c:\users\Lisa\Documents\~WRL0863.tmp
    c:\users\Lisa\Documents\~WRL1322.tmp
    c:\users\Lisa\Documents\~WRL1359.tmp
    c:\users\Lisa\Documents\~WRL1770.tmp
    c:\users\Lisa\Documents\~WRL2144.tmp
    c:\users\Lisa\Documents\~WRL2387.tmp
    c:\users\Lisa\Documents\~WRL3847.tmp
    c:\users\Lisa\Documents\~WRL4074.tmp
    c:\users\Lisa\g2mdlhlpx.exe
    c:\windows\XSxS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-18 22:54 . 2012-08-18 22:54 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4D15B3EE-220A-4963-B32B-2D6B71523959}\offreg.dll
    2012-08-18 20:23 . 2012-08-18 20:23 -------- d-----w- C:\FRST
    2012-08-14 06:24 . 2012-06-29 08:44 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4D15B3EE-220A-4963-B32B-2D6B71523959}\mpengine.dll
    2012-08-14 06:19 . 2012-08-14 06:19 -------- d-----w- C:\1611dc7c24c07e3ad49b4b54aa0bb9
    2012-08-14 06:05 . 2012-06-29 08:44 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-02 23:18 . 2012-08-02 23:18 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
    2012-08-02 23:18 . 2012-08-02 23:18 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
    2012-08-02 03:53 . 2012-08-02 03:53 -------- d-----w- c:\program files\Common Files\Skype
    2012-07-30 06:43 . 2012-07-30 06:43 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-30 06:35 . 2012-07-30 06:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-30 06:35 . 2012-07-03 20:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-30 06:26 . 2012-07-30 06:26 -------- d-----w- c:\program files\7-zip
    2012-07-30 05:15 . 2012-07-30 05:17 -------- d-----w- c:\programdata\036DFF980008EE9902B32B59C2E33E28
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-02 23:18 . 2011-04-17 16:21 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-01 39408]
    "SmileboxTray"="c:\users\Lisa\AppData\Roaming\Smilebox\SmileboxTray.exe" [2012-01-13 313160]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-09-20 66816]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-03 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-03 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-03 133656]
    "pdfFactory Dispatcher v3"="c:\windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-03-05 516096]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "D-Link D-Link DWA-121"="c:\program files\D-Link\DWA-121 revA\AirNCFG.exe" [2010-09-27 1041728]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-23 80896]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
    .
    c:\users\Lisa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Jacquie Lawson London Advent Calendar.lnk - c:\program files\Jacquie Lawson London Advent Calendar\Jacquie Lawson London Advent Calendar.exe [2011-11-24 142336]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4138486717-124904987-590684891-1000]
    "EnableNotifications"=dword:00000001
    "EnableNotificationsRef"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-08 c:\windows\Tasks\FileCure Default.job
    - c:\program files\ParetoLogic\FileCure\FileCure.exe [2010-03-28 19:47]
    .
    2012-08-18 c:\windows\Tasks\FileCure Startup.job
    - c:\program files\ParetoLogic\FileCure\FileCure.exe [2010-03-28 19:47]
    .
    2012-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:00]
    .
    2012-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:00]
    .
    2012-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4138486717-124904987-590684891-1000Core.job
    - c:\users\Lisa\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-09 00:15]
    .
    2012-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4138486717-124904987-590684891-1000UA.job
    - c:\users\Lisa\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-09 00:15]
    .
    2012-08-13 c:\windows\Tasks\HPCeeScheduleForLisa.job
    - c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-05-14 21:23]
    .
    2012-08-10 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-04 18:19]
    .
    2012-08-06 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-04 18:19]
    .
    2012-08-18 c:\windows\Tasks\User_Feed_Synchronization-{B6B6C140-5E1E-411E-B485-943831A01F6C}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig?refresh=1
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: homeserver.com\tjx2
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Lisa\AppData\Roaming\Mozilla\Firefox\Profiles\a6ya8c80.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-SmartRAM - c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
    SafeBoot-klmdb.sys
    AddRemove-VIEW322.0.4.0 - c:\windows\Strata\VIEW32\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-18 15:56
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\users\Lisa\AppData\Local\Temp\catchme.dll 53248 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(1920)
    c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\system32\WerCon.exe
    c:\windows\system32\atashost.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
    c:\program files\D-Link\DWA-121 revA\ANIWConnService.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe
    c:\windows\system32\NLSSRV32.EXE
    c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe
    c:\program files\Vongo\VongoService.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-18 16:02:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-18 23:01
    .
    Pre-Run: 56,823,488,512 bytes free
    Post-Run: 57,772,642,304 bytes free
    .
    - - End Of File - - 733A74AB6939045218D719431ED273DB
     
  12. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Looks good :)

    Any current issues?

    =========================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    Alternate download: http://www.filehippo.com/download_malwarebytes_anti_malware/
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    =======================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  13. Lisa1

    Lisa1 TS Rookie Topic Starter

    No, it seems good! Does this mean I'm good to go? :)
     
  14. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Not yet. I just need an update from you.
    Proceed with steps from my previous reply.
     
  15. Lisa1

    Lisa1 TS Rookie Topic Starter

    Whoops - sorry I didn't run the two last requests. Here is the Malwarebytes log:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.15.04

    Windows Vista x86 NTFS
    Internet Explorer 7.0.6000.16982
    Lisa :: LISA-PC [administrator]

    8/18/2012 5:16:59 PM
    mbam-log-2012-08-18 (17-16-59).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 198665
    Time elapsed: 10 minute(s), 27 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Users\Lisa\Downloads\7zip_installer_1650(1).exe (PUP.BundleOffers.IIQ) -> No action taken.
    C:\Users\Lisa\Downloads\7zip_installer_1650.exe (PUP.BundleOffers.IIQ) -> No action taken.

    (end)
     
  16. Lisa1

    Lisa1 TS Rookie Topic Starter

    Hi again,

    Here is the OTL.txt:

    OTL logfile created on: 8/18/2012 5:36:06 PM - Run 1
    OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\Lisa\Desktop
    Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6000.16982)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 48.58% Memory free
    4.19 Gb Paging File | 3.15 Gb Available in Paging File | 75.09% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 103.51 Gb Total Space | 53.91 Gb Free Space | 52.08% Space Free | Partition Type: NTFS
    Drive D: | 8.28 Gb Total Space | 1.28 Gb Free Space | 15.48% Space Free | Partition Type: NTFS

    Computer Name: LISA-PC | User Name: Lisa | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/08/18 17:34:57 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Lisa\Desktop\OTL.exe
    PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
    PRC - [2012/01/12 18:25:52 | 000,313,160 | ---- | M] (Smilebox, Inc.) -- C:\Users\Lisa\AppData\Roaming\Smilebox\SmileboxTray.exe
    PRC - [2011/10/27 16:56:35 | 000,470,528 | ---- | M] (Livescribe) -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
    PRC - [2010/09/26 20:09:08 | 001,041,728 | ---- | M] (D-Link Corp.) -- C:\Program Files\D-Link\DWA-121 revA\AirNCFG.exe
    PRC - [2010/07/11 23:39:24 | 000,053,248 | ---- | M] () -- C:\Program Files\D-Link\DWA-121 revA\ANIWConnService.exe
    PRC - [2010/03/28 12:47:44 | 001,692,440 | ---- | M] (ParetoLogic) -- C:\Program Files\ParetoLogic\FileCure\FileCure.exe
    PRC - [2010/02/02 12:35:30 | 000,065,856 | ---- | M] (Nalpeiron Ltd.) -- C:\Windows\System32\NLSSRV32.EXE
    PRC - [2010/02/02 12:35:20 | 000,188,736 | ---- | M] (Nitro PDF Software) -- C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
    PRC - [2008/12/09 14:51:41 | 000,020,376 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\System32\atashost.exe
    PRC - [2008/10/28 23:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2007/04/23 18:11:42 | 000,262,243 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
    PRC - [2007/03/29 13:59:42 | 000,176,128 | ---- | M] (Starz Entertainment Group LLC) -- C:\Program Files\Vongo\VongoService.exe
    PRC - [2007/03/09 10:50:02 | 004,390,912 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
    PRC - [2007/02/12 07:38:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2007/02/12 07:37:58 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/10/31 16:10:38 | 000,315,392 | ---- | M] () -- C:\Program Files\D-Link\DWA-121 revA\ANPDApi.dll
    MOD - [2010/11/17 14:16:56 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2010/09/26 19:16:34 | 000,290,816 | ---- | M] () -- C:\Program Files\D-Link\DWA-121 revA\wlanapp.dll
    MOD - [2010/02/02 12:35:36 | 000,115,008 | ---- | M] () -- C:\Program Files\Nitro PDF\Professional\NPShellExtension.dll
    MOD - [2007/04/23 18:10:44 | 000,061,440 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\common\MCEMediaStatus.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2012/08/02 16:18:44 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Disabled | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/07/03 13:19:28 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV - [2011/10/27 16:56:35 | 000,470,528 | ---- | M] (Livescribe) [Auto | Running] -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe -- (PenCommService)
    SRV - [2010/07/11 23:39:24 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\Program Files\D-Link\DWA-121 revA\ANIWConnService.exe -- (D_Link_DWA-121_WPS)
    SRV - [2010/02/02 12:35:30 | 000,065,856 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\Windows\System32\NLSSRV32.EXE -- (nlsX86cc)
    SRV - [2010/02/02 12:35:20 | 000,188,736 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe -- (NitroDriverReadSpool)
    SRV - [2008/12/09 14:51:41 | 000,020,376 | ---- | M] (WebEx Communications, Inc.) [Auto | Running] -- C:\Windows\System32\atashost.exe -- (atashost)
    SRV - [2007/11/13 14:47:32 | 000,265,912 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2007/04/23 18:11:44 | 000,106,593 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe -- (CLSched)
    SRV - [2007/04/23 18:11:42 | 000,262,243 | ---- | M] () [Auto | Running] -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe -- (CLCapSvc)
    SRV - [2007/03/29 13:59:42 | 000,176,128 | ---- | M] (Starz Entertainment Group LLC) [Auto | Running] -- C:\Program Files\Vongo\VongoService.exe -- (Vongo Service)
    SRV - [2007/02/12 07:38:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Lisa\AppData\Local\Temp\mbr.sys -- (mbr)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys -- (BDRsDrv)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Softwin\BitDefender10\bdfsdrv.sys -- (BDFsDrv)
    DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2011/10/27 16:57:23 | 000,020,480 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PulseUsb.sys -- (PulseUsb)
    DRV - [2010/08/19 23:27:30 | 000,602,216 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RTL8192cu.sys -- (DRTL8192cu)
    DRV - [2010/06/07 14:42:40 | 000,012,800 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\anodlwf.sys -- (anodlwf)
    DRV - [2010/05/14 02:15:16 | 000,010,112 | ---- | M] (support.com, Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssmirrdr.sys -- (ssmirrdr)
    DRV - [2009/07/14 05:12:29 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
    DRV - [2009/03/18 17:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
    DRV - [2007/12/09 13:02:30 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mcstrm.sys -- (MCSTRM)
    DRV - [2007/04/19 12:09:42 | 000,194,048 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
    DRV - [2007/04/19 12:09:42 | 000,099,200 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
    DRV - [2007/04/19 12:09:42 | 000,099,200 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
    DRV - [2007/03/05 14:28:00 | 000,076,288 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
    DRV - [2007/03/01 05:49:58 | 002,216,448 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netw4v32.sys -- (NETw4v32)
    DRV - [2007/02/24 07:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2007/01/23 10:03:28 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2007/01/23 09:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
    DRV - [2006/11/30 10:24:58 | 000,008,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\Windows\System32\drivers\eabfiltr.sys -- (eabfiltr)
    DRV - [2006/11/02 02:15:23 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wsdprint.sys -- (WSDPrintDevice)
    DRV - [2006/11/02 00:30:54 | 001,781,760 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netw3v32.sys -- (NETw3v32)
    DRV - [2006/10/09 13:47:58 | 000,981,504 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
    DRV - [2006/06/28 09:54:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{266B0F19-BF0E-4E12-8518-86D59D5A63A5}: "URL" = http://search.live.com/results.aspx...entrypoint={referrer:source?}&FORM=HVDUS7
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKLM\..\SearchScopes\{9EECE930-EA06-477C-A728-406A4A40B9C1}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
    IE - HKLM\..\SearchScopes\{B0F2BB51-91F8-46C6-AB21-953BC6C7B8D7}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-4138486717-124904987-590684891-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?refresh=1
    IE - HKU\S-1-5-21-4138486717-124904987-590684891-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-4138486717-124904987-590684891-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKU\S-1-5-21-4138486717-124904987-590684891-1000\..\SearchScopes\{266B0F19-BF0E-4E12-8518-86D59D5A63A5}: "URL" = http://search.live.com/results.aspx...entrypoint={referrer:source?}&FORM=HVDUS7
    IE - HKU\S-1-5-21-4138486717-124904987-590684891-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&sourceid=ie7&rlz=1I7ADFA_enUS368
    IE - HKU\S-1-5-21-4138486717-124904987-590684891-1000\..\SearchScopes\{9EECE930-EA06-477C-A728-406A4A40B9C1}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
    IE - HKU\S-1-5-21-4138486717-124904987-590684891-1000\..\SearchScopes\{B0F2BB51-91F8-46C6-AB21-953BC6C7B8D7}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    IE - HKU\S-1-5-21-4138486717-124904987-590684891-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-4138486717-124904987-590684891-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Google"
    FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
    FF - prefs.js..keyword.URL: "http://www.google.com/search?sourceid=navclient&hl=en&q="
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Lisa\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Lisa\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/08/02 16:18:45 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

    [2011/04/17 09:21:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lisa\AppData\Roaming\Mozilla\Extensions
    [2012/07/24 18:01:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lisa\AppData\Roaming\Mozilla\Firefox\Profiles\a6ya8c80.default\extensions
    [2011/07/01 00:12:22 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Lisa\AppData\Roaming\Mozilla\Firefox\Profiles\a6ya8c80.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    [2011/11/10 13:44:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/10/14 21:51:20 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    [2012/08/02 16:18:45 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/04/18 16:51:59 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/04/18 16:51:59 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
    CHR - homepage: http://www.google.com/ig?refresh=1
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Lisa\AppData\Local\Google\Chrome\Application\10.0.648.205\gcswf32.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Lisa\AppData\Local\Google\Chrome\Application\10.0.648.205\pdf.dll
    CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Users\Lisa\AppData\Local\Google\Chrome\Application\10.0.648.205\gears.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin
    CHR - Extension: Entanglement = C:\Users\Lisa\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.7.9_0\
    CHR - Extension: Skype Click to Call = C:\Users\Lisa\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8442_0\
    CHR - Extension: Poppit = C:\Users\Lisa\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\
    CHR - Extension: AT_YannArthus-BertrandV2 = C:\Users\Lisa\AppData\Local\Google\Chrome\User Data\Default\Extensions\plaekpceeonanmjojailaojkconcgofc\3_0\

    O1 HOSTS File: ([2012/08/18 15:53:34 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [D-Link D-Link DWA-121] C:\Program Files\D-Link\DWA-121 revA\AirNCFG.exe (D-Link Corp.)
    O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [pdfFactory Dispatcher v3] C:\Windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe (FinePrint Software, LLC)
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKU\S-1-5-21-4138486717-124904987-590684891-1000..\Run: [SmileboxTray] C:\Users\Lisa\AppData\Roaming\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
    O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
    O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
    O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
    O4 - Startup: C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jacquie Lawson London Advent Calendar.lnk = C:\Program Files\Jacquie Lawson London Advent Calendar\Jacquie Lawson London Advent Calendar.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-4138486717-124904987-590684891-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-4138486717-124904987-590684891-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-21-4138486717-124904987-590684891-1000\..Trusted Domains: homeserver.com ([tjx2] https in Trusted sites)
    O15 - HKU\S-1-5-21-4138486717-124904987-590684891-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DF4C67C1-A13D-4E93-8B1B-DB07718BDCDE}: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EC302945-AED3-4D1F-96C8-3D97C28F4FC1}: DhcpNameServer = 4.2.2.1
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\Lisa\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O24 - Desktop BackupWallPaper: C:\Users\Lisa\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/05/14 05:10:42 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2005/09/11 08:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/08/18 17:34:53 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Lisa\Desktop\OTL.exe
    [2012/08/18 15:53:37 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2012/08/18 15:37:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/08/18 15:37:15 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/08/18 15:37:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2012/08/18 15:37:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/08/18 15:37:10 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/08/18 15:37:04 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/08/18 15:36:10 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/08/18 15:19:53 | 004,735,580 | R--- | C] (Swearware) -- C:\Users\Lisa\Desktop\ComboFix.exe
    [2012/08/18 13:23:02 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/08/13 23:19:56 | 000,000,000 | ---D | C] -- C:\1611dc7c24c07e3ad49b4b54aa0bb9
    [2012/08/02 18:33:33 | 000,000,000 | ---D | C] -- C:\Users\Lisa\Desktop\immediate-opening-for-staff-position-sponsorship-sales-manager_files
    [2012/08/01 20:53:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
    [2012/08/01 20:53:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [2012/07/29 23:43:04 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
    [2012/07/29 23:35:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/29 23:35:39 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/07/29 23:35:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/07/29 23:26:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-zip
    [2012/07/29 23:26:51 | 000,000,000 | ---D | C] -- C:\Program Files\7-zip
    [2012/07/29 22:15:22 | 000,000,000 | ---D | C] -- C:\ProgramData\036DFF980008EE9902B32B59C2E33E28

    ========== Files - Modified Within 30 Days ==========

    [2012/08/18 17:34:57 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Lisa\Desktop\OTL.exe
    [2012/08/18 17:31:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4138486717-124904987-590684891-1000UA.job
    [2012/08/18 17:18:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/08/18 17:16:03 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/08/18 17:16:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/08/18 17:16:02 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/08/18 15:55:38 | 000,001,078 | ---- | M] () -- C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jacquie Lawson London Advent Calendar.lnk
    [2012/08/18 15:53:34 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/08/18 15:53:08 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/08/18 15:53:08 | 000,000,378 | ---- | M] () -- C:\Windows\tasks\FileCure Startup.job
    [2012/08/18 15:52:47 | 2137,448,448 | -HS- | M] () -- C:\hiberfil.sys
    [2012/08/18 15:31:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4138486717-124904987-590684891-1000Core.job
    [2012/08/18 15:22:00 | 000,621,552 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/08/18 15:22:00 | 000,104,868 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/08/18 15:21:58 | 004,735,580 | R--- | M] (Swearware) -- C:\Users\Lisa\Desktop\ComboFix.exe
    [2012/08/18 15:20:11 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{B6B6C140-5E1E-411E-B485-943831A01F6C}.job
    [2012/08/15 07:28:44 | 000,000,906 | ---- | M] () -- C:\Users\Lisa\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2012/08/15 07:27:51 | 000,000,055 | ---- | M] () -- C:\Users\Lisa\AppData\Roaming\mbam.context.scan
    [2012/08/13 23:11:40 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/08/13 22:41:18 | 000,002,377 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
    [2012/08/13 12:22:11 | 000,525,964 | ---- | M] () -- C:\Users\Lisa\Desktop\Watchdog 2012-2013 Rates & Info.pdf
    [2012/08/13 12:21:43 | 000,068,990 | ---- | M] () -- C:\Users\Lisa\Desktop\Watchdog 2012-2013 Calendar.pdf
    [2012/08/12 23:09:03 | 000,000,318 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForLisa.job
    [2012/08/09 18:00:00 | 000,000,442 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration3.job
    [2012/08/06 02:02:18 | 000,000,416 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Update Version3.job
    [2012/08/02 18:33:40 | 000,119,052 | ---- | M] () -- C:\Users\Lisa\Desktop\immediate-opening-for-staff-position-sponsorship-sales-manager.htm
    [2012/07/29 23:35:41 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/29 23:26:51 | 000,000,755 | ---- | M] () -- C:\Users\Public\Desktop\7-zip.lnk

    ========== Files Created - No Company Name ==========

    [2012/08/18 15:37:15 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/08/18 15:37:15 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/08/18 15:37:15 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/08/18 15:37:15 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/08/18 15:37:15 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/08/15 07:28:44 | 000,000,906 | ---- | C] () -- C:\Users\Lisa\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2012/08/15 07:27:51 | 000,000,055 | ---- | C] () -- C:\Users\Lisa\AppData\Roaming\mbam.context.scan
    [2012/08/13 23:05:15 | 000,001,826 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/08/13 12:22:11 | 000,525,964 | ---- | C] () -- C:\Users\Lisa\Desktop\Watchdog 2012-2013 Rates & Info.pdf
    [2012/08/13 12:21:43 | 000,068,990 | ---- | C] () -- C:\Users\Lisa\Desktop\Watchdog 2012-2013 Calendar.pdf
    [2012/08/02 18:33:32 | 000,119,052 | ---- | C] () -- C:\Users\Lisa\Desktop\immediate-opening-for-staff-position-sponsorship-sales-manager.htm
    [2012/07/30 00:59:59 | 2137,448,448 | -HS- | C] () -- C:\hiberfil.sys
    [2012/07/29 23:35:41 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/29 23:26:51 | 000,000,755 | ---- | C] () -- C:\Users\Public\Desktop\7-zip.lnk
    [2012/01/29 12:37:27 | 000,157,516 | ---- | C] () -- C:\Windows\hphins27.dat
    [2012/01/29 12:37:27 | 000,000,787 | ---- | C] () -- C:\Windows\hphmdl27.dat
    [2011/10/31 16:07:23 | 000,012,800 | ---- | C] () -- C:\Windows\System32\drivers\anodlwf.sys
    [2011/04/17 09:21:41 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2011/03/09 20:03:52 | 000,815,104 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
    [2011/03/09 20:03:52 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
    [2010/12/27 00:51:07 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
    [2010/12/27 00:33:56 | 000,074,752 | ---- | C] () -- C:\Windows\System32\CLEyeDevices.dll
    [2010/12/03 17:39:55 | 000,087,552 | ---- | C] () -- C:\Windows\System32\cpwmon2k.dll
    [2010/09/19 15:19:58 | 000,000,120 | ---- | C] () -- C:\Users\Lisa\AppData\Local\Agivav.dat
    [2010/09/19 15:19:58 | 000,000,000 | ---- | C] () -- C:\Users\Lisa\AppData\Local\Ghogeciferabat.bin
    [2010/02/09 21:02:17 | 000,000,240 | ---- | C] () -- C:\Users\Lisa\AppData\Roaming\wklnhst.dat
    [2008/05/06 16:54:26 | 000,000,680 | ---- | C] () -- C:\Users\Lisa\AppData\Local\d3d9caps.dat
    [2008/01/04 15:21:05 | 000,000,167 | ---- | C] () -- C:\Users\Lisa\udownload.dat
    [2007/12/06 20:18:07 | 000,014,336 | ---- | C] () -- C:\Users\Lisa\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== LOP Check ==========

    [2011/02/24 19:17:49 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\.minecraft
    [2010/06/16 11:09:30 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\060D667083C989E33BD7C4FFA692FE39
    [2012/02/12 11:09:57 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\com.livescribe.LivescribeConnect
    [2010/04/28 11:14:22 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\Downloaded Installations
    [2012/08/04 13:15:17 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\GameMaker
    [2011/07/12 16:26:31 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\go
    [2011/02/12 23:26:57 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\IObit
    [2011/11/24 09:35:45 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\JLAdventCalendarLondon2011
    [2011/10/31 16:11:18 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\Leadertech
    [2010/12/03 17:41:11 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\Nitro PDF
    [2007/12/28 13:44:10 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\PlayFirst
    [2012/02/05 04:10:04 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\Smilebox
    [2007/11/13 12:37:30 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\Smith Micro
    [2010/06/16 10:48:10 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\supportdotcom
    [2010/06/16 10:31:33 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\SupportSoft
    [2010/02/09 21:02:21 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\Template
    [2009/05/19 15:25:38 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\webex
    [2007/11/10 18:25:49 | 000,000,000 | ---D | M] -- C:\Users\Lisa\AppData\Roaming\WildTangent
    [2012/02/08 14:19:04 | 000,000,362 | ---- | M] () -- C:\Windows\Tasks\FileCure Default.job
    [2012/08/18 15:53:08 | 000,000,378 | ---- | M] () -- C:\Windows\Tasks\FileCure Startup.job
    [2012/08/09 18:00:00 | 000,000,442 | ---- | M] () -- C:\Windows\Tasks\ParetoLogic Registration3.job
    [2012/08/06 02:02:18 | 000,000,416 | ---- | M] () -- C:\Windows\Tasks\ParetoLogic Update Version3.job
    [2012/08/18 15:51:47 | 000,032,586 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2012/08/18 15:20:11 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{B6B6C140-5E1E-411E-B485-943831A01F6C}.job

    ========== Purity Check ==========



    < End of report >
     
  17. Lisa1

    Lisa1 TS Rookie Topic Starter

    Hi again,

    Here is the Extras.txt:

    OTL Extras logfile created on: 8/18/2012 5:36:06 PM - Run 1
    OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\Lisa\Desktop
    Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6000.16982)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 48.58% Memory free
    4.19 Gb Paging File | 3.15 Gb Available in Paging File | 75.09% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 103.51 Gb Total Space | 53.91 Gb Free Space | 52.08% Space Free | Partition Type: NTFS
    Drive D: | 8.28 Gb Total Space | 1.28 Gb Free Space | 15.48% Space Free | Partition Type: NTFS

    Computer Name: LISA-PC | User Name: Lisa | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-4138486717-124904987-590684891-1000\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "AntiVirusDisableNotify" = 0
    "AntiVirusOverride" = 1
    "FirewallDisableNotify" = 0
    "FirewallOverride" = 1
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4138486717-124904987-590684891-1000]
    "EnableNotifications" = 1
    "EnableNotificationsRef" = 1

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{693AD89D-B57D-4060-B372-D39ADE16C933}" = protocol=17 | dir=in | app=c:\windows\system32\spoolsv.exe |
    "{75342F51-05CA-4F79-B63C-BD974E2A9ACF}" = protocol=6 | dir=in | app=c:\windows\system32\spoolsv.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
    "{07620C4F-0964-4086-A872-C9C12E418E52}" = DJ_SF_03_D4300_Software
    "{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
    "{0BFC200F-C45D-4271-AF34-4CA969225DEB}" = muvee autoProducer 6.0
    "{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
    "{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
    "{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
    "{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update
    "{11BB336F-0E58-4977-B866-F24FA334616B}" = HP Active Support Library
    "{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive
    "{1517A7CB-5F00-4A88-8F06-E89B6DB63784}" = ESU for Microsoft Vista
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
    "{190C7419-C254-408e-81F8-BE11FCD72A1F}" = dj_sf_software
    "{190D0C6E-C8A7-4019-8FB5-FD041EC1F2D2}" = Mobile Broadband Drivers
    "{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{24EFA94F-F3D6-4386-8824-B54712C9DC88}" = D4300_Help
    "{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check for Health Check
    "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 26
    "{26E76762-7F20-4694-AD06-CC3A9B547A71}" = Microsoft Office Live Meeting 2007
    "{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
    "{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
    "{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
    "{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}" = Roxio MyDVD Basic v9
    "{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
    "{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.20 B1
    "{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module
    "{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
    "{387D9916-BD27-480f-8CF0-3228832BBAA2}" = HP Deskjet D4300 Printer Driver Software 10.0 Rel .3
    "{3FFB3B34-D639-4384-9AE9-DDE58430D86F}" = MSCU for Microsoft Vista
    "{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend
    "{42C7C4D8-033E-44F9-BF34-43808A0686CC}" = D4300
    "{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 3.2
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
    "{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{58535A90-1788-44f5-80BB-CFF62D9CE6D5}" = HP Deskjet 8.0 Software
    "{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
    "{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
    "{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
    "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
    "{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
    "{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}" = HP Active Support Library 32 bit components
    "{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
    "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
    "{709F27C3-B9A1-16D9-105D-B5918E03AA48}" = Livescribe Connect
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
    "{8B0A7592-2AE0-48EA-A327-6EB7DAB25E4A}" = DJ_SF_03_D4300_Software_Min
    "{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}" = Vongo
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90260409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Web Components
    "{9061CEF2-51F5-42C9-8A70-9ED351C6597A}" = HP Help and Support
    "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
    "{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
    "{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
    "{A19E1C26-6DAF-AFDC-4EFF-EFF7FA36F72D}" = Jacquie Lawson London Advent Calendar
    "{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
    "{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}" = LightScribe 1.4.136.1
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
    "{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
    "{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
    "{ACB879B8-19A7-4310-BD93-5D745CA6B798}" = D-Link DWA-121
    "{AF79934E-ED58-410A-9CCB-9434E2115A21}" = HP Color LaserJet CP3525 Screen Fonts
    "{AFD89880-C544-4777-B645-FBF6D3391B11}" = Belkin F7D1101 Basic Wireless USB Adapter
    "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
    "{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
    "{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
    "{C1C441C4-57FA-4950-BDBA-BABFBAA2AA39}" = ParetoLogic FileCure
    "{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
    "{C716522C-3731-4667-8579-40B098294500}" = Toolbox
    "{C7E154EF-D5EC-4da4-9D00-43B85967B120}" = dj_sf_ProductContext
    "{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
    "{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
    "{D32067CD-7409-4792-BFA0-1469BCD8F0C8}" = HP Wireless Assistant
    "{DDFD9BA2-8E26-4E49-92AE-882424DAB1BC}" = HP User Guides 0057
    "{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
    "{E60A3FF1-856E-4DD2-BFC6-FD9B976FE1C5}" = DJ_SF_03_D4300_ProductContext
    "{E9E13063-C8E2-4D39-8F6B-5FE5D2EAD0E5}" = Nitro PDF Professional
    "{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
    "{ECF9CEBF-53E0-446D-9C0A-8F1453C5DC78}" = HP Color LaserJet CP3525 User Guide
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
    "{EFF78ADB-B586-4b49-8473-F2441B47F9AD}" = D1400_Help
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F327A8F7-00C6-4491-9782-1DFFBB0594A2}" = dj_sf_software_req
    "{F6B29003-A078-4491-AFBE-62EFB6CFFE19}" = HP Total Care Advisor
    "{F6E69D86-4A9D-436D-AAE7-B764EA87420D}" = D1400
    "{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}" = 32 Bit HP CIO Components Installer
    "{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}" = HP Active Support Library 32 bit components
    "{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
    "7-zip" = 7-zip v9.20
    "Access 97 Runtime" = Access 97 Runtime
    "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
    "ActiveTouchMeetingClient" = WebEx
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "AGSAdventureDev321Final_is1" = Adventure Game Studio 3.2.1
    "CL-Eye Driver" = CL-Eye Driver
    "CoffeeCup Free FTP" = CoffeeCup Free FTP
    "com.livescribe.LivescribeConnect" = Livescribe Connect
    "CutePDF Writer Installation" = CutePDF Writer 2.8
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "HP Color LaserJet CP3525 PCL 6" = HP Color LaserJet CP3525 PCL 6 [HP Color LaserJet CP3525 PCL 6]
    "HP Imaging Device Functions" = HP Imaging Device Functions 10.0
    "HP Photosmart Essential" = HP Photosmart Essential 2.5
    "HP Smart Web Printing" = HP Smart Web Printing
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
    "HPExtendedCapabilities" = HP Customer Participation Program 10.0
    "InstallShield_{AFD89880-C544-4777-B645-FBF6D3391B11}" = Belkin F7D1101 Basic Wireless USB Adapter
    "JLAdventCalendarLondon2011" = Jacquie Lawson London Advent Calendar
    "Livescribe Desktop 2.8.3" = Livescribe Desktop
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft Security Client" = Microsoft Security Essentials
    "Mozilla Firefox 14.0.1 (x86 en-US)" = Mozilla Firefox 14.0.1 (x86 en-US)
    "MozillaMaintenanceService" = Mozilla Maintenance Service
    "Pdf995" = Pdf995
    "pdfFactory" = pdfFactory
    "Sandlot Games Client Services_is1" = Sandlot Games Client Services
    "Shop for HP Supplies" = Shop for HP Supplies
    "SMSERIAL" = Motorola SM56 Data Fax Modem
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "VIEW Reports 32" = VIEW Reports 32
    "VIEW2.0.4.0" = VIEW
    "VIEW32" = Strata VIEW32 for Media Buying
    "WildTangent hplaptop Master Uninstall" = My HP Games
    "Xvid_is1" = Xvid 1.2.1 final uninstall
    "Yahoo! Companion" = Yahoo! Toolbar for Internet Explorer
    "Yahoo! Toolbar" = Yahoo! Toolbar

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-4138486717-124904987-590684891-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Game Organizer" = EasyBits GO
    "GameMaker81" = GameMaker 8.1
    "Google Chrome" = Google Chrome
    "GoToMeeting" = GoToMeeting 5.0.0.799
    "Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
    "Smilebox" = Smilebox

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 10/14/2011 12:29:17 AM | Computer Name = Lisa-PC | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 1029

    Error - 10/14/2011 12:29:18 AM | Computer Name = Lisa-PC | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 10/14/2011 12:29:18 AM | Computer Name = Lisa-PC | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 2496

    Error - 10/14/2011 12:29:18 AM | Computer Name = Lisa-PC | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 2496

    Error - 10/14/2011 12:29:19 AM | Computer Name = Lisa-PC | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 10/14/2011 12:29:19 AM | Computer Name = Lisa-PC | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 3603

    Error - 10/14/2011 12:29:19 AM | Computer Name = Lisa-PC | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 3603

    Error - 10/14/2011 12:29:20 AM | Computer Name = Lisa-PC | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 10/14/2011 12:29:20 AM | Computer Name = Lisa-PC | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 4789

    Error - 10/14/2011 12:29:20 AM | Computer Name = Lisa-PC | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 4789

    [ Media Center Events ]
    Error - 8/5/2012 6:28:32 PM | Computer Name = Lisa-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    Error - 8/6/2012 4:03:08 AM | Computer Name = Lisa-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    Error - 8/6/2012 10:50:07 PM | Computer Name = Lisa-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    Error - 8/7/2012 12:18:23 PM | Computer Name = Lisa-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    Error - 8/8/2012 12:52:43 AM | Computer Name = Lisa-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    Error - 8/8/2012 7:15:37 PM | Computer Name = Lisa-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    Error - 8/9/2012 8:37:18 PM | Computer Name = Lisa-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    Error - 8/13/2012 2:00:45 AM | Computer Name = Lisa-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    Error - 8/14/2012 2:09:09 AM | Computer Name = Lisa-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    Error - 8/18/2012 7:04:50 PM | Computer Name = Lisa-PC | Source = MCUpdate | ID = 0
    Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

    [ System Events ]
    Error - 8/18/2012 6:47:03 PM | Computer Name = Lisa-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 8/18/2012 6:51:28 PM | Computer Name = Lisa-PC | Source = Service Control Manager | ID = 7023
    Description =

    Error - 8/18/2012 6:51:30 PM | Computer Name = Lisa-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 8/18/2012 6:52:37 PM | Computer Name = Lisa-PC | Source = volmgr | ID = 262190
    Description = Crash dump initialization failed!

    Error - 8/18/2012 6:52:44 PM | Computer Name = Lisa-PC | Source = volmgr | ID = 262190
    Description = Crash dump initialization failed!

    Error - 8/18/2012 6:54:23 PM | Computer Name = Lisa-PC | Source = DCOM | ID = 10016
    Description =

    Error - 8/18/2012 7:07:20 PM | Computer Name = Lisa-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.1989.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 8/18/2012 7:07:20 PM | Computer Name = Lisa-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.1989.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 8/18/2012 8:28:04 PM | Computer Name = Lisa-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.1989.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.


    Error - 8/18/2012 8:28:04 PM | Computer Name = Lisa-PC | Source = Microsoft Antimalware | ID = 2001
    Description = %%860 has encountered an error trying to update signatures. New Signature
    Version: Previous Signature Version: 1.131.1989.0 Update Source: %%859 Update Stage:
    %%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

    User:
    NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error
    code: 0x80240022 Error description: The program can't check for definition updates.



    < End of report >
     
  18. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
      O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
      O15 - HKU\S-1-5-21-4138486717-124904987-590684891-1000\..Trusted Domains: homeserver.com ([tjx2] https in Trusted sites)
      O15 - HKU\S-1-5-21-4138486717-124904987-590684891-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
      [2012/08/18 13:23:02 | 000,000,000 | ---D | C] -- C:\FRST
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    =====================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave reading the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
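As an added example (not from this thread and not part of OTL, FSS or SecurityCheck), here is a small Python triage script that reads the registry and service lines FSS and OTL print in their Security Center, firewall, Defender and Windows Update sections and flags the settings a malware cleaner checks first: Security Center overrides, monitoring switched off, the Windows Defender DisableAntiSpyware policy, a disabled firewall profile, and services that are stopped or whose start type no longer matches the default. It only reads a pasted log and never touches the machine. The embedded sample log is constructed to mirror the shape of the output posted in this thread; the regular expressions and the table of suspect values are my assumptions about the two tools' output format, not documentation of them.

```python
"""Read-only triage of OTL / FSS scan output: flag tampered security settings."""
import re
from typing import Dict, List

# Registry values whose listed state means a protection component was turned
# off or hidden. Grouped by a fragment of the registry key they live under.
# (Assumed from the sections the two tools print; not an official list.)
SUSPECT_VALUES: Dict[str, Dict[str, int]] = {
    r"\Security Center": {"AntiVirusOverride": 1, "FirewallOverride": 1,
                          "AntiSpywareOverride": 1},
    r"\Security Center\Monitoring": {"DisableMonitoring": 1},
    r"\Windows Defender": {"DisableAntiSpyware": 1},
    r"\SystemRestore": {"DisableSR": 1},
    r"\FirewallPolicy\DomainProfile": {"EnableFirewall": 0},
    r"\FirewallPolicy\StandardProfile": {"EnableFirewall": 0},
    r"\FirewallPolicy\PublicProfile": {"EnableFirewall": 0},
}

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# Accepts OTL style  "Name" = 1   as well as FSS style  "Name"=DWORD:1
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:DWORD:)?(\d+)\s*$')
NOT_RUNNING_RE = re.compile(r'^(\w+) Service is not running\.')
START_TYPE_RE = re.compile(
    r'^The start type of (\w+) service is set to (\w+)\. '
    r'The default start type is (\w+)\.')
NO_START_RE = re.compile(r'Unable to retrieve start type of (\w+)\.')


def triage(log_text: str) -> List[str]:
    """Return one human-readable finding per suspicious line, in log order."""
    findings: List[str] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:                       # a registry key header starts a new block
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m:                       # a numeric registry value inside a block
            name, value = m.group(1), int(m.group(2))
            for fragment, bad in SUSPECT_VALUES.items():
                if fragment in current_key and bad.get(name) == value:
                    findings.append(f"{current_key}\\{name} = {value}")
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            findings.append(f"service {m.group(1)} not running")
            continue
        m = START_TYPE_RE.match(line)
        if m and m.group(2) != m.group(3):
            findings.append(f"service {m.group(1)} start type {m.group(2)} "
                            f"(default {m.group(3)})")
            continue
        m = NO_START_RE.search(line)
        if m:                       # the Start value itself has been deleted
            findings.append(f"service {m.group(1)} has no Start value")
    return findings


# Constructed sample, shaped like the OTL and FSS sections posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallDisableNotify" = 0
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it as-is to see the findings for the sample, or paste a real FSS.txt / OTL log into `triage()`; values that are at their default (such as `"DisableSR" = 0` or `"EnableFirewall" = 1`) produce no output, so an empty result means none of the listed switches were flipped.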
     
  19. Lisa1

    Lisa1 TS Rookie Topic Starter

    Hi - Here are the first 3 scans. As I'm sure you already know, I'm not particularly tech-savvy, so I'm sending them before I run the last one. (I also ran the temp file cleaner).

    Farbar Service Scanner Version: 06-08-2012
    Ran by Lisa (administrator) on 18-08-2012 at 19:43:44
    Running from "C:\Users\Lisa\Desktop"
    Microsoft® Windows Vista™ Home Premium (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll
    [2007-11-13 14:47] - [2007-11-13 14:47] - 0265912 ____A (Microsoft Corporation) 0D5AD0E71FF5DDAC5DD2F443B499ABD0

    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****


    Results of screen317's Security Check version 0.99.46
    Windows Vista x86 (UAC is disabled!)
    Out of date service pack!!
    Internet Explorer 7 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    Java(TM) 6 Update 26
    Java(TM) SE Runtime Environment 6
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 10.2.159.1 Flash Player out of Date!
    Adobe Reader 8 Adobe Reader out of Date!
    Mozilla Firefox (14.0.1)
    Google Chrome 10.0.648.204
    Google Chrome 10.0.648.205
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````

    All processes killed
    ========== OTL ==========
    Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http deleted successfully.
    Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http not found.
    Registry key HKEY_USERS\S-1-5-21-4138486717-124904987-590684891-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\homeserver.com\tjx2\ deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-4138486717-124904987-590684891-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http deleted successfully.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    C:\FRST\Quarantine\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U folder moved successfully.
    C:\FRST\Quarantine\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L folder moved successfully.
    C:\FRST\Quarantine\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} folder moved successfully.
    C:\FRST\Quarantine\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U folder moved successfully.
    C:\FRST\Quarantine\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L folder moved successfully.
    C:\FRST\Quarantine\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} folder moved successfully.
    C:\FRST\Quarantine folder moved successfully.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56475 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Lisa
    ->Temp folder emptied: 32086 bytes
    ->Temporary Internet Files folder emptied: 6882911 bytes
    ->Java cache emptied: 12935510 bytes
    ->FireFox cache emptied: 68707965 bytes
    ->Google Chrome cache emptied: 105335184 bytes
    ->Flash cache emptied: 15383674 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 584574 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 200.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Lisa
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Lisa
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb



    OTL by OldTimer - Version 3.2.56.0 log created on 08182012_192509

    Files\Folders moved on Reboot...
    C:\Users\Lisa\AppData\Local\Temp\ehmsas.txt moved successfully.
    File move failed. C:\Windows\temp\WebEx\Log\818\atashost.log scheduled to be moved on reboot.
    C:\Windows\temp\sqlite_Oa3MNv5jCD0lzBC moved successfully.
    File\Folder C:\Windows\temp\TMP000000037F7F7EF3F2142DA6 not found!

    PendingFileRenameOperations files...
    File C:\Users\Lisa\AppData\Local\Temp\ehmsas.txt not found!
    [2012/08/18 19:29:24 | 000,000,642 | ---- | M] () C:\Windows\temp\WebEx\Log\818\atashost.log : Unable to obtain MD5
    File C:\Windows\temp\sqlite_Oa3MNv5jCD0lzBC not found!
    File C:\Windows\temp\TMP000000037F7F7EF3F2142DA6 not found!

    Registry entries deleted on Reboot...

    I will run the ESET online scanner now....
     
  20. Broni

    Broni Malware Annihilator Posts: 52,897   +344

  21. Lisa1

    Lisa1 TS Rookie Topic Starter

    Hi - Here is the ESET report:

    C:\Users\Lisa\AppData\Roaming\060D667083C989E33BD7C4FFA692FE39\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
    C:\Users\Lisa\AppData\Roaming\060D667083C989E33BD7C4FFA692FE39\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
    C:\Users\Lisa\Downloads\7zip_installer_1650(1).exe a variant of Win32/InstallIQ application cleaned by deleting - quarantined
    C:\Users\Lisa\Downloads\7zip_installer_1650.exe a variant of Win32/InstallIQ application cleaned by deleting - quarantined
    C:\_OTL\MovedFiles\08182012_192509\C_FRST\Quarantine\services.exe Win32/Sirefef.FE trojan deleted - quarantined
     
  22. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Update Adobe Flash Player
    Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

    ===================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note: If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing Foxit Reader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    ===================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    =================================

    We have one corrupted registry key affecting Windows updates.

    The following steps involve registry editing. Please create a new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.
    Double click on bits.reg file and confirm the prompt.
    Restart computer.
    Post new FSS log.
     
  23. Lisa1

    Lisa1 TS Rookie Topic Starter

    Hi - I did all of the above and here is the new FSS log:

    Farbar Service Scanner Version: 06-08-2012
    Ran by Lisa (administrator) on 19-08-2012 at 09:03:23
    Running from "C:\Users\Lisa\Desktop"
    Microsoft® Windows Vista™ Home Premium (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll
    [2007-11-13 14:47] - [2007-11-13 14:47] - 0265912 ____A (Microsoft Corporation) 0D5AD0E71FF5DDAC5DD2F443B499ABD0

    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
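    The FSS log above reports, per service, whether it is running, whether its start type matches the default, and whether its ImagePath and ServiceDll are intact, then lists any "Disabled Policy" registry values and the MD5 verdict for each core system file. As an added example (not part of this thread, and not code from Farbar's tool or any other tool used here), the Python script below walks output in exactly that shape and surfaces only the lines an analyst would act on: services not running, start types that deviate from the default, ImagePath/ServiceDll checks that are not "OK", any value printed under a "Disabled Policy" header such as DisableAntiSpyware, and files FSS could not vouch for, together with the hash it printed for them. The sample log embedded in the script is constructed from the lines shown in the post; the line shapes it matches are assumed from that output and nothing else.

```python
"""Triage helper for Farbar Service Scanner (FSS) output.

Added example for this thread; it is not part of FSS or of any tool the
thread uses. The line shapes it matches are assumed from the FSS output
posted above and from nothing else.
"""
import re
from dataclasses import dataclass

# Constructed from the lines shown in the posted FSS log (not a full log).
SAMPLE_FSS_LOG = r"""
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2007-11-13 14:47] - [2007-11-13 14:47] - 0265912 ____A (Microsoft Corporation) 0D5AD0E71FF5DDAC5DD2F443B499ABD0

**** End of log ****
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # NOT_RUNNING, START_TYPE, CONFIG, POLICY, UNVERIFIED_FILE
    subject: str  # service name, registry value path or file path
    detail: str


NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
START_TYPE_RE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\.")
CONFIG_RE = re.compile(
    r"^The (start type|ImagePath|ServiceDll) of (\S+) service is (.+?)\.?$")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(\w+):(\S+)$')
FILE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
MD5_RE = re.compile(r"\b([0-9A-Fa-f]{32})\b")
LEGIT_SUFFIX = "=> MD5 is legit"


def triage_fss(log_text: str) -> list:
    """Return only the FSS lines an analyst would act on, as Finding records."""
    findings = []
    section = ""   # current "Something:" header
    reg_key = ""   # last [HKEY_...] line seen inside a policy section
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if not line or set(line) <= {"=", "*"}:
            continue                      # blank or ruler line
        m = NOT_RUNNING_RE.match(line)    # checked before headers: this line ends in ':'
        if m:
            findings.append(Finding("NOT_RUNNING", m.group(1), f"section: {section}"))
            continue
        if line.endswith(":"):
            section, reg_key = line[:-1], ""
            continue
        m = START_TYPE_RE.match(line)
        if m:
            if m.group(2) != m.group(3):
                findings.append(Finding("START_TYPE", m.group(1),
                                        f"set to {m.group(2)}, default {m.group(3)}"))
            continue
        m = CONFIG_RE.match(line)         # "... is OK." is the healthy case
        if m:
            if m.group(3) != "OK":
                findings.append(Finding("CONFIG", m.group(2), f"{m.group(1)}: {m.group(3)}"))
            continue
        m = REG_KEY_RE.match(line)
        if m:
            reg_key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and section.endswith("Disabled Policy"):
            # Any value FSS prints under a "Disabled Policy" header is a policy
            # that switches a protection off; report it with its full path.
            findings.append(Finding("POLICY", f"{reg_key}\\{m.group(1)}",
                                    f"{m.group(2)}:{m.group(3)}"))
            continue
        if section == "File Check" and FILE_PATH_RE.match(line) \
                and not line.endswith(LEGIT_SUFFIX):
            # FSS prints a metadata line carrying the file's MD5 when it has no
            # reference hash; carry that hash along for manual verification.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            h = MD5_RE.search(nxt)
            findings.append(Finding("UNVERIFIED_FILE", line,
                                    h.group(1).upper() if h else "no hash printed"))
    return findings


if __name__ == "__main__":
    for f in triage_fss(SAMPLE_FSS_LOG):
        print(f"{f.kind:16} {f.subject}  ({f.detail})")
```

    Run on the constructed sample it reports four items: WinDefend not running, its start type set to Demand against a default of Auto, the DisableAntiSpyware policy value, and MpSvc.dll with the hash FSS printed. A healthy service block (every line "is OK.") produces nothing. A path without the "MD5 is legit" marker is something to verify against a known-good copy, not a detection by itself; that is why the script carries the printed hash along instead of judging it.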
     
  24. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
     
  25. Lisa1

    Lisa1 TS Rookie Topic Starter

    Hi Broni,

    Here is the last (hopefully!) log. I can't thank you enough and I will be making a donation.

    Lisa:)(y)

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Lisa
    ->Temp folder emptied: 159867 bytes
    ->Temporary Internet Files folder emptied: 794323 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 96361378 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1221 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 592369 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 93.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Lisa
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Lisa
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.56.0 log created on 08192012_101536

    Files\Folders moved on Reboot...
    C:\Users\Lisa\AppData\Local\Temp\ehmsas.txt moved successfully.
    File move failed. C:\Windows\temp\WebEx\Log\819\atashost.log scheduled to be moved on reboot.
    C:\Windows\temp\sqlite_10z6nvH3WlOejUM moved successfully.
    File\Folder C:\Windows\temp\TMP00000001FB02E403E841CF51 not found!

    PendingFileRenameOperations files...
    File C:\Users\Lisa\AppData\Local\Temp\ehmsas.txt not found!
    [2012/08/19 10:19:24 | 000,000,634 | ---- | M] () C:\Windows\temp\WebEx\Log\819\atashost.log : Unable to obtain MD5
    File C:\Windows\temp\sqlite_10z6nvH3WlOejUM not found!
    File C:\Windows\temp\TMP00000001FB02E403E841CF51 not found!

    Registry entries deleted on Reboot...
     
