TechSpot

Spyware.password

Solved
By areske86
Sep 25, 2012
  1. areske86

    areske86 TS Rookie Topic Starter Posts: 27

    OTL EXTRAS-
    OTL Extras logfile created on: 9/27/2012 11:27:10 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\areske\Desktop
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    7.95 Gb Total Physical Memory | 4.65 Gb Available Physical Memory | 58.44% Memory free
    15.90 Gb Paging File | 12.46 Gb Available in Paging File | 78.37% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 279.60 Gb Total Space | 120.35 Gb Free Space | 43.04% Space Free | Partition Type: NTFS
    Drive D: | 14.33 Gb Total Space | 0.78 Gb Free Space | 5.43% Space Free | Partition Type: NTFS
    Drive E: | 3.96 Gb Total Space | 1.08 Gb Free Space | 27.23% Space Free | Partition Type: FAT32
    Drive G: | 22.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: ARESKE-HP | User Name: areske | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0CCE9897-1B71-47B5-8796-B0EB53F87A5C}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{1C1B26CF-3E99-4A2A-816F-E325ED577914}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{1DC70020-E4F6-4BA2-8EB0-DF9DDCD31855}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{240CFC38-9902-461D-AE20-B7304EBBBF29}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2608B207-3B08-4BEB-A500-39EC1A784934}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{286609A1-95DC-4D6A-8264-FE270967812D}" = rport=138 | protocol=17 | dir=out | app=system |
    "{2ECE483A-80EF-490F-AE42-724770DE501B}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4825B8BF-C4A0-4980-8A64-C8C4EB00B3F6}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{49EFDED3-85B6-4326-A69C-E0CDD54C8217}" = lport=138 | protocol=17 | dir=in | app=system |
    "{4A78BE2B-5C51-43F4-8A2E-37241332BDBB}" = lport=137 | protocol=17 | dir=in | app=system |
    "{4D6862F4-FD36-4299-94BA-722FF3F62A21}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{519A8DE5-E50B-4340-8BF6-11AFC4A802F7}" = lport=139 | protocol=6 | dir=in | app=system |
    "{54D09C73-2484-4A9D-97F2-4EC96814C067}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{64B54A5C-966F-43E7-8CE6-DB72790F1218}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
    "{66C07608-B713-4C8A-9BE6-B63BF61D1D3F}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{6BACF1D0-CFC2-48F2-A0E6-309F93AD9EE4}" = rport=137 | protocol=17 | dir=out | app=system |
    "{76AC8728-2376-4965-A4CE-D0354803DC1B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{85E02E21-3693-4961-8138-CE68F6AA06BB}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{96595AA8-3733-4DC8-9223-3EA419436F34}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{AF7B6302-5029-4649-BC96-9A47EFDFAE11}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{B347A8C0-362B-4D38-9342-A7B60F8D7A3A}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{D03515CD-36B1-44E6-9C6B-AA6A310C4023}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
    "{FB38759C-936D-47BC-BFF3-842C644A6A62}" = rport=139 | protocol=6 | dir=out | app=system |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{078F9243-7B1D-483C-8214-DDB93F4B999B}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{0B7B11B8-A6D3-4A4C-8C5D-7BB9FEDAE329}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{0BD07298-3206-4EF1-90B1-B77B23EFFDD2}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1C736998-8777-4B8E-8DBC-B447DC9E2EA9}" = protocol=6 | dir=out | app=system |
    "{2EA18695-BBD9-4A1C-BD83-E5EAA96757EC}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{33CEDAB6-00D3-4F3F-AE56-0F35D93D8A5F}" = protocol=6 | dir=in | app=c:\program files (x86)\hewlett-packard\mediasmart\roxionow\rnow.exe |
    "{36102A6C-F66D-4E6A-9F60-FD8199CC3244}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{3CD00C4D-006E-4BA2-A1FA-9015646CCF36}" = protocol=17 | dir=in | app=c:\program files (x86)\hewlett-packard\mediasmart\roxionow\rnow.exe |
    "{40DDE40D-D831-44A1-A23C-958D4D9F484C}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{4C4784AF-22CE-4D67-9A83-F21888F0775C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{4D62A539-CEC7-432A-B897-0A3411A83A83}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{56B89793-5FBC-40B7-8BCB-CED8FF325CE0}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
    "{6167EBD1-8BF0-4E73-8172-5E89F2D2F198}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{724EBF2A-0B89-466F-92EB-076741B5DC15}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{7B26D5AA-38D7-45E2-BDB2-1B90A47FC83D}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
    "{85D70CCB-E35D-4614-9E0D-F1B885713280}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{89BD027F-B46D-4231-A2F9-D8A03C11E9D0}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
    "{943E424A-11B1-4DAD-B342-FAC50C189D7B}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
    "{97DE88F6-D39E-4EBC-80C6-4DD0D30669D7}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{996E5597-F601-4BEF-A2C1-26AB109DFA5C}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{9DA5C200-BFD9-4AC6-9A8E-AF8D1D3408DF}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{A3CABF1C-83B9-4D72-B596-328CB5CD422D}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
    "{A9D0FCB7-1D0C-4778-84E9-AE25B66EE99B}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe |
    "{AF67BFFA-96A7-4863-BDBF-B0E8120B9942}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{B25298BD-28A1-46F3-BC6F-2DF367133ED3}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{B9071F41-5AC1-4263-B719-F093CB110535}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{BECC85C1-1E33-4445-AA90-5C94C8CB7A11}" = protocol=6 | dir=in | app=c:\program files (x86)\roxio\roxionow player\rnowshell.exe |
    "{D54E6692-0474-4F7A-BD74-F6B3A056D055}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E98FEE11-CA13-4DED-82E2-5E787BF67F46}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{F33E2DC5-A2E4-48C3-B790-F08A7FED8798}" = protocol=17 | dir=in | app=c:\program files (x86)\roxio\roxionow player\rnowshell.exe |
    "{FAC20519-8D5E-4AFC-8316-D13BCBA8A122}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{FAF07ED2-D414-4D0D-AB87-B307140AE2DA}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
    "TCP Query User{2A659945-38EA-40E3-A011-B058C2D146D7}C:\users\areske\desktop\tinyumbrella-6.00.01.exe" = protocol=6 | dir=in | app=c:\users\areske\desktop\tinyumbrella-6.00.01.exe |
    "TCP Query User{4DF4BE04-5E83-414C-A34C-D6717E8F9824}C:\users\areske\downloads\tinyumbrella-6.00.01.exe" = protocol=6 | dir=in | app=c:\users\areske\downloads\tinyumbrella-6.00.01.exe |
    "TCP Query User{BE6D739B-FA85-48A9-B770-0E154663D93D}I:\pwnage\the firmware umbrella\tinyumbrella-5.11.00b.exe" = protocol=6 | dir=in | app=I:\pwnage\the firmware umbrella\tinyumbrella-5.11.00b.exe |
    "TCP Query User{FA6B92D2-BA23-456A-A9FD-64A50C6A1354}C:\program files (x86)\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "UDP Query User{40821651-AD68-4BD8-B77D-60C276DA7A36}C:\program files (x86)\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
    "UDP Query User{43A838A6-8D6A-45FE-B09F-5FD01478137C}I:\pwnage\the firmware umbrella\tinyumbrella-5.11.00b.exe" = protocol=17 | dir=in | app=I:\pwnage\the firmware umbrella\tinyumbrella-5.11.00b.exe |
    "UDP Query User{476073EF-B009-4DF1-8495-D207C2BC3512}C:\users\areske\desktop\tinyumbrella-6.00.01.exe" = protocol=17 | dir=in | app=c:\users\areske\desktop\tinyumbrella-6.00.01.exe |
    "UDP Query User{FD67B122-C096-4D96-8B5C-65508F172EB2}C:\users\areske\downloads\tinyumbrella-6.00.01.exe" = protocol=17 | dir=in | app=c:\users\areske\downloads\tinyumbrella-6.00.01.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{054EF02F-95D8-48F4-9EEB-2F9CE3072ED8}" = AuthenTec TrueAPI
    "{1493B2AE-0261-47D2-B1AA-F4DAD0F6C48B}" = iTunes
    "{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
    "{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
    "{2856A1C2-70C5-4EC3-AFF7-E5B51E5530A2}" = HP Client Services
    "{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    "{4BC310C4-B898-46E2-B5FB-B85A30AA7142}" = iCloud
    "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    "{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
    "{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
    "{7446FE8D-C1F9-4D42-AAAE-5DBCE58605A6}" = Apple Mobile Device Support
    "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    "{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
    "{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9CAB2212-0732-4827-8EC4-61D8EF0AA65B}" = HP Launch Box
    "{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "{AEF6C676-D7A2-4487-BD4B-1BED17B229B5}" = Microsoft Mouse and Keyboard Center
    "{C78D3032-9DFD-41D0-9DE9-58EAE750CBA4}" = Microsoft Security Client
    "{CC4D56B7-6F18-470B-8734-ABCD75BCF4F1}" = HP Auto
    "{CD95F661-A5C4-44F5-A6AA-ECDD91C240D5}" = WinZip 16.5
    "{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector
    "{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
    "{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
    "{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Mouse and Keyboard Center" = Microsoft Mouse and Keyboard Center
    "Microsoft Security Client" = Microsoft Security Essentials
    "SynTPDeinstKey" = Synaptics TouchPad Driver

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
    "{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
    "{07FA4960-B038-49EB-891B-9F95930AA544}" = HP Customer Experience Enhancements
    "{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
    "{0EDEB615-1A60-425E-8306-0E10519C7B55}" = RoxioNow Player
    "{120262A6-7A4B-4889-AE85-F5E5688D3683}" = HP MovieStore
    "{14DC0059-00F1-4F62-BD1A-AB23CD51A95E}" = Adobe AIR
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{23767F5D-A80C-4264-B8EA-ED4085FC332A}" = Adobe Illustrator CS5.1
    "{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
    "{28E82311-8616-11E1-BEB0-B8AC6F97B88E}" = Google Earth
    "{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
    "{31CEFF4E-B6D1-46A5-9169-7C67570E7FFA}" = HP SimplePass PE 2011
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{5036764A-435D-40C9-869C-31085A3D741D}" = HP Setup
    "{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module
    "{53B17A98-5BF0-40BC-AAFF-850A357975AC}" = HP Quick Launch
    "{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
    "{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
    "{63EC2120-1742-4625-AA47-C6A8AEC9C64C}" = Apple Application Support
    "{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST Module
    "{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{6F340107-F9AA-47C6-B54C-C3A19F11553F}" = Hewlett-Packard ACLM.NET v1.1.2.0
    "{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}" = HP Support Assistant
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}" = Adobe Photoshop CS6
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
    "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
    "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8B52057C-15DB-433E-957C-E279BC7D07E3}" = HP QuickWeb
    "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{9008D736-35CA-40DB-A2BE-5F32D954E5AA}" = HP MovieStore
    "{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
    "{9191979D-821C-4EA8-B021-2DA1D859A7C5}" = GuardedID
    "{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{9368DDD5-CE7F-4BD7-A83A-F00FABE338EC}" = Blio
    "{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
    "{962CB079-85E6-405F-8704-1C62365AE46F}" = HP Software Framework
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9D3D8C60-A55F-4123-B2B9-173F09590E16}" = REALTEK Wireless LAN Driver
    "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
    "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
    "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
    "{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
    "{AC76BA86-7AD7-FFFF-7B44-AA0000000001}" = Adobe Reader X (10.1.4) MUI
    "{AE856388-AFAD-4753-81DF-D96B19D0A17C}" = HP Setup Manager
    "{AF37176A-78CA-545B-34EF-8B6A21514DD1}" = Adobe Help Manager
    "{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
    "{C01A86F5-56E7-101F-9BC9-E3F1025EB779}" = Intel(R) Identity Protection Technology 1.1.2.0
    "{C1594429-8296-4652-BF54-9DBE4932A44C}" = Realtek PCIE Card Reader
    "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
    "{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
    "{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{D8BCE5B9-67CF-4F3F-93AE-3ACC754C72EB}" = HP Power Manager
    "{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
    "{DBCD5E64-7379-4648-9444-8A6558DCB614}" = Recovery Manager
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
    "{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
    "{E56E5D38-5972-420A-9BAF-0F84471E0142}" = HP Documentation
    "{E96CAA2A-0244-4A2A-8403-0C3C9534778B}" = ESU for Microsoft Windows 7 SP1
    "{EA5F34F3-3911-B4DB-63CA-1E44B2AB13A1}" = Adobe Download Assistant
    "{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
    "{ED1BD69A-07E3-418C-91F1-D856582581BF}" = HP On Screen Display
    "{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
    "{F6E36639-10C8-4FAD-AF1F-E84D5B6653D1}" = FontLab Studio 5
    "{F761359C-9CED-45AE-9A51-9D6605CD55C4}" = Evernote v. 4.2.3
    "{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel(R) Control Center
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Help Manager
    "com.adobe.downloadassistant.AdobeDownloadAssistant" = Adobe Download Assistant
    "ID Vault" = Constant Guard Protection Suite
    "InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400
    "Office14.Click2Run" = Microsoft Office Click-to-Run 2010
    "uTorrent" = ĀµTorrent
    "VIP Access SDK" = VIP Access SDK (1.0.1.2)
    "WinGimp-2.0_is1" = Gimp 2.6.2 Debug
    "WinLiveSuite" = Windows Live Essentials
    "winscp3_is1" = WinSCP 4.3.9
    "xfin_portal" = XFINITY Toolbar

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-3884388331-1653558372-2755294257-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 12

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 13

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 14

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 16

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 17

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 18

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 19

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 20

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 21

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 22

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 23

    Error - 9/21/2012 11:15:37 PM | Computer Name = areske-HP | Source = Bonjour Service | ID = 100
    Description = ERROR: handle_resolve_request bad interfaceIndex 24

    [ HP Software Framework Events ]
    Error - 9/8/2012 12:44:10 PM | Computer Name = areske-HP | Source = CaslSmBios | ID = 5
    Description = 2012/09/08 12:44:10.232|000009EC|Error |[CaslWmi]CommandPanelBrightness::GetCurrentPanelBrightnessFromOS{hpCasl.enReturnCode(CaslWmi.enPanelBrightnessDataType,ushort&)}|Exception
    occurred in querying WMI for WmiMonitorBrightness: 'Not supported '

    Error - 9/8/2012 12:45:12 PM | Computer Name = areske-HP | Source = CaslSmBios | ID = 5
    Description = 2012/09/08 12:45:12.465|00001450|Error |[CaslWmi]CommandPanelBrightness::GetCurrentPanelBrightnessFromOS{hpCasl.enReturnCode(CaslWmi.enPanelBrightnessDataType,ushort&)}|Exception
    occurred in querying WMI for WmiMonitorBrightness: 'Not supported '

    Error - 9/8/2012 12:45:17 PM | Computer Name = areske-HP | Source = CaslSmBios | ID = 5
    Description = 2012/09/08 12:45:17.002|00000C50|Error |[CaslWmi]CommandPanelBrightness::GetCurrentPanelBrightnessFromOS{hpCasl.enReturnCode(CaslWmi.enPanelBrightnessDataType,ushort&)}|Exception
    occurred in querying WMI for WmiMonitorBrightness: 'Not supported '

    [ System Events ]
    Error - 9/24/2012 10:02:13 PM | Computer Name = areske-HP | Source = cdrom | ID = 262155
    Description = The driver detected a controller error on \Device\CdRom1.

    Error - 9/24/2012 10:02:13 PM | Computer Name = areske-HP | Source = cdrom | ID = 262155
    Description = The driver detected a controller error on \Device\CdRom1.

    Error - 9/24/2012 10:02:13 PM | Computer Name = areske-HP | Source = cdrom | ID = 262155
    Description = The driver detected a controller error on \Device\CdRom1.

    Error - 9/24/2012 10:02:14 PM | Computer Name = areske-HP | Source = cdrom | ID = 262155
    Description = The driver detected a controller error on \Device\CdRom1.

    Error - 9/24/2012 10:02:14 PM | Computer Name = areske-HP | Source = cdrom | ID = 262155
    Description = The driver detected a controller error on \Device\CdRom1.

    Error - 9/24/2012 10:02:14 PM | Computer Name = areske-HP | Source = cdrom | ID = 262155
    Description = The driver detected a controller error on \Device\CdRom1.

    Error - 9/25/2012 9:39:09 PM | Computer Name = areske-HP | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 9:37:43 PM on ?9/?25/?2012 was unexpected.

    Error - 9/27/2012 9:42:46 PM | Computer Name = areske-HP | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 9/27/2012 9:44:43 PM | Computer Name = areske-HP | Source = Application Popup | ID = 1060
    Description = \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility
    with this system. Please contact your software vendor for a compatible version
    of the driver.

    Error - 9/27/2012 9:45:10 PM | Computer Name = areske-HP | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.


    < End of report >
     
  2. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKU\S-1-5-21-3884388331-1653558372-2755294257-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
      O4 - HKLM..\Run: [] File not found
      O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
      [2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
      
      [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
      
      [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
      
      [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
      
      [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
      
      [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
      "" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 01:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
      "ThreadingModel" = Apartment
      
      [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
      "" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 00:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
      "ThreadingModel" = Apartment
      
      [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
      "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 21:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
      "ThreadingModel" = Free
      
      [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
      "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 23:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
      "ThreadingModel" = Free
      
      [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
      "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 21:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
      "ThreadingModel" = Both
      
      [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    ========================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    4. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    5. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  3. areske86

    areske86 TS Rookie Topic Starter Posts: 27

    All processes killed
    ========== OTL ==========
    Registry value HKEY_USERS\S-1-5-21-3884388331-1653558372-2755294257-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeCS5.5ServiceManager deleted successfully.
    C:\Windows\assembly\Desktop.ini moved successfully.
    File EY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
    File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
    File EY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 not found.
    File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] not found.
    File EY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
    File EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
    Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64\ not found.
    Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]\ not found.
    Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64\ not found.
    Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56504 bytes

    User: All Users

    User: areske
    ->Temp folder emptied: 4887376 bytes
    ->Temporary Internet Files folder emptied: 234120490 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 8938153 bytes
    ->Flash cache emptied: 57658 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56504 bytes

    User: Default User

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 119046867 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 350.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: areske
    ->Java cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: areske
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 09282012_154423

    Files\Folders moved on Reboot...
    C:\Users\areske\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  4. areske86

    areske86 TS Rookie Topic Starter Posts: 27

    S of screen317's Security Check version 0.99.51
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.0.1400
    Java 7 Update 7
    Adobe Reader X (10.1.4)
    Google Chrome 21.0.1180.89
    Google Chrome 22.0.1229.79
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1%
    ````````````````````End of Log``````````````````````
     
  5. areske86

    areske86 TS Rookie Topic Starter Posts: 27

    Farbar Service Scanner Version: 19-09-2012
    Ran by areske (administrator) on 28-09-2012 at 16:03:58
    Running from "C:\Users\areske\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.
    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    System Restore:
    ============
    System Restore Disabled Policy:
    ========================
    Action Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================
    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.
    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1
    Other Services:
    ==============
    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    **** End of log ****
     
  6. areske86

    areske86 TS Rookie Topic Starter Posts: 27

    # AdwCleaner v2.003 - Logfile created 09/28/2012 at 16:11:08
    # Updated 23/09/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : areske - ARESKE-HP
    # Boot Mode : Normal
    # Running from : C:\Users\areske\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Users\Public\Desktop\eBay.lnk

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
    Key Deleted : HKLM\Software\Freeze.com
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Google Chrome v22.0.1229.79

    File : C:\Users\areske\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Deleted [l.19] : urls_to_restore_on_startup = [ "hxxps://isearch.avg.com/?cid={08DA7D99-F630-445D-ABE3-9F7245F6141F}&mid=78ae2bb0989f47d09dc6a9aaf3b828f4-4abbf01dcef735ab13a59ce5116589aa06a2665b&lang=en&ds=ft011&pr=sa&d=2012-05-25 12:17:57&v=11.1.1.7&sap=hp" ]
    Deleted [l.2283] : urls_to_restore_on_startup = [ "hxxps://isearch.avg.com/?cid={08DA7D99-F630-445D-ABE3-9F7245F6141F}&mid=78ae2bb0989f47d09dc6a9aaf3b828f4-4abbf01dcef735ab13a59ce5116589aa06a2665b&lang=en&ds=ft011&pr=sa&d=2012-05-25 12:17:57&v=11.1.1.7&sap=hp" ]

    *************************

    AdwCleaner[S1].txt - [1944 octets] - [28/09/2012 16:11:08]

    ########## EOF - C:\AdwCleaner[S1].txt - [2004 octets] ##########
    ***WHEN I OPENED GOOGLE CHROME IT SAID MY PREF FILES IS CORRUPTED CANNOT RECOVER MY SETTINGS AFTER RUNNING ADWCLEANER.. IS THIS NORMAL???
     
  7. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    I'm not sure.
    I suggest you reinstall Chrome.

    ...and Eset...
     
  8. areske86

    areske86 TS Rookie Topic Starter Posts: 27

    Eset found nothing
     
  9. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    13. Please, let me know, how your computer is doing.
     
  10. areske86

    areske86 TS Rookie Topic Starter Posts: 27

    You have been great.. thank you.. hear is the otl log-ll processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: areske
    ->Temp folder emptied: 2224716 bytes
    ->Temporary Internet Files folder emptied: 240740 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 69930030 bytes
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 15180 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 69.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: areske
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: areske
    ->Java cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Public

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.69.0 log created on 09282012_220636

    Files\Folders moved on Reboot...
    C:\Users\areske\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  11. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Way to go!! [​IMG]
    Good luck and stay safe :)
     
     
  12. areske86

    areske86 TS Rookie Topic Starter Posts: 27

    I have one more question.. earlier when turning on security essentials it said windows defender was deactivated.. what is it and do I need it activated.. if so ho to??
     
  13. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Not to mention that Windows Defender is totally useless but MSE will disable WD by default.
     
  14. areske86

    areske86 TS Rookie Topic Starter Posts: 27

    Also sent a small donation.. hope thats ok
     
  15. Broni

    Broni Malware Annihilator Posts: 47,020   +255

    Thank you :)
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.