Solved Infected... "sirefef" keeps returning

J

John Sharp

Posts: 23   +0
MBAM
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.22.11

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
jah :: JAH-PC [administrator]

11/22/2012 7:28:27 PM
mbam-log-2012-11-22 (19-28-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226213
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Detected: 1
c:\windows\installer\{5ea449d2-1ceb-eb2e-4878-4d29285cc3dd}\syshost.exe (Trojan.Agent) -> 2652 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\syshost32|ImagePath (Trojan.Agent) -> Data: "C:\Windows\Installer\{5EA449D2-1CEB-EB2E-4878-4D29285CC3DD}\syshost.exe" /service -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 11
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\n (Trojan.0Access) -> Delete on reboot.
C:\Users\jah\AppData\Local\Temp\631411425.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\jah\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\jah\AppData\Local\Temp\wpbt0.dll (Trojan.Agent.Mio) -> Quarantined and deleted successfully.
c:\windows\syshost.exe (Trojan.Downloader) -> Delete on reboot.
c:\users\jah\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot.
c:\users\jms\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\localservice\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\networkservice\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot.
c:\windows\temp\syshost.exe (Spyware.Agent) -> Delete on reboot.
c:\windows\installer\{5ea449d2-1ceb-eb2e-4878-4d29285cc3dd}\syshost.exe (Trojan.Agent) -> Delete on reboot.

(end)

DDS
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_37
Run by jah at 19:55:46 on 2012-11-22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3893.2780 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = g.msn.com/USCON/1
uDefault_Page_URL = g.msn.com/USCON/1
uURLSearchHooks: {00000000-6E41-4FD3-8538-502F5495E5FC} - <orphaned>
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Virtual Storage Mount Notification: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\jah\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PDANET~1.LNK - C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\JUNGLE~1.LNK - C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 192.168.9.1
TCP: Interfaces\{00DB6E6E-F3AB-4C9D-8D23-EDB53E8402C6} : DHCPNameServer = 192.168.9.1
TCP: Interfaces\{42C743E6-A1D6-40E0-B7F9-BC2302989E10} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AF2F0A21-2F5A-4F21-A096-48DD4B96F4C6} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
x64-BHO: Virtual Storage Mount Notification: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\System32\CbFsMntNtf3.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\System32\CbFsMntNtf3.dll
x64-STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\System32\CbFsMntNtf3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.offtopic.com/
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2012-10-29 16:37; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-10-29 16:39; tineye@ideeinc.com; C:\Users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\tineye@ideeinc.com.xpi
FF - ExtSQL: 2012-10-31 13:16; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2012-11-03 17:15; {8ed952a0-199c-11d9-9669-0800200c9a66}; C:\Users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{8ed952a0-199c-11d9-9669-0800200c9a66}.xpi
FF - ExtSQL: 2012-11-21 21:03; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; C:\Users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-11-17 55280]
R1 cbfs3;cbfs3;C:\Windows\System32\drivers\cbfs3.sys [2012-10-31 321424]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-11-17 98208]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 JungleDiskService;JungleDiskService;C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-5-17 9761096]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-11-17 2533400]
R3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\System32\drivers\bcmvwl64.sys [2010-11-17 20984]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2010-11-17 172704]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-11-17 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-11-17 158976]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-11-17 287232]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-11-17 74280]
R3 pneteth;PdaNet Broadband;C:\Windows\System32\drivers\pneteth.sys [2012-10-27 15360]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2009-12-2 721768]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2009-12-2 269672]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2009-12-2 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2009-12-2 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-11-17 245792]
.
=============== Created Last 30 ================
.
2012-11-23 00:54:45 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8AAAE944-8C65-4237-9062-2AA068A12DD5}\offreg.dll
2012-11-23 00:14:42 -------- d-----w- C:\Users\jah\AppData\Roaming\Malwarebytes
2012-11-23 00:13:30 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-11-23 00:13:30 -------- d-----w- C:\ProgramData\Malwarebytes
2012-11-23 00:13:30 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-15 16:26:51 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-11-15 16:26:43 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8AAAE944-8C65-4237-9062-2AA068A12DD5}\mpengine.dll
2012-11-15 16:26:43 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-11-04 00:42:00 -------- d-----w- C:\ProgramData\VirtualizedApplications
2012-11-03 22:31:47 -------- d-----w- C:\Users\jah\AppData\Roaming\SoftGrid Client
2012-11-03 22:31:47 -------- d-----w- C:\Users\jah\AppData\Local\SoftGrid Client
2012-11-03 22:31:04 -------- d-----w- C:\Program Files (x86)\Microsoft Application Virtualization Client
2012-11-03 22:30:55 -------- d-----w- C:\Users\jah\AppData\Roaming\TP
2012-10-31 21:01:02 -------- d-----w- C:\Users\jah\AppData\Roaming\JungleDisk
2012-10-31 20:59:55 -------- d-----w- C:\ProgramData\JungleDisk
2012-10-31 20:59:52 188696 ----a-w- C:\Windows\System32\CbFsMntNtf3.dll
2012-10-31 20:59:50 216856 ----a-w- C:\Windows\SysWow64\CbFsNetRdr3.dll
2012-10-31 20:59:50 155416 ----a-w- C:\Windows\SysWow64\CbFsMntNtf3.dll
2012-10-31 20:59:50 139032 ----a-w- C:\Windows\System32\CbFsNetRdr3.dll
2012-10-31 20:59:48 321424 ----a-w- C:\Windows\System32\drivers\cbfs3.sys
2012-10-31 20:59:47 -------- d-----w- C:\Program Files\Jungle Disk Desktop
2012-10-31 17:16:27 477168 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-10-30 00:01:11 -------- d-----w- C:\Users\jah\AppData\Local\Adobe
2012-10-29 20:45:09 -------- d-----w- C:\Users\jah\AppData\Local\Macromedia
2012-10-29 20:44:40 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-29 20:44:40 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-10-29 20:33:41 -------- d-----w- C:\Users\jah\AppData\Local\Mozilla
.
==================== Find3M ====================
.
2012-10-31 17:16:20 473072 ----a-w- C:\Windows\SysWow64\deployJava1.dll
.
============= FINISH: 19:56:27.29 ===============
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================

I still need Attach.txt part of DDS.

Next...

Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

********************************************

Download Malwarebytes Anti-Rootkit (MBAR) from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
 
Thanks..here is the attach log file...I will follow the other steps and report back soon!

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 1/15/2011 8:42:40 AM
System Uptime: 11/22/2012 7:50:19 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 021CN3
Processor: Intel(R) Pentium(R) CPU P6100 @ 2.00GHz | U2E1 | 919/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 451 GiB total, 417.494 GiB free.
D: is CDROM ()
Z: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: SPH-L710
Device ID: USB\VID_04E8&PID_6860&MI_00\7&143C8534&0&0000
Manufacturer: SAMSUNG Electronics Co. Ltd.
Name: SPH-L710
PNP Device ID: USB\VID_04E8&PID_6860&MI_00\7&143C8534&0&0000
Service: WUDFRd
.
Class GUID:
Description: CDC Serial
Device ID: USB\VID_04E8&PID_6860&MI_01\7&143C8534&0&0001
Manufacturer:
Name: CDC Serial
PNP Device ID: USB\VID_04E8&PID_6860&MI_01\7&143C8534&0&0001
Service:
.
==== System Restore Points ===================
.
RP16: 3/6/2012 12:14:03 AM - Restore Operation
RP17: 3/6/2012 12:24:36 AM - Installed Java(TM) 6 Update 31
RP18: 3/6/2012 12:25:32 AM - Installed Java Runtime Environment
RP19: 3/9/2012 12:52:20 AM - Installed Virgin Mobile Broadband Modem Drivers.
RP20: 3/9/2012 12:52:49 AM - Installed MobiLink3.
RP21: 3/18/2012 12:35:53 AM - Scheduled Checkpoint
RP22: 4/1/2012 10:33:14 AM - Scheduled Checkpoint
RP23: 10/27/2012 11:50:24 PM - Device Driver Package Install: Google, Inc.
RP24: 10/27/2012 11:50:40 PM - Device Driver Package Install: SAMSUNG Electronics Co., Ltd. Universal Serial Bus controllers
RP25: 10/27/2012 11:51:43 PM - Device Driver Package Install: June Fabrics Technology Inc. Network adapters
RP26: 10/31/2012 1:15:34 PM - Installed Java(TM) 6 Update 37
RP27: 10/31/2012 4:59:30 PM - Installed Jungle Disk Desktop
RP28: 11/7/2012 6:17:09 PM - Scheduled Checkpoint
RP29: 11/15/2012 12:00:03 AM - Scheduled Checkpoint
RP30: 11/15/2012 10:04:35 AM - Removed Dell Product Registration.
RP31: 11/15/2012 10:04:55 AM - Removed Dell Getting Started Guide.
RP33: 11/15/2012 11:22:16 AM - Windows Defender Checkpoint
RP34: 11/15/2012 11:26:30 AM - Windows Update
RP36: 11/22/2012 6:49:01 PM - Windows Defender Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.1.2
Advanced Audio FX Engine
Ask Toolbar Updater
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Best Buy pc app
Dell Dock
Dell Edoc Viewer
Dell Webcam Central
DW WLAN Card
GoToAssist 8.0.0.514
InstallVC90Support
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Components
Internet Explorer
Java Auto Updater
Java(TM) 6 Update 21 (64-bit)
Java(TM) 6 Update 37
Jungle Disk Desktop
Junk Mail filter update
Live! Cam Avatar Creator
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 16.0.2 (x86 en-US)
MSVCRT
PdaNet for Android 3.50
Quickset64
Realtek High Definition Audio Driver
Roxio Burn
Synaptics Pointing Device Driver
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
.
==== Event Viewer Messages From Past Week ========
.
11/22/2012 6:37:52 PM, Error: Service Control Manager [7034] - The syshost32 service terminated unexpectedly. It has done this 1 time(s).
11/15/2012 10:04:12 AM, Error: Service Control Manager [7034] - The SoftThinks Agent Service service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
 
MBAR log
Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.03.01

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
jah :: JAH-PC [administrator]

11/23/2012 12:46:28 AM
mbar-log-2012-11-23 (00-46-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 25064
Time elapsed: 19 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U (Trojan.Siredef.C) -> Delete on reboot. [d1303d575effcb6b3d6621dffd03926e]
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L (Trojan.Siredef.C) -> Delete on reboot. [df228b0948152511f2b36997fe021ce4]
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b (Trojan.Siredef.C) -> Delete on reboot. [78895044322be84ee1c51de3ec141ee2]

Files Detected: 11
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\@ (Trojan.Siredef.C) -> Delete on reboot. [ec15b2e2dd8045f10898d62a5aa642be]
c:\windows\serviceprofiles\localservice\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [956c81138bd2e650365ea3910cf746ba]
c:\windows\serviceprofiles\networkservice\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [936ec7cd075678be5e36f83c788b44bc]
c:\windows\temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [a1609bf9c5985cda3163e94b6e95f907]
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\00000004.@ (Trojan.Siredef.C) -> Delete on reboot. [d1303d575effcb6b3d6621dffd03926e]
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\00000008.@ (Trojan.Siredef.C) -> Delete on reboot. [d1303d575effcb6b3d6621dffd03926e]
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\000000cb.@ (Trojan.Siredef.C) -> Delete on reboot. [d1303d575effcb6b3d6621dffd03926e]
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\80000000.@ (Trojan.Siredef.C) -> Delete on reboot. [d1303d575effcb6b3d6621dffd03926e]
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\80000032.@ (Trojan.Siredef.C) -> Delete on reboot. [d1303d575effcb6b3d6621dffd03926e]
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\80000064.@ (Trojan.Siredef.C) -> Delete on reboot. [d1303d575effcb6b3d6621dffd03926e]
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\00000004.@ (Trojan.Siredef.C) -> Delete on reboot. [df228b0948152511f2b36997fe021ce4]

(end)

System-log
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

Java version: 1.6.0_37

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 4081606656, free: 2880249856

Could not load protection driver
DDA Driver installation error.
Driver installed on boot. Reboot required.
System shutdown occured
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

Java version: 1.6.0_37

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 4081606656, free: 3051216896

<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8006854060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa800491f050
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
DriverEntry returned 0x0
Function returned 0x0
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

Java version: 1.6.0_37

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 4081606656, free: 3125022720

Could not load protection driver
DDA Driver installation error.
Driver installed on boot. Reboot required.
System shutdown occured
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

Java version: 1.6.0_37

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 4081606656, free: 3090579456

<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004b0a060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004938050
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
DriverEntry returned 0x0
Function returned 0x0
Initializing...
Done!
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8004b0a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004b07600, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004b0a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004938050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Upper DeviceData: 0xfffff8a00272c960, 0xfffffa8004b0a060, 0xfffffa80087d84c0
Lower DeviceData: 0xfffff8a0023550f0, 0xfffffa8004938050, 0xfffffa80086f2e40
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
File user open failed: C:\Windows\system32\drivers\1ff79e307a5874f9.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\fastfat.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\fdc.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\fileinfo.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\filetrace.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\flpydisk.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\i8042prt.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\iaStor.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\iaStorV.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\igdkmd64.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\iirsp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\Impcd.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\IntcDAud.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\intelide.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\intelppm.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ipfltdrv.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\IPMIDrv.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ipnat.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\irda.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\irenum.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\isapnp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\kbdclass.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\kbdhid.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ks.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ksecdd.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ksecpkg.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ksthunk.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\L1C62x64.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\lltdio.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\msfs.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mshidkmdf.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\msisadrv.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\msiscsi.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mskssrv.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mspclock.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mspqm.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\msrpc.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mssmbios.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mstee.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\MTConfig.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mup.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ndis.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ndiscap.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ndistapi.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ndisuio.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ndiswan.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\scfilter.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\scsiport.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\secdrv.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\serenum.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\serial.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\sermouse.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\sffdisk.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\sffp_mmc.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\sffp_sd.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\sfloppy.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\Sftfslh.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\Sftplaylh.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\Sftredirlh.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\Sftvollh.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\sisraid2.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\sisraid4.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\smb.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\smclib.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\spldr.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\spsys.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\srv.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\b57nd60a.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\discache.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\fltMgr.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\hwpolicy.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\lsi_fc.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\msdsm.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ndproxy.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\pcmcia.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\sbp2port.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\srv2.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\USBCAMD2.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\volmgr.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\netbios.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\netbt.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\netio.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\nfrd960.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\npfs.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\nsiproxy.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ntfs.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\null.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\nvraid.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\nvstor.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\NV_AGP.SYS (0x00000005)
File user open failed: C:\Windows\system32\drivers\nwifi.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\nwvmmdm.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\nwvmser.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\nwvmser2.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ohci1394.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\pacer.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\parport.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\partmgr.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\PCASp50a64.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\pci.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\pciide.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\pciidex.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\pcw.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\PEAuth.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\pneteth.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\portcls.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\processr.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\PxHlpa64.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ql2300.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ql40xx.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\qwavedrv.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\rasacd.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\rasl2tp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\raspppoe.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\raspptp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\rassstp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\rdbss.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\rdpbus.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\RDPCDD.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\RDPENCDD.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\RDPREFMP.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\rdpwd.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\rdyboost.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\rmcast.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\RNDISMP.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\rootmdm.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\rspndr.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\RTKVHD64.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\RtsUStor.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbccgp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbcir.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbd.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbehci.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbhub.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbohci.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbport.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbprint.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbrpm.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\USBSTOR.SYS (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbuhci.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usbvideo.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\vdrvroot.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\vga.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\vgapnp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\vhdmp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\viaide.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\videoprt.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\srvnet.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\stexstor.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\storport.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\stream.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\swenum.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\SynTP.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\tape.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\tcpip.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\tcpipreg.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\tdi.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\tdpipe.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\tdtcp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\tdx.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\termdd.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\tssecsrv.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\tunnel.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\UAGP35.SYS (0x00000005)
File user open failed: C:\Windows\system32\drivers\udfs.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ULIAGPKX.SYS (0x00000005)
File user open failed: C:\Windows\system32\drivers\umbus.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\umpass.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\usb8023.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\lsi_sas.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\lsi_sas2.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\lsi_scsi.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\luafv.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mcd.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\megasas.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\MegaSR.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\modem.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\monitor.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mouclass.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mouhid.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mountmgr.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mpio.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mpsdrv.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mrxdav.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mrxsmb.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mrxsmb10.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\mrxsmb20.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\msahci.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\fsdepends.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\fs_rec.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\fvevol.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\FWPKCLNT.SYS (0x00000005)
File user open failed: C:\Windows\system32\drivers\GAGP30KX.SYS (0x00000005)
File user open failed: C:\Windows\system32\drivers\hcw85cir.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\hdaudbus.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\HECIx64.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\hidbatt.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\hidbth.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\hidclass.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\hidir.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\hidparse.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\hidusb.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\HpSAMD.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\http.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\volmgrx.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\volsnap.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\vsmraid.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\vwifibus.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\vwififlt.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\vwifimp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\wacompen.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\wanarp.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\watchdog.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\wd.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\Wdf01000.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\WdfLdr.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\wfplwf.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\WimFltr.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\wimmount.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\winusb.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\wmiacpi.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\wmilib.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\ws2ifsl.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\WUDFPf.sys (0x00000005)
File user open failed: C:\Windows\system32\drivers\WUDFRd.sys (0x00000005)
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 7F2837E

Partition information:

Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 208782

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 208845 Numsec = 30720000
Partition file system is NTFS
Partition is bootable

Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 30928845 Numsec = 945842275

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Done!
Performing system, memory and registry scan...
Read File: File "C:\ProgramData\{04A07C23-5821-4F25-BF46-1188636AE238}\delldock.dat" is compressed (flags = 1)
Read File: File "C:\ProgramData\{04A07C23-5821-4F25-BF46-1188636AE238}\instance.dat" is compressed (flags = 1)
Read File: File "C:\ProgramData\{7B344F95-C8A2-414E-BF1A-2D2F08D3D6B2}\Best Buy pc app Setup.dat" is compressed (flags = 1)
Read File: File "C:\ProgramData\{7B344F95-C8A2-414E-BF1A-2D2F08D3D6B2}\instance.dat" is compressed (flags = 1)
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\@ --> [Trojan.Siredef.C]
Infected: c:\windows\serviceprofiles\networkservice\appdata\local\temp\syshost.exe --> [Spyware.Agent]
Infected: c:\windows\temp\syshost.exe --> [Spyware.Agent]
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\00000004.@ --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\00000008.@ --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\000000cb.@ --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\80000000.@ --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\80000032.@ --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U\80000064.@ --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\00000004.@ --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b --> [Trojan.Siredef.C]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occured
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

Java version: 1.6.0_37

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 4081606656, free: 3092353024
 
I still can not run MBAR once windows loads...it says it can not load protection driver.

MBAR
Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.03.01

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
jah :: JAH-PC [administrator]

11/23/2012 12:37:04 PM
mbar-log-2012-11-23 (12-37-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 25053
Time elapsed: 17 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
c:\windows\serviceprofiles\networkservice\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [0bf6fe966df0ea4c890be94bc43fdd23]
c:\windows\temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [c0411381c29b13232b692e06bd467789]

(end)
 
  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

=================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
Rouge
RogueKiller V8.3.1 [Nov 23 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : jah [Admin rights]
Mode : Scan -- Date : 11/23/2012 12:49:56

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[STARTUP][SUSP PATH] Best Buy pc app.lnk Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk Default User : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BEVT-75A0RT0 +++++
--- User ---
[MBR] dd6967e897e9549401c89a8d9f38da4a
[BSP] dea9defa67a18cc486b8c709b2ee22f0 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 101 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 208845 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30928845 | Size: 461837 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_11232012_02d1249.txt >>
RKreport[1]_S_11232012_02d1249.txt

aswMBR
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-23 12:53:14
-----------------------------
12:53:14.948 OS Version: Windows x64 6.1.7600
12:53:14.958 Number of processors: 2 586 0x2505
12:53:14.958 ComputerName: JAH-PC UserName: jah
12:53:16.060 Initialze error C0000001 - driver not loaded
13:15:58.994 Service scanning
13:15:59.478 Service 1ff79e307a5874f9 C:\Windows\System32\Drivers\1ff79e307a5874f9.sys **HIDDEN**
13:16:39.118 Modules scanning
13:16:39.118 Disk 0 trace - called modules:
13:16:39.118
13:16:39.133 Scan finished successfully
13:17:05.716 The log file has been saved successfully to "C:\Users\jah\Desktop\aswMBR.txt"


 
No.

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next...

Re-run FRST again.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes in your reply.

I'll expect two logs:
- FRST.txt
- Search.txt
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-11-2012
Ran by SYSTEM at 23-11-2012 14:11:44
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-13] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3203440 2010-04-06] (Dell Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Jungle Disk Desktop.lnk
ShortcutTarget: Jungle Disk Desktop.lnk -> C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe (Jungle Disk, Inc.)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\jah\Start Menu\Programs\Startup\PdaNet Desktop.lnk
ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe ()

==================== Services (Whitelisted) ===================

2 JungleDiskService; "C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe" --service [9761096 2011-05-17] (Jungle Disk, Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)

==================== Drivers (Whitelisted) =====================

0 1ff79e307a5874f9; C:\Windows\System32\Drivers\1ff79e307a5874f9.sys [73160 2012-11-22] () ATTENTION =====> Rootkit?
1 cbfs3; C:\Windows\System32\Drivers\cbfs3.sys [321424 2010-11-30] (EldoS Corporation)
0 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [36680 2012-11-23] ()
0 mbamswissarmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [152392 2012-11-23] (Malwarebytes Corporation)
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-23 14:11 - 2012-11-23 14:11 - 00000000 ____D C:\FRST
2012-11-23 13:07 - 2012-11-23 13:07 - 01461039 ____A (Farbar) C:\Users\jah\Downloads\FRST64.exe
2012-11-23 12:17 - 2012-11-23 12:17 - 00000718 ____A C:\Users\jah\Desktop\aswMBR.txt
2012-11-23 11:49 - 2012-11-23 11:49 - 00002111 ____A C:\Users\jah\Desktop\RKreport[1]_S_11232012_02d1249.txt
2012-11-23 11:49 - 2012-11-23 11:49 - 00000000 ____D C:\Users\jah\Desktop\RK_Quarantine
2012-11-23 11:46 - 2012-11-23 11:48 - 04732416 ____A (AVAST Software) C:\Users\jah\Desktop\aswMBR.exe
2012-11-23 11:45 - 2012-11-23 11:46 - 00752128 ____A C:\Users\jah\Desktop\RogueKiller.exe
2012-11-23 11:17 - 2012-11-23 11:17 - 00152392 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-11-23 11:17 - 2012-11-23 11:17 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2012-11-22 23:19 - 2012-11-22 23:19 - 00000000 ____D C:\Users\jah\Desktop\MBAR
2012-11-22 23:15 - 2012-11-22 23:17 - 12961620 ____A C:\Users\jah\Downloads\mbar-1.01.0.1009.zip
2012-11-22 19:02 - 2012-11-22 19:02 - 00001945 ____A C:\Windows\epplauncher.mif
2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-11-22 18:56 - 2012-11-22 18:56 - 00014529 ____A C:\Users\jah\Desktop\dds.txt
2012-11-22 18:56 - 2012-11-22 18:56 - 00004342 ____A C:\Users\jah\Desktop\attach.txt
2012-11-22 18:25 - 2012-11-22 18:45 - 13529576 ____A (Microsoft Corporation) C:\Users\jah\Downloads\mseinstall.exe
2012-11-22 18:23 - 2012-11-22 18:24 - 00688992 ____R (Swearware) C:\Users\jah\Desktop\dds.com
2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\Application Data\Malwarebytes
2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\AppData\Roaming\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-22 18:13 - 2012-09-29 18:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-22 18:05 - 2012-11-22 18:12 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\jah\Downloads\mbam-setup-1.65.1.1000.exe
2012-11-22 17:38 - 2012-11-22 17:38 - 00073160 ____A C:\Windows\System32\Drivers\1ff79e307a5874f9.sys
2012-11-15 10:26 - 2012-05-31 11:25 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-11-15 09:04 - 2012-11-15 09:04 - 00035908 ____A C:\RPSetup.exe.log
2012-11-07 07:59 - 2012-11-07 07:59 - 00683568 ____A C:\Windows\Minidump\110712-24180-01.dmp
2012-11-06 17:44 - 2012-11-06 17:45 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Adobe
2012-11-06 17:44 - 2012-11-06 17:45 - 00000000 ____D C:\Users\JMS\Local Settings\Adobe
2012-11-06 17:44 - 2012-11-06 17:45 - 00000000 ____D C:\Users\JMS\AppData\Local\Adobe
2012-11-06 17:44 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\Local Settings\Macromedia
2012-11-06 17:44 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Macromedia
2012-11-06 17:44 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\AppData\Local\Macromedia
2012-11-06 17:22 - 2012-11-11 14:49 - 00000000 ____D C:\Users\JMS\Application Data\JungleDisk
2012-11-06 17:22 - 2012-11-11 14:49 - 00000000 ____D C:\Users\JMS\AppData\Roaming\JungleDisk
2012-11-03 18:42 - 2012-11-07 08:11 - 00000000 ____D C:\Users\All Users\VirtualizedApplications
2012-11-03 18:42 - 2012-11-07 08:11 - 00000000 ____D C:\Users\All Users\Application Data\VirtualizedApplications
2012-11-03 16:31 - 2012-11-22 17:38 - 00000000 ____D C:\Users\jah\Application Data\SoftGrid Client
2012-11-03 16:31 - 2012-11-22 17:38 - 00000000 ____D C:\Users\jah\AppData\Roaming\SoftGrid Client
2012-11-03 16:31 - 2012-11-03 16:31 - 00731106 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-11-03 16:31 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\Local Settings\SoftGrid Client
2012-11-03 16:31 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\SoftGrid Client
2012-11-03 16:31 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\AppData\Local\SoftGrid Client
2012-11-03 16:31 - 2012-11-03 16:31 - 00000000 ____D C:\Program Files\Microsoft Office
2012-11-03 16:31 - 2012-11-03 16:31 - 00000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2012-11-03 16:30 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\Application Data\TP
2012-11-03 16:30 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\AppData\Roaming\TP
2012-11-03 11:46 - 2012-11-03 11:49 - 00000000 ____D C:\Users\jah\Desktop\From Phone
2012-10-31 15:01 - 2012-11-07 10:47 - 00000000 ____D C:\Users\jah\Application Data\JungleDisk
2012-10-31 15:01 - 2012-11-07 10:47 - 00000000 ____D C:\Users\jah\AppData\Roaming\JungleDisk
2012-10-31 14:59 - 2012-10-31 15:01 - 00000000 ____D C:\Users\All Users\JungleDisk
2012-10-31 14:59 - 2012-10-31 15:01 - 00000000 ____D C:\Users\All Users\Application Data\JungleDisk
2012-10-31 14:59 - 2010-11-30 11:03 - 00321424 ____A (EldoS Corporation) C:\Windows\System32\Drivers\cbfs3.sys
2012-10-31 14:59 - 2010-11-30 11:03 - 00216856 ____A (EldoS Corporation) C:\Windows\SysWOW64\CbFsNetRdr3.dll
2012-10-31 14:59 - 2010-11-30 11:03 - 00188696 ____A (EldoS Corporation) C:\Windows\System32\CbFsMntNtf3.dll
2012-10-31 14:59 - 2010-11-30 11:03 - 00155416 ____A (EldoS Corporation) C:\Windows\SysWOW64\CbFsMntNtf3.dll
2012-10-31 14:59 - 2010-11-30 11:03 - 00139032 ____A (EldoS Corporation) C:\Windows\System32\CbFsNetRdr3.dll
2012-10-31 14:58 - 2012-10-31 14:59 - 08092672 ____A C:\Users\jah\Downloads\JungleDiskDesktop64-3160.msi
2012-10-31 11:16 - 2012-10-31 11:16 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-10-31 11:16 - 2012-10-31 11:16 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-10-31 11:16 - 2012-10-31 11:16 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-10-31 11:16 - 2012-10-31 11:16 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-10-31 11:16 - 2012-10-31 11:16 - 00000000 ____D C:\Program Files (x86)\Java
2012-10-29 18:01 - 2012-10-29 18:01 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Adobe
2012-10-29 18:01 - 2012-10-29 18:01 - 00000000 ____D C:\Users\jah\Local Settings\Adobe
2012-10-29 18:01 - 2012-10-29 18:01 - 00000000 ____D C:\Users\jah\AppData\Local\Adobe
2012-10-29 14:52 - 2012-11-21 19:48 - 00000000 ____D C:\Users\jah\My Documents\Misc
2012-10-29 14:52 - 2012-11-21 19:48 - 00000000 ____D C:\Users\jah\Documents\Misc
2012-10-29 14:45 - 2012-10-29 14:45 - 00000000 ____D C:\Users\jah\Local Settings\Macromedia
2012-10-29 14:45 - 2012-10-29 14:45 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Macromedia
2012-10-29 14:45 - 2012-10-29 14:45 - 00000000 ____D C:\Users\jah\AppData\Local\Macromedia
2012-10-29 14:44 - 2012-10-29 14:44 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-10-29 14:44 - 2012-10-29 14:44 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-10-29 14:44 - 2012-10-29 14:44 - 00000000 ____D C:\Windows\System32\Macromed
2012-10-29 14:33 - 2012-10-29 14:33 - 00000000 ____D C:\Users\jah\Local Settings\Mozilla
2012-10-29 14:33 - 2012-10-29 14:33 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Mozilla
2012-10-29 14:33 - 2012-10-29 14:33 - 00000000 ____D C:\Users\jah\Application Data\Mozilla
2012-10-29 14:33 - 2012-10-29 14:33 - 00000000 ____D C:\Users\jah\AppData\Roaming\Mozilla
2012-10-29 14:33 - 2012-10-29 14:33 - 00000000 ____D C:\Users\jah\AppData\Local\Mozilla
2012-10-27 22:24 - 2012-10-27 22:24 - 00000000 ____D C:\Users\JMS\Local Settings\Best Buy pc app
2012-10-27 22:24 - 2012-10-27 22:24 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Best Buy pc app
2012-10-27 22:24 - 2012-10-27 22:24 - 00000000 ____D C:\Users\JMS\AppData\Local\Best Buy pc app
2012-10-27 21:53 - 2012-10-27 21:53 - 00000000 ____D C:\Users\JMS\Local Settings\Mozilla
2012-10-27 21:53 - 2012-10-27 21:53 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Mozilla
2012-10-27 21:53 - 2012-10-27 21:53 - 00000000 ____D C:\Users\JMS\Application Data\Mozilla
2012-10-27 21:53 - 2012-10-27 21:53 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Mozilla
2012-10-27 21:53 - 2012-10-27 21:53 - 00000000 ____D C:\Users\JMS\AppData\Local\Mozilla
2012-10-27 21:51 - 2012-10-27 21:51 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-10-27 21:51 - 2012-10-27 21:51 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_WinUSB_01007.Wdf
2012-10-27 21:49 - 2012-10-27 21:49 - 00001149 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-10-27 21:49 - 2012-10-27 21:49 - 00001149 ____A C:\Users\All Users\Desktop\Mozilla Firefox.lnk
2012-10-27 21:49 - 2012-10-27 21:49 - 00000000 ____D C:\Program Files (x86)\PdaNet for Android
2012-10-27 21:49 - 2012-10-27 21:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-10-27 21:49 - 2011-11-25 01:25 - 00015360 ____A (June Fabrics Technology Inc.) C:\Windows\System32\Drivers\pneteth.sys
2012-10-27 21:49 - 2009-11-08 02:41 - 01490656 ____A (Microsoft Corporation) C:\Windows\System32\WdfCoInstaller01007.dll
2012-10-27 21:49 - 2009-11-08 02:41 - 00708168 ____A (Microsoft Corporation) C:\Windows\System32\WinUSBCoInstaller.dll
2012-10-27 21:46 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\Application Data\Adobe
2012-10-27 21:46 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Adobe
2012-10-27 21:46 - 2012-10-27 21:46 - 00000000 ____D C:\Users\JMS\Application Data\Macromedia
2012-10-27 21:46 - 2012-10-27 21:46 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Macromedia
2012-10-27 19:26 - 2012-10-27 19:26 - 00057560 ____A C:\Users\JMS\Local Settings\GDIPFONTCACHEV1.DAT
2012-10-27 19:26 - 2012-10-27 19:26 - 00057560 ____A C:\Users\JMS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-10-27 19:26 - 2012-10-27 19:26 - 00057560 ____A C:\Users\JMS\AppData\Local\GDIPFONTCACHEV1.DAT
2012-10-27 19:26 - 2012-10-27 19:26 - 00000000 ____D C:\Users\JMS\Application Data\Dell
2012-10-27 19:26 - 2012-10-27 19:26 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Dell
2012-10-27 19:25 - 2012-10-27 22:25 - 00000000 ____D C:\Users\JMS\Local Settings\Deployment
2012-10-27 19:25 - 2012-10-27 22:25 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Deployment
2012-10-27 19:25 - 2012-10-27 22:25 - 00000000 ____D C:\Users\JMS\AppData\Local\Deployment
2012-10-27 19:25 - 2012-10-27 19:25 - 00000020 ___SH C:\Users\JMS\ntuser.ini
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Local Settings\VirtualStore
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Local Settings\Stardock_Corporation
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\VirtualStore
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Stardock_Corporation
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Application Data\Roxio
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Application Data\Leadertech
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Roxio
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Leadertech
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Local\VirtualStore
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Local\Stardock_Corporation
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Local\Apps\2.0
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\users\JMS
2012-10-27 19:25 - 2010-11-17 19:32 - 00000000 ____D C:\Users\JMS\Local Settings\SoftThinks
2012-10-27 19:25 - 2010-11-17 19:32 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\SoftThinks
2012-10-27 19:25 - 2010-11-17 19:32 - 00000000 ____D C:\Users\JMS\AppData\Local\SoftThinks

==================== One Month Modified Files and Folders =======

2012-11-23 14:11 - 2012-11-23 14:11 - 00000000 ____D C:\FRST
2012-11-23 13:07 - 2012-11-23 13:07 - 01461039 ____A (Farbar) C:\Users\jah\Downloads\FRST64.exe
2012-11-23 13:07 - 2009-07-13 23:13 - 00714754 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-23 13:07 - 2009-07-13 22:51 - 00024993 ____A C:\Windows\setupact.log
2012-11-23 12:17 - 2012-11-23 12:17 - 00000718 ____A C:\Users\jah\Desktop\aswMBR.txt
2012-11-23 11:49 - 2012-11-23 11:49 - 00002111 ____A C:\Users\jah\Desktop\RKreport[1]_S_11232012_02d1249.txt
2012-11-23 11:49 - 2012-11-23 11:49 - 00000000 ____D C:\Users\jah\Desktop\RK_Quarantine
2012-11-23 11:48 - 2012-11-23 11:46 - 04732416 ____A (AVAST Software) C:\Users\jah\Desktop\aswMBR.exe
2012-11-23 11:46 - 2012-11-23 11:45 - 00752128 ____A C:\Users\jah\Desktop\RogueKiller.exe
2012-11-23 11:46 - 2009-07-13 22:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-23 11:46 - 2009-07-13 22:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-23 11:39 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-23 11:17 - 2012-11-23 11:17 - 00152392 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-11-23 11:17 - 2012-11-23 11:17 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2012-11-22 23:51 - 2010-11-17 20:47 - 00008662 ____A C:\Windows\PFRO.log
2012-11-22 23:19 - 2012-11-22 23:19 - 00000000 ____D C:\Users\jah\Desktop\MBAR
2012-11-22 23:17 - 2012-11-22 23:15 - 12961620 ____A C:\Users\jah\Downloads\mbar-1.01.0.1009.zip
2012-11-22 23:17 - 2009-07-13 23:10 - 00219666 ____A C:\Windows\WindowsUpdate.log
2012-11-22 19:02 - 2012-11-22 19:02 - 00001945 ____A C:\Windows\epplauncher.mif
2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-11-22 18:56 - 2012-11-22 18:56 - 00014529 ____A C:\Users\jah\Desktop\dds.txt
2012-11-22 18:56 - 2012-11-22 18:56 - 00004342 ____A C:\Users\jah\Desktop\attach.txt
2012-11-22 18:45 - 2012-11-22 18:25 - 13529576 ____A (Microsoft Corporation) C:\Users\jah\Downloads\mseinstall.exe
2012-11-22 18:24 - 2012-11-22 18:23 - 00688992 ____R (Swearware) C:\Users\jah\Desktop\dds.com
2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\Application Data\Malwarebytes
2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\AppData\Roaming\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-22 18:12 - 2012-11-22 18:05 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\jah\Downloads\mbam-setup-1.65.1.1000.exe
2012-11-22 17:38 - 2012-11-22 17:38 - 00073160 ____A C:\Windows\System32\Drivers\1ff79e307a5874f9.sys
2012-11-22 17:38 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\Application Data\SoftGrid Client
2012-11-22 17:38 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\AppData\Roaming\SoftGrid Client
2012-11-21 19:48 - 2012-10-29 14:52 - 00000000 ____D C:\Users\jah\My Documents\Misc
2012-11-21 19:48 - 2012-10-29 14:52 - 00000000 ____D C:\Users\jah\Documents\Misc
2012-11-15 09:05 - 2010-11-17 19:29 - 00000000 ____D C:\Program Files (x86)\Dell
2012-11-15 09:04 - 2012-11-15 09:04 - 00035908 ____A C:\RPSetup.exe.log
2012-11-13 18:51 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\NDF
2012-11-13 18:40 - 2011-01-15 07:44 - 00000073 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log
2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\Local Settings\SoftThinks
2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\SoftThinks
2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\AppData\Local\SoftThinks
2012-11-11 14:49 - 2012-11-06 17:22 - 00000000 ____D C:\Users\JMS\Application Data\JungleDisk
2012-11-11 14:49 - 2012-11-06 17:22 - 00000000 ____D C:\Users\JMS\AppData\Roaming\JungleDisk
2012-11-07 10:47 - 2012-10-31 15:01 - 00000000 ____D C:\Users\jah\Application Data\JungleDisk
2012-11-07 10:47 - 2012-10-31 15:01 - 00000000 ____D C:\Users\jah\AppData\Roaming\JungleDisk
2012-11-07 08:11 - 2012-11-03 18:42 - 00000000 ____D C:\Users\All Users\VirtualizedApplications
2012-11-07 08:11 - 2012-11-03 18:42 - 00000000 ____D C:\Users\All Users\Application Data\VirtualizedApplications
2012-11-07 07:59 - 2012-11-07 07:59 - 00683568 ____A C:\Windows\Minidump\110712-24180-01.dmp
2012-11-07 07:59 - 2012-09-08 22:42 - 00000000 ____D C:\Windows\Minidump
2012-11-07 07:59 - 2012-09-08 22:41 - 400176354 ____A C:\Windows\MEMORY.DMP
2012-11-06 17:45 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Adobe
2012-11-06 17:45 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\Local Settings\Adobe
2012-11-06 17:45 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\AppData\Local\Adobe
2012-11-06 17:44 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\Local Settings\Macromedia
2012-11-06 17:44 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Macromedia
2012-11-06 17:44 - 2012-11-06 17:44 - 00000000 ____D C:\Users\JMS\AppData\Local\Macromedia
2012-11-06 17:44 - 2012-10-27 21:46 - 00000000 ____D C:\Users\JMS\Application Data\Adobe
2012-11-06 17:44 - 2012-10-27 21:46 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Adobe
2012-11-03 16:31 - 2012-11-03 16:31 - 00731106 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-11-03 16:31 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\Local Settings\SoftGrid Client
2012-11-03 16:31 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\SoftGrid Client
2012-11-03 16:31 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\AppData\Local\SoftGrid Client
2012-11-03 16:31 - 2012-11-03 16:31 - 00000000 ____D C:\Program Files\Microsoft Office
2012-11-03 16:31 - 2012-11-03 16:31 - 00000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2012-11-03 16:31 - 2012-11-03 16:30 - 00000000 ____D C:\Users\jah\Application Data\TP
2012-11-03 16:31 - 2012-11-03 16:30 - 00000000 ____D C:\Users\jah\AppData\Roaming\TP
2012-11-03 16:31 - 2010-11-17 19:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2012-11-03 16:31 - 2009-07-13 21:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2012-11-03 11:49 - 2012-11-03 11:46 - 00000000 ____D C:\Users\jah\Desktop\From Phone
2012-10-31 15:01 - 2012-10-31 14:59 - 00000000 ____D C:\Users\All Users\JungleDisk
2012-10-31 15:01 - 2012-10-31 14:59 - 00000000 ____D C:\Users\All Users\Application Data\JungleDisk
2012-10-31 14:59 - 2012-10-31 14:58 - 08092672 ____A C:\Users\jah\Downloads\JungleDiskDesktop64-3160.msi
2012-10-31 11:16 - 2012-10-31 11:16 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-10-31 11:16 - 2012-10-31 11:16 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-10-31 11:16 - 2012-10-31 11:16 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-10-31 11:16 - 2012-10-31 11:16 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-10-31 11:16 - 2012-10-31 11:16 - 00000000 ____D C:\Program Files (x86)\Java
2012-10-31 11:16 - 2010-11-17 18:55 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-10-31 11:15 - 2010-11-17 19:16 - 00000000 ____D C:\Users\All Users\McAfee
2012-10-31 11:15 - 2010-11-17 19:16 - 00000000 ____D C:\Users\All Users\Application Data\McAfee
2012-10-29 18:01 - 2012-10-29 18:01 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Adobe
2012-10-29 18:01 - 2012-10-29 18:01 - 00000000 ____D C:\Users\jah\Local Settings\Adobe
2012-10-29 18:01 - 2012-10-29 18:01 - 00000000 ____D C:\Users\jah\AppData\Local\Adobe
2012-10-29 14:45 - 2012-10-29 14:45 - 00000000 ____D C:\Users\jah\Local Settings\Macromedia
2012-10-29 14:45 - 2012-10-29 14:45 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Macromedia
2012-10-29 14:45 - 2012-10-29 14:45 - 00000000 ____D C:\Users\jah\AppData\Local\Macromedia
2012-10-29 14:44 - 2012-10-29 14:44 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-10-29 14:44 - 2012-10-29 14:44 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-10-29 14:44 - 2012-10-29 14:44 - 00000000 ____D C:\Windows\System32\Macromed
2012-10-29 14:44 - 2010-11-17 19:08 - 00000000 ____D C:\Users\All Users\Application Data\Adobe
2012-10-29 14:44 - 2010-11-17 19:08 - 00000000 ____D C:\Users\All Users\Adobe
2012-10-29 14:33 - 2012-10-29 14:33 - 00000000 ____D C:\Users\jah\Local Settings\Mozilla
2012-10-29 14:33 - 2012-10-29 14:33 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Mozilla
2012-10-29 14:33 - 2012-10-29 14:33 - 00000000 ____D C:\Users\jah\Application Data\Mozilla
2012-10-29 14:33 - 2012-10-29 14:33 - 00000000 ____D C:\Users\jah\AppData\Roaming\Mozilla
2012-10-29 14:33 - 2012-10-29 14:33 - 00000000 ____D C:\Users\jah\AppData\Local\Mozilla
2012-10-27 22:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Local Settings\Deployment
2012-10-27 22:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Deployment
2012-10-27 22:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Local\Deployment
2012-10-27 22:24 - 2012-10-27 22:24 - 00000000 ____D C:\Users\JMS\Local Settings\Best Buy pc app
2012-10-27 22:24 - 2012-10-27 22:24 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Best Buy pc app
2012-10-27 22:24 - 2012-10-27 22:24 - 00000000 ____D C:\Users\JMS\AppData\Local\Best Buy pc app
2012-10-27 21:53 - 2012-10-27 21:53 - 00000000 ____D C:\Users\JMS\Local Settings\Mozilla
2012-10-27 21:53 - 2012-10-27 21:53 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Mozilla
2012-10-27 21:53 - 2012-10-27 21:53 - 00000000 ____D C:\Users\JMS\Application Data\Mozilla
2012-10-27 21:53 - 2012-10-27 21:53 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Mozilla
2012-10-27 21:53 - 2012-10-27 21:53 - 00000000 ____D C:\Users\JMS\AppData\Local\Mozilla
2012-10-27 21:51 - 2012-10-27 21:51 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-10-27 21:51 - 2012-10-27 21:51 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_WinUSB_01007.Wdf
2012-10-27 21:49 - 2012-10-27 21:49 - 00001149 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-10-27 21:49 - 2012-10-27 21:49 - 00001149 ____A C:\Users\All Users\Desktop\Mozilla Firefox.lnk
2012-10-27 21:49 - 2012-10-27 21:49 - 00000000 ____D C:\Program Files (x86)\PdaNet for Android
2012-10-27 21:49 - 2012-10-27 21:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-10-27 21:46 - 2012-10-27 21:46 - 00000000 ____D C:\Users\JMS\Application Data\Macromedia
2012-10-27 21:46 - 2012-10-27 21:46 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Macromedia
2012-10-27 19:26 - 2012-10-27 19:26 - 00057560 ____A C:\Users\JMS\Local Settings\GDIPFONTCACHEV1.DAT
2012-10-27 19:26 - 2012-10-27 19:26 - 00057560 ____A C:\Users\JMS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-10-27 19:26 - 2012-10-27 19:26 - 00057560 ____A C:\Users\JMS\AppData\Local\GDIPFONTCACHEV1.DAT
2012-10-27 19:26 - 2012-10-27 19:26 - 00000000 ____D C:\Users\JMS\Application Data\Dell
2012-10-27 19:26 - 2012-10-27 19:26 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Dell
2012-10-27 19:25 - 2012-10-27 19:25 - 00000020 ___SH C:\Users\JMS\ntuser.ini
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Local Settings\VirtualStore
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Local Settings\Stardock_Corporation
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\VirtualStore
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\Stardock_Corporation
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Application Data\Roxio
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\Application Data\Leadertech
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Roxio
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Roaming\Leadertech
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Local\VirtualStore
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Local\Stardock_Corporation
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\Users\JMS\AppData\Local\Apps\2.0
2012-10-27 19:25 - 2012-10-27 19:25 - 00000000 ____D C:\users\JMS

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-03-08 23:52:53
Restore point made on: 2012-03-17 22:36:07
Restore point made on: 2012-04-01 08:33:22
Restore point made on: 2012-10-27 21:50:32
Restore point made on: 2012-10-27 21:50:46
Restore point made on: 2012-10-27 21:51:50
Restore point made on: 2012-10-31 11:15:46
Restore point made on: 2012-10-31 14:59:35
Restore point made on: 2012-11-07 17:17:16
Restore point made on: 2012-11-14 23:00:10
Restore point made on: 2012-11-15 09:04:39
Restore point made on: 2012-11-15 09:04:59
Restore point made on: 2012-11-15 10:22:22
Restore point made on: 2012-11-15 10:26:34
Restore point made on: 2012-11-22 17:49:08
Restore point made on: 2012-11-22 23:18:28
Restore point made on: 2012-11-22 23:50:24
Restore point made on: 2012-11-23 11:37:24

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3892.52 MB
Available physical RAM: 3340.7 MB
Total Pagefile: 3890.67 MB
Available Pagefile: 3327.19 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:417.11 GB) NTFS
3 Drive e: () (Removable) (Total:7.45 GB) (Free:0.78 GB) FAT32
4 Drive f: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7643 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 101 MB 31 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 451 GB 14 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 101 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 F RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7643 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E FAT32 Removable 7643 MB Healthy

=========================================================

Last Boot: 2012-11-14 23:53

==================== End Of Log =============================





Farbar Recovery Scan Tool (x64) Version: 23-11-2012
Ran by SYSTEM at 2012-11-23 14:14:04
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
 
Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next....

Restart normally and re-run aswMBR.
 

Attachments

  • fixlist.txt
    317 bytes · Views: 1
Ix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-11-2012
Ran by SYSTEM at 2012-11-23 14:37:40 Run:1
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
1ff79e307a5874f9 service deleted successfully.
C:\Windows\System32\Drivers\1ff79e307a5874f9.sys moved successfully.

The operation completed successfully.

==== End of Fixlog ====

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-23 14:42:19
-----------------------------
14:42:19.553 OS Version: Windows x64 6.1.7600
14:42:19.553 Number of processors: 2 586 0x2505
14:42:19.553 ComputerName: JAH-PC UserName: jah
14:42:20.832 Initialize success
14:42:26.919 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:42:26.919 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
14:42:26.950 Disk 0 MBR read successfully
14:42:26.950 Disk 0 MBR scan
14:42:26.965 Disk 0 Windows VISTA default MBR code
14:42:26.965 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 101 MB offset 63
14:42:26.981 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 208845
14:42:26.997 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461837 MB offset 30928845
14:42:27.012 Disk 0 scanning C:\Windows\system32\drivers
14:42:38.587 Service scanning
14:43:18.773 Modules scanning
14:43:18.773 Disk 0 trace - called modules:
14:43:18.789
14:43:18.789 Scan finished successfully
14:43:43.718 Disk 0 MBR has been saved successfully to "C:\Users\jah\Desktop\MBR.dat"
14:43:43.718 The log file has been saved successfully to "C:\Users\jah\Desktop\aswMBR2.txt"
 
Good job :)

Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

===============================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
ComboFix 12-11-23.02 - jah 11/23/2012 19:10:57.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3893.2584 [GMT -5:00]
Running from: c:\users\jah\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-24 to 2012-11-24 )))))))))))))))))))))))))))))))
.
.
2012-11-24 00:15 . 2012-11-24 00:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-23 20:11 . 2012-11-23 20:11 -------- d-----w- C:\FRST
2012-11-23 17:17 . 2012-11-23 17:17 152392 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-11-23 17:17 . 2012-11-23 17:17 36680 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-11-23 03:45 . 2012-11-19 06:01 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4C776FC9-95F8-473F-A2DA-9292485EBAB8}\mpengine.dll
2012-11-23 01:54 . 2012-11-19 06:01 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-23 01:00 . 2012-11-23 01:00 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-11-23 01:00 . 2012-11-23 01:00 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-23 00:14 . 2012-11-23 00:14 -------- d-----w- c:\users\jah\AppData\Roaming\Malwarebytes
2012-11-23 00:13 . 2012-11-23 00:13 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-23 00:13 . 2012-11-23 00:13 -------- d-----w- c:\programdata\Malwarebytes
2012-11-23 00:13 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-15 16:26 . 2012-10-17 08:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8AAAE944-8C65-4237-9062-2AA068A12DD5}\mpengine.dll
2012-11-15 16:26 . 2012-05-31 17:25 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-11-04 00:42 . 2012-11-07 14:11 -------- d-----w- c:\programdata\VirtualizedApplications
2012-11-03 22:31 . 2012-11-22 23:38 -------- d-----w- c:\users\jah\AppData\Roaming\SoftGrid Client
2012-11-03 22:31 . 2012-11-03 22:31 -------- d-----w- c:\users\jah\AppData\Local\SoftGrid Client
2012-11-03 22:31 . 2012-11-03 22:31 -------- d-----w- c:\program files (x86)\Microsoft Application Virtualization Client
2012-11-03 22:31 . 2012-11-03 22:31 -------- d-----w- c:\program files\Microsoft Office
2012-11-03 22:30 . 2012-11-03 22:31 -------- d-----w- c:\users\jah\AppData\Roaming\TP
2012-10-31 21:01 . 2012-11-07 16:47 -------- d-----w- c:\users\jah\AppData\Roaming\JungleDisk
2012-10-31 20:59 . 2012-10-31 21:01 -------- d-----w- c:\programdata\JungleDisk
2012-10-31 20:59 . 2010-11-30 17:03 188696 ----a-w- c:\windows\system32\CbFsMntNtf3.dll
2012-10-31 20:59 . 2010-11-30 17:03 216856 ----a-w- c:\windows\SysWow64\CbFsNetRdr3.dll
2012-10-31 20:59 . 2010-11-30 17:03 155416 ----a-w- c:\windows\SysWow64\CbFsMntNtf3.dll
2012-10-31 20:59 . 2010-11-30 17:03 139032 ----a-w- c:\windows\system32\CbFsNetRdr3.dll
2012-10-31 20:59 . 2010-11-30 17:03 321424 ----a-w- c:\windows\system32\drivers\cbfs3.sys
2012-10-31 20:59 . 2012-10-31 20:59 -------- d-----w- c:\program files\Jungle Disk Desktop
2012-10-31 17:16 . 2012-10-31 17:16 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-10-31 17:16 . 2012-10-31 17:16 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-10-31 17:16 . 2012-10-31 17:16 -------- d-----w- c:\program files (x86)\Java
2012-10-30 00:01 . 2012-10-30 00:01 -------- d-----w- c:\users\jah\AppData\Local\Adobe
2012-10-29 20:45 . 2012-10-29 20:45 -------- d-----w- c:\users\jah\AppData\Local\Macromedia
2012-10-29 20:44 . 2012-10-29 20:44 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-29 20:44 . 2012-10-29 20:44 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-29 20:44 . 2012-10-29 20:44 -------- d-----w- c:\windows\system32\Macromed
2012-10-29 20:33 . 2012-10-29 20:33 -------- d-----w- c:\users\jah\AppData\Local\Mozilla
2012-10-28 03:49 . 2012-10-28 03:49 -------- d-----w- c:\program files (x86)\PdaNet for Android
2012-10-28 03:49 . 2011-11-25 07:25 15360 ----a-w- c:\windows\system32\drivers\pneteth.sys
2012-10-28 03:49 . 2009-11-08 08:41 708168 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2012-10-28 03:49 . 2009-11-08 08:41 1490656 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2012-10-28 01:25 . 2012-10-28 01:25 -------- d-----w- c:\users\JMS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-31 17:16 . 2010-11-18 00:55 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-31 03:03 . 2012-08-31 03:03 228768 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-31 03:03 . 2012-08-31 03:03 128456 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2010-11-30 17:03 155416 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
c:\users\jah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PdaNet Desktop.lnk - c:\program files (x86)\PdaNet for Android\PdaNetPC.exe [2012-10-27 484976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Jungle Disk Desktop.lnk - c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-5-17 9761096]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-10-13 9216]
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-05-07 245792]
S0 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-11-23 36680]
S0 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-11-23 152392]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2010-11-30 321424]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 JungleDiskService;JungleDiskService;c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-05-17 9761096]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-07-01 2533400]
S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [2010-02-02 20984]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-21 287232]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2009-12-22 74280]
S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2011-11-25 15360]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2010-11-30 17:03 188696 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk1_Complete]
@="{78061A12-1E91-4446-8B65-8ED2FF328D4A}"
[HKEY_CLASSES_ROOT\CLSID\{78061A12-1E91-4446-8B65-8ED2FF328D4A}]
2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk2_InProgress]
@="{700AD13D-E86F-41C9-9A8F-39B4C438806F}"
[HKEY_CLASSES_ROOT\CLSID\{700AD13D-E86F-41C9-9A8F-39B4C438806F}]
2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk3_Conflicted]
@="{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}"
[HKEY_CLASSES_ROOT\CLSID\{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}]
2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-14 10144288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = g.msn.com/USCON/1
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.offtopic.com/
FF - ExtSQL: 2012-10-29 16:37; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-10-29 16:39; tineye@ideeinc.com; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\tineye@ideeinc.com.xpi
FF - ExtSQL: 2012-10-31 13:16; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2012-11-03 17:15; {8ed952a0-199c-11d9-9669-0800200c9a66}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{8ed952a0-199c-11d9-9669-0800200c9a66}.xpi
FF - ExtSQL: 2012-11-21 21:03; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2012-11-23 13:21; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{79A765E1-C399-405B-85AF-466F52E918B0} - c:\program files (x86)\Ask.com\Updater\Updater.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-23 19:18:15
ComboFix-quarantined-files.txt 2012-11-24 00:18
.
Pre-Run: 448,629,325,824 bytes free
Post-Run: 448,839,819,264 bytes free
.
- - End Of File - - 2288B184D7B5D8F40871E4F2CDA71522
 
Looks good :)

Any current issues?

============================

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Next...

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.

=========================

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
I got a blue screen a couple of times saying something to the effect of a system file has been modified and failed, but other than that, it seems good! I will run those apps now!
 
# AdwCleaner v2.008 - Logfile created 11/23/2012 at 19:32:06
# Updated 17/11/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : jah - JAH-PC
# Boot Mode : Normal
# Running from : C:\Users\jah\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\ProgramData\Ask

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16385

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Users\JMS\AppData\Roaming\Mozilla\Firefox\Profiles\32faunlf.default\prefs.js

Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");

*************************

AdwCleaner[S1].txt - [1421 octets] - [23/11/2012 19:32:06]

########## EOF - C:\AdwCleaner[S1].txt - [1481 octets] ##########






OTL logfile created on: 11/23/2012 7:35:41 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\jah\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.80 Gb Total Physical Memory | 2.93 Gb Available Physical Memory | 77.13% Memory free
7.60 Gb Paging File | 6.62 Gb Available in Paging File | 87.03% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.01 Gb Total Space | 418.10 Gb Free Space | 92.70% Space Free | Partition Type: NTFS

Computer Name: JAH-PC | User Name: jah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/23 19:28:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\jah\Desktop\OTL.exe
PRC - [2012/03/09 15:30:50 | 000,484,976 | ---- | M] () -- C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
PRC - [2009/12/02 23:23:38 | 000,209,768 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2009/12/02 23:23:32 | 000,483,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2009/10/15 04:10:28 | 000,498,160 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
PRC - [2009/06/24 17:21:38 | 000,409,744 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
PRC - [2009/06/09 09:11:14 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/09 15:30:50 | 000,484,976 | ---- | M] () -- C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
MOD - [2009/10/15 04:10:28 | 000,498,160 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe


========== Services (SafeList) ==========

SRV:64bit: - [2012/09/12 21:21:48 | 000,368,896 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/09/12 21:21:48 | 000,022,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2011/05/17 17:14:46 | 009,761,096 | ---- | M] (Jungle Disk, Inc.) [Auto | Running] -- C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe -- (JungleDiskService)
SRV:64bit: - [2009/11/17 21:14:26 | 000,098,208 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/06/09 09:11:14 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2010/11/17 20:09:32 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2010/07/01 15:10:26 | 002,533,400 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2010/07/01 15:10:22 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2009/12/02 23:23:38 | 000,209,768 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2009/12/02 23:23:32 | 000,483,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- c:\program files\dell support center\pcdsrvc_x64.pkms -- (PCDSRVC{1E208CE0-FB7451FF-06020101}_0)
DRV:64bit: - [2012/11/23 12:17:33 | 000,152,392 | ---- | M] (Malwarebytes Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\mbamswissarmy.sys -- (mbamswissarmy)
DRV:64bit: - [2012/11/23 12:17:32 | 000,036,680 | ---- | M] () [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV:64bit: - [2012/08/30 22:03:48 | 000,128,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2011/11/25 02:25:52 | 000,015,360 | ---- | M] (June Fabrics Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pneteth.sys -- (pneteth)
DRV:64bit: - [2010/11/30 12:03:06 | 000,321,424 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\cbfs3.sys -- (cbfs3)
DRV:64bit: - [2010/11/17 21:41:20 | 000,107,912 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2010/11/17 21:41:20 | 000,027,016 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/07/20 08:40:38 | 010,603,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/06/21 18:15:54 | 000,287,232 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:64bit: - [2010/05/07 14:19:58 | 000,245,792 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2010/05/07 05:44:32 | 000,321,584 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2010/03/03 22:51:40 | 000,540,696 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2010/02/27 08:02:12 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2010/02/03 08:13:06 | 003,058,168 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
DRV:64bit: - [2010/02/02 17:13:08 | 000,020,984 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bcmvwl64.sys -- (BcmVWL)
DRV:64bit: - [2009/12/22 12:18:50 | 000,074,280 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2009/12/02 23:23:38 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2009/12/02 23:23:34 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2009/12/02 23:23:32 | 000,269,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2009/12/02 23:23:26 | 000,721,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2009/09/17 15:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/09 04:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009/06/15 14:06:42 | 000,172,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CtClsFlt.sys -- (CtClsFlt)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2006/11/01 13:51:00 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE:64bit: - HKLM\..\SearchScopes\{372AF392-41A0-4604-A7EF-5CC73BA507D0}: "URL" = http://www.bing.com/search?q={searchTerms}&amp;form=DLCDF8&amp;pc=MDDC&amp;src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{E4A85F6A-6118-4E51-903F-6435109820D0}: "URL" = http://www.bing.com/search?q={searchTerms}&amp;form=DLCDF8&amp;pc=MDDC&amp;src=IE-SearchBox


IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-4169508272-3924329090-955796134-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = g.msn.com/USCON/1
IE - HKU\S-1-5-21-4169508272-3924329090-955796134-1000\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-4169508272-3924329090-955796134-1000\..\SearchScopes\{9FABBEC4-C0C2-4E34-9578-11C57CD46D03}: "URL" = http://websearch.ask.com/redirect?c...pn_sauid=5217A5BB-D5C1-4069-A0DA-41AABF99EA5A
IE - HKU\S-1-5-21-4169508272-3924329090-955796134-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://forums.offtopic.com/"
FF - prefs.js..extensions.enabledAddons: tineye@ideeinc.com:1.1
FF - prefs.js..extensions.enabledAddons: {8ed952a0-199c-11d9-9669-0800200c9a66}:2.0.2
FF - prefs.js..extensions.enabledAddons: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:1.5
FF - prefs.js..extensions.enabledAddons: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.6.2
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_37: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/10/27 22:49:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/10/29 15:33:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jah\AppData\Roaming\mozilla\Extensions
[2012/11/23 13:21:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jah\AppData\Roaming\mozilla\Firefox\Profiles\1ekl3aw3.default\extensions
[2012/10/29 15:39:04 | 000,008,001 | ---- | M] () (No name found) -- C:\Users\jah\AppData\Roaming\mozilla\firefox\profiles\1ekl3aw3.default\extensions\tineye@ideeinc.com.xpi
[2012/11/23 13:21:09 | 000,530,519 | ---- | M] () (No name found) -- C:\Users\jah\AppData\Roaming\mozilla\firefox\profiles\1ekl3aw3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2012/11/03 16:15:21 | 000,031,439 | ---- | M] () (No name found) -- C:\Users\jah\AppData\Roaming\mozilla\firefox\profiles\1ekl3aw3.default\extensions\{8ed952a0-199c-11d9-9669-0800200c9a66}.xpi
[2012/11/21 20:53:23 | 000,804,737 | ---- | M] () (No name found) -- C:\Users\jah\AppData\Roaming\mozilla\firefox\profiles\1ekl3aw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/11/21 21:03:45 | 000,243,496 | ---- | M] () (No name found) -- C:\Users\jah\AppData\Roaming\mozilla\firefox\profiles\1ekl3aw3.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
[2012/10/31 12:16:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/10/31 12:16:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
[2012/10/24 12:50:58 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/10/24 12:50:17 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/10/24 12:50:17 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Virtual Storage Mount Notification) - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysNative\CbFsMntNtf3.dll (EldoS Corporation)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Virtual Storage Mount Notification) - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\jah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk = C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4169508272-3924329090-955796134-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4169508272-3924329090-955796134-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O13 - gopher Prefix: missing
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{00DB6E6E-F3AB-4C9D-8D23-EDB53E8402C6}: DhcpNameServer = 192.168.9.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{42C743E6-A1D6-40E0-B7F9-BC2302989E10}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AF2F0A21-2F5A-4F21-A096-48DD4B96F4C6}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysNative\CbFsMntNtf3.dll (EldoS Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O22:64bit: - SharedTaskScheduler: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - Virtual Storage Mount Notification - C:\Windows\SysNative\CbFsMntNtf3.dll (EldoS Corporation)
O22 - SharedTaskScheduler: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - Virtual Storage Mount Notification - C:\Windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/23 19:27:51 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\jah\Desktop\OTL.exe
[2012/11/23 19:20:49 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/11/23 19:18:17 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/11/23 19:09:27 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/11/23 19:09:27 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/11/23 19:09:27 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/11/23 19:09:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/11/23 19:09:04 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/11/23 18:59:58 | 005,005,971 | R--- | C] (Swearware) -- C:\Users\jah\Desktop\ComboFix.exe
[2012/11/23 15:11:38 | 000,000,000 | ---D | C] -- C:\FRST
[2012/11/23 12:49:27 | 000,000,000 | ---D | C] -- C:\Users\jah\Desktop\RK_Quarantine
[2012/11/23 12:46:45 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Users\jah\Desktop\aswMBR.exe
[2012/11/23 12:17:33 | 000,152,392 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamswissarmy.sys
[2012/11/23 00:19:41 | 000,000,000 | ---D | C] -- C:\Users\jah\Desktop\MBAR
[2012/11/22 20:00:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/11/22 20:00:38 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/11/22 19:23:52 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\jah\Desktop\dds.com
[2012/11/22 19:14:42 | 000,000,000 | ---D | C] -- C:\Users\jah\AppData\Roaming\Malwarebytes
[2012/11/22 19:13:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/11/22 19:13:30 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/11/22 19:13:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/11/22 19:13:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/11/03 19:42:00 | 000,000,000 | ---D | C] -- C:\ProgramData\VirtualizedApplications
[2012/11/03 17:31:47 | 000,000,000 | ---D | C] -- C:\Users\jah\AppData\Roaming\SoftGrid Client
[2012/11/03 17:31:47 | 000,000,000 | ---D | C] -- C:\Users\jah\AppData\Local\SoftGrid Client
[2012/11/03 17:31:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Starter (English)
[2012/11/03 17:31:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DESIGNER
[2012/11/03 17:31:04 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2012/11/03 17:31:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Application Virtualization Client
[2012/11/03 17:30:55 | 000,000,000 | ---D | C] -- C:\Users\jah\AppData\Roaming\TP
[2012/11/03 12:46:29 | 000,000,000 | ---D | C] -- C:\Users\jah\Desktop\From Phone
[2012/10/31 16:01:02 | 000,000,000 | ---D | C] -- C:\Users\jah\AppData\Roaming\JungleDisk
[2012/10/31 15:59:55 | 000,000,000 | ---D | C] -- C:\ProgramData\JungleDisk
[2012/10/31 15:59:52 | 000,188,696 | ---- | C] (EldoS Corporation) -- C:\Windows\SysNative\CbFsMntNtf3.dll
[2012/10/31 15:59:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Jungle Disk Desktop
[2012/10/31 15:59:50 | 000,216,856 | ---- | C] (EldoS Corporation) -- C:\Windows\SysWow64\CbFsNetRdr3.dll
[2012/10/31 15:59:50 | 000,155,416 | ---- | C] (EldoS Corporation) -- C:\Windows\SysWow64\CbFsMntNtf3.dll
[2012/10/31 15:59:50 | 000,139,032 | ---- | C] (EldoS Corporation) -- C:\Windows\SysNative\CbFsNetRdr3.dll
[2012/10/31 15:59:48 | 000,321,424 | ---- | C] (EldoS Corporation) -- C:\Windows\SysNative\drivers\cbfs3.sys
[2012/10/31 15:59:47 | 000,000,000 | ---D | C] -- C:\Program Files\Jungle Disk Desktop
[2012/10/31 12:16:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012/10/31 12:16:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2012/10/29 19:01:11 | 000,000,000 | ---D | C] -- C:\Users\jah\AppData\Local\Adobe
[2012/10/29 15:52:08 | 000,000,000 | ---D | C] -- C:\Users\jah\Documents\Misc
[2012/10/29 15:45:09 | 000,000,000 | ---D | C] -- C:\Users\jah\AppData\Local\Macromedia
[2012/10/29 15:44:38 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2012/10/29 15:33:41 | 000,000,000 | ---D | C] -- C:\Users\jah\AppData\Roaming\Mozilla
[2012/10/29 15:33:41 | 000,000,000 | ---D | C] -- C:\Users\jah\AppData\Local\Mozilla
[2012/10/27 22:49:52 | 000,015,360 | ---- | C] (June Fabrics Technology Inc.) -- C:\Windows\SysNative\drivers\pneteth.sys
[2012/10/27 22:49:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PdaNet for Android
[2012/10/27 22:49:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PdaNet for Android
[2012/10/27 22:49:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2012/10/27 20:19:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/23 19:33:18 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/11/23 19:33:14 | 3061,202,944 | -HS- | M] () -- C:\hiberfil.sys
[2012/11/23 19:28:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\jah\Desktop\OTL.exe
[2012/11/23 19:06:33 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/23 19:06:33 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/23 19:02:49 | 005,005,971 | R--- | M] (Swearware) -- C:\Users\jah\Desktop\ComboFix.exe
[2012/11/23 18:32:51 | 000,714,754 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/11/23 18:32:51 | 000,615,804 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/11/23 18:32:51 | 000,103,888 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/11/23 16:18:36 | 438,689,050 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/11/23 14:43:43 | 000,000,512 | ---- | M] () -- C:\Users\jah\Desktop\MBR.dat
[2012/11/23 12:48:32 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Users\jah\Desktop\aswMBR.exe
[2012/11/23 12:46:28 | 000,752,128 | ---- | M] () -- C:\Users\jah\Desktop\RogueKiller.exe
[2012/11/23 12:17:33 | 000,152,392 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamswissarmy.sys
[2012/11/23 12:17:32 | 000,036,680 | ---- | M] () -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2012/11/22 20:02:40 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/11/22 19:24:35 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\jah\Desktop\dds.com
[2012/11/22 19:13:31 | 000,001,111 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/11/20 21:28:41 | 000,035,420 | ---- | M] () -- C:\Users\jah\Desktop\2938632.jpg
[2012/11/03 17:31:16 | 000,731,106 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/10/31 15:59:52 | 000,001,077 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Jungle Disk Desktop.lnk
[2012/10/27 22:51:42 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2012/10/27 22:51:41 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_WinUSB_01007.Wdf
[2012/10/27 22:49:52 | 000,001,115 | ---- | M] () -- C:\Users\jah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk
[2012/10/27 22:49:08 | 000,001,149 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/23 19:09:27 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/11/23 19:09:27 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/11/23 19:09:27 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/11/23 19:09:27 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/11/23 19:09:27 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/11/23 14:43:43 | 000,000,512 | ---- | C] () -- C:\Users\jah\Desktop\MBR.dat
[2012/11/23 12:45:52 | 000,752,128 | ---- | C] () -- C:\Users\jah\Desktop\RogueKiller.exe
[2012/11/23 12:17:32 | 000,036,680 | ---- | C] () -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2012/11/22 20:02:40 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012/11/22 20:00:46 | 000,002,119 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/11/22 19:13:31 | 000,001,111 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/11/20 21:28:40 | 000,035,420 | ---- | C] () -- C:\Users\jah\Desktop\2938632.jpg
[2012/11/03 17:31:16 | 000,731,106 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/10/31 15:59:52 | 000,001,077 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Jungle Disk Desktop.lnk
[2012/10/27 22:51:42 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2012/10/27 22:51:41 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_WinUSB_01007.Wdf
[2012/10/27 22:49:52 | 000,001,115 | ---- | C] () -- C:\Users\jah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk
[2012/10/27 22:49:08 | 000,001,161 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/10/27 22:49:08 | 000,001,149 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/02/07 17:29:32 | 000,005,243 | ---- | C] () -- C:\Users\jah\AppData\Roaming\UserTile.png

========== ZeroAccess Check ==========

[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2010/11/17 21:41:24 | 014,162,944 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2010/11/17 21:41:24 | 012,867,584 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/13 20:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012/11/07 11:47:24 | 000,000,000 | ---D | M] -- C:\Users\jah\AppData\Roaming\JungleDisk
[2011/01/15 08:45:39 | 000,000,000 | ---D | M] -- C:\Users\jah\AppData\Roaming\Leadertech
[2012/03/05 22:57:27 | 000,000,000 | ---D | M] -- C:\Users\jah\AppData\Roaming\PCDr
[2012/11/22 18:38:04 | 000,000,000 | ---D | M] -- C:\Users\jah\AppData\Roaming\SoftGrid Client
[2012/11/03 17:31:53 | 000,000,000 | ---D | M] -- C:\Users\jah\AppData\Roaming\TP
[2012/11/11 15:49:09 | 000,000,000 | ---D | M] -- C:\Users\JMS\AppData\Roaming\JungleDisk
[2012/10/27 20:25:44 | 000,000,000 | ---D | M] -- C:\Users\JMS\AppData\Roaming\Leadertech

========== Purity Check ==========



< End of report >
 
OTL Extras logfile created on: 11/23/2012 7:35:41 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\jah\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.80 Gb Total Physical Memory | 2.93 Gb Available Physical Memory | 77.13% Memory free
7.60 Gb Paging File | 6.62 Gb Available in Paging File | 87.03% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.01 Gb Total Space | 418.10 Gb Free Space | 92.70% Space Free | Partition Type: NTFS

Computer Name: JAH-PC | User Name: jah | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-4169508272-3924329090-955796134-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2F1D85F8-1D48-4195-86B2-04A2EFE4D897}" = lport=2869 | protocol=6 | dir=in | app=system |
"{75B73040-49F9-41EB-BE38-A7D2D44AA94B}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{542BE32F-CA59-4156-8D35-19378EE6120A}" = dir=in | name=core networking - system ip core |
"{5AC8F8B5-4DEA-4C9C-A6CA-064CA9D11209}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{AA127FD9-BE17-4B1E-9111-B6B3223F0FD1}" = dir=in | app=c:\program files (x86)\windows live\sync\windowslivesync.exe |
"{B22AFEE8-F383-4EB3-BCC1-2A268BFD9E9C}" = dir=in | app=c:\program files (x86)\windows live\messenger\wlcsdk.exe |
"{DAEE2EDA-F1EA-4000-8A2F-FC50BEF7D69E}" = dir=out | name=core networking - system ip core |
"TCP Query User{855A2F18-92EF-4652-991F-798DB7E6231D}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{031DE03F-70A5-4082-8246-E90DC0CA1C16}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F86416021FF}" = Java(TM) 6 Update 21 (64-bit)
"{4837C529-3700-5555-95FC-80C653003160}" = Jungle Disk Desktop
"{87CF757E-C1F1-4D22-865C-00C6950B5258}" = Quickset64
"{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}" = Dell Edoc Viewer
"{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{C73A3942-84C8-4597-9F9B-EE227DCBA758}" = Dell Dock
"{C78D3032-9DFD-41D0-9DE9-58EAE750CBA4}" = Microsoft Security Client
"{FBBC4667-2521-4E78-B1BD-8706F774549B}" = Best Buy pc app
"DW WLAN Card" = DW WLAN Card
"Microsoft Security Client" = Microsoft Security Essentials
"SynTPDeinstKey" = Synaptics Pointing Device Driver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}" = Microsoft Visual C++ 2005 Redistributable
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216037FF}" = Java(TM) 6 Update 37
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6B9C32DB-DBCD-45A8-B901-3A92A99A2474}" = InstallVC90Support
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{A33E7B0C-B99C-4EC9-B702-8A328B161AF9}" = Roxio Burn
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AA31EA7B-7917-4000-949B-38E91F848A25}" = Internet Explorer
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.2
"{B2E47DE7-800B-40BB-BD1F-9F221C3AEE87}" = Roxio Burn
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Graphics Media Accelerator Driver
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FBBC4667-2521-4E78-B1BD-8706F774549B}" = Best Buy pc app
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Dell Dock" = Dell Dock
"Dell Webcam Central" = Dell Webcam Central
"GoToAssist" = GoToAssist 8.0.0.514
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"Mozilla Firefox 16.0.2 (x86 en-US)" = Mozilla Firefox 16.0.2 (x86 en-US)
"Office14.Click2Run" = Microsoft Office Click-to-Run 2010
"PdaNet_is1" = PdaNet for Android 3.50
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 11/15/2012 12:22:16 PM | Computer Name = jah-PC | Source = VSS | ID = 8194
Description =

Error - 11/15/2012 12:24:55 PM | Computer Name = jah-PC | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed: There are currently no active network connections. Background
Intelligent Transfer Service (BITS) will try again when an adapter is connected.


Error - 11/16/2012 3:21:31 PM | Computer Name = jah-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: mshtml.dll, version: 8.0.7600.16625, time
stamp: 0x4c2ae0bb Exception code: 0xc00000fd Fault offset: 0x0010a51f Faulting process
id: 0xe1c Faulting application start time: 0x01cdc42f5131b17f Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: C:\Windows\SysWOW64\mshtml.dll
Report
Id: d35e75e2-3022-11e2-b376-f04da25654bb

Error - 11/17/2012 2:36:58 PM | Computer Name = jah-PC | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed: The server name or address could not be resolved

Error - 11/18/2012 2:49:37 PM | Computer Name = jah-PC | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 11/18/2012 2:49:43 PM | Computer Name = jah-PC | Source = SideBySide | ID = 16842811
Description = Activation context generation failed for "c:\program files (x86)\microsoft\search
enhancement pack\search helper\searchhelper.dll".Error in manifest or policy file
"c:\program files (x86)\microsoft\search enhancement pack\search helper\searchhelper.dll"
on line 2. Invalid Xml syntax.

Error - 11/19/2012 3:25:02 PM | Computer Name = jah-PC | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed:

Error - 11/19/2012 3:31:49 PM | Computer Name = jah-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: mshtml.dll, version: 8.0.7600.16625, time
stamp: 0x4c2ae0bb Exception code: 0xc00000fd Fault offset: 0x000dbfeb Faulting process
id: 0x1058 Faulting application start time: 0x01cdc68bd1fee053 Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: C:\Windows\SysWOW64\mshtml.dll
Report
Id: c28a25bd-327f-11e2-b376-f04da25654bb

Error - 11/21/2012 5:14:57 PM | Computer Name = jah-PC | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed: There are currently no active network connections. Background
Intelligent Transfer Service (BITS) will try again when an adapter is connected.


Error - 11/22/2012 7:00:44 PM | Computer Name = jah-PC | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed: There are currently no active network connections. Background
Intelligent Transfer Service (BITS) will try again when an adapter is connected.


[ Media Center Events ]
Error - 4/4/2012 2:07:16 AM | Computer Name = jah-PC | Source = MCUpdate | ID = 0
Description = 12:07:15 AM - Error connecting to the internet. 12:07:15 AM - Unable
to contact server..

Error - 4/4/2012 2:22:15 PM | Computer Name = jah-PC | Source = MCUpdate | ID = 0
Description = 12:22:15 PM - Error connecting to the internet. 12:22:15 PM - Unable
to contact server..

Error - 4/4/2012 2:22:21 PM | Computer Name = jah-PC | Source = MCUpdate | ID = 0
Description = 12:22:20 PM - Error connecting to the internet. 12:22:20 PM - Unable
to contact server..

Error - 4/5/2012 2:08:41 AM | Computer Name = jah-PC | Source = MCUpdate | ID = 0
Description = 12:08:41 AM - Error connecting to the internet. 12:08:41 AM - Unable
to contact server..

Error - 4/5/2012 2:08:47 AM | Computer Name = jah-PC | Source = MCUpdate | ID = 0
Description = 12:08:46 AM - Error connecting to the internet. 12:08:46 AM - Unable
to contact server..

Error - 4/5/2012 2:39:49 PM | Computer Name = jah-PC | Source = MCUpdate | ID = 0
Description = 12:39:49 PM - Error connecting to the internet. 12:39:49 PM - Unable
to contact server..

Error - 4/5/2012 2:39:55 PM | Computer Name = jah-PC | Source = MCUpdate | ID = 0
Description = 12:39:54 PM - Error connecting to the internet. 12:39:54 PM - Unable
to contact server..

Error - 4/6/2012 2:05:36 AM | Computer Name = jah-PC | Source = MCUpdate | ID = 0
Description = 12:05:36 AM - Error connecting to the internet. 12:05:36 AM - Unable
to contact server..

Error - 4/6/2012 2:05:42 AM | Computer Name = jah-PC | Source = MCUpdate | ID = 0
Description = 12:05:41 AM - Error connecting to the internet. 12:05:41 AM - Unable
to contact server..

Error - 7/11/2012 1:20:36 AM | Computer Name = jah-PC | Source = MCUpdate | ID = 0
Description = 11:20:29 PM - Error connecting to the internet. 11:20:29 PM - Unable
to contact server..

[ System Events ]
Error - 11/23/2012 1:18:20 PM | Computer Name = jah-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x8007001f Error description: A device attached to the system is
not functioning. Reason: %%837

Error - 11/23/2012 1:18:20 PM | Computer Name = jah-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%886 Error Code: 0x8007001f Error description: A device attached to the system is
not functioning. Reason: %%837

Error - 11/23/2012 1:19:23 PM | Computer Name = jah-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
MpFilter

Error - 11/23/2012 1:21:25 PM | Computer Name = jah-PC | Source = Service Control Manager | ID = 7023
Description = The Software Protection service terminated with the following error:
%%5

Error - 11/23/2012 1:38:18 PM | Computer Name = jah-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%834 Error Code: 0x8007001f Error description: A device attached to the system is
not functioning. Reason: %%842

Error - 11/23/2012 1:38:18 PM | Computer Name = jah-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x8007001f Error description: A device attached to the system is
not functioning. Reason: %%842

Error - 11/23/2012 1:38:18 PM | Computer Name = jah-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%834 Error Code: 0x8007001f Error description: A device attached to the system is
not functioning. Reason: %%837

Error - 11/23/2012 1:38:18 PM | Computer Name = jah-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x8007001f Error description: A device attached to the system is
not functioning. Reason: %%837

Error - 11/23/2012 1:38:18 PM | Computer Name = jah-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%886 Error Code: 0x8007001f Error description: A device attached to the system is
not functioning. Reason: %%837

Error - 11/23/2012 1:39:22 PM | Computer Name = jah-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
MpFilter


< End of report >
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code: 
    :OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

==============================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

3. Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.

4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
This topic is marked as abandoned and closed due to inactivity.
This member will NOT be eligible to receive any more help in malware removal forum.
 
Thank you..I am sorry. Here are my logs.

OTL
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: jah
->Temp folder emptied: 19763580 bytes
->Temporary Internet Files folder emptied: 199380275 bytes
->Java cache emptied: 17760 bytes
->FireFox cache emptied: 133554914 bytes
->Flash cache emptied: 88056 bytes

User: JMS
->Temp folder emptied: 66784 bytes
->Temporary Internet Files folder emptied: 28831368 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 93385479 bytes
->Flash cache emptied: 694 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 211301 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
RecycleBin emptied: 94690707 bytes

Total Files Cleaned = 544.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: jah
->Java cache emptied: 0 bytes

User: JMS
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: jah
->Flash cache emptied: 0 bytes

User: JMS
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12042012_185306

Files\Folders moved on Reboot...
C:\Users\jah\AppData\Local\Temp\13DC.tmp moved successfully.
C:\Users\jah\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\jah\AppData\Local\Temp\~DF435FBE2422B32E4B.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DF6AC7763C287A74A8.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DF6F29F10DBCAAC0E2.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DFA0168015862E40D6.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DFA69E36B3C8996701.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DFBD1169CB6E337804.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DFC1A45638AFD1C570.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DFE48C5F85AEE04A96.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DFE4F81341B72B85C2.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DFEA278AB93167C60B.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DFEBB078BB67454A85.TMP not found!
File\Folder C:\Users\jah\AppData\Local\Temp\~DFF856DB0ACFA0EBAF.TMP not found!
C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZUTSVEPX\feed[1].css moved successfully.
C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZUTSVEPX\feed[1].js moved successfully.
File\Folder C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZUTSVEPX\jquery-ui.min[1].js not found!
C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZUTSVEPX\smartmomdeals_com[1].htm moved successfully.
C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZUTSVEPX\style_2.1.1[1].css moved successfully.
C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B01IAKAG\inlinekeywords[1].js moved successfully.
C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B01IAKAG\jquery-1.4.2.min[1].js moved successfully.
C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B01IAKAG\pconfig[1].js moved successfully.
C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B01IAKAG\script_2.1.1[1].js moved successfully.
C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B01IAKAG\styles[1].css moved successfully.
File\Folder C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A099X3PP\all[1].js not found!
File\Folder C:\Users\jah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A099X3PP\google_service[1].js not found!
File move failed. C:\Windows\temp\sndappv2.log scheduled to be moved on reboot.
C:\Windows\temp\~DF5181E2C023A22A4D.TMP moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Security Check
Results of screen317's Security Check version 0.99.56
Windows 7 x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java(TM) 6 Update 37
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.4.402.287 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox 16.0.2 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

FSS
Farbar Service Scanner Version: 04-12-2012
Ran by jah (administrator) on 04-12-2012 at 19:07:29
Running from "C:\Users\jah\Desktop"
Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Waiting on EST...will post when complete...
 
You must log in or register to reply here.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
792
uber_beetle
uber_beetle
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni

Latest posts

Back