Solved YAS (yet another sirefef)

G

Gary Chapman

Posts: 8   +0
Hello and thanks (in advance) for all the help you are providing people. I believe I have carefully read the sirefef instructions, and here are the results of FRST (scan then services.exe search from repair cmd window). FYI this infection seemed to come with a "normal" flash update, which is scary if true.

Thank you, very much. FRST.txt and Search.txt attached.
 

Attachments

  • FRST.txt
    18.7 KB · Views: 0
  • Search.txt
    838 bytes · Views: 1
sorry, didn't notice the "paste don't attach" rule ...

FRST.txt
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 31-07-2012 19:28:02
Running from E:\
Windows Vista (TM) Home Premium Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe [36864 2008-03-03] (Creative Technology Ltd.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2008-03-05] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [133656 2008-03-05] (Intel Corporation)
HKLM\...\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [174872 2007-03-21] (Intel Corporation)
HKLM\...\Run: [] [x]
HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
HKLM\...\Run: [SKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe [262144 2007-02-09] (LITE-ON TECHNOLOGY CORP.)
HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [1848648 2008-03-17] (CANON INC.)
HKLM\...\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE [124256 2010-01-18] (CANON INC.)
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe [3563520 2008-07-03] (Dell Inc.)
HKLM\...\Run: [Password Keychain] C:\Program Files\Password Keychain\Passkeychain.exe /H [1437696 2003-07-16] (NFX Technologies)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Kelley\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Kelley\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2008-12-03] (Google Inc.)
HKU\Kelley\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Kelley\...\Run: [Apple] rundll32.exe "C:\Users\Kelley\AppData\Local\Apple Computer\Apple\xugvuplhg.dll",CreateInstance [690176 2012-07-22] (Microsoft Corporation)
HKU\Kelley\...\Run: [pobind] rundll32.exe "C:\Users\Kelley\AppData\Roaming\pobind.dll",GetTextureFormats [136192 2012-07-30] (Crytek)
HKU\Kelley\...\Run: [obine] "C:\Windows\System32\rundll32.exe" "C:\Users\Kelley\AppData\Roaming\obine.dll",ExceptionMatches [436736 2012-07-30] (Andrew Zhezherun)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 167.206.251.129 167.206.251.130 192.168.1.1
Tcpip\..\Interfaces\{6455F280-B22C-40DA-BE2E-BEF3680BBCA5}: [NameServer]9.0.2.1,9.0.3.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\AutorunsDisabled ()

================================ Services (Whitelisted) ==================

2 CSHelper; C:\Windows\system32\CSHelper.exe [266240 2009-02-18] ()
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
2 FreeAgentGoNext Service; "C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe" [189736 2009-09-25] (Seagate Technology LLC)
3 GoogleDesktopManager-110309-193829; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2009-11-28] (Google)
4 gupdate1c9fe96e1e05766; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-07-06] (Google Inc.)
2 LPDSVC; C:\Windows\System32\lpdsvc.dll [35328 2008-01-20] (Microsoft Corporation)
2 NetCfgSvr; C:\Program Files\AT&T Network Client\netcfgsvr.exe [619872 2009-10-07] (AT&T)
2 NetClientSvc; "C:\Program Files\AT&T Network Client\NetClientSvc.exe" [263520 2009-10-07] (AT&T)
4 RoxLiveShare10; "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [309744 2008-05-14] (Sonic Solutions)
4 RoxWatch10; "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe" [166384 2008-05-14] (Sonic Solutions)
2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-07-03] (Skype Technologies)
2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter [201968 2008-08-13] (SupportSoft, Inc.)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe [102400 2008-02-15] (IDT, Inc.)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
4 SessionLauncher; C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]

========================== Drivers (Whitelisted) =============

3 agnfilt; C:\Windows\System32\DRIVERS\agnfilt.sys [219776 2009-10-07] (AT&T)
3 avpnnic; C:\Windows\System32\DRIVERS\avpnnic.sys [11392 2008-12-09] (AT&T)
3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2008-07-03] (Broadcom Corporation)
3 IntcHdmiAddService; C:\Windows\System32\drivers\IntcHdmi.sys [111616 2008-03-05] (Intel(R) Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [23360 2006-10-23] (Primax Electronics Ltd.)
3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [16192 2006-10-23] (Primax Electronics Ltd.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-31 19:27 - 2012-07-31 19:27 - 00000000 ____D C:\FRST
2012-07-30 19:21 - 2012-07-30 19:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-30 18:43 - 2012-07-30 18:43 - 00436736 ____A (Andrew Zhezherun) C:\Users\Kelley\AppData\Roaming\obine.dll
2012-07-30 18:43 - 2012-07-30 18:43 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-30 18:42 - 2012-07-30 19:35 - 00000000 ____D C:\Users\Kelley\AppData\Roaming\xsecva
2012-07-30 18:42 - 2012-07-30 18:42 - 00136192 ____A (Crytek) C:\Users\Kelley\AppData\Roaming\pobind.dll
2012-07-19 17:17 - 2012-07-19 17:17 - 00000344 ____A C:\Windows\PFRO.log
2012-07-19 16:41 - 2012-07-19 16:41 - 00000000 ____D C:\Users\All Users\Cisco Systems
2012-07-10 19:32 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-10 19:27 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-10 19:27 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-10 19:27 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-10 19:27 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-10 19:27 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-10 19:27 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-10 19:27 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-10 19:27 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-10 19:27 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-10 19:27 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-10 19:27 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-10 19:27 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-10 19:27 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-10 19:27 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-10 18:07 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 18:07 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 18:07 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 18:07 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 18:07 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 18:07 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

============ 3 Months Modified Files ========================

2012-07-31 15:23 - 2008-12-25 10:18 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-07-31 15:23 - 2006-11-02 05:01 - 00032622 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-31 15:23 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-31 15:23 - 2006-11-02 04:47 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-31 15:23 - 2006-11-02 04:47 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-31 15:21 - 2009-06-27 08:47 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-30 19:23 - 2011-08-09 10:58 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-30 19:22 - 2008-12-02 21:37 - 01347841 ____A C:\Windows\WindowsUpdate.log
2012-07-30 19:21 - 2006-11-02 02:33 - 00722118 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-30 18:43 - 2012-07-30 18:43 - 00436736 ____A (Andrew Zhezherun) C:\Users\Kelley\AppData\Roaming\obine.dll
2012-07-30 18:42 - 2012-07-30 18:42 - 00136192 ____A (Crytek) C:\Users\Kelley\AppData\Roaming\pobind.dll
2012-07-30 18:22 - 2012-04-15 02:28 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-30 18:22 - 2011-05-18 14:39 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-19 17:17 - 2012-07-19 17:17 - 00000344 ____A C:\Windows\PFRO.log
2012-07-13 18:28 - 2012-04-15 11:47 - 00002377 ____A C:\Users\Kelley\Desktop\Skype.lnk
2012-07-11 18:21 - 2006-11-02 04:47 - 00436152 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-10 19:31 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
2012-07-10 19:27 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-13 05:40 - 2012-07-10 19:32 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:47 - 2012-07-10 18:07 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 08:47 - 2012-07-10 18:07 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 08:47 - 2012-07-10 18:07 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 07:26 - 2012-07-10 18:07 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-25 18:11 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-25 18:11 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-25 18:11 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-25 18:10 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-25 18:10 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-25 18:11 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-25 18:10 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-25 18:10 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-25 18:10 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-10 19:27 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-10 19:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-10 19:27 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-10 19:27 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-10 19:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-10 19:27 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-10 19:27 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-10 19:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-10 19:27 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-10 19:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-10 19:27 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-10 19:27 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-10 19:27 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-10 19:27 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 16:04 - 2012-07-10 18:07 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:03 - 2012-07-10 18:07 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

ZeroAccess:
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\n
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\00000004.@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\201d3dde

ZeroAccess:
C:\Users\Kelley\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}
C:\Users\Kelley\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
C:\Users\Kelley\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L
C:\Users\Kelley\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 3061.31 MB
Available physical RAM: 2740.62 MB
Total Pagefile: 2959.98 MB
Available Pagefile: 2820.23 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.31 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:220.58 GB) (Free:114.61 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (My Public) (Removable) (Total:0.49 GB) (Free:0.46 GB) FAT32
4 Drive x: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:4.13 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B
Disk 1 Online 30 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 32 KB
Partition 2 Primary 10 GB 40 MB
Partition 3 Primary 221 GB 10 GB
Partition 0 Extended 2559 MB 230 GB
Partition 4 Logical 2558 MB 230 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 X RECOVERY NTFS Partition 10 GB Healthy Boot

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 221 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : DD
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 500 MB 32 KB
Partition 0 Primary 30 GB 500 MB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E My Public FAT32 Removable 500 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-30 18:26

======================= End Of Log ==========================

Search.txt
Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-31 19:30:04
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-06-27 08:47] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2009-06-27 08:47] - [2012-07-31 15:21] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

============================================

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next....

Restart normally.


Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 

Attachments

  • fixlist.txt
    817 bytes · Views: 3
Fixlog.txt
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-31 21:44:43 Run:1
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_USERS\Kelley\Software\Microsoft\Windows\CurrentVersion\Run\\pobind Value deleted successfully.
C:\Users\Kelley\AppData\Roaming\pobind.dll moved successfully.
HKEY_USERS\Kelley\Software\Microsoft\Windows\CurrentVersion\Run\\obine Value deleted successfully.
C:\Users\Kelley\AppData\Roaming\obine.dll moved successfully.
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b} moved successfully.
C:\Users\Kelley\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Downloaded ComboFix to desktop, shut off MSE real time protection, ran ComboFix (no problems starting or running, did not need to use Rkill), observed it complete 50 stages, deleted files, rebooted, prepare log report ... "SED: can't read catchlog: No such file or directory" (twice) then completed, presented log ... elapsed time about 25 min

ComboFix.txt
ComboFix 12-07-30.03 - Kelley 07/31/2012 22:03:02.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.1952 [GMT -4:00]
Running from: c:\users\Kelley\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Kelley\AppData\Local\Apple Computer\Apple\xugvuplhg.dll
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
.
.
2012-08-01 03:27 . 2012-08-01 03:28--------d-----w-C:\FRST
2012-07-31 03:25 . 2012-02-09 18:17713784----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-07-31 03:25 . 2012-02-09 18:17713784----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{47A6CFF1-5239-40B3-872B-B26255878B85}\gapaengine.dll
2012-07-31 03:23 . 2012-07-16 06:416891424----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D711E386-1B9B-405F-86D2-C8DEBC833618}\mpengine.dll
2012-07-31 03:21 . 2012-07-31 03:21--------d-----w-c:\program files\Microsoft Security Client
2012-07-31 02:43 . 2012-07-31 02:43--------d-sh--w-c:\windows\system32\%APPDATA%
2012-07-31 02:42 . 2012-07-31 03:35--------d-----w-c:\users\Kelley\AppData\Roaming\xsecva
2012-07-20 00:41 . 2012-07-20 00:41--------d-----w-c:\programdata\Cisco Systems
2012-07-11 03:32 . 2012-06-13 13:402047488----a-w-c:\windows\system32\win32k.sys
2012-07-11 02:07 . 2012-06-05 16:47708608----a-w-c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 02:07 . 2012-06-05 16:471401856----a-w-c:\windows\system32\msxml6.dll
2012-07-11 02:07 . 2012-06-05 16:471248768----a-w-c:\windows\system32\msxml3.dll
2012-07-11 02:07 . 2012-06-04 15:26440704----a-w-c:\windows\system32\drivers\ksecdd.sys
2012-07-11 02:07 . 2012-06-02 00:04278528----a-w-c:\windows\system32\schannel.dll
2012-07-11 02:07 . 2012-06-02 00:03204288----a-w-c:\windows\system32\ncrypt.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-31 02:39 . 2012-07-31 02:39111104----a-w-c:\programdata\Microsoft\Windows\DRM\5CEE.tmp
2012-07-31 02:22 . 2012-04-15 10:28426184----a-w-c:\windows\system32\FlashPlayerApp.exe
2012-07-31 02:22 . 2011-05-18 22:3970344----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-26 02:1153784----a-w-c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-26 02:1145080----a-w-c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-26 02:1035864----a-w-c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-26 02:10577048----a-w-c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-26 02:111933848----a-w-c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-26 02:112422272----a-w-c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-26 02:1088576----a-w-c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-26 02:10171904----a-w-c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-26 02:1033792----a-w-c:\windows\system32\wuapp.exe
2009-11-28 15:33 . 2009-11-28 15:33119808----a-w-c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-03 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Mouse Suite 98 Daemon"="ICO.EXE" [2008-01-28 81920]
"SKDaemon.exe"="c:\program files\Lenovo\Productivity Keyboard\SKDaemon.exe" [2007-02-09 262144]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2010-01-19 124256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-07-03 3563520]
"Password Keychain"="c:\program files\Password Keychain\Passkeychain.exe" [2003-07-17 1437696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
AT&T Network Client Monitor.lnk - c:\windows\Installer\{3FE002CF-E709-4CCB-82EF-966B6C911D6A}\NetGM1_89563E53ECF44E868145468A128BDC83.exe [2010-4-16 58672]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-3 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcsREG_MULTI_SZ BthServ
WindowsMobileREG_MULTI_SZ wcescomm rapimgr
LocalServiceRestrictedREG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache
LPDServiceREG_MULTI_SZ LPDSVC
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-07 00:07]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-07 00:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130 192.168.1.1
TCP: Interfaces\{6455F280-B22C-40DA-BE2E-BEF3680BBCA5}: NameServer = 9.0.2.1,9.0.3.1
DPF: {A6616B31-4860-41E2-98E3-CA7649AF172F} - file:///E:/launch.ocx
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Apple - c:\users\Kelley\AppData\Local\Apple Computer\Apple\xugvuplhg.dll
MSConfigStartUp-PCMService - c:\program files\Dell\MediaDirect\PCMService.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\CSHelper.exe
c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\AT&T Network Client\netcfgsvr.exe
c:\program files\AT&T Network Client\NetClientSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-07-31 22:20:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-01 02:17
.
Pre-Run: 122,856,386,560 bytes free
Post-Run: 123,033,292,800 bytes free
.
- - End Of File - - A4FB8D4A297E132566F50762E000FCD2

rebooted, enabled MSE real-time protection (but did not scan) ... Attempted to update MSE ... FAILS (tried 3 times) ... it seems to start downloading, then looses internet connection and says to "check it". Basic browsing in IE seems to work well.
 
Combofix log looks good.

Reinstall MSE.

Then....

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer IF MBAM asks you to do so.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

======================================

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
(thank you again for all this help)
MSE reinstalled, updated
MBAM surprisingly clean
OTL Extras is NOT clean
------------------------------------------------------------------------------------------
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.02.01
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Kelley :: KELLEY-PC [administrator]
8/1/2012 9:47:10 PM
mbam-log-2012-08-01 (21-47-10).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193543
Time elapsed: 10 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-------------------------------------------------------------------------------------------------------------

OTL.txt
------------------------------------------------------------------------------------------------------------
OTL logfile created on: 8/1/2012 10:05:10 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\Kelley\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.67 Gb Available Physical Memory | 55.99% Memory free
6.17 Gb Paging File | 4.78 Gb Available in Paging File | 77.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.58 Gb Total Space | 114.74 Gb Free Space | 52.02% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 4.13 Gb Free Space | 42.26% Space Free | Partition Type: NTFS

Computer Name: KELLEY-PC | User Name: Kelley | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/01 21:49:53 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Users\Kelley\Desktop\OTL.exe
PRC - [2012/07/30 22:22:30 | 000,686,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\Macromed\Flash\FlashUtil32_11_3_300_268_ActiveX.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/02/28 21:14:46 | 000,307,824 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2009/10/07 12:36:20 | 000,263,520 | ---- | M] (AT&T) -- C:\Program Files\AT&T Network Client\NetClientSvc.exe
PRC - [2009/10/07 12:36:18 | 000,619,872 | ---- | M] (AT&T) -- C:\Program Files\AT&T Network Client\netcfgsvr.exe
PRC - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/02/18 21:57:47 | 000,266,240 | ---- | M] () -- C:\Windows\System32\CSHelper.exe
PRC - [2008/08/14 01:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/03/04 01:05:24 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2008/02/15 18:25:34 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\stacsv.exe
PRC - [2008/01/28 18:45:58 | 000,081,920 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\ico.exe
PRC - [2007/11/12 07:07:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
PRC - [2007/03/21 15:00:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/03/21 15:00:00 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/02/09 16:00:54 | 000,262,144 | ---- | M] (LITE-ON TECHNOLOGY CORP.) -- C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/17 21:59:56 | 011,820,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\508b444db523c5cf20ff12c7f440837b\System.Web.ni.dll
MOD - [2012/05/10 15:16:23 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\846b9cf2756fdd15f704c9bab9c70b6f\System.Runtime.Remoting.ni.dll
MOD - [2012/05/10 14:52:48 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
MOD - [2012/05/10 14:52:35 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
MOD - [2008/07/03 09:42:04 | 000,055,808 | ---- | M] () -- C:\Windows\System32\bcmwlrmt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe -- (SessionLauncher)
SRV - [2012/07/03 13:19:28 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2009/10/07 12:36:20 | 000,263,520 | ---- | M] (AT&T) [Auto | Running] -- C:\Program Files\AT&T Network Client\NetClientSvc.exe -- (NetClientSvc)
SRV - [2009/10/07 12:36:18 | 000,619,872 | ---- | M] (AT&T) [Auto | Running] -- C:\Program Files\AT&T Network Client\netcfgsvr.exe -- (NetCfgSvr)
SRV - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2009/02/18 21:57:47 | 000,266,240 | ---- | M] () [Auto | Running] -- C:\Windows\System32\CSHelper.exe -- (CSHelper)
SRV - [2008/08/14 01:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter)
SRV - [2008/05/14 12:32:18 | 000,309,744 | ---- | M] (Sonic Solutions) [Disabled | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2008/05/14 12:32:10 | 000,166,384 | ---- | M] (Sonic Solutions) [Disabled | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2008/05/14 12:31:38 | 001,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2008/02/15 18:25:34 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\stacsv.exe -- (STacSV)
SRV - [2008/01/20 22:25:27 | 000,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\lpdsvc.dll -- (LPDSVC)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/12 07:07:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/05/31 10:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 10:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2007/03/21 15:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2009/10/07 12:40:44 | 000,219,776 | R--- | M] (AT&T) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agnfilt.sys -- (agnfilt)
DRV - [2008/12/09 12:13:08 | 000,011,392 | ---- | M] (AT&T) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\avpnnic.sys -- (avpnnic)
DRV - [2008/07/03 09:41:54 | 000,018,424 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm42rly.sys -- (BCM42RLY)
DRV - [2008/06/23 08:45:44 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2008/05/04 05:25:24 | 000,164,400 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/03/06 03:58:44 | 000,111,616 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV - [2008/03/04 01:05:34 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2008/03/04 01:05:18 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2008/02/15 18:27:02 | 000,330,752 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2008/01/20 22:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)
DRV - [2008/01/20 22:23:21 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/09/06 12:35:16 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/09/06 12:35:14 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/09/06 12:35:12 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/02 03:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/10/23 14:56:56 | 000,016,192 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PELUSBLF.SYS -- (pelusblf)
DRV - [2006/10/23 14:55:26 | 000,023,360 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PELMOUSE.SYS -- (pelmouse)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...&oe={outputEncoding}&sourceid=ie7&rlz=1I7DMUS


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2075852643-1379254224-2315044420-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKU\S-1-5-21-2075852643-1379254224-2315044420-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-2075852643-1379254224-2315044420-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-2075852643-1379254224-2315044420-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=d9InZprGHecCXNHmXC_cpvj4K5o?q={searchTerms}
IE - HKU\S-1-5-21-2075852643-1379254224-2315044420-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=13: C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/07/01 09:19:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/08/18 20:17:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kelley\AppData\Roaming\Mozilla\Extensions
[2010/06/21 18:54:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kelley\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/01/02 12:21:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kelley\AppData\Roaming\Mozilla\Sunbird\Profiles\2w1w70u5.default\extensions
[2011/08/18 20:17:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/01/02 13:14:34 | 000,000,000 | ---D | M] (No name found) -- C:\PROGRAM FILES\MOZILLA SUNBIRD\EXTENSIONS\{E2FDA1A4-762B-4020-B5AD-A41DF1933103}
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA SUNBIRD\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA SUNBIRD\EXTENSIONS\TALKBACK@MOZILLA.ORG

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:eek:riginalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms},
CHR - homepage: http://my.myway.com/
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Kelley\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.79\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.79\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Kelley\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Facebook = C:\Users\Kelley\AppData\Local\Google\Chrome\User Data\Default\Extensions\boeajhmfdjldchidhphikilcgdacljfm\1_0\
CHR - Extension: Google Search = C:\Users\Kelley\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Nice Translator = C:\Users\Kelley\AppData\Local\Google\Chrome\User Data\Default\Extensions\echdnikijbegadnenjfmhfjflclkjcbp\3_0\
CHR - Extension: AdBlock = C:\Users\Kelley\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.22_0\
CHR - Extension: Google Calendar (by Google) = C:\Users\Kelley\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmbgaklkmjakoegficnlkhebmhkjfich\0.7_0\
CHR - Extension: Google Mail Checker = C:\Users\Kelley\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\3.2_0\
CHR - Extension: Gmail = C:\Users\Kelley\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/07/31 22:10:47 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE (CANON INC.)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\Windows\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [Password Keychain] C:\Program Files\Password Keychain\Passkeychain.exe (NFX Technologies)
O4 - HKLM..\Run: [SKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe (LITE-ON TECHNOLOGY CORP.)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2075852643-1379254224-2315044420-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2075852643-1379254224-2315044420-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O15 - HKU\S-1-5-21-2075852643-1379254224-2315044420-1000\..Trusted Domains: localhost ([]http in Local intranet)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {A6616B31-4860-41E2-98E3-CA7649AF172F} file:///E:/launch.ocx (Launch Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.251.129 167.206.251.130 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6455F280-B22C-40DA-BE2E-BEF3680BBCA5}: NameServer = 9.0.2.1,9.0.3.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9528A93C-3D6E-4198-B32E-06D0E5985BF3}: DhcpNameServer = 167.206.251.129 167.206.251.130 192.168.1.1
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Kelley\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kelley\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/01 21:49:40 | 000,597,504 | ---- | C] (OldTimer Tools) -- C:\Users\Kelley\Desktop\OTL.exe
[2012/08/01 21:46:22 | 000,000,000 | ---D | C] -- C:\Users\Kelley\AppData\Roaming\Malwarebytes
[2012/08/01 21:45:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/08/01 21:45:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/08/01 21:45:35 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/08/01 21:45:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/08/01 21:39:24 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/08/01 21:32:46 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Kelley\Desktop\mbam-setup-1.62.0.1300.exe
[2012/07/31 23:27:48 | 000,000,000 | ---D | C] -- C:\FRST
[2012/07/31 22:20:07 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/07/31 22:20:07 | 000,000,000 | ---D | C] -- C:\Users\Kelley\AppData\Local\temp
[2012/07/31 22:11:02 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/07/31 22:01:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/07/31 22:01:01 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/07/31 22:01:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/07/31 22:00:58 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/07/31 22:00:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/31 22:00:47 | 000,000,000 | R--D | C] -- C:\Users\Kelley\Videos
[2012/07/31 22:00:36 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/07/31 21:57:39 | 004,721,982 | R--- | C] (Swearware) -- C:\Users\Kelley\Desktop\ComboFix.exe
[2012/07/30 22:43:36 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/07/30 22:42:19 | 000,000,000 | ---D | C] -- C:\Users\Kelley\AppData\Roaming\xsecva
[2012/07/19 20:41:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Cisco Systems
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/08/01 21:49:53 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Users\Kelley\Desktop\OTL.exe
[2012/08/01 21:39:41 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/08/01 21:39:30 | 000,606,880 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/08/01 21:39:30 | 000,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/08/01 21:33:04 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Kelley\Desktop\mbam-setup-1.62.0.1300.exe
[2012/08/01 21:27:12 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/01 21:27:12 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/01 21:26:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/31 22:52:25 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/07/31 22:47:54 | 000,000,161 | ---- | M] () -- C:\Users\Kelley\Desktop\YAS (yet another sirefef).url
[2012/07/31 22:10:47 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/07/31 21:57:33 | 004,721,982 | R--- | M] (Swearware) -- C:\Users\Kelley\Desktop\ComboFix.exe
[2012/07/29 22:42:14 | 000,069,163 | ---- | M] () -- C:\Users\Kelley\Documents\HCRA submission.pdf
[2012/07/28 21:38:34 | 000,004,597 | ---- | M] () -- C:\Users\Kelley\Documents\Greg's Credit card charges.pdf
[2012/07/28 20:59:34 | 000,152,059 | ---- | M] () -- C:\Users\Kelley\Documents\Optimum bill.pdf
[2012/07/18 22:00:11 | 000,086,070 | ---- | M] () -- C:\Users\Kelley\Documents\Panera.pdf
[2012/07/17 22:34:51 | 000,002,193 | ---- | M] () -- C:\Users\Kelley\Documents\Jake dental.pdf
[2012/07/17 22:33:10 | 000,334,154 | ---- | M] () -- C:\Users\Kelley\Documents\Greg dental.pdf
[2012/07/17 19:41:42 | 000,002,401 | ---- | M] () -- C:\Users\Kelley\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2012/07/13 22:28:15 | 000,002,377 | ---- | M] () -- C:\Users\Kelley\Desktop\Skype.lnk
[2012/07/11 22:21:10 | 000,436,152 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/08/01 21:39:33 | 000,001,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/07/31 22:47:54 | 000,000,161 | ---- | C] () -- C:\Users\Kelley\Desktop\YAS (yet another sirefef).url
[2012/07/31 22:01:01 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/07/31 22:01:01 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/07/31 22:01:01 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/07/31 22:01:01 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/07/31 22:01:01 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/07/29 22:42:12 | 000,069,163 | ---- | C] () -- C:\Users\Kelley\Documents\HCRA submission.pdf
[2012/07/28 21:38:33 | 000,004,597 | ---- | C] () -- C:\Users\Kelley\Documents\Greg's Credit card charges.pdf
[2012/07/28 20:59:28 | 000,152,059 | ---- | C] () -- C:\Users\Kelley\Documents\Optimum bill.pdf
[2012/07/18 22:00:10 | 000,086,070 | ---- | C] () -- C:\Users\Kelley\Documents\Panera.pdf
[2012/07/17 22:34:28 | 000,002,193 | ---- | C] () -- C:\Users\Kelley\Documents\Jake dental.pdf
[2012/07/17 22:32:54 | 000,334,154 | ---- | C] () -- C:\Users\Kelley\Documents\Greg dental.pdf
[2011/08/18 20:21:29 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2010/11/10 21:31:58 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010/06/21 19:17:23 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/05/31 11:06:28 | 000,430,256 | ---- | C] () -- C:\Users\Kelley\AppData\Local\rx_image32.Cache
[2010/05/31 11:06:27 | 000,012,648 | ---- | C] () -- C:\Users\Kelley\AppData\Local\rx_audio.Cache
[2009/10/07 12:05:00 | 000,144,236 | ---- | C] () -- C:\ProgramData\DeviceManager.xml.rc4
[2009/07/04 13:07:06 | 000,024,206 | ---- | C] () -- C:\Users\Kelley\AppData\Roaming\UserTile.png
[2009/02/19 20:16:12 | 000,000,680 | ---- | C] () -- C:\Users\Kelley\AppData\Local\d3d9caps.dat
[2008/12/28 13:47:10 | 000,413,696 | ---- | C] () -- C:\Users\Kelley\AppData\Local\filesync.metadata
[2008/12/11 21:24:50 | 000,044,544 | ---- | C] () -- C:\Users\Kelley\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2009/02/06 23:17:00 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\.purple
[2009/01/01 16:24:49 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\acccore
[2011/08/18 19:32:27 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\Canon
[2010/01/18 23:59:17 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\enchant
[2009/10/08 21:10:29 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\iolo
[2009/02/19 23:54:29 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\LAIM
[2010/01/23 13:35:17 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\Leadertech
[2008/12/12 01:20:53 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\OpenOffice.org
[2009/04/09 00:15:28 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\Opera
[2009/07/04 13:07:06 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\PeerNetworking
[2008/12/12 15:04:21 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\PlayFirst
[2010/11/13 23:20:49 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\Saore
[2010/02/10 17:47:08 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\Sierra Wireless
[2012/03/10 21:24:28 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\TaxCut
[2010/06/21 18:54:57 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\Thunderbird
[2010/08/10 23:41:15 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\WeatherWatcher
[2012/07/30 23:35:36 | 000,000,000 | ---D | M] -- C:\Users\Kelley\AppData\Roaming\xsecva
[2012/07/31 22:52:25 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >
 
OTL Extras.Txt is NOT CLEAN:

OTL Extras logfile created on: 8/1/2012 10:05:10 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\Kelley\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.67 Gb Available Physical Memory | 55.99% Memory free
6.17 Gb Paging File | 4.78 Gb Available in Paging File | 77.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.58 Gb Total Space | 114.74 Gb Free Space | 52.02% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 4.13 Gb Free Space | 42.26% Space Free | Partition Type: NTFS

Computer Name: KELLEY-PC | User Name: Kelley | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-2075852643-1379254224-2315044420-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{03CAB33F-D1C2-48C6-8766-DAE84DFC25FE}" = Microsoft Sync Framework Services v1.0 (x86)
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP980_series" = Canon MP980 series MP Drivers
"{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}" = Dell DataSafe Online
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{294EAADF-E50F-4DD8-AD8D-19587EA10512}" = Modem Diagnostic Tool
"{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D8F9830-D6A3-413A-9A54-993827A73E47}" = DELL0604
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FB3647F-B6A6-46B4-8613-A09BCFAB80F0}" = Roxio Creator Premier 10
"{3FE002CF-E709-4CCB-82EF-966B6C911D6A}" = AT&T Network Client – IBM
"{42D68A86-DB1C-4256-B8C9-5D0D92919AF5}" = Banctec Service Agreement
"{469EF13B-4AD0-48D7-AF89-6B92278293E2}" = Roxio Creator Premier
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B6AD248-D3BF-426A-8D64-847288154F13}" = QuickSet
"{53A19323-917A-4822-B27E-A57D1EF6E9FC}" = H&R Block Deluxe + Efile + State 2009
"{56F59702-1BB9-4C1B-BB8A-FB5F84A90378}" = H&R Block New York 2009
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{6C434B52-8D0F-4080-9649-7497445DDCD4}" = H&R Block New York 2011
"{6D3963B0-E13B-4FC3-B0FF-506A304BB043}" = Cisco EAP-FAST Module
"{70469C1D-DDF0-44A0-B873-9F28B354256C}" = H&R Block Basic + Efile + State 2011
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Roxio CinePlayer Decoder Pack
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{97C82B44-D408-4F14-9252-47FC1636D23E}_is1" = IZArc 3.81
"{989DC5D9-A776-430D-9E16-D36E5B81CD86}" = USB Enhanced Performance Keyboard Software
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A8BD5A60-E843-46DC-8271-ABF20756BE0F}" = Microsoft Sync Framework Runtime v1.0 (x86)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{AFDFC350-C142-4790-BE12-8357AECD028F}" = SyncToy 2.0 (x86)
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator Premier
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{FD2B3CFD-AFBD-4944-A79D-407CB3C24110}" = H&R Block Basic + Efile 2010
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"AIM Lite" = AIM Lite 0.33
"ArtistScope Plugin IE 424.2.0.0" = ArtistScope Plugin IE 42
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card Utility
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011)
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-PhotoPrint Pro" = Canon Utilities Easy-PhotoPrint Pro
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"GTK 2.0" = GTK+ Runtime 2.12.12 rev a (remove only)
"InstallShield_{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"MouseSuite98" = Mouse Suite
"MozBackup" = MozBackup 1.5.1
"Mozilla Thunderbird 14.0 (x86 en-US)" = Mozilla Thunderbird 14.0 (x86 en-US)
"MP Navigator EX 2.0" = Canon MP Navigator EX 2.0
"Password Keychain_is1" = Password Keychain 1.0
"Quick Search Box" = Google Quick Search Box
"VLC media player" = VLC media player 1.0.5

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2075852643-1379254224-2315044420-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"309a46b1dc89b774" = Dell Driver Download Manager

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/31/2012 12:03:21 AM | Computer Name = Kelley-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/31/2012 12:06:35 AM | Computer Name = Kelley-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/31/2012 12:11:06 AM | Computer Name = Kelley-PC | Source = Application Error | ID = 1000
Description = Faulting application msseces.exe, version 4.0.1526.0, time stamp 0x4f710276,
faulting module msseces.exe, version 4.0.1526.0, time stamp 0x4f710276, exception
code 0xc0000005, fault offset 0x000712af, process id 0xbc0, application start time
0x01cd6ed2585ecb64.

Error - 7/31/2012 12:11:08 AM | Computer Name = Kelley-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/31/2012 7:21:15 PM | Computer Name = Kelley-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/31/2012 9:47:09 PM | Computer Name = Kelley-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/31/2012 10:11:15 PM | Computer Name = Kelley-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/31/2012 10:26:16 PM | Computer Name = Kelley-PC | Source = WinMgmt | ID = 10
Description =

Error - 7/31/2012 10:34:51 PM | Computer Name = Kelley-PC | Source = WinMgmt | ID = 10
Description =

Error - 8/1/2012 9:27:51 PM | Computer Name = Kelley-PC | Source = WinMgmt | ID = 10
Description =

[ Broadcom Wireless LAN Events ]
Error - 7/7/2012 4:34:48 PM | Computer Name = Kelley-PC | Source = WLAN-Tray | ID = 0
Description = 16:34:48, Sat, Jul 07, 12 Error - User "" does not have administrative
privileges on this system

Error - 7/7/2012 6:45:19 PM | Computer Name = Kelley-PC | Source = WLAN-Tray | ID = 0
Description = 18:45:19, Sat, Jul 07, 12 Error - User "" does not have administrative
privileges on this system

Error - 7/7/2012 8:47:06 PM | Computer Name = Kelley-PC | Source = WLAN-Tray | ID = 0
Description = 20:47:06, Sat, Jul 07, 12 Error - User "" does not have administrative
privileges on this system

Error - 7/9/2012 7:03:51 PM | Computer Name = Kelley-PC | Source = WLAN-Tray | ID = 0
Description = 19:03:51, Mon, Jul 09, 12 Error - User "" does not have administrative
privileges on this system

Error - 7/20/2012 11:49:10 PM | Computer Name = Kelley-PC | Source = WLAN-Tray | ID = 0
Description = 23:49:10, Fri, Jul 20, 12 Error - User "" does not have administrative
privileges on this system

Error - 7/21/2012 11:13:40 AM | Computer Name = Kelley-PC | Source = WLAN-Tray | ID = 0
Description = 11:13:40, Sat, Jul 21, 12 Error - User "" does not have administrative
privileges on this system

Error - 7/23/2012 7:03:34 AM | Computer Name = Kelley-PC | Source = WLAN-Tray | ID = 0
Description = 07:03:34, Mon, Jul 23, 12 Error - User "" does not have administrative
privileges on this system

Error - 7/23/2012 11:48:50 PM | Computer Name = Kelley-PC | Source = WLAN-Tray | ID = 0
Description = 23:48:50, Mon, Jul 23, 12 Error - User "" does not have administrative
privileges on this system

Error - 7/27/2012 3:44:25 PM | Computer Name = Kelley-PC | Source = WLAN-Tray | ID = 0
Description = 15:44:25, Fri, Jul 27, 12 Error - User "" does not have administrative
privileges on this system

Error - 7/28/2012 1:10:44 AM | Computer Name = Kelley-PC | Source = WLAN-Tray | ID = 0
Description = 01:10:44, Sat, Jul 28, 12 Error - User "" does not have administrative
privileges on this system

[ Media Center Events ]
Error - 12/31/2008 10:49:16 AM | Computer Name = Kelley-PC | Source = Mcx2Dvcs | ID = 401
Description =

Error - 12/31/2008 10:50:29 AM | Computer Name = Kelley-PC | Source = Mcx2Svc | ID = 301
Description =

Error - 12/31/2008 10:56:01 AM | Computer Name = Kelley-PC | Source = McrMgr | ID = 109
Description =

Error - 12/31/2008 11:00:31 AM | Computer Name = Kelley-PC | Source = McrMgr | ID = 109
Description =

Error - 12/31/2008 11:12:04 AM | Computer Name = Kelley-PC | Source = McrMgr | ID = 109
Description =

Error - 12/31/2008 11:15:58 AM | Computer Name = Kelley-PC | Source = McrMgr | ID = 109
Description =

Error - 12/31/2008 11:20:20 AM | Computer Name = Kelley-PC | Source = McrMgr | ID = 109
Description =

Error - 4/30/2009 7:29:23 PM | Computer Name = Kelley-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 8/1/2012 9:35:22 PM | Computer Name = Kelley-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 8/1/2012 9:39:53 PM | Computer Name = Kelley-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%859 Update Stage: %%853

Source
Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80240022 Error description:
The program can't check for definition updates.

Error - 8/1/2012 9:39:53 PM | Computer Name = Kelley-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%859 Update Stage: %%853

Source
Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80240022 Error description:
The program can't check for definition updates.

Error - 8/1/2012 9:40:38 PM | Computer Name = Kelley-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%859 Update Stage: %%853

Source
Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80240022 Error description:
The program can't check for definition updates.

Error - 8/1/2012 9:40:38 PM | Computer Name = Kelley-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%859 Update Stage: %%853

Source
Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80240022 Error description:
The program can't check for definition updates.

Error - 8/1/2012 9:42:24 PM | Computer Name = Kelley-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.131.1201.0 Update Source: %%851 Update Stage:
%%854 Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 1.1.8601.0 Error code: 0x8050a003 Error description: This
package does not contain up-to-date definition files for this program. For more
information, see Help and Support.

Error - 8/1/2012 9:42:24 PM | Computer Name = Kelley-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.131.1201.0 Update Source: %%851 Update Stage:
%%854 Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 1.1.8601.0 Error code: 0x8050a003 Error description: This
package does not contain up-to-date definition files for this program. For more
information, see Help and Support.

Error - 8/1/2012 9:42:24 PM | Computer Name = Kelley-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.131.1201.0 Update Source: %%851 Update Stage:
%%854 Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 1.1.8601.0 Error code: 0x8050a003 Error description: This
package does not contain up-to-date definition files for this program. For more
information, see Help and Support.

Error - 8/1/2012 9:42:24 PM | Computer Name = Kelley-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.131.1201.0 Update Source: %%851 Update Stage:
%%854 Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 1.1.8601.0 Error code: 0x8050a003 Error description: This
package does not contain up-to-date definition files for this program. For more
information, see Help and Support.

Error - 8/1/2012 9:42:24 PM | Computer Name = Kelley-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.131.1201.0 Update Source: %%851 Update Stage:
%%854 Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 1.1.8601.0 Error code: 0x8050a003 Error description: This
package does not contain up-to-date definition files for this program. For more
information, see Help and Support.


< End of report >
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code: 
    :OTL
IE - HKU\S-1-5-21-2075852643-1379254224-2315044420-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=d9InZprGHecCXNHmXC_cpvj4K5o?q={searchTerms}
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O15 - HKU\S-1-5-21-2075852643-1379254224-2315044420-1000\..Trusted Domains: localhost ([]http in Local intranet)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[2012/07/31 23:27:48 | 000,000,000 | ---D | C] -- C:\FRST

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=========================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
thank you some more ...
OTL custom log
======================================================================================
All processes killed
========== OTL ==========
Registry key HKEY_USERS\S-1-5-21-2075852643-1379254224-2315044420-1000\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{70D46D94-BF1E-45ED-B567-48701376298E}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2075852643-1379254224-2315044420-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ deleted successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\FRST\Quarantine\{7faaaafa-cf14-2f74-3593-878a94dc601b}\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U folder moved successfully.
C:\FRST\Quarantine\{7faaaafa-cf14-2f74-3593-878a94dc601b}\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L folder moved successfully.
C:\FRST\Quarantine\{7faaaafa-cf14-2f74-3593-878a94dc601b}\{7faaaafa-cf14-2f74-3593-878a94dc601b} folder moved successfully.
C:\FRST\Quarantine\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U folder moved successfully.
C:\FRST\Quarantine\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L folder moved successfully.
C:\FRST\Quarantine\{7faaaafa-cf14-2f74-3593-878a94dc601b} folder moved successfully.
Folder move failed. C:\FRST\Quarantine scheduled to be moved on reboot.
C:\FRST\Logs folder moved successfully.
C:\FRST\Hives folder moved successfully.
C:\FRST folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kelley
->Temp folder emptied: 1782375 bytes
->Temporary Internet Files folder emptied: 178518048 bytes
->Java cache emptied: 12092056 bytes
->Google Chrome cache emptied: 356572124 bytes
->Opera cache emptied: 22794 bytes
->Flash cache emptied: 14799 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 105690 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 551308 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 524.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Kelley
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Kelley
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.55.0 log created on 08022012_064456

Files\Folders moved on Reboot...
File\Folder C:\FRST\Quarantine not found!
C:\Windows\temp\TMP0001C332A9EF34484D5AE279 moved successfully.

PendingFileRenameOperations files...
File C:\FRST\Quarantine not found!
File C:\Windows\temp\TMP0001C332A9EF34484D5AE279 not found!

Registry entries deleted on Reboot...
======================================================================================

Security Check
======================================================================================
Results of screen317's Security Check version 0.99.43
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
Java(TM) 6 Update 31
Java version out of Date!
Adobe Reader X (10.1.3)
Mozilla Thunderbird (14.0.)
Google Chrome 17.0.963.78
Google Chrome 17.0.963.79
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````
======================================================================================

FSS
======================================================================================
Farbar Service Scanner Version: 26-07-2012
Ran by Kelley (administrator) on 02-08-2012 at 07:00:45
Running from "C:\Users\Kelley\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
======================================================================================

TFC ran, rebooted

ESET online scan
======================================================================================
C:\Users\Kelley\AppData\Local\Google\Chrome\User Data\Default\Default\aadhdjddddgdgcdfgggcdegbdegedbdh\background.htmlWin32/BHO.OEI trojancleaned by deleting - quarantined
C:\_OTL\MovedFiles\08022012_064456\C_\FRST\Quarantine\obine.dlla variant of Win32/Medfos.BQ trojancleaned by deleting - quarantined
C:\_OTL\MovedFiles\08022012_064456\C_\FRST\Quarantine\pobind.dlla variant of Win32/Medfos.BN trojancleaned by deleting - quarantined
C:\_OTL\MovedFiles\08022012_064456\C_\FRST\Quarantine\services.exeWin32/Sirefef.FB.Gen trojandeleted - quarantined
C:\_OTL\MovedFiles\08022012_064456\C_FRST\Quarantine\{7faaaafa-cf14-2f74-3593-878a94dc601b}\nWin32/Sirefef.EV trojancleaned by deleting - quarantined
======================================================================================
 
1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

==========================================

We have one corrupted registry key affecting Windows updates.

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Double click on bits.reg file and confirm the prompt.
Restart computer.
Post new FSS log.
 
Java updated, JavaRa removed old versions, bits.reg installed, rebooted

FSS (everything but "other" checked):
Farbar Service Scanner Version: 26-07-2012
Ran by Kelley (administrator) on 02-08-2012 at 23:15:08
Running from "C:\Users\Kelley\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
 
Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code: 
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
Things are looking good so far ! Haven't been online much though.
Do you think TFC is better than CCleaner ?
thanks so much for this
OTL run fix log
======================================================================================
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kelley
->Temp folder emptied: 2494052 bytes
->Temporary Internet Files folder emptied: 2165834 bytes
->Java cache emptied: 2027 bytes
->Google Chrome cache emptied: 8054949 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 492 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21106 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 12.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Kelley
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Kelley
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.55.0 log created on 08032012_214530
Files\Folders moved on Reboot...
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\918[1].htm moved successfully.
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\clkurl=;ord=831060263[1].htm moved successfully.
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\clkurl=;ord=831060263[2].htm moved successfully.
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\net[1].htm moved successfully.
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\partner[1].htm moved successfully.
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\partner[2].htm moved successfully.
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\partner[3].htm moved successfully.
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CX807PH9\bizo_multi[1].htm moved successfully.
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5OC3OXD0\yas-yet-another-sirefef[1].htm moved successfully.
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
PendingFileRenameOperations files...
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\918[1].htm not found!
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\clkurl=;ord=831060263[1].htm not found!
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\clkurl=;ord=831060263[2].htm not found!
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\net[1].htm not found!
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\partner[1].htm not found!
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\partner[2].htm not found!
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W08063B2\partner[3].htm not found!
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CX807PH9\bizo_multi[1].htm not found!
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5OC3OXD0\yas-yet-another-sirefef[1].htm not found!
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat not found!
File C:\Users\Kelley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT not found!
Registry entries deleted on Reboot...
 
I prefer TFC over CCleaner because CCleaner includes tempting registry cleaner which shouldn't be used.

Good luck and stay safe :)
 
You must log in or register to reply here.

Similar threads

NonTechyDad
Solved Malware removal for my son's pc
2
Replies
33
Views
7K
Broni
Broni
C
Solved Malware \ProductData + possibly more, on two devices
Replies
4
Views
8K
Broni
Broni
B
  • Locked
Inactive-A Unknown virus / malware
Replies
13
Views
4K
Broni
Broni

Latest posts

Back