sirchief
Premium
join:2001-12-14
Cromwell, CT

Problem with redirects

Hello,

About 4 weeks ago my computer became infected with something telling me my hard drive had failed, and several pop-ups saying disk error, etc. would come up every few minutes. I managed to clean that up with Malwarebytes Anti-Malware.

I am now having a problem with IE and Firefox loading slowly, and the browsers redirect when I click links on searches and web pages.

I have followed the mandatory steps for posting and am including the logs. The only one I am not including is the MBAM log as nothing was found.

Any help that could be provided would be greatly appreciated.

Thank you,

Steve

LOGS:

OTL:

OTL logfile created on: 11/10/2012 8:42:29 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Steve\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.97 Gb Total Physical Memory | 2.55 Gb Available Physical Memory | 64.41% Memory free
8.10 Gb Paging File | 6.58 Gb Available in Paging File | 81.23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 450.71 Gb Total Space | 245.58 Gb Free Space | 54.49% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 7.79 Gb Free Space | 51.94% Space Free | Partition Type: NTFS

Computer Name: STEVE-PC | User Name: Steve | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2012/11/10 20:41:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Desktop\otl.exe
PRC - [2012/10/23 05:17:40 | 004,297,136 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/10/23 05:17:40 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/02/23 11:30:40 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
PRC - [2010/10/29 13:49:28 | 000,505,064 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
PRC - [2009/07/21 16:07:46 | 000,497,496 | ---- | M] (Dell Inc.) -- C:\Program Files (x86)\Dell Remote Access\ezi_ra.exe
PRC - [2009/07/21 16:06:26 | 000,554,224 | ---- | M] (Dell Inc.) -- c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
PRC - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
PRC - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/05/13 21:01:14 | 000,623,888 | ---- | M] (Research In Motion Limited) -- C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2009/03/05 15:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/04 21:26:38 | 000,128,232 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2009/02/04 17:55:38 | 000,548,864 | ---- | M] () -- C:\Windows\Samsung\PanelMgr\SSMMgr.exe
PRC - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/04/11 13:52:30 | 001,081,344 | ---- | M] (Pantone & X-Rite) -- C:\Program Files (x86)\Pantone\hueyPRO\hueyPROTray.exe
PRC - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

[color=#E56717]========== Modules (No Company Name) ==========[/color]

MOD - [2012/05/11 02:34:17 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll
MOD - [2012/05/11 02:32:52 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
MOD - [2012/05/11 02:32:45 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
MOD - [2011/09/27 06:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 06:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/02/04 17:55:38 | 000,548,864 | ---- | M] () -- C:\Windows\Samsung\PanelMgr\SSMMgr.exe

[color=#E56717]========== Services (SafeList) ==========[/color]

SRV:64bit: - [2012/10/23 05:17:40 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2010/05/11 15:05:40 | 000,362,296 | ---- | M] (HP) [Auto | Running] -- C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe -- (HPM1210RcvFaxSrvc)
SRV:64bit: - [2010/04/29 12:10:40 | 000,127,800 | ---- | M] (HP) [Auto | Running] -- C:\Windows\SysNative\HPSIsvc.exe -- (HPSIService)
SRV:64bit: - [2009/03/24 08:47:48 | 000,161,448 | ---- | M] (Samsung Electronics CO., LTD.) [On_Demand | Stopped] -- C:\Windows\SysNative\SUPDSvc.exe -- (Samsung UPD Service)
SRV:64bit: - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV:64bit: - [2008/07/18 07:42:16 | 000,086,016 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\AERTSr64.exe -- (AERTFilters)
SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/10/24 12:50:38 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/10/12 06:15:55 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/22 19:09:20 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/07/21 16:06:26 | 000,554,224 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe -- (hnmsvc)
SRV - [2009/06/10 10:59:54 | 000,309,744 | ---- | M] (Sonic Solutions) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2009/06/10 10:59:46 | 000,166,384 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2009/06/10 10:58:46 | 001,124,848 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2009/05/21 20:35:32 | 000,923,136 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter)
SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)

[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV:64bit: - [2012/10/23 05:18:31 | 000,984,144 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2012/10/23 05:18:31 | 000,364,096 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2012/10/23 05:18:31 | 000,059,728 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2012/10/23 05:18:31 | 000,044,272 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr.sys -- (AswRdr)
DRV:64bit: - [2012/10/23 05:18:30 | 000,071,600 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2012/10/23 05:18:30 | 000,025,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012/08/21 12:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/07/09 12:42:54 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/02/29 08:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2010/08/25 19:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/04/28 10:49:50 | 000,020,480 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\mvusbews.sys -- (mvusbews)
DRV:64bit: - [2010/04/28 10:49:50 | 000,016,384 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\HPM1210FAX.sys -- (HP1210FAX)
DRV:64bit: - [2009/09/30 19:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/06/10 16:22:14 | 000,034,640 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\packet.sys -- (Packet)
DRV:64bit: - [2009/05/25 05:51:00 | 000,207,872 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2009/05/20 03:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009/02/23 04:47:04 | 000,126,464 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV:64bit: - [2009/01/09 14:02:08 | 000,031,744 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\RimSerial_AMD64.sys -- (RimVSerPort)
DRV:64bit: - [2008/11/10 14:01:06 | 000,011,576 | ---- | M] (Samsung Electronics) [Kernel | Auto | Running] -- C:\Windows\SysNative\Drivers\SSPORT.sys -- (SSPORT)
DRV:64bit: - [2008/07/21 06:18:30 | 000,026,624 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\RtNdPt60.sys -- (RtNdPt60)
DRV:64bit: - [2008/07/15 07:14:10 | 000,395,288 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\iastor.sys -- (iaStor)
DRV:64bit: - [2008/05/20 17:33:36 | 000,028,416 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV:64bit: - [2008/01/20 21:49:47 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\RootMdm.sys -- (ROOTMODEM)
DRV:64bit: - [2008/01/20 21:47:25 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\serscan.sys -- (StillCam)
DRV:64bit: - [2008/01/20 21:46:55 | 000,317,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express)
DRV:64bit: - [2006/11/02 02:48:50 | 002,488,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (R300)
DRV - [2009/06/10 16:21:26 | 000,027,472 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\Windows\SysWOW64\drivers\packet.sys -- (Packet)

[color=#E56717]========== Standard Registry (SafeList) ==========[/color]

[color=#E56717]========== Internet Explorer ==========[/color]

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = »g.msn.com/USCON/1
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = »www.bing.com/search?q={searchTer···M=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = »g.msn.com/USCON/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = »www.bing.com/search?q={searchTer···M=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = »g.msn.com/USCON/1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {105E99FF-8B9A-4492-B155-06194B9056D2}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = »www.bing.com/search?q={searchTer···earchBox
IE - HKCU\..\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}: "URL" = »www.bing.com/search?FORM=DLCDF7&···source?}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\2.0.31005.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/10/22 08:06:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/10/30 18:03:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/11/03 13:43:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/10/22 08:06:35 | 000,000,000 | ---D | M]

[2012/11/03 13:43:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Steve\AppData\Roaming\Mozilla\Extensions
[2012/11/03 13:43:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/10/24 12:50:58 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/10/24 12:50:17 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/10/24 12:50:17 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2006/09/18 16:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Windows\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] Skytel.exe File not found
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKCU..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O4 - Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_13)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_13)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} »support.dell.com/systemprofiler/···oExe.CAB (WMI Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} »www.cvsphoto.com/upload/activex/···trol.cab (Photo Upload Plugin Class)
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} »ediagnostics.lexmark.com/serval.cab (Lexmark eDiagnostics Class)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} »platformdl.adobe.com/NOS/getPlus···6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In »static.garmincdn.com/gcp/ie/2.9.···trol.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FFE8D77B-75C9-4F82-9750-78E503788F5F}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter\text/xml - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\1600x1200_black.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\1600x1200_black.jpg
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{b4ecea9c-d36b-11e1-8fd2-0021705da4bb}\Shell - "" = AutoRun
O33 - MountPoints2\{b4ecea9c-d36b-11e1-8fd2-0021705da4bb}\Shell\AutoRun\command - "" = F:\SISetup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2012/11/10 20:41:32 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Steve\Desktop\otl.exe
[2012/11/10 20:28:38 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Users\Steve\Desktop\TFC.exe
[2012/11/04 19:57:51 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\Macromedia
[2012/11/03 13:43:38 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Mozilla
[2012/11/03 13:43:38 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\Mozilla
[2012/11/03 13:43:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2012/11/03 13:43:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/11/03 13:43:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2012/10/30 19:16:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012/10/30 19:16:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/10/30 19:16:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2012/10/30 17:49:23 | 000,025,232 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2012/10/30 17:49:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2012/10/30 17:49:22 | 000,364,096 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2012/10/30 17:49:05 | 000,044,272 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr.sys
[2012/10/30 17:49:04 | 000,059,728 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2012/10/30 17:49:03 | 000,984,144 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2012/10/30 17:49:00 | 000,071,600 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2012/10/30 17:48:59 | 000,285,328 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2012/10/30 17:47:59 | 000,041,224 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/10/30 17:47:58 | 000,227,648 | ---- | C] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2012/10/30 17:47:37 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/10/30 17:47:37 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/10/30 16:06:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/10/30 16:06:44 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/10/21 17:20:55 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Malwarebytes
[2012/10/21 17:20:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/10/21 17:20:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/10/19 06:56:34 | 000,000,000 | -H-D | C] -- C:\ProgramData\McAfee

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2012/11/10 20:43:05 | 000,707,520 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/11/10 20:43:05 | 000,607,406 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/11/10 20:43:05 | 000,105,046 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/11/10 20:41:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Desktop\otl.exe
[2012/11/10 20:40:28 | 000,000,256 | ---- | M] () -- C:\Windows\SysWow64\pool.bin
[2012/11/10 20:36:10 | 000,002,497 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
[2012/11/10 20:36:08 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/10 20:36:07 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/10 20:36:03 | 000,000,288 | ---- | M] () -- C:\Windows\tasks\RtlNICDiagVistaStart.job
[2012/11/10 20:35:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/11/10 20:35:57 | 4258,455,552 | -HS- | M] () -- C:\hiberfil.sys
[2012/11/10 20:28:04 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Desktop\TFC.exe
[2012/11/03 13:43:35 | 000,000,914 | ---- | M] () -- C:\Users\Steve\Desktop\Mozilla Firefox.lnk
[2012/11/03 13:43:35 | 000,000,890 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/10/31 18:54:42 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/10/31 18:54:42 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/10/31 18:49:49 | 000,002,341 | ---- | M] () -- C:\Users\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2012/10/30 19:56:19 | 000,007,728 | ---- | M] () -- C:\Users\Steve\AppData\Local\d3d9caps.dat
[2012/10/30 19:16:06 | 000,001,123 | ---- | M] () -- C:\Users\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/10/30 19:16:06 | 000,001,099 | ---- | M] () -- C:\Users\Steve\Desktop\Spybot - Search & Destroy.lnk
[2012/10/30 18:03:18 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2012/10/30 17:49:23 | 000,001,787 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012/10/30 17:40:14 | 000,736,033 | ---- | M] () -- C:\Users\Steve\AppData\Local\census.cache
[2012/10/30 17:39:37 | 000,161,595 | ---- | M] () -- C:\Users\Steve\AppData\Local\ars.cache
[2012/10/30 17:32:19 | 000,000,036 | ---- | M] () -- C:\Users\Steve\AppData\Local\housecall.guid.cache
[2012/10/30 16:06:48 | 000,000,950 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/23 05:18:31 | 000,984,144 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2012/10/23 05:18:31 | 000,364,096 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2012/10/23 05:18:31 | 000,059,728 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2012/10/23 05:18:31 | 000,044,272 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr.sys
[2012/10/23 05:18:30 | 000,071,600 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2012/10/23 05:18:30 | 000,025,232 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2012/10/23 05:17:48 | 000,041,224 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/10/23 05:17:38 | 000,227,648 | ---- | M] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2012/10/23 05:17:13 | 000,285,328 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2012/10/21 15:46:37 | 000,000,368 | -H-- | M] () -- C:\ProgramData\ZQJa3wHRBzOJpL
[2012/10/21 15:41:32 | 000,000,144 | -H-- | M] () -- C:\ProgramData\-ZQJa3wHRBzOJpLr
[2012/10/21 15:41:32 | 000,000,120 | -H-- | M] () -- C:\ProgramData\-ZQJa3wHRBzOJpL

========== Files Created - No Company Name ==========

[2012/11/10 20:12:27 | 4258,455,552 | -HS- | C] () -- C:\hiberfil.sys
[2012/11/03 13:43:35 | 000,000,914 | ---- | C] () -- C:\Users\Steve\Desktop\Mozilla Firefox.lnk
[2012/11/03 13:43:35 | 000,000,902 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/11/03 13:43:35 | 000,000,890 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/10/30 19:16:06 | 000,001,123 | ---- | C] () -- C:\Users\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/10/30 19:16:06 | 000,001,099 | ---- | C] () -- C:\Users\Steve\Desktop\Spybot - Search & Destroy.lnk
[2012/10/30 17:49:23 | 000,001,787 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012/10/30 17:48:59 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2012/10/30 17:40:14 | 000,736,033 | ---- | C] () -- C:\Users\Steve\AppData\Local\census.cache
[2012/10/30 17:39:37 | 000,161,595 | ---- | C] () -- C:\Users\Steve\AppData\Local\ars.cache
[2012/10/30 17:32:19 | 000,000,036 | ---- | C] () -- C:\Users\Steve\AppData\Local\housecall.guid.cache
[2012/10/30 16:06:48 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/21 15:41:32 | 000,000,144 | -H-- | C] () -- C:\ProgramData\-ZQJa3wHRBzOJpLr
[2012/10/21 15:41:32 | 000,000,120 | -H-- | C] () -- C:\ProgramData\-ZQJa3wHRBzOJpL
[2012/10/21 15:41:15 | 000,000,368 | -H-- | C] () -- C:\ProgramData\ZQJa3wHRBzOJpL
[2012/07/21 15:57:08 | 000,064,000 | ---- | C] () -- C:\Windows\unleap.exe
[2011/04/13 19:50:05 | 000,000,378 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\wklnhst.dat
[2010/08/03 19:24:15 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/02/25 19:39:50 | 000,020,992 | ---- | C] () -- C:\Users\Steve\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/28 20:14:59 | 000,007,728 | ---- | C] () -- C:\Users\Steve\AppData\Local\d3d9caps.dat

========== ZeroAccess Check ==========

[2012/10/21 19:26:43 | 000,002,048 | -HS- | M] () -- C:\$Recycle.Bin\S-1-5-18\$92a7947ee725bfec0f086ef3d83e9601\@
[2012/10/21 19:26:59 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$92a7947ee725bfec0f086ef3d83e9601\L
[2012/10/30 17:17:23 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$92a7947ee725bfec0f086ef3d83e9601\U
[2012/10/22 07:10:08 | 000,000,804 | ---- | M] () -- C:\$Recycle.Bin\S-1-5-18\$92a7947ee725bfec0f086ef3d83e9601\L\00000004.@
[2006/11/02 10:30:40 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 12:59:03 | 012,899,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/04/11 02:11:14 | 000,891,392 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 01:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2008/01/20 21:50:58 | 000,513,024 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2010/01/18 20:01:51 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Doblon
[2010/01/01 16:12:45 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\GARMIN
[2012/10/22 08:07:37 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\IrfanView
[2010/12/05 09:21:26 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\MyPublisher
[2010/04/29 18:53:37 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Pantone
[2009/10/17 06:44:12 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Research In Motion
[2011/04/13 19:50:08 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Template

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\Steve\Documents\Slideshow.dmsm:Roxio EMC Stream


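The "ZeroAccess Check" section above is the part of this log a helper reads first: it lists a hidden "$<32 hex>" tree with "@", "L" and "U" entries under the LocalSystem (S-1-5-18) recycle bin, and InProcServer32 keys under HKEY_CURRENT_USER for CLSIDs that HKEY_LOCAL_MACHINE maps to Microsoft DLLs (shell32.dll for {42aedc87-...}). Per-user class registration is consulted before HKLM by any non-elevated process, so an HKCU entry like that redirects the object for the user's own processes. The script below is an added example for this thread, not part of OTL or of the original post; it parses that section and grades what it finds. SAMPLE is built from lines copied out of the log above, and the severity tiers, the "inside C:\Windows" test and the finding names are this example's own assumptions.

```python
"""Triage the "ZeroAccess Check" section of an OTL log.

Added example for this thread; it is not part of OTL or of the original
post. SAMPLE is built from lines copied out of the log above, and the
severity rules below are this example's own assumptions.
"""
import re

SAMPLE = r"""
[2012/10/21 19:26:43 | 000,002,048 | -HS- | M] () -- C:\$Recycle.Bin\S-1-5-18\$92a7947ee725bfec0f086ef3d83e9601\@
[2012/10/21 19:26:59 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$92a7947ee725bfec0f086ef3d83e9601\L
[2012/10/30 17:17:23 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$92a7947ee725bfec0f086ef3d83e9601\U
[2012/10/22 07:10:08 | 000,000,804 | ---- | M] () -- C:\$Recycle.Bin\S-1-5-18\$92a7947ee725bfec0f086ef3d83e9601\L\00000004.@
[2006/11/02 10:30:40 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 12:59:03 | 012,899,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/04/11 02:11:14 | 000,891,392 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
"""

# S-1-5-18 is LocalSystem. A hidden "$<32 hex>" tree under its recycle bin,
# holding "@", "L" and "U" entries, is the layout this OTL section exists to find.
RECYCLE_RE = re.compile(
    r"-- (?P<path>[A-Z]:\\\$Recycle\.Bin\\S-1-5-18\\\$[0-9a-f]{32}(?:\\\S*)?)\s*$",
    re.IGNORECASE)
# InProcServer32 key lines, in either hive and either registry view.
KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\"
    r"(?:Wow6432Node\\)?Classes\\(?:Wow6432Node\\)?clsid\\"
    r"(?P<clsid>\{[0-9a-f-]{36}\})\\InProcServer32\](?P<view> /64)?$",
    re.IGNORECASE)
# The key's default value: the DLL COM loads for that CLSID.
DEFAULT_RE = re.compile(r'^"" = (?P<path>.+?)(?: -- \[.*)?$')


def parse_section(text):
    """Return (recycle_paths, registrations) found in the section text."""
    recycle, regs, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECYCLE_RE.search(line)
        if m:
            recycle.append(m.group("path"))
            continue
        k = KEY_RE.match(line)
        if k:
            current = {"hive": k.group("hive").upper(),
                       "clsid": k.group("clsid").lower(),
                       "view": "x64" if k.group("view") else "x86",
                       "path": None}
            regs.append(current)
            continue
        d = DEFAULT_RE.match(line)
        if d and current is not None:
            current["path"] = d.group("path")
        elif not line:
            current = None          # a blank line ends the current key block
    return recycle, regs


def in_windows_dir(path):
    """Assumption: a machine-wide shell/WMI server belongs under C:\\Windows."""
    return path.lower().startswith(("c:\\windows\\", "%systemroot%\\"))


def triage_zeroaccess_section(text):
    """Return findings as dicts with severity, kind and supporting detail."""
    recycle, regs = parse_section(text)
    findings = [{"severity": "high", "kind": "recycle_bin_payload", "path": p}
                for p in recycle]
    machine = {(r["clsid"], r["view"]): r for r in regs
               if r["hive"] == "HKEY_LOCAL_MACHINE"}
    for r in regs:
        if r["hive"] == "HKEY_CURRENT_USER":
            # Non-elevated processes resolve HKCU\Software\Classes before HKLM,
            # so an HKCU entry for a CLSID that HKLM maps to a Windows DLL
            # redirects that COM object for everything the user runs.
            shadowed = machine.get((r["clsid"], r["view"]))
            findings.append({"severity": "high" if shadowed else "review",
                             "kind": "user_com_shadow",
                             "clsid": r["clsid"], "view": r["view"],
                             "shadows": shadowed["path"] if shadowed else None,
                             "path": r["path"]})
        elif r["path"] and not in_windows_dir(r["path"]):
            findings.append({"severity": "review",
                             "kind": "machine_com_outside_windows",
                             "clsid": r["clsid"], "view": r["view"],
                             "path": r["path"]})
    return findings


if __name__ == "__main__":
    for f in triage_zeroaccess_section(SAMPLE):
        print(f["severity"], f["kind"], f.get("path") or f["clsid"],
              f.get("shadows") or "")
```

Two caveats when reading the output. The HKCU keys in this log print no default value, so the script reports them as a shadowing registration without naming the DLL; the fact that a per-user key exists for a CLSID the machine hive maps to shell32.dll is the finding, not the value. And since Windows Vista an elevated (high-integrity) process ignores HKCU\Software\Classes when it resolves a CLSID, so a per-user entry like this only affects the user's normal-integrity processes, which is the level the browsers run at.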
sirchief
Premium
join:2001-12-14
Cromwell, CT

More Logs:

EXTRAS:

OTL Extras logfile created on: 11/10/2012 8:42:29 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Steve\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.97 Gb Total Physical Memory | 2.55 Gb Available Physical Memory | 64.41% Memory free
8.10 Gb Paging File | 6.58 Gb Available in Paging File | 81.23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 450.71 Gb Total Space | 245.58 Gb Free Space | 54.49% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 7.79 Gb Free Space | 51.94% Space Free | Partition Type: NTFS

Computer Name: STEVE-PC | User Name: Steve | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with &IrfanView] -- "C:\Program Files (x86)\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with &IrfanView] -- "C:\Program Files (x86)\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]
"VistaSp2" = 11 8D 18 51 CA 87 CA 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03C32BC7-18FC-4F0B-95DB-8743C5A18CBF}" = rport=139 | protocol=6 | dir=out | app=system |
"{157ED84B-BCEB-45DD-935B-23A4D5AA70A2}" = lport=139 | protocol=6 | dir=in | app=system |
"{1AB76DDD-B3B1-45E1-98B0-BAC977E4474B}" = lport=9100 | protocol=6 | dir=in | name=advanced tcp/ip printer port |
"{2B3E8DA0-CAAD-42AA-9F0C-4234E4366CF8}" = lport=138 | protocol=17 | dir=in | app=system |
"{2E00630D-7374-41E1-9709-E3DAD975929A}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{31461DFD-21BA-413E-B946-D346DCEE5E93}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{46D3A353-02DE-43E6-B232-217FDF920FD5}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{5313E91E-6231-4E7F-8DDB-76BD6E8A0AAB}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{56E3AFFA-9250-4019-ABC4-86C1EA9A8C2A}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5908A115-B077-416D-88D5-CB3B5E3BC384}" = lport=2869 | protocol=6 | dir=in | app=system |
"{627BF85E-9E66-414B-809D-60AA19106A45}" = lport=161 | protocol=6 | dir=in | name=advanced tcp/ip snmp port |
"{772FF94D-F948-49CA-A225-21F73F11F438}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe |
"{80B2BF60-16AF-4804-B6EB-DF8BDF5D5108}" = rport=138 | protocol=17 | dir=out | app=system |
"{95C2B92B-6F16-4283-8D01-AADD24603563}" = rport=137 | protocol=17 | dir=out | app=system |
"{B92B3C94-0702-4377-9ACE-72E5C791CAC4}" = lport=445 | protocol=6 | dir=in | app=system |
"{BAF4A8E2-4BC0-4970-8543-B6F88C91A5B5}" = lport=427 | protocol=6 | dir=in | name=advanced tcp/ip slp port |
"{BE8F24FD-083B-43AE-BEE0-B28F7BB0C9E9}" = rport=445 | protocol=6 | dir=out | app=system |
"{C4199CD8-21CD-48B6-8C88-C1F6F274812E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CD6B3E69-447F-4239-A09E-BFC794174A73}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D3B11C26-7579-4711-B6C2-C9C8EE041704}" = lport=137 | protocol=17 | dir=in | app=system |
"{DC6CB4CA-A5F1-4C32-A187-986AECE839B3}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{E9D31572-0F27-428E-A86D-AE99EF62C95E}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{F27BE4D5-A368-42A6-8697-72485A5A8093}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{F5D14D63-3B8D-49BF-BB22-A3394F37E1ED}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00E31119-1E88-4D20-A131-576DBE62E973}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{02A7CE99-6F44-4412-A918-FA1F56C69715}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe |
"{0A9EBD33-0848-4FA2-85C1-F6AA3B5B1AAA}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{164346F7-DA72-47C8-8A7B-184873645E2C}" = dir=in | app=c:\program files (x86)\windows live\messenger\wlcsdk.exe |
"{1F943C65-6D86-4C8C-8F7C-7FB780D0C4F3}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{20A57887-6542-40B7-9D24-93D4F8158819}" = protocol=17 | dir=in | app=c:\program files (x86)\sonos\sonos.exe |
"{2323E304-0FBF-49E7-87CB-2B917041220F}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqusgh.exe |
"{251F1E70-9DF1-4BFC-A4B5-666E49294464}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{258C14DF-04D6-4EFD-9A30-80141F62C702}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpoews01.exe |
"{2A7DE0E8-CF00-444F-A450-5B035A1ED3B7}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\powerdvd.exe |
"{322CDCF6-FCCB-4E23-808E-7862B5098D5E}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpiscnapp.exe |
"{33E88FAA-6F1B-481D-8D4B-BF75E78F994E}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{34E21271-9622-4917-89B1-6498E3A7DB29}" = protocol=6 | dir=in | app=c:\program files (x86)\common files\dell\advanced networking service\hnm_svc.exe |
"{3AF70531-EF63-4082-A207-E6C329D536DF}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpfccopy.exe |
"{3E3C6ABB-41C0-4965-96B4-4179DBDDD30E}" = dir=in | app=c:\program files (x86)\hp\hp software update\hpwucli.exe |
"{4C4FF86B-15EA-404C-94AC-81877B00FD54}" = protocol=17 | dir=in | app=c:\program files (x86)\common files\dell\vlc\vlc.exe |
"{5009D325-4A55-4FD4-A407-799132A2EDEA}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{50295DF2-17C1-49D7-9155-7220CBF5FD8D}" = protocol=6 | dir=in | app=c:\windows\system32\supdsvc.exe |
"{5107F5F0-148D-41C7-8701-92F193E7B190}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\pdvddxsrv.exe |
"{522D2052-244A-434B-BFDD-FC96004C7FA0}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{62CF9E9A-2F9A-4CDD-9700-BD8304F5A6D0}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{669D4AB1-D9BA-4DB5-97FB-9B1F293C6439}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqgpc01.exe |
"{74EFE35B-029F-481F-A87B-FE6D8B073331}" = protocol=17 | dir=in | app=c:\users\steve\appdata\local\temp\7zs5dd8.tmp\easyinst64.exe |
"{89FA366A-276E-4EB2-9A44-B7F4359F7E2F}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqkygrp.exe |
"{8EFB3095-3D4D-4E6D-A2B5-950608448687}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{9150B0F2-1530-49FF-B9BA-CE2851E30929}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{958AD924-6348-4545-8104-6C18D6A0B67E}" = protocol=17 | dir=in | app=c:\windows\system32\supdsvc.exe |
"{96990188-4BC2-45A0-868B-51036521C95E}" = protocol=6 | dir=in | app=c:\program files (x86)\common files\dell\vlc\vlc.exe |
"{9E094719-DD80-419C-A229-842C825188FE}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqgplgtupl.exe |
"{A522A276-7CD6-4A54-9B86-957871F2B086}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{AD2104E7-88DD-4D8A-9E61-E3A1AB7EB57B}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{AE018A5C-025A-4140-B2FC-2AFB851FAE48}" = dir=in | app=c:\program files (x86)\hp\digital imaging\{2012d762-5dca-455a-b5fe-edf79bc93e18}\setup\hpznui40.exe |
"{BC28E47A-3734-4B26-AEE0-A89442E300DE}" = dir=in | app=c:\program files (x86)\common files\hp\digital imaging\bin\hpqphotocrm.exe |
"{C23560D2-38AC-491C-AF09-A06C1123EE0A}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{C416EC0D-4B67-4221-A136-6EE3EF17505B}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqusgm.exe |
"{C6271043-A254-41E8-8835-38E623861F0A}" = dir=in | app=c:\program files (x86)\windows live\sync\windowslivesync.exe |
"{C82A344A-496F-4293-BA3A-AC205725EF4F}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hposid01.exe |
"{D13FB354-7A6A-4982-B4BC-2A09D44ADC30}" = protocol=17 | dir=in | app=c:\program files (x86)\common files\dell\advanced networking service\hnm_svc.exe |
"{D3657FDC-2420-4D30-BF73-7E7B3BC9D74B}" = protocol=6 | dir=in | app=c:\users\steve\appdata\local\temp\7zs5dd8.tmp\easyinst64.exe |
"{E939B72A-4185-4EC7-8864-BAD1567782A3}" = dir=in | app=c:\program files (x86)\hp\digital imaging\smart web printing\smartwebprintexe.exe |
"{EBBBCC74-FC43-4909-86C2-5430A9ACF3DB}" = protocol=6 | dir=in | app=c:\program files (x86)\dell remote access\ezi_ra.exe |
"{EC4C76A6-D746-4363-8CB2-561EFF515CFB}" = protocol=6 | dir=in | app=c:\program files (x86)\sonos\sonos.exe |
"{F319131C-925F-4331-9387-99D3229ED067}" = protocol=17 | dir=in | app=c:\program files (x86)\dell remote access\ezi_ra.exe |
"{F3C76EE3-CEC5-4385-AA75-FDD6CC00753B}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{FBD0860C-06CB-44F7-B3B8-DEF92F649CD9}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqste08.exe |
"TCP Query User{03769DE1-E0B0-4338-9F8A-8EC579F6BD20}C:\program files (x86)\leapftp\leapftp.exe" = protocol=6 | dir=in | app=c:\program files (x86)\leapftp\leapftp.exe |
"TCP Query User{29FC28DF-C09F-4213-B825-EC28067928CC}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"UDP Query User{296E3E20-9B82-406D-929F-3726FCBDB52E}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"UDP Query User{7BEDADAF-598D-411B-B7F5-96D0F2E96872}C:\program files (x86)\leapftp\leapftp.exe" = protocol=17 | dir=in | app=c:\program files (x86)\leapftp\leapftp.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02AD9D20-03D2-4DE0-8793-E8253026AD86}" = EMCGadgets64
"{0DAD4F5C-AE4F-4FE4-AFCA-2C1C557E7BCF}" = HP Unified IO
"{1493B2AE-0261-47D2-B1AA-F4DAD0F6C48B}" = iTunes
"{2012D762-5DCA-455A-B5FE-EDF79BC93E18}" = HP Photosmart C4700 All-In-One Driver Software 13.0 Rel .6
"{22ABA92B-6C1B-46D8-AC2B-C48EEAE172A9}" = VD64Inst
"{26A24AE4-039D-4CA4-87B4-2F86416013FF}" = Java(TM) 6 Update 13 (64-bit)
"{6DD01FF3-63CE-436B-96DB-61363EAA4EB8}" = MobileMe Control Panel
"{6E14E6D6-3175-4E1A-B934-CAB5A86367CD}" = HP Postscript Converter
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{7446FE8D-C1F9-4D42-AAAE-5DBCE58605A6}" = Apple Mobile Device Support
"{8B485965-8EFE-464A-842F-CF8F18C3DFD7}" = iCloud
"{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}" = Dell Edoc Viewer
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A4DDB2AB-ECCD-4C3A-8633-77D5A1A0E542}" = Network64
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E60B7350-EA5F-41E0-9D6F-E508781E36D2}" = Dell Dock
"{E65099C4-9110-4C31-BD03-5C17EFB5FE92}" = HP LaserJet Professional M1210 MFP Series Fax Installer
"{E8A34AC8-0137-4515-A94B-0A0946DDC251}" = Scan To
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{FF21C3E6-97FD-474F-9518-8DCBE94C2854}" = 64 Bit HP CIO Components Installer
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP LaserJet Professional M1130-M1210 MFP Series" = HP LaserJet Professional M1130-M1210 MFP Series
"HP Print Projects" = HP Print Projects 1.0
"HP Smart Web Printing" = HP Smart Web Printing 4.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"Lexmark_HostCD" = Lexmark Software Uninstall
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Shop for HP Supplies" = Shop for HP Supplies

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{06A1D88C-E102-4527-AF70-29FFD7AF215A}" = Scan
"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{095B1DCF-5E8B-47EC-9B18-481918A731DB}" = Microsoft Default Manager
"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{1401311D-3960-4CEB-AC0B-4214F069E5B9}" = Sonos Desktop Controller
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{1FECF5F8-8E75-432C-9FF7-1C04F1956B54}" = Realtek Ethernet Network Card Diagnostic tool for Windows Vista
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 24
"{2794875B-6CCF-48B8-84A5-5B10DB98BEE6}" = HP ePrint
"{299CF645-48C7-4FA1-8BCD-5CE200CF180D}" = Microsoft Search Enhancement Pack
"{2B4C7E1E-E446-4740-ADB5-9842E742EE8A}" = Windows Live Toolbar
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{30283233-3BE6-473D-A47C-ED964A2F78B4}_is1" = Inpaint 2.3
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3FB3647F-B6A6-46B4-8613-A09BCFAB80F0}" = Roxio Creator Premier 10
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{469EF13B-4AD0-48D7-AF89-6B92278293E2}" = Roxio Creator Premier
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{4D612FB2-1AE7-4E46-9377-35BB2F06A787}" = Roxio Media Manager
"{4F844B00-B138-4E42-89D1-037AD19D8830}_is1" = SMC Karaoke Manager
"{505DF7A3-88D5-4DD6-9AD5-C98C2ED0CEC4}" = Windows Live Sign-in Assistant
"{628EE6C0-EA3F-4F36-B465-8F9D998B3E5C}" = BlackBerry Device Software v4.5.0 for the BlackBerry 8830 smartphone
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{63EC2120-1742-4625-AA47-C6A8AEC9C64C}" = Apple Application Support
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD DX
"{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}" = BlackBerry® Media Sync
"{68A10D12-0D0F-4212-BDE6-D87FAD32A8FA}" = SmartWebPrinting
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BBA9BF8-05DF-47D8-8880-82A9B99505B9}" = Sonos Controller
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert
"{850B123B-4237-4E62-A96F-D6FD4DDFCCFA}" = BlackBerry Desktop Software 5.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Roxio CinePlayer Decoder Pack
"{8E97ABDC-69CF-4F5C-A721-5B1C685782C3}" = HP Unified IO
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A55F4F9F-CCA8-4732-AA1F-0390A4A50947}" = C4700
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C75CDBA2-3C86-481e-BD10-BDDA758F9DFF}" = hpPrintProjects
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{E36F3199-C282-47CA-BAC7-2B77D247E760}" = PS_AIO_06_C4700_SW_Min
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator Premier
"{F012B439-D7B3-41D6-9902-8650E2191F4A}" = E210
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2AF3E5D-9697-485C-A5AC-E2B9468C446A}" = Safari
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{F66A31D9-7831-4FBA-BA02-C411C0047CC5}" = Dell Remote Access
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop Elements 6" = Adobe Photoshop Elements 6.0
"avast" = avast! Free Antivirus
"BlackBerry_{850B123B-4237-4E62-A96F-D6FD4DDFCCFA}" = BlackBerry Desktop Software 5.0
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"GoToAssist" = GoToAssist 8.0.0.514
"HijackThis" = HijackThis 1.99.1
"huey_is1" = hueyPRO 1.5.1
"IrfanView" = IrfanView (remove only)
"LeapFTP" = LeapFTP
"Magic ISO Maker v5.5 (build 0281)" = Magic ISO Maker v5.5 (build 0281)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"Mozilla Firefox 16.0.2 (x86 en-US)" = Mozilla Firefox 16.0.2 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Samsung Universal Print Driver" = Samsung Universal Print Driver
"Web Album Generator_is1" = Web Album Generator 1.8.2
"WinLiveSuite_Wave3" = Windows Live Essentials
"Yahoo! Companion" = Yahoo! Toolbar
"YTdetect" = Yahoo! Detect

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 10/29/2012 6:03:56 PM | Computer Name = Steve-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1419

Error - 10/29/2012 6:04:00 PM | Computer Name = Steve-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/29/2012 6:04:00 PM | Computer Name = Steve-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 6411

Error - 10/29/2012 6:04:00 PM | Computer Name = Steve-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 6411

Error - 10/29/2012 6:04:01 PM | Computer Name = Steve-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/29/2012 6:04:01 PM | Computer Name = Steve-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 7410

Error - 10/29/2012 6:04:01 PM | Computer Name = Steve-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 7410

Error - 10/29/2012 6:04:07 PM | Computer Name = Steve-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/29/2012 6:04:07 PM | Computer Name = Steve-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 12495

Error - 10/29/2012 6:04:07 PM | Computer Name = Steve-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 12495

[ System Events ]
Error - 11/10/2012 9:21:31 PM | Computer Name = Steve-PC | Source = netbt | ID = 4321
Description = The name "STEVEINSPIRON :0" could not be registered on the interface
with IP address 192.168.1.65. The computer with the IP address 192.168.1.81 did
not allow the name to be claimed by this computer.

Error - 11/10/2012 9:24:07 PM | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7031
Description =

Error - 11/10/2012 9:29:20 PM | Computer Name = Steve-PC | Source = netbt | ID = 4321
Description = The name "DELL6000 :0" could not be registered on the interface
with IP address 192.168.1.65. The computer with the IP address 192.168.1.68 did
not allow the name to be claimed by this computer.

Error - 11/10/2012 9:30:53 PM | Computer Name = Steve-PC | Source = netbt | ID = 4321
Description = The name "STEVEINSPIRON :0" could not be registered on the interface
with IP address 192.168.1.65. The computer with the IP address 192.168.1.81 did
not allow the name to be claimed by this computer.

Error - 11/10/2012 9:31:49 PM | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 11/10/2012 9:33:44 PM | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 11/10/2012 9:37:53 PM | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 11/10/2012 9:37:53 PM | Computer Name = Steve-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 11/10/2012 9:41:56 PM | Computer Name = Steve-PC | Source = netbt | ID = 4321
Description = The name "DELL6000 :0" could not be registered on the interface
with IP address 192.168.1.65. The computer with the IP address 192.168.1.68 did
not allow the name to be claimed by this computer.

Error - 11/10/2012 9:43:33 PM | Computer Name = Steve-PC | Source = netbt | ID = 4321
Description = The name "STEVEINSPIRON :0" could not be registered on the interface
with IP address 192.168.1.65. The computer with the IP address 192.168.1.81 did
not allow the name to be claimed by this computer.

317:

Results of screen317's Security Check version 0.99.54
Windows Vista Service Pack 2 x64 [color=red](UAC is disabled!)[/color]
Internet Explorer 9
[u]``````````````Antivirus/Firewall Check:``````````````[/u]
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date! (On Access scanning disabled!)
[u]`````````Anti-malware/Other Utilities Check:`````````[/u]
[color=red]Out of date HijackThis installed![/color]
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.1.1000
HijackThis 1.99.1
Java(TM) 6 Update 24
[color=red]Java version out of Date![/color]
Adobe Flash Player 11.4.402.287
Adobe Reader 9 [color=red]Adobe Reader out of Date![/color]
Mozilla Firefox (16.0.2)
[u]````````Process Check: objlist.exe by Laurent````````[/u]
AVAST Software Avast AvastUI.exe
AVAST Software Avast AvastSvc.exe
[u]`````````````````System Health check`````````````````[/u]
Total Fragmentation on Drive C: 0 %
[u]````````````````````End of Log``````````````````````[/u]

ESET:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=99ca9c6643fd8d4cb07f5d3334cd8066
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-11-11 03:45:11
# local_time=2012-11-10 10:45:11 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 56 0 189199203 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=218523
# found=0
# cleaned=0
# scan_time=5014


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26
Reviews:
·Comcast

reply to sirchief
First:
Please post the MBAM log as well...

Second:
Download and run TDSS Killer, posting the log in this thread. Please post the log, even if nothing is detected.

You'll find the link(s) and instruction(s) here:
»Security Cleanup FAQ »Rootkit Detection Applications
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum



sirchief
Premium
join:2001-12-14
Cromwell, CT

Hello, Thank you for the reply.

Here is the MBAM log. I couldn't get TDSSKILLER to run even after renaming the file to a different name with a .com extension, per the instructions.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.11.03

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Steve :: STEVE-PC [administrator]

11/11/2012 9:46:05 AM
mbam-log-2012-11-11 (09-46-05).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 404610
Time elapsed: 1 hour(s), 4 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26
Reviews:
·Comcast

reply to sirchief

Download ComboFix from one of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.infospyware.net/antimalware/combofix/
 
* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum


sirchief
Premium
join:2001-12-14
Cromwell, CT

ComboFix log, thank you:

ComboFix 12-11-10.03 - Steve 11/11/2012 20:16:46.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.2613 [GMT -5:00]
Running from: c:\users\Steve\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ZQJa3wHRBzOJpL
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2012-10-12 to 2012-11-12 )))))))))))))))))))))))))))))))
.
.
2012-11-12 01:51 . 2012-11-12 01:51 -------- d-----w- c:\users\Steve\AppData\Local\temp
2012-11-12 01:51 . 2012-11-12 01:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-11 14:18 . 2012-11-11 21:42 -------- d-----r- c:\users\Steve\Dropbox
2012-11-11 14:14 . 2012-11-11 14:14 -------- d-----w- c:\program files (x86)\Dropbox
2012-11-11 14:13 . 2012-11-11 21:43 -------- d-----w- c:\users\Steve\AppData\Roaming\Dropbox
2012-11-11 02:18 . 2012-11-11 02:18 -------- d-----w- c:\program files (x86)\ESET
2012-11-05 00:57 . 2012-11-05 00:57 -------- d-----w- c:\users\Steve\AppData\Local\Macromedia
2012-11-03 18:43 . 2012-11-03 18:43 -------- d-----w- c:\users\Steve\AppData\Local\Mozilla
2012-11-03 18:43 . 2012-11-03 18:43 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-10-31 00:16 . 2012-10-31 08:25 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-10-31 00:16 . 2012-10-31 00:17 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-10-30 22:49 . 2012-10-23 10:18 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 22:49 . 2012-10-23 10:18 364096 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-30 22:49 . 2012-10-23 10:18 44272 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-30 22:49 . 2012-10-23 10:18 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-30 22:49 . 2012-10-23 10:18 984144 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 22:49 . 2012-10-23 10:18 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-10-30 22:48 . 2012-10-23 10:17 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-30 22:47 . 2012-10-23 10:17 41224 ----a-w- c:\windows\avastSS.scr
2012-10-30 22:47 . 2012-10-23 10:17 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-10-30 22:47 . 2012-10-30 22:47 -------- d-----w- c:\programdata\AVAST Software
2012-10-30 22:47 . 2012-10-30 22:47 -------- d-----w- c:\program files\AVAST Software
2012-10-30 21:06 . 2012-09-29 23:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-27 06:10 . 2012-10-17 06:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{62D910DF-57E3-4F17-9B87-C6B1D7BECF00}\mpengine.dll
2012-10-21 22:20 . 2012-10-21 22:20 -------- d-----w- c:\users\Steve\AppData\Roaming\Malwarebytes
2012-10-21 22:20 . 2012-10-21 22:20 -------- d-----w- c:\programdata\Malwarebytes
2012-10-21 22:20 . 2012-10-30 21:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-19 11:56 . 2012-10-19 11:56 -------- d--h--w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-31 23:54 . 2012-04-08 18:56 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-31 23:54 . 2011-05-21 11:14 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-31 08:28 . 2006-11-02 12:35 65309168 ----a-w- c:\windows\system32\mrt.exe
2012-09-13 13:45 . 2012-10-10 03:56 2048 ----a-w- c:\windows\system32\tzres.dll
2012-09-13 13:28 . 2012-10-10 03:56 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-08-29 11:40 . 2012-10-10 03:55 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 16:07 . 2012-10-10 03:56 218624 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 15:53 . 2012-10-10 03:56 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-08-24 11:15 . 2012-09-23 07:00 17810944 ----a-w- c:\windows\system32\mshtml.dll
2012-08-24 10:39 . 2012-09-23 07:00 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-08-24 10:31 . 2012-09-23 07:00 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 10:22 . 2012-09-23 07:00 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-08-24 10:21 . 2012-09-23 07:00 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 10:20 . 2012-09-23 07:00 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 10:18 . 2012-09-23 07:00 237056 ----a-w- c:\windows\system32\url.dll
2012-08-24 10:17 . 2012-09-23 07:00 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-08-24 10:14 . 2012-09-23 07:00 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 10:14 . 2012-09-23 07:00 816640 ----a-w- c:\windows\system32\jscript.dll
2012-08-24 10:13 . 2012-09-23 07:00 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 10:12 . 2012-09-23 07:00 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-08-24 10:11 . 2012-09-23 07:00 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-08-24 10:10 . 2012-09-23 07:00 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-08-24 10:09 . 2012-09-23 07:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-24 10:04 . 2012-09-23 07:00 248320 ----a-w- c:\windows\system32\ieui.dll
2012-08-24 06:59 . 2012-09-23 07:00 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-08-24 06:51 . 2012-09-23 07:00 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-08-24 06:51 . 2012-09-23 07:00 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-08-24 06:47 . 2012-09-23 07:00 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-08-24 06:47 . 2012-09-23 07:00 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-08-24 06:43 . 2012-09-23 07:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-08-21 17:01 . 2012-09-16 14:26 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 17:01 . 2009-09-29 00:53 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 17:01 . 2009-09-29 00:53 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 94208 ----a-w- c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 94208 ----a-w- c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 94208 ----a-w- c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 94208 ----a-w- c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ISUSPM"="c:\program files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"BlackBerryAutoUpdate"="c:\program files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-14 623888]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-02-04 548864]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-23 4297136]
.
c:\users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
Dropbox.lnk - c:\users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-11-5 26619512]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe [2009-9-22 53248]
Desktop Manager.lnk - c:\program files (x86)\Research In Motion\BlackBerry\DesktopMgr.exe [2009-5-13 1701136]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
hueyPROTray.lnk - c:\program files (x86)\Pantone\hueyPRO\hueyPROTray.exe [2010-4-29 1081344]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe [2008-07-18 86016]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-11 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files (x86)\Realtek\RTNICDiag\RTNICDiag.exe [2009-09-22 11:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-23 10:17 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 97792 ----a-w- c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 97792 ----a-w- c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 97792 ----a-w- c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 97792 ----a-w- c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-18 6431232]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
FF - ProfilePath - c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\oyw7jngb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - ExtSQL: 2012-10-22 09:06; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - ExtSQL: 2012-10-22 09:08; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2012-10-30 19:03; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: !HIDDEN! 2012-10-22 09:06; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run- - (no file)
HKLM-Run-Skytel - Skytel.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-11-11 21:13:45
ComboFix-quarantined-files.txt 2012-11-12 02:13
.
Pre-Run: 257,754,193,920 bytes free
Post-Run: 257,653,407,744 bytes free
.
- - End Of File - - 1D61A4C7BDA95D579AC40AD88DD762A3
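Added example for readers triaging a log like the one above (this is not ComboFix's code and not something the helper posted): a small Python script that parses the `"Name"="path" [date size]` lines ComboFix prints under each Run key and flags entries whose executable lives outside Program Files or Windows, which is where a reviewer looks first. The sample lines are constructed in ComboFix's format; the "Updater" entry and its path are invented placeholders, and the location rules are a hypothetical heuristic, not ComboFix's own logic.

```python
"""Triage of autorun entries in a ComboFix-style log (added example, not ComboFix code)."""
import re
from dataclasses import dataclass

# Constructed sample in the ComboFix Run-key format. The "Updater" entry and its
# path are invented placeholders; the other lines mirror the layout of the log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-23 4297136]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-18 6431232]
"Updater"="c:\programdata\XyZ1234abcd\updater.exe" [2012-10-30 45056]
"Dropbox"="c:\users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe" [2012-11-05 26619512]
"""

# A key header line: [HKEY_...]
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
# A value line: "Name"="path" [yyyy-mm-dd size]   (the bracketed part is optional)
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"(?:\s+\[(?P<date>\S+)\s+(?P<size>\d+)\])?\s*$'
)

# Hypothetical location heuristic: code started from user-writable directories or
# given as a bare file name (resolved via the search path) deserves a closer look.
SYSTEM_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE_MARKERS = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")


@dataclass(frozen=True)
class AutorunEntry:
    key: str
    name: str
    path: str
    size: int
    location: str


def classify(path: str) -> str:
    """Return 'unqualified', 'user-writable', 'system' or 'other' for an executable path."""
    p = path.lower()
    if "\\" not in p:
        return "unqualified"          # bare name: which file actually runs depends on PATH
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "user-writable"        # checked before the system prefixes so c:\windows\temp counts
    if p.startswith(SYSTEM_PREFIXES):
        return "system"
    return "other"


def parse_autoruns(text: str) -> list:
    """Parse every Run-key value line under the key that precedes it."""
    entries, key = [], ""
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            size = int(m.group("size")) if m.group("size") else 0
            entries.append(AutorunEntry(key, m.group("name"), m.group("path"),
                                        size, classify(m.group("path"))))
    return entries


def triage(text: str) -> list:
    """Entries worth a second look: everything not started from a system directory."""
    return [e for e in parse_autoruns(text) if e.location != "system"]


def report(text: str) -> str:
    return "\n".join(f"[{e.location:13}] {e.name!r:22} -> {e.path}" for e in triage(text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The flags are review hints, not verdicts: the Dropbox entry is flagged only because it runs from a profile directory, and a reviewer would clear it by name and signature, while a bare file name such as RAVCpl64.exe tells you to confirm which copy on the search path is actually loaded.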


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26
Reviews:
·Comcast

reply to sirchief
First:
Are you still being redirected on search links?

Second:
Please go to »www.virustotal.com/

Press the 'Browse' button to the right of the yellow box.

Navigate to the file(s) listed below, one at a time (if more than one file). Press the 'Open' button in the file dialog box or double click on the file name. The file name and path should appear in the yellow box.


C:\Windows\unleap.exe


Click on the Send File button

Note: If you can't find the file, let me know in your next post.

Once the Scan is completed, a Web page will open with the scan results. Copy and paste the address of that webpage from the address bar of your browser into your next post in this thread. Note that you can also copy and paste the contents of the webpage if you find that easier.

If the file has been previously scanned, the results webpage will show:
"File has already been submitted:"

Press the "View Last Report" button then copy and paste the address of that webpage from the address bar of your browser into your next post in this thread.

If there is more than one file listed for scanning, press the Another File button at the bottom of the page. Repeat this procedure until all files listed have been scanned.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum



sirchief
Premium
join:2001-12-14
Cromwell, CT

1 edit

Hello,

Thank you for the continued support. The computer doesn't seem to be redirecting any longer, however, after clicking a link to go to it seems to take a little longer than normal to connect.

I scanned the file you asked to scan. The URL is here:

»www.virustotal.com/file/9ce18e39···nalysis/

If I didn't do that properly, please let me know.

Thank you again,

Steve

EDIT: YES, the computer is still redirecting.



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26
Reviews:
·Comcast

reply to sirchief
Download and run Sophos AntiRootkit. Post the log in this thread, even if nothing is found.

You'll find link(s) and instructions here:
»Security Cleanup FAQ »Rootkit Detection Applications
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum



sirchief
Premium
join:2001-12-14
Cromwell, CT


Sophos Anti-Rootkit Version 1.5.20 (c) 2009 Sophos Plc
Started logging on 11/13/2012 at 17:05:24 PM
User "Steve" on computer "STEVE-PC"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HX1AA653\JusticeSystem;en=OrangeNewHavenConnecticut;at=JusticeSystem;at=CrimeLawandJustice;at=Lawyers;at=Judges;at=OrangeNewHavenConnecticut;u=sz%7C728x90!;ord=67631944[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\=728x90;tile=1;ca=MedicalResearch;en=Stress;at=MedicalResearch;at=HealthandSafetyatSchool;at=Family;at=Stress;at=BehavioralConditions;u=sz_728x90!;ord=60304306[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\80%5ED70010%5ED70024%5ED70094%5ED70112%5ED70116%5ED70195%5ED70513%5ED70675%5ED70758%5ED72008%5ED70688%5ED71585%5ED71622%5ED71628%5ED72297%5ED72665;ord=63825988[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=43689542;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MPQHGZE\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=43689542;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLGWZX96\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=18514894;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HX1AA653\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=18514894;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MPQHGZE\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=57183217;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLGWZX96\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=57183217;[1].js
Info: Starting disk scan of D: (NTFS).
Stopped logging on 11/13/2012 at 18:09:02 PM

Sophos Anti-Rootkit Version 1.5.20 (c) 2009 Sophos Plc
Started logging on 11/13/2012 at 18:18:52 PM
User "Steve" on computer "STEVE-PC"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HX1AA653\JusticeSystem;en=OrangeNewHavenConnecticut;at=JusticeSystem;at=CrimeLawandJustice;at=Lawyers;at=Judges;at=OrangeNewHavenConnecticut;u=sz%7C728x90!;ord=67631944[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\=728x90;tile=1;ca=MedicalResearch;en=Stress;at=MedicalResearch;at=HealthandSafetyatSchool;at=Family;at=Stress;at=BehavioralConditions;u=sz_728x90!;ord=60304306[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HX1AA653\errorPageStrings[1]
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\80%5ED70010%5ED70024%5ED70094%5ED70112%5ED70116%5ED70195%5ED70513%5ED70675%5ED70758%5ED72008%5ED70688%5ED71585%5ED71622%5ED71628%5ED72297%5ED72665;ord=63825988[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=43689542;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MPQHGZE\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=43689542;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLGWZX96\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=18514894;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HX1AA653\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=18514894;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MPQHGZE\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=57183217;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLGWZX96\der=coed;age=14u;skill=other;siteid=3061940;org=littleleaguebaseballandsoftball;fldr=cromwelllittleleague;stemp=rugbymatch;scat=league;stype=plus;ord=57183217;[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\ErrorPageTemplate[1]
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HX1AA653\errorPageStrings[2]
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HX1AA653\httpErrorPagesScripts[1]
Info: Starting disk scan of D: (NTFS).
Stopped logging on 11/13/2012 at 19:22:58 PM

I couldn't select the "Running processes" at the beginning of the scan as it was greyed out.

Thank you again.


sirchief
Premium
join:2001-12-14
Cromwell, CT

Another log after another scan:

Sophos Anti-Rootkit Version 1.5.20 (c) 2009 Sophos Plc
Started logging on 11/13/2012 at 20:56:48 PM
User "Steve" on computer "STEVE-PC"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLGWZX96\aturette%252F%253Futm_source%253Dad_114403_23951_23951%2526utm_medium%253Dcpc%2526utm_campaign%253DAONdlUS_567665_279361%2526req%253D50a2f59e3b86101eb4c66e8b.1[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HX1AA653\aturette%252F%253Futm_source%253Dad_114403_23951_23951%2526utm_medium%253Dcpc%2526utm_campaign%253DAONdlUS_567665_279361%2526req%253D50a2f59e3b86101eb4c66e8b.1[1].js
Hidden: file C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\O3APR9U8.txt
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWB55JST\ADTECH;loc=100;cookie=info;target=_blank;key=;grp=[group];misc=7261ee7b78b34f69bad309fb84260781;rdclick=;kvuniqimp=7261ee7b78b34f69bad309fb84260781;kvafseq=1[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5O0656Y\ADTECH;loc=100;cookie=info;target=_blank;key=;grp=[group];misc=47dcdc56353b4f98bcafcd9bc1720420;rdclick=;kvuniqimp=47dcdc56353b4f98bcafcd9bc1720420;kvafseq=1[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWB55JST\ADTECH;loc=100;cookie=info;target=_blank;key=;grp=[group];misc=1b28e40c59aa4438b50086263b459f62;rdclick=;kvuniqimp=1b28e40c59aa4438b50086263b459f62;kvafseq=1[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HX1AA653\ADTECH;loc=100;cookie=info;target=_blank;key=;grp=[group];misc=00b2188448bf44ef8737968d016340f7;rdclick=;kvuniqimp=00b2188448bf44ef8737968d016340f7;kvafseq=1[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\dref=http%253A%252F%252Fwww.chinaontv.com%252Fcityfocus_videoplayer.php%253Fvid%253D6422%2526utm_source%253DADK%2526utm_medium%253DCPC%2526utm_campaign%253DADK[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\AAAAQAAAAAAVVNEAKAAWAJSXAAAAAAAAgIAAQUAAIQABBLXnwAAAAA.%2526vpid%253D252%2526referrer%253Dhttp%25253A%25252F%25252Fwww.chinaontv.com%25252Fads%25252Far_160_600[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MPQHGZE\alm%2526beacon%253D1%2526guid%253D1352857681248b4a3a328b64d%2526ref%253Dhttp%25253A%25252F%25252Fapr.lijit.com%25252F%25252F%25252Fwww%25252Fdelivery%25252Ffpi[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5O0656Y\alm%2526beacon%253D1%2526guid%253D1352857681232b4e1412c8a82%2526ref%253Dhttp%25253A%25252F%25252Fapr.lijit.com%25252F%25252F%25252Fwww%25252Fdelivery%25252Ffpi[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\dref=http%253A%252F%252Fwww.chinaontv.com%252Fcityfocus_videoplayer.php%253Fvid%253D6422%2526utm_source%253DADK%2526utm_medium%253DCPC%2526utm_campaign%253DADK[2].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLGWZX96\dref=http%253A%252F%252Fwww.chinaflix.com%252Fvideoplayer_cuisine.php%253Fpid%253D4884%2526utm_source%253DADK%2526utm_medium%253DCPC%2526utm_campaign%253DADK[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLGWZX96\dref=http%253A%252F%252Fwww.chinaflix.com%252Fvideoplayer_cuisine.php%253Fpid%253D4884%2526utm_source%253DADK%2526utm_medium%253DCPC%2526utm_campaign%253DADK[2].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWB55JST\QUAAIQADhPnAAAAAAA.%2526vpid%253D45%2526referrer%253Dhttp%25253A%25252F%25252Fmenshealthbase.com%25252Fwp-content%25252Fthemes%25252Fmenshealthbase%25252Fffiad[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X2X4NI84\tm_source%253D65687978%2526utm_medium%253Dcpc%2526utm_campaign%253D65687978_574778_277603_%257B113643%257D_142300_none%2526click%253D50a2fab22ab6101eb4cdd2d1.1[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HX1AA653\dref=http%253A%252F%252Fwww.chinaflix.com%252Fvideoplayer_cuisine.php%253Fpid%253D4884%2526utm_source%253DADK%2526utm_medium%253DCPC%2526utm_campaign%253DADK[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X2X4NI84\d_wAAAAA.%2526vpid%253D45%2526referrer%253Dhttp%25253A%25252F%25252Fmenshealthbase.com%25252Fwp-content%25252Fthemes%25252Fmenshealthbase%25252Flib%25252Fffiad[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\878QGNFY\QUAAIQADhJKlQAAAAA.%2526vpid%253D45%2526referrer%253Dhttp%25253A%25252F%25252Fmenshealthbase.com%25252Fwp-content%25252Fthemes%25252Fmenshealthbase%25252Fffiad[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MPQHGZE\gCWgAkSAAAAAAAAgIAAQUAAIQAWhLboQAAAAA.%2526vpid%253D45%2526referrer%253Dhttp%25253A%25252F%25252Fapr.lijit.com%25252F%25252F%25252Fwww%25252Fdelivery%25252Ffpi[1].js
Hidden: file C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\N715JPFT.txt
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X2X4NI84\like[1].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLGWZX96\![1].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5O0656Y\like[1].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5O0656Y\like[2].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LW3CKR9\like[1].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LW3CKR9\like[2].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MPQHGZE\like[1].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MPQHGZE\like[2].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MPQHGZE\like[3].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X2X4NI84\like[2].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X2X4NI84\de[1].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MPQHGZE\like[4].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LW3CKR9\fpi[1].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWB55JST\beacon[2].htm
Hidden: file C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\5ZTIQM4U.txt
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5O0656Y\ddc[1].htm
Hidden: file C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\8BZJ86H9.txt
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LW3CKR9\![1].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LW3CKR9\ddc[1].htm
Hidden: file C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\DY97OW69.txt
Hidden: file C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\37ARWVRO.txt
Hidden: file C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Cookies\HMAV4BQ8.txt
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LW3CKR9\likebox[1].htm
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWB55JST\52854036;loc=100;cookie=info;target=_blank;key=;grp=[group];misc=cb904f4a67da471c9fb79f99a0fddbe1;rdclick=;kvuniqimp=cb904f4a67da471c9fb79f99a0fddbe1;kvafseq=1[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWB55JST\52854037;loc=100;cookie=info;target=_blank;key=;grp=[group];misc=f60f92a8917c48f18fb86c55de53c4c2;rdclick=;kvuniqimp=f60f92a8917c48f18fb86c55de53c4c2;kvafseq=1[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWB55JST\ADTECH;loc=100;cookie=info;target=_blank;key=;grp=[group];misc=6295390025f04972b7e9566399426f9e;rdclick=;kvuniqimp=6295390025f04972b7e9566399426f9e;kvafseq=1[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWB55JST\ADTECH;loc=100;cookie=info;target=_blank;key=;grp=[group];misc=d2a8c5aeff2d4b9fbed9aef55f51f8a5;rdclick=;kvuniqimp=d2a8c5aeff2d4b9fbed9aef55f51f8a5;kvafseq=1[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWB55JST\dref=http%253A%252F%252Fwww.chinaflix.com%252Fvideoplayer_cuisine.php%253Fpid%253D4884%2526utm_source%253DADK%2526utm_medium%253DCPC%2526utm_campaign%253DADK[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X2X4NI84\dref=http%253A%252F%252Fwww.chinaflix.com%252Fvideoplayer_cuisine.php%253Fpid%253D4884%2526utm_source%253DADK%2526utm_medium%253DCPC%2526utm_campaign%253DADK[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QWB55JST\krwAAAAA.%2526vpid%253D45%2526referrer%253Dhttp%25253A%25252F%25252Fmenshealthbase.com%25252Fwp-content%25252Fthemes%25252Fmenshealthbase%25252Flib%25252Fffiad[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X2X4NI84\IMQAAAAA.%2526vpid%253D45%2526referrer%253Dhttp%25253A%25252F%25252Fmenshealthbase.com%25252Fwp-content%25252Fthemes%25252Fmenshealthbase%25252Flib%25252Fffiad[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LW3CKR9\ttp%25253A%25252F%25252Fwww.filmannex.com%25252Fchannels%2526width%253D300%2526height%253D250%2526informer%253D7395367%2526uri%253Dhttp%253A%252F%252Fwww.lijit[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LW3CKR9\_kQAAAAA.%2526vpid%253D45%2526referrer%253Dhttp%25253A%25252F%25252Fmenshealthbase.com%25252Fwp-content%25252Fthemes%25252Fmenshealthbase%25252Flib%25252Fffiad[1].js
Hidden: file C:\Users\Steve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5O0656Y\dref=http%253A%252F%252Fwww.chinaontv.com%252Fcityfocus_videoplayer.php%253Fvid%253D6422%2526utm_source%253DADK%2526utm_medium%253DCPC%2526utm_campaign%253DADK[1].js
Info: Starting disk scan of D: (NTFS).
Stopped logging on 11/13/2012 at 22:09:24 PM


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26

reply to sirchief
Strange, the logs are negative. It is possible the redirects are coming from installed software/addons. I'll get to that later. Right now I want to scan one more time for rootkits with a new program from the makers of MalwareBytes.


First:

Please download and run the MalwareBytes AntiRootKit program.

You'll find it here:
»www.malwarebytes.org/products/mbar/

There is a tutorial on using MBAR here:
»www.bleepingcomputer.com/virus-r···rootkit/

Second:
Run TFC again. (This is the temp file cleaner listed in the Mandatory Steps. There will be no log for this.)

Third:
Please run OTL again, and post the new log in this thread. Note that there will not be a new Extras log this time.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum
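Why the Sophos logs above read as negative: every "Hidden:" line sits under the IE cache or cookie store, where hidden entries are routine browser housekeeping rather than a rootkit. The triage script below is an added Python example, not code from this thread or from Sophos; it parses that log layout and buckets each hidden item by location. The embedded log text is constructed from the format seen above, and `example.sys` is a placeholder path, not a real indicator.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the Sophos Anti-Rootkit 1.5.20 log layout used in this thread.
# Paths are shortened or made up; "example.sys" is a placeholder, not a real indicator.
SAMPLE_LOG = """\
Sophos Anti-Rootkit Version 1.5.20 (c) 2009 Sophos Plc
Started logging on 11/13/2012 at 17:05:24 PM
User "Steve" on computer "STEVE-PC"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\\Users\\Steve\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\HX1AA653\\ad;ord=1[1].js
Hidden: file C:\\Users\\Steve\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\ABCD1234.txt
Info: Starting disk scan of D: (NTFS).
Stopped logging on 11/13/2012 at 18:09:02 PM

Sophos Anti-Rootkit Version 1.5.20 (c) 2009 Sophos Plc
Started logging on 11/13/2012 at 18:18:52 PM
User "Steve" on computer "STEVE-PC"
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\\Users\\Steve\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\878QGNFY\\errorPageStrings[1]
Hidden: file C:\\Windows\\System32\\drivers\\example.sys
Info: Starting disk scan of D: (NTFS).
Stopped logging on 11/13/2012 at 19:22:58 PM
"""

# Locations where IE and Windows routinely keep hidden files. A "Hidden:" hit here is
# expected cache/cookie housekeeping; anything elsewhere deserves a human look.
EXPECTED_PREFIXES = (
    r"\appdata\local\microsoft\windows\temporary internet files",
    r"\appdata\roaming\microsoft\windows\cookies",
    r"\appdata\local\microsoft\windows\history",
)

HIDDEN_RE = re.compile(r"^Hidden:\s+(\w+)\s+(.+?)\s*$")
START_RE = re.compile(r"^Started logging on (.+)$")
STOP_RE = re.compile(r"^Stopped logging on (.+)$")


@dataclass
class Session:
    started: str
    stopped: str = ""
    expected: list = field(default_factory=list)   # hidden items in benign locations
    review: list = field(default_factory=list)     # everything else


def classify(path: str) -> str:
    """Bucket a hidden item by where it lives, not by what it is called."""
    p = path.lower().replace("/", "\\")
    if any(prefix in p for prefix in EXPECTED_PREFIXES):
        return "expected"
    return "review"


def parse_sophos_log(text: str) -> list:
    """Split a (possibly multi-session) Sophos Anti-Rootkit log into Session objects."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := START_RE.match(line):
            current = Session(started=m.group(1))
            sessions.append(current)
        elif m := STOP_RE.match(line):
            if current is not None:
                current.stopped = m.group(1)
        elif m := HIDDEN_RE.match(line):
            if current is None:                 # tolerate a pasted fragment with no header
                current = Session(started="unknown")
                sessions.append(current)
            kind, path = m.group(1), m.group(2)
            getattr(current, classify(path)).append((kind, path))
    return sessions


def verdict(sessions) -> str:
    """'negative' when no hidden item lies outside known browser housekeeping directories."""
    return "negative" if all(not s.review for s in sessions) else "review needed"


if __name__ == "__main__":
    found = parse_sophos_log(SAMPLE_LOG)
    for s in found:
        print(f"{s.started} -> {s.stopped}: {len(s.expected)} expected, {len(s.review)} to review")
        for kind, path in s.review:
            print("   REVIEW", kind, path)
    print("verdict:", verdict(found))
```

Run against the real logs above, every session would land entirely in the "expected" bucket, which is the mechanical form of the helper's "the logs are negative".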



sirchief
Premium
join:2001-12-14
Cromwell, CT

Thanks again for the reply. I will get to this tonight when I am home, at the computer in question. I agree that the redirects/browsing slowness is coming from somewhere. I noticed in IE9 when I download a file I get a yellow bar on the bottom of the screen asking what I want to do with the file.

I should also mention that the computer takes an awful long time to be useable after a reboot.

One other thing, I tried to do a Windows update to see if maybe there was an update to IE that was causing some of my problems. I cannot do Windows updates. I get to where I can scan for updates and an error comes up telling me to try again. Error code 80070005 is the error I get.

I've also tried Firefox and that produces the same symptoms as IE.

Thank you again,

Steve



sirchief
Premium
join:2001-12-14
Cromwell, CT

reply to LoPhatPhuud
MBAR has been running for approximately 1 hour and seems to be stuck scanning "forged physical sector"

It's not saying "not responding", it just doesn't seem to be scanning. I will let it run.



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26

If it gets over 2 hours, go ahead and abort.



sirchief
Premium
join:2001-12-14
Cromwell, CT

Did you need the MBAR log? It's rather large, around 5MB.

Here is the OTL Log:

OTL logfile created on: 11/15/2012 5:26:23 AM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Steve\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.97 Gb Total Physical Memory | 2.59 Gb Available Physical Memory | 65.29% Memory free
8.10 Gb Paging File | 6.65 Gb Available in Paging File | 82.14% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 450.71 Gb Total Space | 233.42 Gb Free Space | 51.79% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 7.79 Gb Free Space | 51.94% Space Free | Partition Type: NTFS

Computer Name: STEVE-PC | User Name: Steve | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2012/11/10 20:41:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Desktop\otl.exe
PRC - [2012/11/05 18:14:44 | 026,619,512 | ---- | M] (Dropbox, Inc.) -- C:\Users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012/02/23 11:30:40 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
PRC - [2009/07/21 16:07:46 | 000,497,496 | ---- | M] (Dell Inc.) -- C:\Program Files (x86)\Dell Remote Access\ezi_ra.exe
PRC - [2009/07/21 16:06:26 | 000,554,224 | ---- | M] (Dell Inc.) -- c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
PRC - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
PRC - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/05/13 21:01:14 | 000,623,888 | ---- | M] (Research In Motion Limited) -- C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2009/03/05 15:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/04 21:26:38 | 000,128,232 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2009/02/04 17:55:38 | 000,548,864 | ---- | M] () -- C:\Windows\Samsung\PanelMgr\SSMMgr.exe
PRC - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/04/11 13:52:30 | 001,081,344 | ---- | M] (Pantone & X-Rite) -- C:\Program Files (x86)\Pantone\hueyPRO\hueyPROTray.exe
PRC - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

[color=#E56717]========== Modules (No Company Name) ==========[/color]

MOD - [2012/05/11 02:34:17 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll
MOD - [2012/05/11 02:32:52 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
MOD - [2012/05/11 02:32:45 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
MOD - [2011/09/27 06:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 06:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/02/04 17:55:38 | 000,548,864 | ---- | M] () -- C:\Windows\Samsung\PanelMgr\SSMMgr.exe

[color=#E56717]========== Services (SafeList) ==========[/color]

SRV:64bit: - [2010/05/11 15:05:40 | 000,362,296 | ---- | M] (HP) [Auto | Running] -- C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe -- (HPM1210RcvFaxSrvc)
SRV:64bit: - [2010/04/29 12:10:40 | 000,127,800 | ---- | M] (HP) [Auto | Running] -- C:\Windows\SysNative\HPSIsvc.exe -- (HPSIService)
SRV:64bit: - [2009/03/24 08:47:48 | 000,161,448 | ---- | M] (Samsung Electronics CO., LTD.) [On_Demand | Stopped] -- C:\Windows\SysNative\SUPDSvc.exe -- (Samsung UPD Service)
SRV:64bit: - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV:64bit: - [2008/07/18 07:42:16 | 000,086,016 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\AERTSr64.exe -- (AERTFilters)
SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/10/24 12:50:38 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/10/12 06:15:55 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/22 19:09:20 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/07/21 16:06:26 | 000,554,224 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe -- (hnmsvc)
SRV - [2009/06/10 10:59:54 | 000,309,744 | ---- | M] (Sonic Solutions) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2009/06/10 10:59:46 | 000,166,384 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2009/06/10 10:58:46 | 001,124,848 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2009/05/21 20:35:32 | 000,923,136 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter)
SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)

[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV:64bit: - [2012/08/21 12:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/07/09 12:42:54 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/02/29 08:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/05/12 14:03:12 | 000,006,144 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\5A8F.tmp -- (MEMSWEEP2)
DRV:64bit: - [2010/08/25 19:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/04/28 10:49:50 | 000,020,480 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\mvusbews.sys -- (mvusbews)
DRV:64bit: - [2010/04/28 10:49:50 | 000,016,384 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\HPM1210FAX.sys -- (HP1210FAX)
DRV:64bit: - [2009/09/30 19:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/06/10 16:22:14 | 000,034,640 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\packet.sys -- (Packet)
DRV:64bit: - [2009/05/25 05:51:00 | 000,207,872 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2009/05/20 03:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009/02/23 04:47:04 | 000,126,464 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV:64bit: - [2009/01/09 14:02:08 | 000,031,744 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\RimSerial_AMD64.sys -- (RimVSerPort)
DRV:64bit: - [2008/11/10 14:01:06 | 000,011,576 | ---- | M] (Samsung Electronics) [Kernel | Auto | Running] -- C:\Windows\SysNative\Drivers\SSPORT.sys -- (SSPORT)
DRV:64bit: - [2008/07/21 06:18:30 | 000,026,624 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\RtNdPt60.sys -- (RtNdPt60)
DRV:64bit: - [2008/07/15 07:14:10 | 000,395,288 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\iastor.sys -- (iaStor)
DRV:64bit: - [2008/05/20 17:33:36 | 000,028,416 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV:64bit: - [2008/01/20 21:49:47 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\RootMdm.sys -- (ROOTMODEM)
DRV:64bit: - [2008/01/20 21:47:25 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\serscan.sys -- (StillCam)
DRV:64bit: - [2008/01/20 21:46:55 | 000,317,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express)
DRV:64bit: - [2006/11/02 02:48:50 | 002,488,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (R300)
DRV - [2009/06/10 16:21:26 | 000,027,472 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\Windows\SysWOW64\drivers\packet.sys -- (Packet)

[color=#E56717]========== Standard Registry (SafeList) ==========[/color]

[color=#E56717]========== Internet Explorer ==========[/color]

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = »www.bing.com/search?q={searchTer···M=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = »g.msn.com/USCON/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = »www.bing.com/search?q={searchTer···M=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {105E99FF-8B9A-4492-B155-06194B9056D2}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = »www.bing.com/search?q={searchTer···earchBox
IE - HKCU\..\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}: "URL" = »www.bing.com/search?FORM=DLCDF7&···source?}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\2.0.31005.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/10/22 08:06:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/11/03 13:43:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/10/22 08:06:35 | 000,000,000 | ---D | M]

[2012/11/03 13:43:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Steve\AppData\Roaming\Mozilla\Extensions
[2012/11/03 13:43:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/10/24 12:50:58 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/10/24 12:50:17 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/10/24 12:50:17 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/11/11 20:52:04 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Windows\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] Skytel.exe File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKCU..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = File not found
O4 - Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_13)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_13)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} »support.dell.com/systemprofiler/···oExe.CAB (WMI Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} »www.cvsphoto.com/upload/activex/···trol.cab (Photo Upload Plugin Class)
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} »ediagnostics.lexmark.com/serval.cab (Lexmark eDiagnostics Class)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} »java.sun.com/update/1.6.0/jinsta···i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} »platformdl.adobe.com/NOS/getPlus···6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In »static.garmincdn.com/gcp/ie/2.9.···trol.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FFE8D77B-75C9-4F82-9750-78E503788F5F}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter\text/xml - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\1600x1200_black.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\1600x1200_black.jpg
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2012/11/14 20:20:53 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012/11/14 18:37:52 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\mbar-1.01.0.1009
[2012/11/14 05:56:45 | 000,450,352 | ---- | C] (Microsoft Corporation) -- C:\Users\Steve\Desktop\FixitCenter_Run.exe
[2012/11/14 05:49:05 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\WindowsUpdate
[2012/11/13 17:04:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2012/11/13 17:04:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2012/11/12 21:26:57 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/11/11 21:14:14 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\temp
[2012/11/11 20:08:36 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/11/11 20:08:36 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/11/11 20:08:36 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/11/11 20:07:35 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/11/11 20:06:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/11/11 20:05:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/11/11 16:47:42 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Steve\Desktop\abc.exe
[2012/11/11 09:18:06 | 000,000,000 | R--D | C] -- C:\Users\Steve\Dropbox
[2012/11/11 09:14:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Dropbox
[2012/11/11 09:14:25 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2012/11/11 09:13:38 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Dropbox
[2012/11/10 21:18:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/11/10 21:17:42 | 002,322,184 | ---- | C] (ESET) -- C:\Users\Steve\Desktop\esetsmartinstaller_enu.exe
[2012/11/10 20:53:05 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\redirect
[2012/11/10 20:41:32 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Steve\Desktop\otl.exe
[2012/11/10 20:28:38 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Users\Steve\Desktop\TFC.exe
[2012/11/04 19:57:51 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\Macromedia
[2012/11/03 13:43:38 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Mozilla
[2012/11/03 13:43:38 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\Mozilla
[2012/11/03 13:43:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2012/11/03 13:43:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/11/03 13:43:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2012/10/30 19:16:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012/10/30 19:16:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/10/30 19:16:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2012/10/30 17:48:59 | 000,285,328 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2012/10/30 17:47:37 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/10/30 17:47:37 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/10/30 16:06:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/10/30 16:06:44 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/10/21 17:20:55 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Malwarebytes
[2012/10/21 17:20:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/10/21 17:20:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/10/19 06:56:34 | 000,000,000 | -H-D | C] -- C:\ProgramData\McAfee
[8 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2012/11/15 05:25:44 | 000,707,520 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/11/15 05:25:44 | 000,607,406 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/11/15 05:25:44 | 000,105,046 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/11/15 05:17:38 | 000,002,497 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
[2012/11/15 05:17:32 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/15 05:17:32 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/15 05:17:30 | 000,000,288 | ---- | M] () -- C:\Windows\tasks\RtlNICDiagVistaStart.job
[2012/11/15 05:17:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/11/15 05:17:17 | 4258,455,552 | -HS- | M] () -- C:\hiberfil.sys
[2012/11/14 19:05:22 | 000,000,256 | ---- | M] () -- C:\Windows\SysWow64\pool.bin
[2012/11/14 18:37:19 | 012,961,620 | ---- | M] () -- C:\Users\Steve\Desktop\mbar-1.01.0.1009.zip
[2012/11/14 07:09:33 | 000,000,732 | ---- | M] () -- C:\Users\Steve\AppData\Local\d3d9caps64.dat
[2012/11/14 05:56:05 | 000,450,352 | ---- | M] (Microsoft Corporation) -- C:\Users\Steve\Desktop\FixitCenter_Run.exe
[2012/11/13 17:04:03 | 001,410,192 | ---- | M] () -- C:\Users\Steve\Desktop\sar_15_sfx.exe
[2012/11/11 21:21:01 | 000,109,796 | ---- | M] () -- C:\Users\Steve\Desktop\IE_waitingrespone.jpg
[2012/11/11 20:52:04 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/11/11 16:35:19 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Steve\Desktop\abc.exe
[2012/11/11 15:49:46 | 000,431,648 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/11/11 09:18:07 | 000,000,943 | ---- | M] () -- C:\Users\Steve\Desktop\Dropbox.lnk
[2012/11/11 09:14:56 | 000,000,953 | ---- | M] () -- C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2012/11/10 21:17:26 | 002,322,184 | ---- | M] (ESET) -- C:\Users\Steve\Desktop\esetsmartinstaller_enu.exe
[2012/11/10 20:41:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Desktop\otl.exe
[2012/11/10 20:28:04 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Users\Steve\Desktop\TFC.exe
[2012/11/03 13:43:35 | 000,000,914 | ---- | M] () -- C:\Users\Steve\Desktop\Mozilla Firefox.lnk
[2012/11/03 13:43:35 | 000,000,890 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/10/31 18:54:42 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/10/31 18:54:42 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/10/31 18:49:49 | 000,002,341 | ---- | M] () -- C:\Users\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2012/10/30 19:56:19 | 000,007,728 | ---- | M] () -- C:\Users\Steve\AppData\Local\d3d9caps.dat
[2012/10/30 19:16:06 | 000,001,123 | ---- | M] () -- C:\Users\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/10/30 19:16:06 | 000,001,099 | ---- | M] () -- C:\Users\Steve\Desktop\Spybot - Search & Destroy.lnk
[2012/10/30 18:03:18 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2012/10/30 17:40:14 | 000,736,033 | ---- | M] () -- C:\Users\Steve\AppData\Local\census.cache
[2012/10/30 17:39:37 | 000,161,595 | ---- | M] () -- C:\Users\Steve\AppData\Local\ars.cache
[2012/10/30 17:32:19 | 000,000,036 | ---- | M] () -- C:\Users\Steve\AppData\Local\housecall.guid.cache
[2012/10/30 16:06:48 | 000,000,950 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/23 05:17:13 | 000,285,328 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2012/10/21 15:41:32 | 000,000,144 | -H-- | M] () -- C:\ProgramData\-ZQJa3wHRBzOJpLr
[2012/10/21 15:41:32 | 000,000,120 | -H-- | M] () -- C:\ProgramData\-ZQJa3wHRBzOJpL
[8 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2012/11/14 20:27:53 | 4258,455,552 | -HS- | C] () -- C:\hiberfil.sys
[2012/11/14 18:37:32 | 012,961,620 | ---- | C] () -- C:\Users\Steve\Desktop\mbar-1.01.0.1009.zip
[2012/11/14 06:05:09 | 000,000,732 | ---- | C] () -- C:\Users\Steve\AppData\Local\d3d9caps64.dat
[2012/11/13 17:04:32 | 001,410,192 | ---- | C] () -- C:\Users\Steve\Desktop\sar_15_sfx.exe
[2012/11/11 21:21:01 | 000,109,796 | ---- | C] () -- C:\Users\Steve\Desktop\IE_waitingrespone.jpg
[2012/11/11 20:08:36 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/11/11 20:08:36 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/11/11 20:08:36 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/11/11 20:08:36 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/11/11 20:08:36 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/11/11 09:18:07 | 000,000,943 | ---- | C] () -- C:\Users\Steve\Desktop\Dropbox.lnk
[2012/11/11 09:14:56 | 000,000,953 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2012/11/03 13:43:35 | 000,000,914 | ---- | C] () -- C:\Users\Steve\Desktop\Mozilla Firefox.lnk
[2012/11/03 13:43:35 | 000,000,902 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/11/03 13:43:35 | 000,000,890 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/10/30 19:16:06 | 000,001,123 | ---- | C] () -- C:\Users\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/10/30 19:16:06 | 000,001,099 | ---- | C] () -- C:\Users\Steve\Desktop\Spybot - Search & Destroy.lnk
[2012/10/30 17:48:59 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2012/10/30 17:40:14 | 000,736,033 | ---- | C] () -- C:\Users\Steve\AppData\Local\census.cache
[2012/10/30 17:39:37 | 000,161,595 | ---- | C] () -- C:\Users\Steve\AppData\Local\ars.cache
[2012/10/30 17:32:19 | 000,000,036 | ---- | C] () -- C:\Users\Steve\AppData\Local\housecall.guid.cache
[2012/10/30 16:06:48 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/21 15:41:32 | 000,000,144 | -H-- | C] () -- C:\ProgramData\-ZQJa3wHRBzOJpLr
[2012/10/21 15:41:32 | 000,000,120 | -H-- | C] () -- C:\ProgramData\-ZQJa3wHRBzOJpL
[2012/07/21 15:57:08 | 000,064,000 | ---- | C] () -- C:\Windows\unleap.exe
[2011/04/13 19:50:05 | 000,000,378 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\wklnhst.dat
[2010/08/03 19:24:15 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/02/25 19:39:50 | 000,020,992 | ---- | C] () -- C:\Users\Steve\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/28 20:14:59 | 000,007,728 | ---- | C] () -- C:\Users\Steve\AppData\Local\d3d9caps.dat

[color=#E56717]========== ZeroAccess Check ==========[/color]

[2006/11/02 10:30:40 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 12:59:03 | 012,899,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/04/11 02:11:14 | 000,891,392 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\SysWow64\wbem\fastprox.dll -- [2009/04/11 01:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2008/01/20 21:50:58 | 000,513,024 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\SysWow64\wbem\wbemess.dll

[color=#E56717]========== LOP Check ==========[/color]

[2010/01/18 20:01:51 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Doblon
[2012/11/15 05:18:14 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Dropbox
[2010/01/01 16:12:45 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\GARMIN
[2012/10/22 08:07:37 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\IrfanView
[2010/12/05 09:21:26 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\MyPublisher
[2010/04/29 18:53:37 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Pantone
[2009/10/17 06:44:12 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Research In Motion
[2011/04/13 19:50:08 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Template

[color=#E56717]========== Purity Check ==========[/color]

[color=#E56717]========== Alternate Data Streams ==========[/color]

@Alternate Data Stream - 76 bytes -> C:\Users\Steve\Documents\Slideshow.dmsm:Roxio EMC Stream


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26

reply to sirchief
Yes, re the MBAR log. Please attach it to your next post in this thread.



sirchief
Premium
join:2001-12-14
Cromwell, CT

OK, I will try to attach it as a zip file later today. I'm not at the computer in question until later today.

Thanks again.



sirchief
Premium
join:2001-12-14
Cromwell, CT

reply to LoPhatPhuud

system-log.zip 167,819 bytes
MBAR log attached.


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26

reply to sirchief
Thanks for the log. No adverse software was found, but I am checking out the Forged Physical Sector Notation.

It may take a day or two to chase it down. I want to find out if it's a result of the infection and the implication going forward.

