Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91982 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Hijack This [Solved]


  • This topic is locked This topic is locked
47 replies to this topic

#16 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 01 November 2013 - 11:25 AM

Hi vdicaprio,

now we need to do the following:

1. Java
1.1 Uninstall old Java versions:
  • Please go to Start > Control Panel > Programs and Features .
  • Locate all Java Updates
  • Uninstall them all.
1.2 Install latest Java 7 update. Click this link and click on the Free JAVA Download.

1.3 Find here instructions how to clear the java cache.
Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
  • Downloaded Applets
  • Downloaded Applications
  • Installed Applications and Applets
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel.

 

***


2. Malwarebytes' Anti-Malware
Download the free version of Malwarebytes' Anti-Malware and save it to your desktop.
Double-click mbam-setup****.exe and follow the prompts to install the program.
Note to Vista | Windows 7/8 users, please right-click and select Run as Administrator.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware.
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
Note 1: The log can also be found via the Logs tab when Malwarebytes' Anti-Malware is started.
Note 2: If you receive a notice that some of the items couldn't be removed and they have been added to the delete on reboot list, please reboot.


***


3. ESET Online Scanner

Connect any existing external hard drives and / or other removable media.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
  • Push the Back button.
  • Select Uninstall application on close check box and push esetFinish.png

Graduate of the WTT Classroom
Cheers,
Jo

    Advertisements

Register to Remove


#17 vdicaprio

vdicaprio

    Authentic Member

  • Authentic Member
  • PipPip
  • 89 posts

Posted 01 November 2013 - 05:02 PM

Jo

 

I removed old versions of Java but could not install the new version.  The installation failed and I received a "getdefaultBrowserError:2" message.

 

I ran the malware bytes and the eset scanner and the logs are below:

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.01.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jeff :: JEFF [administrator]

11/1/2013 5:31:26 PM
mbam-log-2013-11-01 (17-31-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217968
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\RECYCLER\S-1-5-21-3172651036-2704603105-3109081277-1005\Dc1.exe (PUP.Optional.ExpressInstall.A) -> Quarantined and deleted successfully.

(end)

 

ESET SCAN

C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\6.0\57\8eb45b9-7ef58dbd a variant of Java/Exploit.Agent.PTZ trojan
 

 

Thanks



#18 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 02 November 2013 - 03:32 AM

Hi vdicaprio,

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    
    :Files
    C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\6.0\57\8eb45b9-7ef58dbd
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    
    NOTICE: This script was written specifically for this user, for use on that particular machine.
    Running this on another machine may cause damage to your operating system.
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post Fix OTL log as well as a new OTL log by rerunning it after reboot without custom scans script.

***


Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button.
Download and install the latest Java Runtime Environment (JRE) version for your computer.
 

***


Graduate of the WTT Classroom
Cheers,
Jo

#19 vdicaprio

vdicaprio

    Authentic Member

  • Authentic Member
  • PipPip
  • 89 posts

Posted 02 November 2013 - 07:59 AM

Jo

 

Bad news - i ran the OTL with the fix and then again after the reboot and those logs are below. 

 

However I was unable to get JRE to load again.  When I ran the javara wizard in step 1 it could not find the unintaller.  I ran step 2 which found lots of items associated with JAVA and removed them.  I then ran step 3 (download new JRE) and it never finished.  I closed the wizard and tried to download again mannually and still received the getdefaultbrowsererror 2: message.

 

Now for the bad news, the site you took me to (or the one I ended up on) for down loading the Javara - had malware and it re-infected me.  I ran the AdwCleaner again and it found lots of items.  This log is shown at the end.

 

-------OTLFix Log---------

All processes killed
========== OTL ==========
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794 .
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
========== FILES ==========
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\6.0\57\8eb45b9-7ef58dbd moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Jeff
->Temp folder emptied: 3050725 bytes
->Temporary Internet Files folder emptied: 19509825 bytes
->Java cache emptied: 1334770 bytes
->Flash cache emptied: 933 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3129478 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: NetworkService
->Temp folder emptied: 37918 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 56699 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 78987 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 137823 bytes
 
Total Files Cleaned = 26.00 mb

 

OTL

OTL logfile created on: 11/2/2013 8:14:08 AM - Run 3
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Jeff\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.99 Gb Total Physical Memory | 2.44 Gb Available Physical Memory | 81.75% Memory free
4.83 Gb Paging File | 4.46 Gb Available in Paging File | 92.23% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.25 Gb Total Space | 109.63 Gb Free Space | 78.73% Space Free | Partition Type: NTFS
 
Computer Name: JEFF | User Name: Jeff | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Documents and Settings\Jeff\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Program Files\Microsoft Security Client\MpCmdRun.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
PRC - C:\Program Files\DOS2USB\elsvc.exe ()
PRC - C:\WINDOWS\system32\dkabcoms.exe ( )
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\Dell Network Assistant\hnm_svc.exe (SingleClick Systems)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\WINDOWS\system32\pdf995mon.dll ()
MOD - C:\Program Files\DOS2USB\elsvc.exe ()
MOD - C:\WINDOWS\system32\preflib.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()
MOD - C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\dlaapi_w.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (sprtsvc_dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter File not found
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (CarboniteService) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
SRV - (Autodesk Licensing Service) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
SRV - (elAPIsvc) -- C:\Program Files\DOS2USB\elsvc.exe ()
SRV - (dkab_device) -- C:\WINDOWS\system32\dkabcoms.exe ( )
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (DellAMBrokerService) -- C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe ()
SRV - (hnmsvc) -- C:\Program Files\Dell Network Assistant\hnm_svc.exe (SingleClick Systems)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (WDICA) --  File not found
DRV - (PDRFRAME) --  File not found
DRV - (PDRELI) --  File not found
DRV - (PDFRAME) --  File not found
DRV - (PDCOMP) --  File not found
DRV - (PCIDump) --  File not found
DRV - (lbrtfdc) --  File not found
DRV - (Changer) --  File not found
DRV - (catchme) -- C:\DOCUME~1\Jeff\LOCALS~1\Temp\catchme.sys File not found
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation                           )
DRV - (O2SDRDR) -- C:\WINDOWS\system32\drivers\o2sd.sys (O2Micro )
DRV - (O2MDRDR) -- C:\WINDOWS\system32\drivers\o2media.sys (O2Micro )
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (datunidr) -- C:\WINDOWS\system32\drivers\datunidr.sys (Gteko Ltd.)
DRV - (DLADResM) -- C:\WINDOWS\system32\drivers\DLADResM.SYS (Roxio)
DRV - (DLABMFSM) -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS (Roxio)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS (Roxio)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS (Roxio)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS (Roxio)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS (Roxio)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS (Roxio)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS (Roxio)
DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Roxio)
DRV - (Packet) -- C:\WINDOWS\system32\drivers\packet.sys (SingleClick Systems)
DRV - (PTproct) -- C:\Program Files\DellAutomatedPCTuneUp\GTAction\triggers\PTproct.sys (Gteko Ltd.)
DRV - (APPDRV) -- C:\WINDOWS\system32\drivers\APPDRV.SYS (Dell Inc)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080904
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080904
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {DEC54E9A-A441-4B15-8AFF-FE57F978619F}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6D847C66-4573-4D5D-B07B-F81C8AC872E3}: "URL" = http://delicious.com...?p={searchTerms}
IE - HKCU\..\SearchScopes\{8C80695A-5A4F-4A6F-A826-183C8E3EA926}: "URL" = http://www.flickr.co...?q={searchTerms}
IE - HKCU\..\SearchScopes\{DEC54E9A-A441-4B15-8AFF-FE57F978619F}: "URL" = http://search.yahoo....f-8&fr=chr-yie8
IE - HKCU\..\SearchScopes\{FA17FB25-75B8-4665-B6AA-5F88C81D4CC4}: "URL" = http://rover.ebay.co...le={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
 
 
O1 HOSTS File: ([2013/10/30 15:34:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: bxcleve.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: bxohio.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: localhost ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: private-planroom.com ([subs] http in Trusted sites)
O15 - HKCU\..Trusted Domains: private-planroom.com ([www] http in Trusted sites)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternati...x-w32-2.0.1.cab (AlternaTIFF ActiveX)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4A769165-055C-4566-ABBB-3EA82DD4F8AE} http://www.ipinviewe...all/IVSLite.CAB (IVSLite.FastViewer)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1296769982640 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.we...ent/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1335B6E7-E3A1-4A35-B017-7332703EB27C}: DhcpNameServer = 192.168.254.254
O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 17:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/11/02 08:02:49 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/11/01 17:50:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2013/11/01 17:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/11/01 17:30:41 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/11/01 17:30:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/11/01 17:28:25 | 010,285,040 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Jeff\Desktop\mbam-setup-1.75.0.1300.exe
[2013/11/01 14:40:22 | 000,094,632 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/11/01 14:40:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Java
[2013/11/01 14:40:07 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/11/01 14:40:07 | 000,174,504 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/11/01 07:44:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/11/01 07:44:10 | 001,033,335 | ---- | C] (Thisisu) -- C:\Documents and Settings\Jeff\Desktop\JRT.exe
[2013/10/31 17:42:43 | 000,000,000 | ---D | C] -- C:\RegBackup
[2013/10/31 17:42:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com
[2013/10/31 17:42:17 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
[2013/10/31 12:52:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/10/31 12:51:43 | 000,359,085 | ---- | C] (Farbar) -- C:\Documents and Settings\Jeff\Desktop\FSS.exe
[2013/10/30 15:26:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/10/30 15:26:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/10/30 15:26:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/10/30 15:26:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/10/30 15:26:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/10/30 13:19:11 | 005,137,879 | R--- | C] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
[2013/10/30 07:48:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Desktop\mbar
[2013/10/30 07:29:17 | 012,576,792 | ---- | C] (Malwarebytes Corp.) -- C:\Documents and Settings\Jeff\Desktop\mbar-1.07.0.1007.exe
[2013/10/30 07:28:27 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
[2013/10/28 17:55:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Start Menu\Programs\HiJackThis
[2013/10/28 17:55:49 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2013/10/28 14:53:31 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jeff\Recent
[2013/10/11 18:24:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft Antimalware
[2013/10/10 09:14:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\dpWW3333
[2013/10/10 07:55:37 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidparse.sys
[2013/10/10 07:55:37 | 000,014,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2013/10/10 07:55:08 | 000,032,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2013/10/10 07:55:08 | 000,030,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbehci.sys
[2013/10/10 07:55:08 | 000,005,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbd.sys
 
========== Files - Modified Within 30 Days ==========
 
[2013/11/02 08:13:56 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/11/02 08:04:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/11/02 08:03:53 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/11/02 08:03:50 | 000,002,048 | ---- | M] () -- C:\WINDOWS\bootstat.dat
[2013/11/02 08:03:48 | 3211,186,176 | -HS- | M] () -- C:\hiberfil.sys
[2013/11/02 08:02:54 | 001,093,646 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/11/02 08:02:54 | 000,343,722 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/11/01 18:49:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/11/01 18:22:15 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/11/01 17:30:46 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/11/01 17:28:35 | 010,285,040 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Jeff\Desktop\mbam-setup-1.75.0.1300.exe
[2013/11/01 17:20:46 | 000,094,632 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/11/01 16:01:40 | 000,000,422 | ---- | M] () -- C:\WINDOWS\tasks\SystemToolsDailyTest.job
[2013/11/01 14:40:07 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/11/01 14:40:07 | 000,174,504 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/11/01 07:44:14 | 001,033,335 | ---- | M] (Thisisu) -- C:\Documents and Settings\Jeff\Desktop\JRT.exe
[2013/10/31 17:54:48 | 000,359,085 | ---- | M] (Farbar) -- C:\Documents and Settings\Jeff\Desktop\FSS.exe
[2013/10/31 17:43:39 | 000,023,596 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\RemoteAccess.reg
[2013/10/31 17:42:19 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Tweaking.com - Registry Backup.lnk
[2013/10/31 17:41:17 | 003,859,661 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\tweaking.com_registry_backup_setup.exe
[2013/10/31 12:11:07 | 001,060,070 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\AdwCleaner.exe
[2013/10/30 15:34:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/10/30 13:19:15 | 005,137,879 | R--- | M] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
[2013/10/30 08:46:38 | 000,000,124 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\Control Panel.lnk
[2013/10/30 07:29:31 | 012,576,792 | ---- | M] (Malwarebytes Corp.) -- C:\Documents and Settings\Jeff\Desktop\mbar-1.07.0.1007.exe
[2013/10/30 07:28:29 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
[2013/10/30 07:28:12 | 000,891,172 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\SecurityCheck.exe
[2013/10/29 18:06:43 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\HiJackThis.lnk
[2013/10/29 12:41:24 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/10/28 17:48:26 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\HiJackThis.msi
[2013/10/26 13:59:01 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2013/10/23 08:14:02 | 000,000,564 | ---- | M] () -- C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job
[2013/10/16 08:00:07 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/10/11 15:25:51 | 000,409,488 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/10/11 14:11:03 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\Microsoft Word.lnk
[2013/10/11 12:59:29 | 000,000,102 | ---- | M] () -- C:\Documents and Settings\Jeff\Application Data\mbam.context.scan
[2013/10/09 10:22:53 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/10/09 10:22:53 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
 
========== Files Created - No Company Name ==========
 
[2013/11/01 17:30:46 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/10/31 17:43:39 | 000,023,596 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\RemoteAccess.reg
[2013/10/31 17:42:19 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Tweaking.com - Registry Backup.lnk
[2013/10/31 17:41:13 | 003,859,661 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\tweaking.com_registry_backup_setup.exe
[2013/10/31 12:11:04 | 001,060,070 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\AdwCleaner.exe
[2013/10/30 15:26:41 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/10/30 15:26:41 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/10/30 15:26:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/10/30 15:26:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/10/30 15:26:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/10/30 08:46:38 | 000,000,124 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\Control Panel.lnk
[2013/10/30 07:28:07 | 000,891,172 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\SecurityCheck.exe
[2013/10/28 17:55:52 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\HiJackThis.lnk
[2013/10/28 17:48:25 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\HiJackThis.msi
[2013/10/14 14:01:27 | 000,337,928 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2013/10/11 12:59:29 | 000,000,102 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\mbam.context.scan
[2013/06/10 08:13:59 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/06/10 08:13:44 | 000,413,738 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2012/02/16 11:08:43 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/10/14 17:08:43 | 000,010,534 | ---- | C] () -- C:\Documents and Settings\All Users\snddrv.sys
[2010/10/14 17:08:42 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jeff\dos2usb.spl
[2009/02/12 17:38:57 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/29 10:55:42 | 000,080,592 | ---- | C] () -- C:\Documents and Settings\Jeff\Gwbasic.exe
[2008/10/29 10:54:23 | 000,054,310 | -H-- | C] () -- C:\Documents and Settings\Jeff\F95dbj.bas
[2008/10/29 10:54:23 | 000,000,040 | ---- | C] () -- C:\Documents and Settings\Jeff\FWH.BAT
[2008/10/29 10:54:23 | 000,000,039 | ---- | C] () -- C:\Documents and Settings\Jeff\ccbw.bat
[2008/10/29 10:54:23 | 000,000,029 | ---- | C] () -- C:\Documents and Settings\Jeff\cend.bat
[2008/10/17 10:19:54 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\fusioncache.dat
 
========== ZeroAccess Check ==========
 
[2008/04/25 17:34:35 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/06/26 04:15:29 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 08:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

 

 

-----AdwCleaner log-------------

# AdwCleaner v3.010 - Report created 02/11/2013 at 09:36:28
# Updated 20/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Jeff - JEFF
# Running from : C:\Documents and Settings\Jeff\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : CltMngSvc
[#] Service Deleted : dealplylive
[#] Service Deleted : dealplylivem
[#] Service Deleted : IBUpdaterService

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\All Users\Application Data\DealPlyLive
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\DealPly
Folder Deleted : C:\Program Files\DealPlyLive
Folder Deleted : C:\Program Files\Searchprotect
Folder Deleted : C:\Program Files\Wajam
Folder Deleted : C:\Program Files\SweetPacks
Folder Deleted : C:\WINDOWS\system32\ARFC
Folder Deleted : C:\WINDOWS\system32\jmdp
Folder Deleted : C:\WINDOWS\system32\WNLT
Folder Deleted : C:\Documents and Settings\Jeff\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Jeff\Local Settings\Application Data\DealPlyLive
Folder Deleted : C:\Documents and Settings\Jeff\Local Settings\Application Data\SweetPacks
Folder Deleted : C:\Documents and Settings\Jeff\Application Data\DealPly
Folder Deleted : C:\Documents and Settings\Jeff\Application Data\Searchprotect
Folder Deleted : C:\Documents and Settings\Jeff\Start Menu\Programs\Wajam
Folder Deleted : C:\Documents and Settings\Jeff\My Documents\PC Health Kit
File Deleted : C:\END
File Deleted : C:\WINDOWS\system32\dmwu.exe
File Deleted : C:\WINDOWS\system32\ImhxxpComm.dll
File Deleted : C:\WINDOWS\Tasks\DealPlyLiveUpdateTaskMachineCore.job
File Deleted : C:\WINDOWS\Tasks\DealPlyLiveUpdateTaskMachineUA.job

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\DealPly
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [SearchProtect]
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dealplylive.exe
Key Deleted : HKLM\SOFTWARE\Classes\AppID\priam_bho.DLL
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLive.OneClickCtrl.9
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLive.OneClickProcessLauncherMachine
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLive.OneClickProcessLauncherMachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLive.Update3WebControl.3
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.CoCreateAsync
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.CoCreateAsync.1.0
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.coreclass
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.CoreClass.1
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.CoreMachineClass
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.CoreMachineClass.1
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.credentialdialogmachine
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.credentialdialogmachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.ondemandcomclassmachine
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.OnDemandCOMClassMachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.ondemandcomclassmachinefallback
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.ondemandcomclassmachinefallback.1.0
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.OnDemandCOMClassSvc
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.ondemandcomclasssvc.1.0
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.ProcessLauncher
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.ProcessLauncher.1.0
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.Update3COMClassService
Key Deleted : HKLM\SOFTWARE\Classes\DealPlyLiveUpdate.Update3COMClassService.1.0
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.update3webmachine
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.update3webmachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.update3webmachinefallback
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.update3webmachinefallback.1.0
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.update3websvc
Key Deleted : HKLM\SOFTWARE\Classes\dealplyliveupdate.update3websvc.1.0
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO.1
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dealplylive.exe
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@tools.dpliveupdate.com/DealPlyLive Update;version=3
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@tools.dpliveupdate.com/DealPlyLive Update;version=9
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3153924
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3310511
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{80FABB17-63AF-4655-9F07-B6509EE37AF2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{F48FC5B2-094A-44C7-B48C-289738C9582D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0D89DE71-3D99-4288-84DC-F18F1047A7D8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1E0C9B2A-6447-452C-B012-2314A0C29412}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{34A8CEB6-89BB-49F1-B5E4-0D0D6C21F3B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3A4DBD3A-98CC-41CE-AD21-352D42B6F754}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4F8A50F6-69DE-4BE3-A33A-A1079B9AC0DB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{501CB57A-D4E2-4855-96AD-EDB0A9083395}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6FF2C4DD-77A4-4BB5-BA4C-B42DEFBF9137}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80FABB17-63AF-4655-9F07-B6509EE37AF2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{83ABA270-8390-4CA6-AE48-FC089F55629E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8B218A5F-1A3D-4347-94EF-A79575EB8094}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8C338DDB-19FC-4C1F-B74D-6931EE55F7A1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9BDB5E09-4BBA-4422-8C2B-529B281C32B8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C536F080-57B7-46D6-8894-C647553F2889}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CA5D945F-E738-4D0B-A0B5-25AC51C64659}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F48FC5B2-094A-44C7-B48C-289738C9582D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F7698761-4ABA-45C2-A5BB-D2163922C725}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFCC53E6-2655-47FC-A89B-54E8D7F305D1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E8A1050-CF67-4575-92DF-DCC60E7D952D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5E6C03E0-D368-4690-8168-9848D4C0F587}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE48ED75-5A56-4C5F-BBCE-6F1AC3875F66}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D77AA852-DEF3-43CB-A3F5-BD679DE72F32}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE48ED75-5A56-4C5F-BBCE-6F1AC3875F66}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D77AA852-DEF3-43CB-A3F5-BD679DE72F32}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7E8A1050-CF67-4575-92DF-DCC60E7D952D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F1796B2-BEC6-427B-B734-F9C75ED94A80}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8C338DDB-19FC-4C1F-B74D-6931EE55F7A1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5E6C03E0-D368-4690-8168-9848D4C0F587}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{7E8A1050-CF67-4575-92DF-DCC60E7D952D}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{7E8A1050-CF67-4575-92DF-DCC60E7D952D}]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\WINDOWS\system32\ARFC\wrtc.exe]
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\DealPlyLive
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\smartbar
Key Deleted : HKCU\Software\SweetPacks
Key Deleted : HKCU\Software\Wajam
Key Deleted : HKCU\Software\wnlt
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DealPlyLive
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\SweetPacks
Key Deleted : HKLM\Software\Wajam
Key Deleted : HKLM\Software\wnlt
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wnlt
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\wnlt

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

*************************

AdwCleaner[R0].txt - [842 octets] - [28/09/2013 12:10:55]
AdwCleaner[R1].txt - [1048 octets] - [31/10/2013 12:14:29]
AdwCleaner[R2].txt - [1109 octets] - [01/11/2013 07:32:19]
AdwCleaner[R3].txt - [10945 octets] - [02/11/2013 09:35:42]
AdwCleaner[S0].txt - [908 octets] - [28/09/2013 12:11:48]
AdwCleaner[S1].txt - [1179 octets] - [01/11/2013 07:33:09]
AdwCleaner[S2].txt - [10965 octets] - [02/11/2013 09:36:28]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [11026 octets] ##########

 

 

Thanks again for all the help
 



#20 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 02 November 2013 - 10:02 AM

Hi vdicaprio,

I'm so sorry to hear about that.

Run Junkware Removal Tool again.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Run OTL again.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • don't check the boxes beside LOP Check and Purity Check this time.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open a notepad window OTL.Txt.
  • Please copy (Edit->Select All, Edit->Copy) the content of the file and post it with your next reply.

Graduate of the WTT Classroom
Cheers,
Jo

#21 vdicaprio

vdicaprio

    Authentic Member

  • Authentic Member
  • PipPip
  • 89 posts

Posted 02 November 2013 - 11:23 AM

Jo

 

JRT and OTL logs below:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:3)
OS: Microsoft Windows XP x86
Ran by Jeff on Sat 11/02/2013 at 12:58:05.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{77CE90E1-267F-45CE-BDE4-0F7BA49D2EB9}

 

~~~ Files

Successfully deleted: [File] "C:\Documents and Settings\Jeff\appdata\locallow\SkwConfig.bin"

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 11/02/2013 at 13:01:09.46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

OTL logfile created on: 11/2/2013 1:15:40 PM - Run 4
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Jeff\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.99 Gb Total Physical Memory | 2.49 Gb Available Physical Memory | 83.29% Memory free
4.83 Gb Paging File | 4.55 Gb Available in Paging File | 94.09% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.25 Gb Total Space | 109.43 Gb Free Space | 78.59% Space Free | Partition Type: NTFS
 
Computer Name: JEFF | User Name: Jeff | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\WINDOWS\Installer\MSI40.tmp ()
PRC - C:\Documents and Settings\Jeff\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
PRC - C:\Program Files\DOS2USB\elsvc.exe ()
PRC - C:\WINDOWS\system32\dkabcoms.exe ( )
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\Dell Network Assistant\hnm_svc.exe (SingleClick Systems)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\WINDOWS\Installer\MSI40.tmp ()
MOD - C:\WINDOWS\system32\pdf995mon.dll ()
MOD - C:\Program Files\DOS2USB\elsvc.exe ()
MOD - C:\WINDOWS\system32\preflib.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()
MOD - C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\dlaapi_w.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (WajamUpdaterV3) -- C:\Program Files\Wajam\Updater\WajamUpdaterV3.exe File not found
SRV - (sprtsvc_dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter File not found
SRV - (Level Quality Watcher) -- C:\WINDOWS\Installer\MSI40.tmp ()
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (CarboniteService) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
SRV - (Autodesk Licensing Service) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
SRV - (elAPIsvc) -- C:\Program Files\DOS2USB\elsvc.exe ()
SRV - (dkab_device) -- C:\WINDOWS\system32\dkabcoms.exe ( )
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (DellAMBrokerService) -- C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe ()
SRV - (hnmsvc) -- C:\Program Files\Dell Network Assistant\hnm_svc.exe (SingleClick Systems)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (WDICA) --  File not found
DRV - (PDRFRAME) --  File not found
DRV - (PDRELI) --  File not found
DRV - (PDFRAME) --  File not found
DRV - (PDCOMP) --  File not found
DRV - (PCIDump) --  File not found
DRV - (lbrtfdc) --  File not found
DRV - (Changer) --  File not found
DRV - (catchme) -- C:\DOCUME~1\Jeff\LOCALS~1\Temp\catchme.sys File not found
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation                           )
DRV - (O2SDRDR) -- C:\WINDOWS\system32\drivers\o2sd.sys (O2Micro )
DRV - (O2MDRDR) -- C:\WINDOWS\system32\drivers\o2media.sys (O2Micro )
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (datunidr) -- C:\WINDOWS\system32\drivers\datunidr.sys (Gteko Ltd.)
DRV - (DLADResM) -- C:\WINDOWS\system32\drivers\DLADResM.SYS (Roxio)
DRV - (DLABMFSM) -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS (Roxio)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS (Roxio)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS (Roxio)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS (Roxio)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS (Roxio)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS (Roxio)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS (Roxio)
DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Roxio)
DRV - (Packet) -- C:\WINDOWS\system32\drivers\packet.sys (SingleClick Systems)
DRV - (PTproct) -- C:\Program Files\DellAutomatedPCTuneUp\GTAction\triggers\PTproct.sys (Gteko Ltd.)
DRV - (APPDRV) -- C:\WINDOWS\system32\drivers\APPDRV.SYS (Dell Inc)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080904
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080904
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {77CE90E1-267F-45CE-BDE4-0F7BA49D2EB9}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6D847C66-4573-4D5D-B07B-F81C8AC872E3}: "URL" = http://delicious.com...?p={searchTerms}
IE - HKCU\..\SearchScopes\{8C80695A-5A4F-4A6F-A826-183C8E3EA926}: "URL" = http://www.flickr.co...?q={searchTerms}
IE - HKCU\..\SearchScopes\{DEC54E9A-A441-4B15-8AFF-FE57F978619F}: "URL" = http://search.yahoo....f-8&fr=chr-yie8
IE - HKCU\..\SearchScopes\{FA17FB25-75B8-4665-B6AA-5F88C81D4CC4}: "URL" = http://rover.ebay.co...le={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
 
 
O1 HOSTS File: ([2013/10/30 15:34:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: bxcleve.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: bxohio.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: localhost ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: private-planroom.com ([subs] http in Trusted sites)
O15 - HKCU\..Trusted Domains: private-planroom.com ([www] http in Trusted sites)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternati...x-w32-2.0.1.cab (AlternaTIFF ActiveX)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4A769165-055C-4566-ABBB-3EA82DD4F8AE} http://www.ipinviewe...all/IVSLite.CAB (IVSLite.FastViewer)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1296769982640 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.we...ent/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1335B6E7-E3A1-4A35-B017-7332703EB27C}: DhcpNameServer = 192.168.254.254
O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 17:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/11/02 08:33:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\AppData
[2013/11/02 08:32:58 | 000,773,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr100.dll
[2013/11/02 08:32:58 | 000,632,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr80.dll
[2013/11/02 08:32:58 | 000,554,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp80.dll
[2013/11/02 08:32:58 | 000,479,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcm80.dll
[2013/11/02 08:32:58 | 000,421,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp100.dll
[2013/11/02 08:32:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Desktop\JavaRa23zip
[2013/11/02 08:32:15 | 000,000,000 | ---D | C] -- C:\Program Files\Level Quality Watcher
[2013/11/02 08:02:49 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/11/01 17:50:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2013/11/01 17:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/11/01 17:30:41 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/11/01 17:30:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/11/01 17:28:25 | 010,285,040 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Jeff\Desktop\mbam-setup-1.75.0.1300.exe
[2013/11/01 14:40:22 | 000,094,632 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/11/01 14:40:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Java
[2013/11/01 14:40:07 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/11/01 14:40:07 | 000,174,504 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/11/01 07:44:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/11/01 07:44:10 | 001,033,335 | ---- | C] (Thisisu) -- C:\Documents and Settings\Jeff\Desktop\JRT.exe
[2013/10/31 17:42:43 | 000,000,000 | ---D | C] -- C:\RegBackup
[2013/10/31 17:42:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com
[2013/10/31 17:42:17 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
[2013/10/31 12:52:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/10/31 12:51:43 | 000,359,085 | ---- | C] (Farbar) -- C:\Documents and Settings\Jeff\Desktop\FSS.exe
[2013/10/30 15:26:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/10/30 15:26:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/10/30 15:26:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/10/30 15:26:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/10/30 15:26:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/10/30 13:19:11 | 005,137,879 | R--- | C] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
[2013/10/30 07:48:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Desktop\mbar
[2013/10/30 07:29:17 | 012,576,792 | ---- | C] (Malwarebytes Corp.) -- C:\Documents and Settings\Jeff\Desktop\mbar-1.07.0.1007.exe
[2013/10/30 07:28:27 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
[2013/10/28 17:55:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Start Menu\Programs\HiJackThis
[2013/10/28 17:55:49 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2013/10/28 14:53:31 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jeff\Recent
[2013/10/11 18:24:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft Antimalware
[2013/10/10 09:14:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\dpWW3333
[2013/10/10 07:55:37 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidparse.sys
[2013/10/10 07:55:37 | 000,014,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2013/10/10 07:55:08 | 000,032,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2013/10/10 07:55:08 | 000,030,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbehci.sys
[2013/10/10 07:55:08 | 000,005,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbd.sys
 
========== Files - Modified Within 30 Days ==========
 
[2013/11/02 12:49:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/11/02 12:22:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/11/02 09:47:48 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/11/02 09:38:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/11/02 09:37:51 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/11/02 09:37:44 | 000,002,048 | ---- | M] () -- C:\WINDOWS\bootstat.dat
[2013/11/02 09:37:42 | 3211,186,176 | -HS- | M] () -- C:\hiberfil.sys
[2013/11/02 09:02:33 | 000,094,632 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/11/02 08:41:57 | 000,000,410 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013/11/02 08:30:12 | 000,596,840 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\javara-setup.exe
[2013/11/02 08:02:54 | 001,093,646 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/11/02 08:02:54 | 000,343,722 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/11/01 17:30:46 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/11/01 17:28:35 | 010,285,040 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Jeff\Desktop\mbam-setup-1.75.0.1300.exe
[2013/11/01 16:01:40 | 000,000,422 | ---- | M] () -- C:\WINDOWS\tasks\SystemToolsDailyTest.job
[2013/11/01 14:40:07 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/11/01 14:40:07 | 000,174,504 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/11/01 07:44:14 | 001,033,335 | ---- | M] (Thisisu) -- C:\Documents and Settings\Jeff\Desktop\JRT.exe
[2013/10/31 17:54:48 | 000,359,085 | ---- | M] (Farbar) -- C:\Documents and Settings\Jeff\Desktop\FSS.exe
[2013/10/31 17:43:39 | 000,023,596 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\RemoteAccess.reg
[2013/10/31 17:42:19 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Tweaking.com - Registry Backup.lnk
[2013/10/31 17:41:17 | 003,859,661 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\tweaking.com_registry_backup_setup.exe
[2013/10/31 12:11:07 | 001,060,070 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\AdwCleaner.exe
[2013/10/30 15:34:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/10/30 13:19:15 | 005,137,879 | R--- | M] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
[2013/10/30 08:46:38 | 000,000,124 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\Control Panel.lnk
[2013/10/30 07:29:31 | 012,576,792 | ---- | M] (Malwarebytes Corp.) -- C:\Documents and Settings\Jeff\Desktop\mbar-1.07.0.1007.exe
[2013/10/30 07:28:29 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
[2013/10/30 07:28:12 | 000,891,172 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\SecurityCheck.exe
[2013/10/29 18:06:43 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\HiJackThis.lnk
[2013/10/29 12:41:24 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/10/28 17:48:26 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\HiJackThis.msi
[2013/10/26 13:59:01 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2013/10/23 08:14:02 | 000,000,564 | ---- | M] () -- C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job
[2013/10/16 08:00:07 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/10/11 15:25:51 | 000,409,488 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/10/11 14:11:03 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\Microsoft Word.lnk
[2013/10/11 12:59:29 | 000,000,102 | ---- | M] () -- C:\Documents and Settings\Jeff\Application Data\mbam.context.scan
[2013/10/09 10:22:53 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/10/09 10:22:53 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
 
========== Files Created - No Company Name ==========
 
[2013/11/02 08:41:57 | 000,000,410 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2013/11/02 08:30:10 | 000,596,840 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\javara-setup.exe
[2013/11/01 17:30:46 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/10/31 17:43:39 | 000,023,596 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\RemoteAccess.reg
[2013/10/31 17:42:19 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Tweaking.com - Registry Backup.lnk
[2013/10/31 17:41:13 | 003,859,661 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\tweaking.com_registry_backup_setup.exe
[2013/10/31 12:11:04 | 001,060,070 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\AdwCleaner.exe
[2013/10/30 15:26:41 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/10/30 15:26:41 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/10/30 15:26:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/10/30 15:26:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/10/30 15:26:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/10/30 08:46:38 | 000,000,124 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\Control Panel.lnk
[2013/10/30 07:28:07 | 000,891,172 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\SecurityCheck.exe
[2013/10/28 17:55:52 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\HiJackThis.lnk
[2013/10/28 17:48:25 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\HiJackThis.msi
[2013/10/14 14:01:27 | 000,337,928 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2013/10/11 12:59:29 | 000,000,102 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\mbam.context.scan
[2013/06/10 08:13:59 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/06/10 08:13:44 | 000,413,738 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2012/02/16 11:08:43 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/10/14 17:08:43 | 000,010,534 | ---- | C] () -- C:\Documents and Settings\All Users\snddrv.sys
[2010/10/14 17:08:42 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jeff\dos2usb.spl
[2009/02/12 17:38:57 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/29 10:55:42 | 000,080,592 | ---- | C] () -- C:\Documents and Settings\Jeff\Gwbasic.exe
[2008/10/29 10:54:23 | 000,054,310 | -H-- | C] () -- C:\Documents and Settings\Jeff\F95dbj.bas
[2008/10/29 10:54:23 | 000,000,040 | ---- | C] () -- C:\Documents and Settings\Jeff\FWH.BAT
[2008/10/29 10:54:23 | 000,000,039 | ---- | C] () -- C:\Documents and Settings\Jeff\ccbw.bat
[2008/10/29 10:54:23 | 000,000,029 | ---- | C] () -- C:\Documents and Settings\Jeff\cend.bat
[2008/10/17 10:19:54 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\fusioncache.dat
 
========== ZeroAccess Check ==========
 
[2008/04/25 17:34:35 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/06/26 04:15:29 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 08:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D346F792

< End of report >

 

Thanks Vdicaprio



#22 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 04 November 2013 - 04:49 AM

Hi vdicaprio,

Run Security Check again.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Download and run SUPERAntiSpyware Portable Scanner Personal Edition
Do not remove found threats and post the log.
 

***


ESET Online Scanner

Connect any existing external hard drives and / or other removable media.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
  • Push the Back button.
  • Select Uninstall application on close check box and push esetFinish.png

Graduate of the WTT Classroom
Cheers,
Jo

#23 vdicaprio

vdicaprio

    Authentic Member

  • Authentic Member
  • PipPip
  • 89 posts

Posted 04 November 2013 - 08:25 AM

Jo

 

I ran the scans and the logs are below:

 

SECURITY CHECK

 

 Results of screen317's Security Check version 0.99.75 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 4.6   
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Adobe Reader 10.1.8 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 7%
````````````````````End of Log``````````````````````

 

 

SUPERANTI SPYWARE

 

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/04/2013 at 08:40 AM

Application Version : 5.6.1040

Core Rules Database Version : 10871
Trace Rules Database Version: 8683

Scan type       : Quick Scan
Total Scan Time : 00:04:12

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 509
Memory threats detected   : 0
Registry items scanned    : 32531
Registry threats detected : 0
File items scanned        : 6942
File threats detected     : 2

Adware.Tracking Cookie
 C:\Documents and Settings\Jeff\Cookies\DN3G2Z4L.txt [ /serving-sys.com ]
 C:\Documents and Settings\Jeff\Cookies\UHQH4C25.txt [ /doubleclick.net ]

 

ESET

 

C:\_OTL\MovedFiles\11022013_080249\C_Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\6.0\57\8eb45b9-7ef58dbd a variant of Java/Exploit.Agent.PTZ trojan
 

Thanks Vdicaprio



#24 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 05 November 2013 - 02:56 AM

Hi vdicaprio,

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    @Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D346F792
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    
    NOTICE: This script was written specifically for this user, for use on that particular machine.
    Running this on another machine may cause damage to your operating system.
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post Fix OTL log as well as a new OTL log by rerunning it after reboot without custom scans script.

***


Uninstall old versions:
Please go to Start > Control Panel > Add Remove Programs.

Locate the following programs:
  • Adobe Reader 10
Uninstall it.

Install Latest Adobe Reader:
  • Go to http://get.adobe.com.../otherversions/
  • Use the drop down menu's to select your operating system
  • Select your language > Select The current version of Adobe Reader for your language
  • Remove the check mark from the box "Install Chrome as standard browser and Google Toolbar for Internet explorer"
  • Click the Download button, and follow the onscreen directions to complete the installation.

Graduate of the WTT Classroom
Cheers,
Jo

#25 vdicaprio

vdicaprio

    Authentic Member

  • Authentic Member
  • PipPip
  • 89 posts

Posted 05 November 2013 - 06:34 AM

Jo

 

I ran OTL but I must have done something different, I can find one of the logs.  The only one I found it below:

 

All processes killed
========== OTL ==========
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D346F792 deleted successfully.
========== FILES ==========
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Jeff
->Temp folder emptied: 49063331 bytes
->Temporary Internet Files folder emptied: 5503802 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 492 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: NetworkService
->Temp folder emptied: 15448 bytes
->Temporary Internet Files folder emptied: 33507 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 39011 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 117607 bytes
 
Total Files Cleaned = 52.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 11052013_071609

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\c[1].gif not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\desktop.ini not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\dt131102[1].jpg not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\editor[1].css not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\esetScanArchives[1].png not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\favicon[1].ico not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\g[1].gif not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\icons[1].png not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\icon_expand_close[1].png not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\icon_users[1].png not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\ifm[1].htm not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\iframe_20101028165000[1].js not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\index[1].php not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\index[2].php not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\ipb[1].js not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\ips_config[1].js not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\ips_emoticon[1].png not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\itxt_1382536355[1].js not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\jquery.min[1].js not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\loading[1].gif not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\loading[2].gif not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\loading[3].gif not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\metrics_1329390699[1].js not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\mia[1].gif not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\nessie_icon_chevron_white[1].png not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\nj-mall_120x48_1383635245[1].jpg not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\p1[1].gif not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\p2[1].gif not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\photo-1153[1].gif not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\pixel[1].gif not found!
File\Folder C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\73PAT3FU\PostComLeft[1].png not found!
C:\WINDOWS\temp\Perflib_Perfdata_f6c.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

 

Thanks Vdicaprio


    Advertisements

Register to Remove


#26 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 06 November 2013 - 05:23 AM

Hi vdicaprio,

well done. :)

It Appears That Your Pc Is Now Clean!
 

***


Clean up:
We used Combofix.
Deactivate your antivirus software once more.
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

    CF-Uninstall.png
Enable your antivirus software.


***

Double-click AdwCleaner.exe to run the tool.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Files
    C:\Documents and Settings\Jeff\Desktop\JRT.exe
    C:\Documents and Settings\Jeff\Desktop\FSS.exe
    C:\Documents and Settings\Jeff\Desktop\mbar
    C:\Documents and Settings\Jeff\Desktop\mbar-1.07.0.1007.exe
    C:\Documents and Settings\Jeff\Desktop\RemoteAccess.reg
    C:\Documents and Settings\Jeff\Desktop\SecurityCheck.exe
    
    :Commands
    [emptytemp]
    [clearallrestorepoints]
    
  • Close all other programs apart from OTL as this step may require a reboot
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Say Yes to the prompt and then allow the program to reboot your computer.

***


Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.


***


Here are some Preventive tips to reduce the potential for spyware infection in the future:

1. Browse more secure2. Enable Protected Mode in Internet Explorer.
  • This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
  • Open Internet Explorer
  • Click on Tools > Internet Options
  • Press Security tab
  • Select Internet zone then place check next to Enable Protected Mode if not already done
  • Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
  • Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).
4. Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important chanel to spread their wares.
5. Use only one anti-virus software and keep it up-to-date.

6. Firewall
Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

7. Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

8. Use Strong passwords!

9. Email attachments
Do not open any unknown email attachments, which you received without asking for it!


Extra note:
Keep your Browser, Java, pdf Reader and Adobe Flash Up to Date.
Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
Graduate of the WTT Classroom
Cheers,
Jo

#27 vdicaprio

vdicaprio

    Authentic Member

  • Authentic Member
  • PipPip
  • 89 posts

Posted 06 November 2013 - 09:29 AM

Jo

 

Thanks for all your help.  Things are running better but I do have a few more clean up questions:

 

We installed Malwarebytes AntiMalware, SUPER AntiSpyware and Tweaking.com-Registry Backup.  These still reside on the machine and HJT.  Should I keep any or all of these?  If not, what is the best way to remove them?

 

There are a few other antimalware programs that are on the machine that i really dont use,  Spyware Blaster 4.6 and CCleaner, should I update these and use these or remove them, again if remove is the recommendation, what is the best way to do that. 

 

I was never able to restore and update Java - I kept receiving a "getdefaultbrowsererror 2:" message so Java is not on my machine.

 

Lastly, I could not find the "Protected Mode" in IE as you recommended.  We are running IE 8.

 

Thanks

 

Vdicaprio



#28 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 08 November 2013 - 02:53 AM

Hi vdicaprio,

you can remove / uninstall SUPER AntiSpyware and HJT.

Malwarebytes AntiMalware and Tweaking.com-Registry Backup are useful tools which you could leave on this pc.

If you don't use Spyware Blaster 4.6 and CCleaner, you can uninstall them.

Uninstall is always the best way to remove a programm.
 

***


Protected Mode in Internet Explorer is available for Windows Vista, 7 / 8 only!


***


Try Java Uninstall Tool for Windows

Install latest Java 7 update: JAVA Click this link and click on the Free JAVA Download.

 

***


Please post a list with the names or numbers of the other computers, which are part of the network.

Start with these steps for the next pc:
 

***


Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Download OTL to your desktop.
  • Double click on the icon to run it.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

Graduate of the WTT Classroom
Cheers,
Jo

#29 vdicaprio

vdicaprio

    Authentic Member

  • Authentic Member
  • PipPip
  • 89 posts

Posted 09 November 2013 - 11:03 AM

Jo

 

The other computers connected on the network are:

 

M-1

D-1

J-1

A-1

V-1

Accounting Server (old P2 machine running WindowsNT)

 

I ran the Malware root tool kit and OTL one each of the PC's (not the accounting server) and the Malware Root tool Kit found no malware on any of them.

 

I have posted the Rootkit, OTL, & Extras Logs for the first PC (M-1)

Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.11.09.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
michael :: MIKE [administrator]

11/9/2013 8:43:13 AM
mbar-log-2013-11-09 (08-43-13).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 229248
Time elapsed: 18 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

OTL logfile created on: 11/9/2013 8:32:54 AM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\michael\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.99 Gb Total Physical Memory | 1.35 Gb Available Physical Memory | 67.78% Memory free
3.84 Gb Paging File | 3.37 Gb Available in Paging File | 87.66% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.13 Gb Total Space | 83.65 Gb Free Space | 77.36% Space Free | Partition Type: NTFS
 
Computer Name: MIKE | User Name: michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Documents and Settings\michael\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)
PRC - c:\Program Files\Microsoft Security Client\MpCmdRun.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
PRC - C:\WINDOWS\system32\dkabcoms.exe ( )
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\WINDOWS\system32\o2flash.exe ()
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\WINDOWS\system32\pdfmon.dll ()
MOD - C:\WINDOWS\system32\o2flash.exe ()
 
 
========== Services (SafeList) ==========
 
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe (McAfee, Inc.)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (CarboniteService) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
SRV - (dkab_device) -- C:\WINDOWS\system32\dkabcoms.exe ( )
SRV - (SolidWorks Licensing Service) -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe (SolidWorks)
SRV - (IAANTMON) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (O2Flash) -- C:\WINDOWS\system32\o2flash.exe ()
 
 
========== Driver Services (SafeList) ==========
 
DRV - (WDICA) --  File not found
DRV - (w39n51) -- system32\DRIVERS\w39n51.sys File not found
DRV - (s24trans) -- system32\DRIVERS\s24trans.sys File not found
DRV - (PDRFRAME) --  File not found
DRV - (PDRELI) --  File not found
DRV - (PDFRAME) --  File not found
DRV - (PDCOMP) --  File not found
DRV - (PCIDump) --  File not found
DRV - (lbrtfdc) --  File not found
DRV - (i2omgmt) --  File not found
DRV - (Changer) --  File not found
DRV - (catchme) -- C:\DOCUME~1\michael\LOCALS~1\Temp\catchme.sys File not found
DRV - (O2MDRDR) -- C:\WINDOWS\system32\drivers\o2media.sys (O2Micro )
DRV - (O2SDRDR) -- C:\WINDOWS\system32\drivers\o2sd.sys (O2Micro )
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\Hdaudio.sys (Windows ® Server 2003 DDK provider)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C1 8B 78 7D 2B DB CE 01  [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\SearchScopes,DefaultScope = {E574DA24-356B-49B5-9800-2B61539E69DB}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...-gb&FORM=IE0000
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{E574DA24-356B-49B5-9800-2B61539E69DB}: "URL" = http://www.google.co...&rlz=1I7GGLL_en
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://go.microsoft....k/?LinkId=69157"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:25.0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 25.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 25.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/11/06 15:34:02 | 000,000,000 | ---D | M]
 
[2009/06/11 05:57:36 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\michael\Application Data\Mozilla\Extensions
[2013/09/26 14:55:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\7yhg5te1.default\extensions
[2012/02/06 10:03:31 | 000,020,591 | ---- | M] () (No name found) -- C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\7yhg5te1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2013/11/06 15:34:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/11/06 15:34:39 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
O1 HOSTS File: ([2012/06/06 15:08:43 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - Reg Error: Value error. File not found
O15 - HKCU\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab (Opalplayerx5 Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8FB200A1-13F2-43C4-9FF3-468958C1E1F6}: DhcpNameServer = 192.168.254.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8FB200A1-13F2-43C4-9FF3-468958C1E1F6}: NameServer = 166.102.165.11,207.91.5.20
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\ps-rc4s.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\ps-rc4s.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/07 02:01:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/11/09 08:31:37 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\michael\Desktop\OTL.exe
[2013/11/09 08:31:00 | 012,576,792 | ---- | C] (Malwarebytes Corp.) -- C:\Documents and Settings\michael\Desktop\mbar-1.07.0.1007.exe
[2013/11/06 15:34:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/10/14 07:04:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
[2013/10/10 13:54:16 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidparse.sys
[2013/10/10 13:54:16 | 000,014,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2013/10/10 13:54:07 | 000,123,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbvideo.sys
[2013/10/10 13:54:07 | 000,060,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbaudio.sys
[2013/10/10 13:54:07 | 000,046,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irbus.sys
[2013/10/10 13:53:59 | 000,144,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbport.sys
[2013/10/10 13:53:59 | 000,032,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2013/10/10 13:53:59 | 000,030,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbehci.sys
[2013/10/10 13:53:59 | 000,005,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbd.sys
 
========== Files - Modified Within 30 Days ==========
 
[2013/11/09 08:32:40 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/11/09 08:31:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\michael\Desktop\OTL.exe
[2013/11/09 08:30:58 | 012,576,792 | ---- | M] (Malwarebytes Corp.) -- C:\Documents and Settings\michael\Desktop\mbar-1.07.0.1007.exe
[2013/11/09 08:22:57 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/11/09 08:22:57 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/11/09 08:22:31 | 000,002,048 | ---- | M] () -- C:\WINDOWS\bootstat.dat
[2013/11/09 08:22:30 | 2138,492,928 | -HS- | M] () -- C:\hiberfil.sys
[2013/11/08 17:01:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/11/08 16:53:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/11/08 16:07:44 | 000,000,433 | ---- | M] () -- C:\Documents and Settings\michael\Desktop\Service folder.lnk
[2013/11/08 16:02:58 | 000,002,090 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\CUSTOMERS - Shortcut.lnk
[2013/11/04 07:36:53 | 000,433,122 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/11/04 07:36:53 | 000,067,952 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/10/26 10:41:43 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/10/15 15:58:12 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/10/14 07:04:59 | 000,001,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2013/10/14 07:04:59 | 000,001,769 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2013/10/11 06:53:07 | 000,341,032 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/10/10 16:16:43 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
 
========== Files Created - No Company Name ==========
 
[2013/11/08 16:02:58 | 000,002,090 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\CUSTOMERS - Shortcut.lnk
[2013/10/16 07:09:10 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/10/14 07:04:59 | 000,001,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2013/10/14 07:04:56 | 000,001,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2012/06/05 06:59:41 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\michael\Local Settings\Application Data\housecall.guid.cache
[2012/02/16 13:42:31 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2008/10/23 15:11:47 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\michael\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/09/05 14:24:02 | 000,000,042 | ---- | C] () -- C:\Documents and Settings\michael\default.pls
[2007/09/05 03:50:27 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\michael\regmsg.flg
 
========== ZeroAccess Check ==========
 
[2007/07/07 02:06:46 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2010/09/04 09:43:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Carbonite
[2007/09/07 17:50:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2007/09/05 04:53:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2012/06/11 15:38:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/06/08 15:27:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\michael\Application Data\Auslogics
[2012/06/09 09:08:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\michael\Application Data\Dropbox
[2007/07/09 18:56:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\michael\Application Data\SampleView
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

 

 

OTL Extras logfile created on: 11/9/2013 8:32:54 AM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\michael\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.99 Gb Total Physical Memory | 1.35 Gb Available Physical Memory | 67.78% Memory free
3.84 Gb Paging File | 3.37 Gb Available in Paging File | 87.66% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.13 Gb Total Space | 83.65 Gb Free Space | 77.36% Space Free | Partition Type: NTFS
 
Computer Name: MIKE | User Name: michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\WINDOWS\system32\dkabcoms.exe" = C:\WINDOWS\system32\dkabcoms.exe:*:Enabled:Dell Enhanced TCP/IP Server -- ( )
"C:\Documents and Settings\michael\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\michael\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{10AB8F68-6962-4ACA-AE28-2600828B62AE}" = Kyocera TWAIN Driver
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3719E5A6-2083-4937-8040-63EEC6A811AA}" = O2Micro Flash Memory Card Windows Driver V2.03
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{4D24F198-A2CB-46B5-BB16-41B69C644B6C}" = Microsoft Security Client
"{6A28AB0B-22B1-494C-AF61-B386EA1736C0}" = LightScribe  1.4.97.1
"{6B8512B9-A3FC-42BB-B782-A77874B87CC2}" = eDrawings 2008
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8B66482D-424F-4610-9DD8-A37FED092F92}" = CBROI_V2_0
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96AD3B61-EAE2-11E2-9E72-B8AC6F98CCE3}" = Google Earth
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.8)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem v6081
"Carbonite Backup" = Carbonite
"Dell_HostCD" = Dell Printer Software Uninstall
"ESET Online Scanner" = ESET Online Scanner v3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{10AB8F68-6962-4ACA-AE28-2600828B62AE}" = Kyocera TWAIN Driver
"InstallShield_{3719E5A6-2083-4937-8040-63EEC6A811AA}" = O2Micro Flash Memory Card Windows Driver V2.03
"Kyocera Product Library" = Kyocera Product Library
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 25.0 (x86 en-US)" = Mozilla Firefox 25.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OcaHistoryUpd" = OCA Client history tool install
"OpalPlayerDeInstallKey" = Opal Player 2.12
"Pdf995" = Pdf995
"PROSet" = Intel® PRO Network Connections Drivers
"SpywareBlaster_is1" = SpywareBlaster 4.6
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 7/12/2013 4:51:07 PM | Computer Name = MIKE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 7/19/2013 4:19:09 PM | Computer Name = MIKE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 7/25/2013 11:25:24 AM | Computer Name = MIKE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 7/26/2013 2:46:11 PM | Computer Name = MIKE | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 8/1/2013 1:50:17 PM | Computer Name = MIKE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 8/2/2013 3:32:44 PM | Computer Name = MIKE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 8/8/2013 9:16:52 AM | Computer Name = MIKE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
 module unknown, version 0.0.0.0, fault address 0x161158c8.
 
Error - 10/7/2013 11:28:05 AM | Computer Name = MIKE | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 10/11/2013 11:31:13 AM | Computer Name = MIKE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 11/7/2013 5:21:39 PM | Computer Name = MIKE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
 module mshtml.dll, version 8.0.6001.23532, fault address 0x0014c5ab.
 
[ System Events ]
Error - 10/30/2013 7:40:46 AM | Computer Name = MIKE | Source = iaStor | ID = 262153
Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
 period.
 
 
< End of report >

 



#30 Jo*

Jo*

    SuperMember

  • Malware Team
  • 1,197 posts

Posted 10 November 2013 - 11:51 AM

Hi vdicaprio,

all looks good for the first PC (M-1).

Run OTL.exe on the first PC (M-1)
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    
    :Files
    C:\Documents and Settings\michael\Desktop\mbar-1.07.0.1007.exe
    C:\Documents and Settings\michael\Desktop\mbar
    
    :Commands
    [emptytemp]
    
  • Close all other programs apart from OTL as this step may require a reboot
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Say Yes to the prompt and then allow the program to reboot your computer.

***


Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.




***


On the next pc: Run OTL and post the logs!
Graduate of the WTT Classroom
Cheers,
Jo

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users