WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Computer infected [Solved]

Started by HMH22 , Feb 26 2014 09:08 AM

This topic is locked

20 replies to this topic

#1 HMH22

Authentic Member

Authentic Member
169 posts

Posted 26 February 2014 - 09:08 AM

OTL logfile created on: 2/26/2014 9:14:05 AM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Family.User-PC\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 2.16 Gb Available Physical Memory | 78.59% Memory free
5.70 Gb Paging File | 5.26 Gb Available in Paging File | 92.34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 119.70 Gb Total Space | 64.80 Gb Free Space | 54.13% Space Free | Partition Type: NTFS
Drive D: | 103.42 Gb Total Space | 103.33 Gb Free Space | 99.91% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: User | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Family.User-PC\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\System32\Macromed\Flash\FlashUtil32_11_6_602_171_ActiveX.exe (Adobe Systems Incorporated)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV - (ActivControl) -- C:\Program Files\Activ Software\ActivDriver\ActivControlsvc.exe (Promethean)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (Acer HomeMedia Connect Service) -- C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe (CyberLink)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (eDataSecurity Service) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
SRV - (eSettingsService) -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
SRV - (AcerMemUsageCheckService) -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe ()
SRV - (eRecoveryService) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)

========== Driver Services (SafeList) ==========

DRV - (SymIMMP) -- system32\DRIVERS\SymIM.sys File not found
DRV - (SymIM) -- system32\DRIVERS\SymIM.sys File not found
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (FAMv4) -- C:\Windows\System32\drivers\FAMv4.sys (FAMv4)
DRV - (nvstor32) -- C:\Windows\System32\drivers\nvstor32.sys (NVIDIA Corporation)
DRV - (nvrd32) -- C:\Windows\System32\drivers\nvrd32.sys (NVIDIA Corporation)
DRV - (zntport) -- C:\Windows\System32\drivers\zntport.sys (Zeal SoftStudio)
DRV - (tvicport) -- C:\Windows\System32\drivers\TVicPort.sys (EnTech Taiwan)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)
DRV - (int15) -- C:\Acer\Empowering Technology\eRecovery\int15.sys (Acer, Inc.)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...referrer:source?}
IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo....ms}&fr=chr-acer
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_171.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Users\Guest\AppData\Local\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Users\Guest\AppData\Local\Mozilla Firefox\plugins

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - Extension: Google Docs = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Gmail = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (HiTRUST)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe ()
O4 - HKLM..\Run: [Acer Product Registration] C:\Program Files\Acer Registration\ACE1.exe (Leader Technologies)
O4 - HKLM..\Run: [ActivManager] C:\Program Files\Activ Software\ActivDriver\ActivMgr.exe ()
O4 - HKLM..\Run: [Apanel] C:\ACERSW\config\SetApanel.cmd File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [NVRaidService] C:\Windows\System32\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [top] C:\Users\User\AppData\Roaming\top1.exe ()
O4 - HKCU..\Run: [top2] 㩃啜敳獲啜敳屲灁䑰瑡屡潒浡湩屧潴ㅰ攮數 File not found
O4 - HKLM..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [*WerKernelReporting] C:\Windows\System32\WerFault.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://zone.msn.com/...inematycoon.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{429534DA-931A-4D7E-8EC3-75992BA2B5E7}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\User\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\User\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.mkdmp3enc - C:\PROGRA~1\ACERAR~1\ACERDV~2\Kernel\Burner\MKDMP3Enc.ACM File not found
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.tscc - C:\Windows\System32\tsccvid.dll (TechSmith Corporation)
Drivers32: wave2 - C:\Windows\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Unable to start System Restore Service. Error code 1084

========== Files/Folders - Created Within 30 Days ==========

[2014/02/11 17:32:15 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\The Movies
[2014/02/11 17:32:15 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Lionhead Studios

========== Files - Modified Within 30 Days ==========

[2014/02/26 09:03:37 | 000,603,516 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/02/26 09:03:37 | 000,103,586 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/02/26 08:59:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/02/26 08:10:58 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/02/26 08:08:55 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/02/26 08:08:51 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2014/02/26 08:08:51 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2014/02/25 15:14:46 | 000,001,975 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2014/02/20 14:27:27 | 287,718,172 | ---- | M] () -- C:\Windows\MEMORY.DMP

========== Files Created - No Company Name ==========

[2013/02/28 04:15:27 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2013/02/28 04:15:27 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2013/02/27 10:53:06 | 000,186,192 | ---- | C] () -- C:\Windows\libactivboardex.dll
[2013/02/21 16:27:13 | 000,044,391 | ---- | C] () -- C:\Users\User\AppData\Roaming\top1.exe
[2013/02/21 16:27:06 | 000,044,391 | ---- | C] () -- C:\Users\User\5136535.exe
[2012/10/12 11:14:53 | 000,000,044 | ---- | C] () -- C:\Windows\Acer(Normal).ini
[2012/10/12 11:14:53 | 000,000,042 | ---- | C] () -- C:\Windows\Acer(Wide).ini
[2012/10/12 11:12:32 | 000,077,824 | ---- | C] () -- C:\Windows\System32\drivers\INT15_DETECT.EXE
[2012/10/12 11:11:32 | 000,016,384 | ---- | C] () -- C:\Windows\System32\LauncheRyAgentUser.exe
[2012/10/12 11:11:32 | 000,016,384 | ---- | C] ( ) -- C:\Windows\System32\ClearEvent.exe

========== ZeroAccess Check ==========

[2006/11/02 07:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2011/01/21 10:46:32 | 011,582,464 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/03/02 23:36:24 | 000,615,424 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/01/20 21:24:03 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/02/17 16:49:59 | 000,000,000 | -HSD | M] -- C:\Users\User\AppData\Roaming\.#
[2012/10/12 11:17:05 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Acer
[2008/02/05 14:54:28 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Acer GameZone Console
[2013/05/23 17:34:19 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\ACTIV Software
[2013/02/17 16:36:53 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\eSobi
[2012/10/12 11:17:04 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Leadertech
[2014/02/11 17:32:15 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Lionhead Studios
[2013/04/29 18:39:56 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\MusE
[2014/02/14 12:37:02 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Promethean

========== Purity Check ==========

========== Custom Scans ==========

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< %temp%\smtmp\*.* /s > >

< MD5 for: EXPLORER.EXE >
[2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008/10/29 22:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008/10/27 21:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008/01/20 21:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: EXPLORER.EXE.HU.KDMP >
[2014/02/12 08:04:54 | 052,402,949 | ---- | M] () MD5=907072276C31F7B51E28F3642F55D04D -- C:\Users\Family\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report132dbebc\Explorer.EXE.hu.kdmp

< MD5 for: EXPLORER.EXE.MUI >
[2006/11/02 07:41:18 | 000,036,864 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\en-US\explorer.exe.mui
[2006/11/02 07:41:18 | 000,036,864 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-explorer.resources_31bf3856ad364e35_6.0.6000.16386_en-us_03bbc52176b6ba20\explorer.exe.mui

< MD5 for: EXPLORER.EXE.XML >
[2014/02/12 08:04:54 | 000,003,412 | ---- | M] () MD5=5F8C3516EF389D5AE78BF3624503E7EA -- C:\Users\Family\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report132dbebc\Explorer.EXE.xml

< MD5 for: EXPLORER.EXE-A80E4F97.PF >
[2014/02/17 18:17:25 | 000,230,112 | ---- | M] () MD5=A45A7238681FC7E4AA3BC85690676268 -- C:\Windows\Prefetch\EXPLORER.EXE-A80E4F97.pf

< MD5 for: IEXPLORE.EXE >
[2009/04/11 01:27:44 | 000,636,080 | ---- | M] (Microsoft Corporation) MD5=2C5168C856455CC43C4B4E1CC1920001 -- C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6002.18005_none_314d791517204c15\iexplore.exe
[2008/01/20 21:23:50 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=5B92133D3E7FB2644677686305E29E81 -- C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_2f62000919fe80c9\iexplore.exe
[2011/04/21 09:34:57 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=6C93AC7C0A8718E2A1543DB1B1B3B19F -- C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22905_none_2ff0ad763317887e\iexplore.exe
[2011/04/21 10:02:30 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=77B9A891222FB46B13E414B99E1AF842 -- C:\Program Files\Internet Explorer\iexplore.exe
[2011/04/21 10:02:30 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=77B9A891222FB46B13E414B99E1AF842 -- C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18639_none_2f4a9e431a0ea795\iexplore.exe

< MD5 for: IEXPLORE.EXE.MUI >
[2006/11/02 07:41:15 | 000,016,384 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
[2006/11/02 07:41:15 | 000,016,384 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-i..texplorer.resources_31bf3856ad364e35_6.0.6000.16386_en-us_3b55b11a57da5590\iexplore.exe.mui

< MD5 for: IEXPLORE.EXE-908C99F8.PF >
[2014/02/25 14:07:11 | 000,187,030 | ---- | M] () MD5=8A848E6D8319CA69F62FAE77E5054AE3 -- C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf

< MD5 for: SERVICES >
[2006/09/18 16:41:30 | 000,017,244 | ---- | M] () MD5=9F534244B7F8F55D5C0BB498D8D481E7 -- C:\Windows\System32\drivers\etc\services
[2006/09/18 16:41:30 | 000,017,244 | ---- | M] () MD5=9F534244B7F8F55D5C0BB498D8D481E7 -- C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.0.6000.16386_none_024e4071fa6fea95\services

< MD5 for: SERVICES.EXE >
[2008/01/20 21:24:48 | 000,279,040 | ---- | M] (Microsoft Corporation) MD5=2B336AB6286D6C81FA02CBAB914E3C6C -- C:\Windows\System32\services.exe
[2008/01/20 21:24:48 | 000,279,040 | ---- | M] (Microsoft Corporation) MD5=2B336AB6286D6C81FA02CBAB914E3C6C -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2009/04/11 01:27:59 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

< MD5 for: SERVICES.EXE.MUI >
[2006/11/02 07:40:53 | 000,017,920 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\en-US\services.exe.mui
[2006/11/02 07:40:53 | 000,017,920 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\winsxs\x86_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.0.6000.16386_en-us_67c6851b290a1ced\services.exe.mui

< MD5 for: SERVICES.LNK >
[2008/01/20 21:42:58 | 000,001,688 | ---- | M] () MD5=C50AE46E57C3F3FB61A3B3A1E5D9C412 -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk
[2008/01/20 21:42:58 | 000,001,688 | ---- | M] () MD5=C50AE46E57C3F3FB61A3B3A1E5D9C412 -- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk

< MD5 for: SERVICES.MOF >
[2006/09/18 16:46:11 | 000,002,866 | ---- | M] () MD5=26A11C895A7F0B6D32105EBE127D8500 -- C:\Windows\System32\wbem\services.mof
[2006/09/18 16:46:11 | 000,002,866 | ---- | M] () MD5=26A11C895A7F0B6D32105EBE127D8500 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.mof
[2006/09/18 16:46:11 | 000,002,866 | ---- | M] () MD5=26A11C895A7F0B6D32105EBE127D8500 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.mof

< MD5 for: SERVICES.MSC >
[2006/11/02 07:41:29 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\System32\en-US\services.msc
[2006/09/18 16:29:40 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\System32\services.msc
[2006/11/02 07:41:29 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\winsxs\x86_microsoft-windows-s..cessnapin.resources_31bf3856ad364e35_6.0.6000.16386_en-us_a2085506ff73b6e0\services.msc
[2006/09/18 16:29:40 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\winsxs\x86_microsoft-windows-servicessnapin_31bf3856ad364e35_6.0.6001.18000_none_cf63e2a445bae4e3\services.msc

< MD5 for: WINLOGON.EXE >
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008/01/20 21:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\System32\winlogon.exe
[2008/01/20 21:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< MD5 for: WINLOGON.EXE.MUI >
[2008/01/20 21:25:40 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=26AC28BF50DC112BAA794A83E08588F0 -- C:\Windows\System32\en-US\winlogon.exe.mui
[2008/01/20 21:25:40 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=26AC28BF50DC112BAA794A83E08588F0 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.0.6001.18000_en-us_caf8918b0416723a\winlogon.exe.mui
[2006/11/02 07:40:50 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=A1D2856F3EC3C86EBBF1442B0245A8B3 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.0.6000.16386_en-us_c8c1cf8f072b6166\winlogon.exe.mui

< MD5 for: WINLOGON.EXE-B020DC41.PF >
[2014/02/25 13:24:56 | 000,029,914 | ---- | M] () MD5=BA59ECC98426FDDD2B1BB62E48AF4FA0 -- C:\Windows\Prefetch\WINLOGON.EXE-B020DC41.pf

< MD5 for: WINLOGON.MOF >
[2006/09/18 16:41:56 | 000,002,794 | ---- | M] () MD5=545C578F290B9CDD280966939935B9EA -- C:\Windows\System32\wbem\winlogon.mof
[2006/09/18 16:41:56 | 000,002,794 | ---- | M] () MD5=545C578F290B9CDD280966939935B9EA -- C:\Windows\winsxs\x86_microsoft-windows-winlogon-mof_31bf3856ad364e35_6.0.6000.16386_none_7e0207d478fccc94\winlogon.mof

< %SYSTEMDRIVE%\*.* >
[2006/09/18 16:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2008/01/20 21:24:42 | 000,333,203 | RHS- | M] () -- C:\bootmgr
[2008/02/05 13:07:22 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2007/06/28 03:44:50 | 000,000,512 | ---- | M] () -- C:\MDR.iss
[2014/02/26 08:59:01 | 3265,802,240 | -HS- | M] () -- C:\pagefile.sys
[2008/02/05 14:27:11 | 000,000,426 | ---- | M] () -- C:\RHDSetup.log

< %systemroot%\Fonts\*.com >
[2006/11/02 07:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 07:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 07:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006/11/02 07:37:12 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 16:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/11/02 07:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll
[2006/10/26 22:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2006/10/19 09:00:56 | 000,187,392 | ---- | M] () -- C:\Windows\Acer(Normal).scr
[2006/10/19 09:00:56 | 000,187,392 | ---- | M] () -- C:\Windows\Acer(Wide).scr

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008/01/20 21:43:21 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< dir "%systemdrive%\*" /S /A:L /C >
Volume in drive C is ACER
Volume Serial Number is 2021-A846
Directory of C:\
11/02/2006 08:02 AM    <JUNCTION>     Documents and Settings [C:\Users]
               0 File(s)              0 bytes
Directory of C:\ProgramData
11/02/2006 08:02 AM    <JUNCTION>     Application Data [C:\ProgramData]
11/02/2006 08:02 AM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
11/02/2006 08:02 AM    <JUNCTION>     Documents [C:\Users\Public\Documents]
11/02/2006 08:02 AM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
11/02/2006 08:02 AM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
11/02/2006 08:02 AM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
Directory of C:\Users
11/02/2006 08:02 AM    <SYMLINKD>     All Users [C:\ProgramData]
11/02/2006 08:02 AM    <JUNCTION>     Default User [C:\Users\Default]
               0 File(s)              0 bytes
Directory of C:\Users\All Users
11/02/2006 08:02 AM    <JUNCTION>     Application Data [C:\ProgramData]
11/02/2006 08:02 AM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
11/02/2006 08:02 AM    <JUNCTION>     Documents [C:\Users\Public\Documents]
11/02/2006 08:02 AM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
11/02/2006 08:02 AM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
11/02/2006 08:02 AM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
Directory of C:\Users\Default
11/02/2006 08:02 AM    <JUNCTION>     Application Data [C:\Users\Default\AppData\Roaming]
11/02/2006 08:02 AM    <JUNCTION>     Cookies [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies]
11/02/2006 08:02 AM    <JUNCTION>     Local Settings [C:\Users\Default\AppData\Local]
11/02/2006 08:02 AM    <JUNCTION>     My Documents [C:\Users\Default\Documents]
11/02/2006 08:02 AM    <JUNCTION>     NetHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
11/02/2006 08:02 AM    <JUNCTION>     PrintHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
11/02/2006 08:02 AM    <JUNCTION>     Recent [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent]
11/02/2006 08:02 AM    <JUNCTION>     SendTo [C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo]
11/02/2006 08:02 AM    <JUNCTION>     Start Menu [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
11/02/2006 08:02 AM    <JUNCTION>     Templates [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
Directory of C:\Users\Default\AppData\Local
11/02/2006 08:02 AM    <JUNCTION>     Application Data [C:\Users\Default\AppData\Local]
11/02/2006 08:02 AM    <JUNCTION>     History [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
11/02/2006 08:02 AM    <JUNCTION>     Temporary Internet Files [C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes
Directory of C:\Users\Default\Documents
11/02/2006 08:02 AM    <JUNCTION>     My Music [C:\Users\Default\Music]
11/02/2006 08:02 AM    <JUNCTION>     My Pictures [C:\Users\Default\Pictures]
11/02/2006 08:02 AM    <JUNCTION>     My Videos [C:\Users\Default\Videos]
               0 File(s)              0 bytes
Directory of C:\Users\Family.User-PC
02/14/2014 12:50 PM    <JUNCTION>     Application Data [C:\Users\Family.User-PC\AppData\Roaming]
02/14/2014 12:50 PM    <JUNCTION>     Cookies [C:\Users\Family.User-PC\AppData\Roaming\Microsoft\Windows\Cookies]
02/14/2014 12:50 PM    <JUNCTION>     Local Settings [C:\Users\Family.User-PC\AppData\Local]
02/14/2014 12:50 PM    <JUNCTION>     My Documents [C:\Users\Family.User-PC\Documents]
02/14/2014 12:50 PM    <JUNCTION>     NetHood [C:\Users\Family.User-PC\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
02/14/2014 12:50 PM    <JUNCTION>     PrintHood [C:\Users\Family.User-PC\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
02/14/2014 12:50 PM    <JUNCTION>     Recent [C:\Users\Family.User-PC\AppData\Roaming\Microsoft\Windows\Recent]
02/14/2014 12:50 PM    <JUNCTION>     SendTo [C:\Users\Family.User-PC\AppData\Roaming\Microsoft\Windows\SendTo]
02/14/2014 12:50 PM    <JUNCTION>     Start Menu [C:\Users\Family.User-PC\AppData\Roaming\Microsoft\Windows\Start Menu]
02/14/2014 12:50 PM    <JUNCTION>     Templates [C:\Users\Family.User-PC\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
Directory of C:\Users\Family.User-PC\AppData\Local
02/14/2014 12:50 PM    <JUNCTION>     Application Data [C:\Users\Family.User-PC\AppData\Local]
02/14/2014 12:50 PM    <JUNCTION>     History [C:\Users\Family.User-PC\AppData\Local\Microsoft\Windows\History]
02/14/2014 12:50 PM    <JUNCTION>     Temporary Internet Files [C:\Users\Family.User-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes
Directory of C:\Users\Family.User-PC\Documents
02/14/2014 12:50 PM    <JUNCTION>     My Music [C:\Users\Family.User-PC\Music]
02/14/2014 12:50 PM    <JUNCTION>     My Pictures [C:\Users\Family.User-PC\Pictures]
02/14/2014 12:50 PM    <JUNCTION>     My Videos [C:\Users\Family.User-PC\Videos]
               0 File(s)              0 bytes
Directory of C:\Users\Guest
02/21/2013 06:49 PM    <JUNCTION>     Application Data [C:\Users\Guest\AppData\Roaming]
02/21/2013 06:49 PM    <JUNCTION>     Cookies [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies]
02/21/2013 06:49 PM    <JUNCTION>     Local Settings [C:\Users\Guest\AppData\Local]
02/21/2013 06:49 PM    <JUNCTION>     My Documents [C:\Users\Guest\Documents]
02/21/2013 06:49 PM    <JUNCTION>     NetHood [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
02/21/2013 06:49 PM    <JUNCTION>     PrintHood [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
02/21/2013 06:49 PM    <JUNCTION>     Recent [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent]
02/21/2013 06:49 PM    <JUNCTION>     SendTo [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\SendTo]
02/21/2013 06:49 PM    <JUNCTION>     Start Menu [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu]
02/21/2013 06:49 PM    <JUNCTION>     Templates [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
Directory of C:\Users\Guest\AppData\Local
02/21/2013 06:49 PM    <JUNCTION>     Application Data [C:\Users\Guest\AppData\Local]
02/21/2013 06:49 PM    <JUNCTION>     History [C:\Users\Guest\AppData\Local\Microsoft\Windows\History]
02/21/2013 06:49 PM    <JUNCTION>     Temporary Internet Files [C:\Users\Guest\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes
Directory of C:\Users\Guest\Documents
02/21/2013 06:49 PM    <JUNCTION>     My Music [C:\Users\Guest\Music]
02/21/2013 06:49 PM    <JUNCTION>     My Pictures [C:\Users\Guest\Pictures]
02/21/2013 06:49 PM    <JUNCTION>     My Videos [C:\Users\Guest\Videos]
               0 File(s)              0 bytes
Directory of C:\Users\Public\Documents
11/02/2006 08:02 AM    <JUNCTION>     My Music [C:\Users\Public\Music]
11/02/2006 08:02 AM    <JUNCTION>     My Pictures [C:\Users\Public\Pictures]
11/02/2006 08:02 AM    <JUNCTION>     My Videos [C:\Users\Public\Videos]
               0 File(s)              0 bytes
Directory of C:\Users\UpdatusUser
04/13/2013 02:05 AM    <JUNCTION>     Application Data [C:\Users\UpdatusUser\AppData\Roaming]
04/13/2013 02:05 AM    <JUNCTION>     Cookies [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Cookies]
04/13/2013 02:05 AM    <JUNCTION>     Local Settings [C:\Users\UpdatusUser\AppData\Local]
04/13/2013 02:05 AM    <JUNCTION>     My Documents [C:\Users\UpdatusUser\Documents]
04/13/2013 02:05 AM    <JUNCTION>     NetHood [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
04/13/2013 02:05 AM    <JUNCTION>     PrintHood [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
04/13/2013 02:05 AM    <JUNCTION>     Recent [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Recent]
04/13/2013 02:05 AM    <JUNCTION>     SendTo [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\SendTo]
04/13/2013 02:05 AM    <JUNCTION>     Start Menu [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu]
04/13/2013 02:05 AM    <JUNCTION>     Templates [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
Directory of C:\Users\UpdatusUser\AppData\Local
04/13/2013 02:05 AM    <JUNCTION>     Application Data [C:\Users\UpdatusUser\AppData\Local]
04/13/2013 02:05 AM    <JUNCTION>     History [C:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\History]
04/13/2013 02:05 AM    <JUNCTION>     Temporary Internet Files [C:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes
Directory of C:\Users\UpdatusUser\Documents
04/13/2013 02:05 AM    <JUNCTION>     My Music [C:\Users\UpdatusUser\Music]
04/13/2013 02:05 AM    <JUNCTION>     My Pictures [C:\Users\UpdatusUser\Pictures]
04/13/2013 02:05 AM    <JUNCTION>     My Videos [C:\Users\UpdatusUser\Videos]
               0 File(s)              0 bytes
Directory of C:\Users\User
10/12/2012 11:09 AM    <JUNCTION>     Application Data [C:\Users\User\AppData\Roaming]
10/12/2012 11:09 AM    <JUNCTION>     Cookies [C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies]
10/12/2012 11:09 AM    <JUNCTION>     Local Settings [C:\Users\User\AppData\Local]
10/12/2012 11:09 AM    <JUNCTION>     My Documents [C:\Users\User\Documents]
10/12/2012 11:09 AM    <JUNCTION>     NetHood [C:\Users\User\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
10/12/2012 11:09 AM    <JUNCTION>     PrintHood [C:\Users\User\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
10/12/2012 11:09 AM    <JUNCTION>     Recent [C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent]
10/12/2012 11:09 AM    <JUNCTION>     SendTo [C:\Users\User\AppData\Roaming\Microsoft\Windows\SendTo]
10/12/2012 11:09 AM    <JUNCTION>     Start Menu [C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu]
10/12/2012 11:09 AM    <JUNCTION>     Templates [C:\Users\User\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
Directory of C:\Users\User\AppData\Local
10/12/2012 11:09 AM    <JUNCTION>     Application Data [C:\Users\User\AppData\Local]
10/12/2012 11:09 AM    <JUNCTION>     History [C:\Users\User\AppData\Local\Microsoft\Windows\History]
10/12/2012 11:09 AM    <JUNCTION>     Temporary Internet Files [C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes
Directory of C:\Users\User\Documents
10/12/2012 11:09 AM    <JUNCTION>     My Music [C:\Users\User\Music]
10/12/2012 11:09 AM    <JUNCTION>     My Pictures [C:\Users\User\Pictures]
10/12/2012 11:09 AM    <JUNCTION>     My Videos [C:\Users\User\Videos]
               0 File(s)              0 bytes
Directory of C:\Windows\System32\config\systemprofile
10/12/2012 11:12 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Roaming]
10/12/2012 11:12 AM    <JUNCTION>     Cookies [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies]
10/12/2012 11:12 AM    <JUNCTION>     Local Settings [C:\Windows\system32\config\systemprofile\AppData\Local]
10/12/2012 11:12 AM    <JUNCTION>     My Documents [C:\Windows\system32\config\systemprofile\Documents]
10/12/2012 11:12 AM    <JUNCTION>     NetHood [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
10/12/2012 11:12 AM    <JUNCTION>     PrintHood [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
10/12/2012 11:12 AM    <JUNCTION>     Recent [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent]
10/12/2012 11:12 AM    <JUNCTION>     SendTo [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo]
10/12/2012 11:12 AM    <JUNCTION>     Start Menu [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu]
10/12/2012 11:12 AM    <JUNCTION>     Templates [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local
10/12/2012 11:12 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
10/12/2012 11:12 AM    <JUNCTION>     History [C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History]
10/12/2012 11:12 AM    <JUNCTION>     Temporary Internet Files [C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes
Directory of C:\Windows\System32\config\systemprofile\Documents
10/12/2012 11:12 AM    <JUNCTION>     My Music [C:\Windows\system32\config\systemprofile\Music]
10/12/2012 11:12 AM    <JUNCTION>     My Pictures [C:\Windows\system32\config\systemprofile\Pictures]
10/12/2012 11:12 AM    <JUNCTION>     My Videos [C:\Windows\system32\config\systemprofile\Videos]
               0 File(s)              0 bytes
     Total Files Listed:
               0 File(s)              0 bytes
             114 Dir(s) 69,561,597,952 bytes free

< %systemroot%\System32\config\*.sav >
[2008/02/05 13:07:13 | 012,820,480 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/02/05 13:07:09 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/02/05 13:07:13 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2008/02/05 13:07:19 | 017,186,816 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2008/02/05 13:07:20 | 006,639,616 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2013/02/16 15:48:55 | 000,000,286 | -HS- | M] () -- C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2014-02-25 19:45:12

========== Alternate Data Streams ==========

@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:131C0EE9
@Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:4BB26BE9
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:793F316E
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:EC2246A6
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:B623B5B8
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:861A898F
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:9F683177
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:FC420CE6
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:E36F5B57
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:8AB6C1D7
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:C95B63DA
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:FEBEC560
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:9E22BBE8
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:3E7393FC
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:4F636E25
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:4CF61E54
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:580E04D8
@Alternate Data Stream - 106 bytes -> C:\ProgramData\TEMP:2B99FE60
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:8173A019
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:193426B4

< End of report >

Hi I am having a problem with my computer i believe its infected with alot of virus. I have a new computer not the same one in my original profile i brought it last summer from a pawn shop because it took to long for them to fix my old one because the parts were to hard to find they had stopped making them. Anyway here is my new computer info i will copy and paste it here

Acer Aspire M5640

Intel® Pentium® Dual CPU E2160

1.80GHz

32 bit operating system

I am in safe mode with networking here is my OTL log

Advertisements

Register to Remove

#2 HMH22

Authentic Member

Authentic Member
169 posts

Posted 26 February 2014 - 09:10 AM

OTL Extras logfile created on: 2/26/2014 9:14:05 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Family.User-PC\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 2.16 Gb Available Physical Memory | 78.59% Memory free
5.70 Gb Paging File | 5.26 Gb Available in Paging File | 92.34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 119.70 Gb Total Space | 64.80 Gb Free Space | 54.13% Space Free | Partition Type: NTFS
Drive D: | 103.42 Gb Total Space | 103.33 Gb Free Space | 99.91% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: User | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0F039C34-56E5-4C23-A0F9-241C1F112BA4}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{1BC41A91-5633-402D-BCAE-3694F37BF5E1}" = lport=138 | protocol=17 | dir=in | app=system |
"{2F7F4435-373D-41FF-9663-98332626EF21}" = rport=445 | protocol=6 | dir=out | app=system |
"{34CCA815-67F6-42C9-B07E-BEF569E3D108}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5B5AFB8E-C137-47C4-B1F9-A1DDB3DDD818}" = rport=138 | protocol=17 | dir=out | app=system |
"{5BBDFDC2-5DE4-4E5A-AB8B-025F754897AD}" = lport=139 | protocol=6 | dir=in | app=system |
"{5DC78142-5C3C-4840-81AD-2986D396390F}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{7127F03F-1FCE-48EE-8A8F-8C6B8D7C91F8}" = rport=139 | protocol=6 | dir=out | app=system |
"{7C4CF7C3-01B9-40A6-BEC9-2968CD22D4C4}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7DA809EE-2CDC-44C1-8F11-A17DB6905B1D}" = rport=137 | protocol=17 | dir=out | app=system |
"{89EDA2CB-72B1-4758-AD19-1FB87829AFA1}" = lport=445 | protocol=6 | dir=in | app=system |
"{913528BC-1F95-49C0-8347-51E1F22B6F7F}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{981B21D8-8F14-4D44-9DDA-4A804B7EA378}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{A2F8D20E-B7A7-4FAA-917D-89B25E289259}" = lport=137 | protocol=17 | dir=in | app=system |
"{AD9C1CB7-C5C7-4F0A-AFD5-FE7C3C592441}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{AE53EE72-598E-4E2D-9DC5-7DC336B63662}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{DDB40C69-1FD8-4054-A25D-C396F87FA03B}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{E35070D3-E603-42D5-A59C-148156A7845B}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{F69DEC9D-10C9-4287-A8D9-65F875DFBA3D}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00B4998B-5924-450F-AEF9-4BDA12EFD12F}" = dir=in | app=c:\program files\acer arcade live\acer slideshow dvd\acer slideshow dvd.exe |
"{19B4CE13-048A-4191-BD57-D7E32FD79815}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{1D77E521-D2DF-43B7-AE81-574AA49F7CD5}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{1FE901D8-D7A9-4281-9428-AFBF435BFC9D}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{2E9A4533-1359-46B6-B326-2B899D73FD10}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{3B669851-018A-4040-9571-5404D19BD764}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{4159B829-1096-46FB-954D-B187B7B0252D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{505ED723-A2BA-473E-AEAE-3BD5181A5754}" = dir=in | app=c:\program files\acer arcade live\acer homemedia trial creator\acer homemedia trial creator.exe |
"{6299EEE5-1856-4B10-9916-798B1C1AEF89}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{6383B295-BB65-4F28-8CE6-87852904AFC6}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{708ABF94-8F1B-4663-99CB-CBDE0C7A8EB0}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{7B6B3B53-9D2B-40C9-B91F-FE85E1D6A25A}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{7BB3097A-3125-4981-9834-679B5636377D}" = dir=in | app=c:\program files\acer arcade live\acer videomagician\acer videomagician.exe |
"{7D1CE16D-8631-458E-8382-54CE0C38BDEB}" = dir=in | app=c:\program files\acer arcade live\acer homemedia connect\kernel\dms\clmsserver.exe |
"{7F51ED0B-81E8-46A6-908E-8C5EA726056F}" = dir=in | app=c:\program files\acer arcade live\acer dvdivine\acer dvdivine.exe |
"{81B6CD0B-8F08-4C12-8532-E56DF5350339}" = dir=in | app=c:\program files\acer arcade live\acer homemedia\acer homemedia.exe |
"{8BCD640B-594A-465F-8A9E-E5A6C07DC081}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{8FFE3A8A-4C75-43A0-BFF3-95FDFDA33BE2}" = dir=in | app=c:\program files\acer arcade live\acer dv magician\acer dv magician.exe |
"{948000F3-8719-4206-B4C5-6506B663184F}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe |
"{ADE9CF49-7A0E-4076-9B85-7648EC5E7736}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{B0FC188F-249E-43D9-859D-89A0F334AEDC}" = dir=in | app=c:\program files\acer arcade live\acer homemedia connect\acer homemedia connect.exe |
"{CB9791DA-21DC-43B2-AB15-F686C82A082C}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{D430641B-178B-4C39-B53C-F6B3221DB01A}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{D487D8E1-D633-424C-A312-3EEAE09D757D}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{EDAD7C9C-2B42-422A-A171-019C0C88A98B}" = dir=in | app=c:\program files\acer arcade live\acer arcade live main page\acer arcade live.exe |
"{F3CFA48D-AE6A-482E-96D7-2390C5C0FDF5}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01358C56-44F4-B8B3-8757-06F2A864A863}" = ATI Catalyst Install Manager
"{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
"{132888AE-EF67-41C5-BCA2-7D5D2488AB63}" = Acer HomeMedia Connect
"{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"{268278CF-FB69-4D98-B70E-BFEC1CDCA225}" = iTunes
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3CC9C896-21C0-4F9F-AEB8-EB3BF9B0AD36}" = ActivInspire v1
"{3D8C96C4-CEB6-4B97-BA4C-9BB7DF083224}" = ActivInspire HWR Resources (ENU) v1
"{41581EF5-45A7-11DA-9D78-000129760D75}" = Acer SlideShow DVD
"{45C56AA7-ED1B-4800-A97F-EDDF3F3520B1}" = Apple Application Support
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110111700}" = Zuma Deluxe
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110113233}" = Bookworm Deluxe
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11029123}" = Bricks of Egypt
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110322783}" = Big Kahuna Reef
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110411970}" = Chuzzle
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111118433}" = Mystery Case Files - Huntsville
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111199750}" = Cake Mania
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111252743}" = Mahjong Escape Ancient China
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111324990}" = Kick N Rush
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111543617}" = Backspin Billiards
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111692950}" = Mahjongg Artifacts
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111771833}" = Jewel Quest Solitaire
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111796363}" = Mystery Solitaire - Secret Island
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111872660}" = Diner Dash Flo on the Go
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112310577}" = Flip Words 2
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112531267}" = Chicken Invaders 3
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112615863}" = Agatha Christie Death on the Nile
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112920767}" = Alice Greenfingers
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113009953}" = Turbo Pizza
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113080210}" = Azada
"{90120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARD_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARD_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARD_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARD_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARD_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARD_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARD_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARD_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARD_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A5633652-3795-4829-BB0B-644F0279E279}" = Acer eDataSecurity Management
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA4BF92B-2AAF-11DA-9D78-000129760D75}" = Acer HomeMedia
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{B0CB0468-17F6-4D83-8D44-7B9CB66D4D1B}" = ActivDriver x86 v5.9
"{B0FA2C62-A4DA-4805-96CC-C6B42CBB5CC1}" = ActivInspire Help (USA) v1
"{B145EC69-66F5-11D8-9D75-000129760D75}" = Acer DVDivine
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B580C409-E16F-44FF-904D-3AE94E113BE0}" = Acer HomeMedia Trial Creator
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{CE65A9A0-9686-45C6-9098-3C9543A412F0}" = Acer eSettings Management
"{D2F260BD-ECA8-4E22-B73F-50399305C335}" = Bee Movie™ Game Demo
"{D462BF9E-0C35-4705-BF9B-3DF9F3816643}" = Acer ePerformance Management
"{E14ADE0E-75F3-4A46-87E5-26692DD626EC}" = Apple Mobile Device Support
"{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}" = Acer Arcade Live Main Page
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6EFFB76-4A07-11DA-9D78-000129760D75}" = Acer DV Magician
"{F79A208D-D929-11D9-9D77-000129760D75}" = Acer VideoMagician
"{FCD243AC-C4FF-48B5-AE57-7B91EDD2EE90}" = ActivInspire Core Resources (ENU) v1
"Acer Assist" = Acer Assist
"Acer GameZone Console_is1" = Acer GameZone Console DTV 2.0.1.1
"Acer Registration" = Acer Registration
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Finale 2012" = Finale 2012
"Google Chrome" = Google Chrome
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
"InstallShield_{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"InstallShield_{D2F260BD-ECA8-4E22-B73F-50399305C335}" = Bee Movie™ Game Demo
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MuseScore" = MuseScore 1.3
"NTI Open File Manager" = NTI Open File Manager (remove only)
"NVIDIA Drivers" = NVIDIA Drivers
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"STANDARD" = Microsoft Office Standard 2007
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 2/14/2014 10:39:40 PM | Computer Name = USER-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 67127

Error - 2/14/2014 10:39:40 PM | Computer Name = USER-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 67127

Error - 2/15/2014 2:27:12 PM | Computer Name = User-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/16/2014 12:28:59 PM | Computer Name = User-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/16/2014 12:39:23 PM | Computer Name = User-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/16/2014 12:44:05 PM | Computer Name = User-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/16/2014 12:47:40 PM | Computer Name = User-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/16/2014 4:40:03 PM | Computer Name = User-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/16/2014 4:52:19 PM | Computer Name = User-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/17/2014 7:16:22 PM | Computer Name = User-PC | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 2/26/2014 9:58:51 AM | Computer Name = User-PC | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 2/26/2014 9:59:38 AM | Computer Name = User-PC | Source = DCOM | ID = 10005
Description =

Error - 2/26/2014 9:59:45 AM | Computer Name = User-PC | Source = DCOM | ID = 10005
Description =

Error - 2/26/2014 9:59:46 AM | Computer Name = User-PC | Source = DCOM | ID = 10005
Description =

Error - 2/26/2014 9:59:48 AM | Computer Name = User-PC | Source = DCOM | ID = 10005
Description =

Error - 2/26/2014 10:00:53 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 2/26/2014 10:00:53 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 2/26/2014 10:08:09 AM | Computer Name = User-PC | Source = DCOM | ID = 10005
Description =

Error - 2/26/2014 10:09:29 AM | Computer Name = User-PC | Source = DCOM | ID = 10005
Description =

Error - 2/26/2014 10:23:30 AM | Computer Name = User-PC | Source = DCOM | ID = 10005
Description =

< End of report >

#3 HMH22

Authentic Member

Authentic Member
169 posts

Posted 26 February 2014 - 09:12 AM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:41:50 AM, on 2/26/2014
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_6_602_171_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Family.User-PC\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Apanel] C:\ACERSW\config\SetApanel.cmd
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ActivManager] C:\Program Files\Activ Software\ActivDriver\ActivMgr.exe
O4 - HKLM\..\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
O4 - HKLM\..\RunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: ActivSDK Flash Extension.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - http://zone.msn.com/...inematycoon.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: ActivControl - Promethean - C:\Program Files\Activ Software\ActivDriver\ActivControlsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7763 bytes

Here is my Hijackthis logfile

#4 HMH22

Authentic Member

Authentic Member
169 posts

Posted 26 February 2014 - 09:13 AM

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 7.0.6001.18639
Run by User at 9:47:27 on 2014-02-26
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2815.1954 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_6_602_171_ActiveX.exe
C:\Users\Family.User-PC\Desktop\OTL.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Family.User-PC\Desktop\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - <orphaned>
BHO: ShowBarObj Class: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.9012.1008\swg.dll
TB: Acer eDataSecurity Management: {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [top] c:\users\user\appdata\roaming\top1.exe
uRun: [top2] ???????????????????
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [Apanel] c:\acersw\config\SetApanel.cmd
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [eRecoveryService] <no file>
mRunOnce: [*Restore] c:\windows\system32\rstrui.exe /runonce
mRunOnce: [*WerKernelReporting] c:\windows\system32\WerFault.exe -k -rq
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\activs~1.lnk - c:\windows\installer\{b0cb0468-17f6-4d83-8d44-7b9cb66d4d1b}\NewShortcut1_31C7358B35944FA781961EEA93A9077C.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/cnma/default/cinematycoon.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{429534DA-931A-4D7E-8EC3-75992BA2B5E7} : DHCPNameServer = 192.168.1.254
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\33.0.1750.117\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
S1 FAMv4;FAMv4;c:\windows\system32\drivers\FAMv4.sys [2007-12-14 132120]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2008-2-5 269448]
S2 ActivControl;ActivControl;c:\program files\activ software\activdriver\ActivControlsvc.exe [2013-2-27 21328]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2007-12-30 21752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2007-12-30 54520]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2007-12-30 136440]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2014-02-25 19:45:02 7947048 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{545da3c8-a369-40c9-a3a6-b5bd4d5fa72a}\mpengine.dll
2014-02-11 22:32:15 -------- d-----w- c:\users\user\appdata\roaming\Lionhead Studios
.
==================== Find3M ====================
.
2013-12-18 11:13:56 231584 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 9:47:39.83 ===============
Here is the DDS file

#5 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 01 March 2014 - 03:36 PM

Hi HMH22,

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

As we work through your logs. Please remember to run any tools by Right-clicking on the icon and selecting Run As Administrator....

Your logs are a bit unusual. Did you maybe try to do a system restore and then things hung?

Let's try this:

Download ComboFix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html
Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#6 HMH22

Authentic Member

Authentic Member
169 posts

Posted 02 March 2014 - 07:07 AM

Hi YomK thamks for the help I have the combo log for you down below. I also had a couple of questions do I need to be in safe mode or am i ok bring in standard mode and do I need to do the logs over again?

ComboFix 14-02-24.02 - User 03/02/2014   7:45.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2815.1719 [GMT -5:00]
Running from: c:\users\Family.User-PC\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Family.User-PC\AppData\Roaming\.#
c:\users\Guest\AppData\Roaming\.#
c:\users\Guest\AppData\Roaming\.#\MBX@11D8@1D02990.###
c:\users\Guest\AppData\Roaming\.#\MBX@11D8@1D029C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@11D8@1D029F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@1F10@1B62990.###
c:\users\Guest\AppData\Roaming\.#\MBX@1F10@1B629C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@1F10@1B629F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@290@17D2990.###
c:\users\Guest\AppData\Roaming\.#\MBX@290@17D29C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@290@17D29F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@2F0@1F82990.###
c:\users\Guest\AppData\Roaming\.#\MBX@2F0@1F829C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@2F0@1F829F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@418@9D2990.###
c:\users\Guest\AppData\Roaming\.#\MBX@418@9D29C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@418@9D29F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@62C@3B2990.###
c:\users\Guest\AppData\Roaming\.#\MBX@62C@3B29C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@62C@3B29F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@820@1D22990.###
c:\users\Guest\AppData\Roaming\.#\MBX@820@1D229C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@820@1D229F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@848@1C52990.###
c:\users\Guest\AppData\Roaming\.#\MBX@848@1C529C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@848@1C529F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@89C@1A92990.###
c:\users\Guest\AppData\Roaming\.#\MBX@89C@1A929C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@89C@1A929F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@8E8@1D82990.###
c:\users\Guest\AppData\Roaming\.#\MBX@8E8@1D829C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@8E8@1D829F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@A34@AB2990.###
c:\users\Guest\AppData\Roaming\.#\MBX@A34@AB29C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@A34@AB29F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@A58@3F2990.###
c:\users\Guest\AppData\Roaming\.#\MBX@A58@3F29C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@A58@3F29F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@AA0@3F2990.###
c:\users\Guest\AppData\Roaming\.#\MBX@AA0@3F29C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@AA0@3F29F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@AF4@382990.###
c:\users\Guest\AppData\Roaming\.#\MBX@AF4@3829C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@AF4@3829F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@B28@1C72990.###
c:\users\Guest\AppData\Roaming\.#\MBX@B28@1C729C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@B28@1C729F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@B84@382990.###
c:\users\Guest\AppData\Roaming\.#\MBX@B84@3829C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@B84@3829F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@BE8@1732990.###
c:\users\Guest\AppData\Roaming\.#\MBX@BE8@17329C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@BE8@17329F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@DC8@1D32990.###
c:\users\Guest\AppData\Roaming\.#\MBX@DC8@1D329C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@DC8@1D329F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@E70@1B52990.###
c:\users\Guest\AppData\Roaming\.#\MBX@E70@1B529C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@E70@1B529F0.###
c:\users\Guest\AppData\Roaming\.#\MBX@F08@1C52990.###
c:\users\Guest\AppData\Roaming\.#\MBX@F08@1C529C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@F10@3B2990.###
c:\users\Guest\AppData\Roaming\.#\MBX@F10@3B29C0.###
c:\users\Guest\AppData\Roaming\.#\MBX@F10@3B29F0.###
c:\users\Hunter\AppData\Roaming\.#
c:\users\Hunter\AppData\Roaming\.#\MBX@12C8@1CD2990.###
c:\users\Hunter\AppData\Roaming\.#\MBX@12C8@1CD29C0.###
c:\users\Hunter\AppData\Roaming\.#\MBX@12C8@1CD29F0.###
c:\users\User\5136535.exe
c:\users\User\AppData\Roaming\.#
c:\users\User\AppData\Roaming\top1.exe
c:\windows\Installer\{B0CB0468-17F6-4D83-8D44-7B9CB66D4D1B}\NewShortcut1_31C7358B35944FA781961EEA93A9077C.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-02 to 2014-03-02 )))))))))))))))))))))))))))))))
.
.
2014-02-28 15:37 . 2014-02-17 06:32 7947048 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AAA6E909-3B8A-4F34-94B5-D1BAC8FE6115}\mpengine.dll
2014-02-12 13:23 . 2014-02-12 13:23 -------- d-----w- c:\users\Hunter
2014-02-12 01:05 . 2014-02-12 01:05 -------- d-----w- c:\users\Family
2014-02-11 22:33 . 2014-02-11 22:33 -------- d-----w- c:\users\Guest\AppData\Roaming\Lionhead Studios
2014-02-11 22:32 . 2014-02-11 22:32 -------- d-----w- c:\users\User\AppData\Roaming\Lionhead Studios
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-18 11:13 . 2013-02-27 22:34 231584 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 10:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"top2"="???????????????????" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-11 4702208]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2007-12-30 34552]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-01-10 326176]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-01-26 204908]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-10-15 3387392]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-12-07 196128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"ActivManager"="c:\program files\Activ Software\ActivDriver\ActivMgr.exe" [2013-02-27 683328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*Restore"="c:\windows\System32\rstrui.exe" [2008-02-29 318464]
"*WerKernelReporting"="c:\windows\SYSTEM32\WerFault.exe" [2008-01-21 217088]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe 9999 [2008-2-5 535336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-01-26 269448]
S2 ActivControl;ActivControl;c:\program files\Activ Software\ActivDriver\ActivControlsvc.exe [2013-02-27 21328]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-02-25 20:13 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-05 22:13]
.
2014-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-05 22:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-top - c:\users\User\AppData\Roaming\top1.exe
HKLM-Run-Apanel - c:\acersw\config\SetApanel.cmd
HKLM-Run-eRecoveryService - (no file)
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ActivSDK Flash Extension.lnk - (no file)
AddRemove-MuseScore - c:\program files\MuseScore\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-02 07:56
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-03-02 07:58:44
ComboFix-quarantined-files.txt 2014-03-02 12:58
.
Pre-Run: 67,517,628,416 bytes free
Post-Run: 67,544,760,320 bytes free
.
- - End Of File - - DD7663AB6092719D48685C11619CBE4D
A863475757CC50891AA8458C415E4B25

#7 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 02 March 2014 - 10:41 AM

Normal mode is preferable. You did great.

COMBOFIX-Script

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
```
File::

Folder::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"top2"=-
```
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#8 HMH22

Authentic Member

Authentic Member
169 posts

Posted 02 March 2014 - 02:23 PM

Ok I just noticed that I dont have the combofix.exe on my computer anymore is it because i was in safe mode when i ran it the first time? Do i need to run it again or just save it to my computer?

#9 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 02 March 2014 - 04:09 PM

Just save it and then drag the file into it.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#10 HMH22

Authentic Member

Authentic Member
169 posts

Posted 02 March 2014 - 05:04 PM

Ok here you go

ComboFix 14-02-24.02 - User 03/02/2014 17:47:20.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2815.2019 [GMT -5:00]
Running from: c:\users\User\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-02 to 2014-03-02 )))))))))))))))))))))))))))))))
.
.
2014-03-02 22:58 . 2014-03-02 22:58 -------- d-----w- c:\users\User\AppData\Local\temp
2014-03-02 22:58 . 2014-03-02 22:58 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-03-02 22:58 . 2014-03-02 22:58 -------- d-----w- c:\users\Guest\AppData\Local\temp
2014-03-02 22:58 . 2014-03-02 22:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-02 20:51 . 2014-03-02 20:51 -------- d-----w- c:\programdata\WindowsSearch
2014-02-28 15:37 . 2014-02-17 06:32 7947048 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AAA6E909-3B8A-4F34-94B5-D1BAC8FE6115}\mpengine.dll
2014-02-12 13:23 . 2014-02-12 13:23 -------- d-----w- c:\users\Hunter
2014-02-12 01:05 . 2014-02-12 01:05 -------- d-----w- c:\users\Family
2014-02-11 22:33 . 2014-02-11 22:33 -------- d-----w- c:\users\Guest\AppData\Roaming\Lionhead Studios
2014-02-11 22:32 . 2014-02-11 22:32 -------- d-----w- c:\users\User\AppData\Roaming\Lionhead Studios
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-18 11:13 . 2013-02-27 22:34 231584 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 10:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-11 4702208]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2007-12-30 34552]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-01-10 326176]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-01-26 204908]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-10-15 3387392]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-12-07 196128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"ActivManager"="c:\program files\Activ Software\ActivDriver\ActivMgr.exe" [2013-02-27 683328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*Restore"="c:\windows\System32\rstrui.exe" [2008-02-29 318464]
"*WerKernelReporting"="c:\windows\SYSTEM32\WerFault.exe" [2008-01-21 217088]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe 9999 [2008-2-5 535336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-01-26 269448]
S2 ActivControl;ActivControl;c:\program files\Activ Software\ActivDriver\ActivControlsvc.exe [2013-02-27 21328]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-02-25 20:13 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-05 22:13]
.
2014-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-05 22:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-02 17:58
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4304)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2014-03-02 18:00:44
ComboFix-quarantined-files.txt 2014-03-02 23:00
ComboFix2.txt 2014-03-02 12:58
.
Pre-Run: 66,833,592,320 bytes free
Post-Run: 66,827,952,128 bytes free
.
- - End Of File - - 29E63F495E7BCE9FABF5178596799026
A863475757CC50891AA8458C415E4B25

Advertisements

Register to Remove

#11 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 02 March 2014 - 09:16 PM

Good.

Let's get an online scan. This will take a long, long time.

Go here to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activeX control to install
Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
When the scan completes, press the LIST OF THREATS FOUND button
Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
Include the contents of this report in your next reply.
Press the BACK button.
Press Finish

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#12 HMH22

Authentic Member

Authentic Member
169 posts

Posted 03 March 2014 - 07:59 AM

C:\Qoobox\Quarantine\C\Users\User\5136535.exe.vir a variant of Win32/Injector.ADEK trojan
C:\Qoobox\Quarantine\C\Users\User\AppData\Roaming\top1.exe.vir a variant of Win32/Injector.ADEK trojan
C:\Users\Guest\Downloads\8.WhatNow.mp3.exe Win32/InstalleRex.I potentially unwanted application
C:\Users\Guest\Downloads\Extreme_Flash_Player_Setup (1).exe a variant of Win32/Adware.iBryte.G application
C:\Users\Guest\Downloads\Extreme_Flash_Player_Setup.exe a variant of Win32/Adware.iBryte.G application
C:\Users\Guest\Downloads\FlashPlayer_V.98524403c.exe Win32/DomaIQ.D potentially unwanted application
C:\Users\Guest\Downloads\FlashPlayer_V.98524615c.exe Win32/DomaIQ.D potentially unwanted application
C:\Users\Guest\Downloads\iLividSetup-r394-n-bc.exe Win32/Toolbar.SearchSuite potentially unwanted application
C:\Users\Guest\Downloads\PluginInstall.exe Win32/DownWare.I potentially unwanted application

#13 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 03 March 2014 - 09:22 AM

Only things left there are install programs that have been patched with adware/spyware/redirectors.

COMBOFIX-Script

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::

C:\Users\Guest\Downloads\8.WhatNow.mp3.exe

C:\Users\Guest\Downloads\Extreme_Flash_Player_Setup (1).exe

C:\Users\Guest\Downloads\Extreme_Flash_Player_Setup.exe

C:\Users\Guest\Downloads\FlashPlayer_V.98524403c.exe

C:\Users\Guest\Downloads\FlashPlayer_V.98524615c.exe

C:\Users\Guest\Downloads\iLividSetup-r394-n-bc.exe

C:\Users\Guest\Downloads\PluginInstall.exe

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then please let me know how things seem to be running.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#14 HMH22

Authentic Member

Authentic Member
169 posts

Posted 03 March 2014 - 04:08 PM

Ok I just dragged over the cfscript to combofix and a window popped up saying do i want to upgrade to a newer version of combofix should i upgrade or stay with the one i have?

#15 HMH22

Authentic Member

Authentic Member
169 posts

Posted 03 March 2014 - 05:59 PM

ComboFix 14-02-24.02 - User 03/03/2014 18:44:19.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2815.1932 [GMT -5:00]
Running from: c:\users\Family.User-PC\Desktop\ComboFix.exe
Command switches used :: c:\users\Family.User-PC\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Guest\Downloads\8.WhatNow.mp3.exe"
"c:\users\Guest\Downloads\Extreme_Flash_Player_Setup (1).exe"
"c:\users\Guest\Downloads\Extreme_Flash_Player_Setup.exe"
"c:\users\Guest\Downloads\FlashPlayer_V.98524403c.exe"
"c:\users\Guest\Downloads\FlashPlayer_V.98524615c.exe"
"c:\users\Guest\Downloads\iLividSetup-r394-n-bc.exe"
"c:\users\Guest\Downloads\PluginInstall.exe"
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-03 to 2014-03-03 )))))))))))))))))))))))))))))))
.
.
2014-03-03 23:54 . 2014-03-03 23:54 -------- d-----w- c:\users\User\AppData\Local\temp
2014-03-03 23:54 . 2014-03-03 23:54 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-03-03 23:54 . 2014-03-03 23:54 -------- d-----w- c:\users\Guest\AppData\Local\temp
2014-03-03 23:54 . 2014-03-03 23:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-03 12:52 . 2014-03-03 12:52 -------- d-----w- c:\program files\ESET
2014-03-02 20:51 . 2014-03-02 20:51 -------- d-----w- c:\programdata\WindowsSearch
2014-02-28 15:37 . 2014-02-17 06:32 7947048 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AAA6E909-3B8A-4F34-94B5-D1BAC8FE6115}\mpengine.dll
2014-02-12 13:23 . 2014-02-12 13:23 -------- d-----w- c:\users\Hunter
2014-02-12 01:05 . 2014-02-12 01:05 -------- d-----w- c:\users\Family
2014-02-11 22:33 . 2014-02-11 22:33 -------- d-----w- c:\users\Guest\AppData\Roaming\Lionhead Studios
2014-02-11 22:32 . 2014-02-11 22:32 -------- d-----w- c:\users\User\AppData\Roaming\Lionhead Studios
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-18 11:13 . 2013-02-27 22:34 231584 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 10:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-11 4702208]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2007-12-30 34552]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-01-10 326176]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-01-26 204908]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-10-15 3387392]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-12-07 196128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"ActivManager"="c:\program files\Activ Software\ActivDriver\ActivMgr.exe" [2013-02-27 683328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*Restore"="c:\windows\System32\rstrui.exe" [2008-02-29 318464]
"*WerKernelReporting"="c:\windows\SYSTEM32\WerFault.exe" [2008-01-21 217088]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe 9999 [2008-2-5 535336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-01-26 269448]
S2 ActivControl;ActivControl;c:\program files\Activ Software\ActivDriver\ActivControlsvc.exe [2013-02-27 21328]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-02-25 20:13 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-05 22:13]
.
2014-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-05 22:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-03 18:54
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3040)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2014-03-03 18:56:29
ComboFix-quarantined-files.txt 2014-03-03 23:56
ComboFix2.txt 2014-03-02 23:00
ComboFix3.txt 2014-03-02 12:58
.
Pre-Run: 66,187,415,552 bytes free
Post-Run: 66,164,224,000 bytes free
.
- - End Of File - - 0B8DB4281BEABFD418275D8AC3C10299
A863475757CC50891AA8458C415E4B25

Body Background

skin color theme