
Google redirect malware



My computer has been infected by malware that redirects my Google search results to random websites. When the problem first started, Malwarebytes was actually able to find it and supposedly get rid of it, but now the problem is back and neither my TrendMicro nor Malwarebytes seems to be able to see it.

As directed, I downloaded DDS and tried to run it, but every time I open it it results in my computer freezing. It opens, runs for a few minutes, seems to be working, then everything freezes. I have turned off my TrendMicro and the active protection feature in Windows Defender in order to enable the script to run without interference. Is there something I'm missing?

Before I read about DDS I had downloaded and run RogueKiller. The report is pasted below. Don't know if this helps or not.

RogueKiller V8.1.1 [10/03/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User : Joe [Admin rights]

Mode : Scan -- Date : 10/09/2012 21:48:47

¤¤¤ Bad processes : 3 ¤¤¤

[SUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll -> UNLOADED

[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll -> KILLED [TermProc]

[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : Dropbox (rundll32.exe C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll,GetImporterInterface) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-452256800-3484198201-3087025338-1000[...]\Run : Dropbox (rundll32.exe C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll,GetImporterInterface) -> FOUND

[TASK][SUSP PATH] {5C83FDEC-3EEC-4420-86F9-BF192C89220D} : C:\Windows\System32\pcalua.exe -a "C:\Users\Joe\Desktop\ActiveClientCAC_DoDRoot\InstallRootCerts\InstallRoot v2.16(A).exe" -d C:\Users\Joe\Desktop\ActiveClientCAC_DoDRoot\InstallRootCerts -> FOUND

[TASK][SUSP PATH] {D3E9814B-C704-45CE-A3AE-885BE5F36D63} : C:\Windows\System32\pcalua.exe -a C:\Users\Joe\Desktop\InstallRoot_v2_20A-B-S\InstallRoot_v2.20A.exe -d C:\Users\Joe\Desktop\InstallRoot_v2_20A-B-S -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[64] : NtCreateKey @ 0x825FD140 -> HOOKED (Unknown @ 0x884FD0A0)

SSDT[67] : NtCreateMutant @ 0x8262E812 -> HOOKED (Unknown @ 0x884FE3E0)

SSDT[72] : NtCreateProcess @ 0x8269FDAB -> HOOKED (Unknown @ 0x884FC2E0)

SSDT[73] : NtCreateProcessEx @ 0x8269FDF6 -> HOOKED (Unknown @ 0x884FC5A0)

SSDT[78] : NtCreateThread @ 0x8269FBE0 -> HOOKED (Unknown @ 0x884FDF00)

SSDT[123] : NtDeleteKey @ 0x825C0727 -> HOOKED (Unknown @ 0x884FD620)

SSDT[126] : NtDeleteValueKey @ 0x825BBCC8 -> HOOKED (Unknown @ 0x884FD8E0)

SSDT[165] : NtLoadDriver @ 0x82579DEE -> HOOKED (Unknown @ 0x884FE240)

SSDT[194] : NtOpenProcess @ 0x8262EFAE -> HOOKED (Unknown @ 0x884FCB20)

SSDT[317] : NtSetSystemInformation @ 0x825F4EEB -> HOOKED (Unknown @ 0x884FE580)

SSDT[324] : NtSetValueKey @ 0x825EC3C2 -> HOOKED (Unknown @ 0x884FD360)

SSDT[334] : NtTerminateProcess @ 0x825FF143 -> HOOKED (Unknown @ 0x884FCDE0)

SSDT[358] : NtWriteVirtualMemory @ 0x8261B92D -> HOOKED (Unknown @ 0x884FDD60)

SSDT[382] : NtCreateThreadEx @ 0x82629FE9 -> HOOKED (Unknown @ 0x884FE0A0)

SSDT[383] : NtCreateUserProcess @ 0x825D7C11 -> HOOKED (Unknown @ 0x884FC860)

S_SSDT[572] : Unknown -> HOOKED (Unknown @ 0x884FEBE0)

S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x884FEA00)

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9320325AS ATA Device +++++

--- User ---

Thanks for your help.

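The RogueKiller log above shows the persistence pattern worth recognising on its own: a Run value named after a real product ("Dropbox") that actually starts rundll32.exe with a randomly named DLL from a user-writable directory, plus two scheduled tasks that go through pcalua.exe, a signed Windows binary that can proxy execution of arbitrary targets. The script below is an added example, not part of the original post or of RogueKiller: it parses the [RUN] and [TASK] lines copied from that log (with the forum-mangled "[sUSP PATH]" restored) and grades each one. The list of user-writable directories, the KNOWN_PRODUCT_BINARIES mapping and the extra benign Dropbox autorun line at the end of the sample are assumptions constructed for the example; the real Dropbox.exe path comes from the OTL log later in this thread.

```python
"""Triage RogueKiller [RUN] / [TASK] entries: flag rundll32 loading a DLL
from a user-writable path, Run values that impersonate a product, and
pcalua.exe proxy execution in scheduled tasks."""
import re
from dataclasses import dataclass

# Constructed sample input: four lines copied from the RogueKiller log in the
# post above (with "[sUSP PATH]" restored to "[SUSP PATH]") plus one
# hypothetical benign Dropbox autorun added for contrast.
SAMPLE_LOG = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : Dropbox (rundll32.exe C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll,GetImporterInterface) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-452256800-3484198201-3087025338-1000[...]\Run : Dropbox (rundll32.exe C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll,GetImporterInterface) -> FOUND
[TASK][SUSP PATH] {5C83FDEC-3EEC-4420-86F9-BF192C89220D} : C:\Windows\System32\pcalua.exe -a "C:\Users\Joe\Desktop\ActiveClientCAC_DoDRoot\InstallRootCerts\InstallRoot v2.16(A).exe" -d C:\Users\Joe\Desktop\ActiveClientCAC_DoDRoot\InstallRootCerts -> FOUND
[TASK][SUSP PATH] {D3E9814B-C704-45CE-A3AE-885BE5F36D63} : C:\Windows\System32\pcalua.exe -a C:\Users\Joe\Desktop\InstallRoot_v2_20A-B-S\InstallRoot_v2.20A.exe -d C:\Users\Joe\Desktop\InstallRoot_v2_20A-B-S -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : Dropbox (C:\Users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup) -> FOUND
"""

RUN_RE = re.compile(r"^\[RUN\]\[[^\]]*\]\s+(?P<key>\S+)\s*:\s*(?P<name>.+?)\s*\((?P<cmd>.*)\)\s*->\s*(?P<status>\w+)\s*$")
TASK_RE = re.compile(r"^\[TASK\]\[[^\]]*\]\s+(?P<id>\{[0-9A-Fa-f-]+\})\s*:\s*(?P<cmd>.+?)\s*->\s*(?P<status>\w+)\s*$")
# rundll32.exe <dll>,<export>  (the DLL path is what we care about)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>[\w@]+)', re.I)
# pcalua.exe -a <target> : Program Compatibility Assistant used as an execution proxy
PCALUA_RE = re.compile(r'pcalua\.exe\s+-a\s+"?(?P<target>[^"]+?\.exe)"?', re.I)
# Assumption: directories a standard user can write to without elevation.
USER_WRITABLE_RE = re.compile(r"(\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\|\\Windows\\Tasks\\)", re.I)
# Assumption: Run-value names a product legitimately uses, mapped to the binary
# that product really launches (Dropbox.exe, per the OTL process list).
KNOWN_PRODUCT_BINARIES = {"dropbox": "dropbox.exe"}


@dataclass
class Finding:
    kind: str        # "RUN" or "TASK"
    where: str       # registry key or task GUID
    command: str
    severity: str    # "high", "medium" or "low"
    reasons: list


def _launched_binary(cmd: str) -> str:
    """Lower-cased basename of the first token of a command line."""
    cmd = cmd.strip()
    first = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_run_entry(key: str, name: str, cmd: str) -> Finding:
    reasons, severity = [], "low"
    m = RUNDLL_RE.search(cmd)
    if m and USER_WRITABLE_RE.search(m.group("dll")):
        severity = "high"
        reasons.append(f"rundll32 loads {m.group('dll')} (export {m.group('export')}) from a user-writable directory")
    expected = KNOWN_PRODUCT_BINARIES.get(name.strip().lower())
    launched = _launched_binary(cmd)
    if expected and launched != expected:
        severity = "high"
        reasons.append(f"value name '{name}' mimics a product but launches {launched} instead of {expected}")
    return Finding("RUN", key, cmd, severity, reasons)


def triage_task_entry(task_id: str, cmd: str) -> Finding:
    m = PCALUA_RE.search(cmd)
    if m:
        # pcalua is a legitimate proxy; the target decides whether this is benign
        return Finding("TASK", task_id, cmd, "medium",
                       [f"pcalua.exe -a proxies execution of {m.group('target')}; confirm the target is a known installer"])
    return Finding("TASK", task_id, cmd, "low", [])


def triage(log_text: str) -> list:
    """Parse every [RUN]/[TASK] line and return one Finding per entry, in order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := RUN_RE.match(line)):
            findings.append(triage_run_entry(m.group("key"), m.group("name"), m.group("cmd")))
        elif (m := TASK_RE.match(line)):
            findings.append(triage_task_entry(m.group("id"), m.group("cmd")))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind} {f.where}\n    {f.command}")
        for r in f.reasons:
            print("    - " + r)
```

Run against the sample, the two khtbwxtb.dll entries come out "high" for two independent reasons (DLL under the user profile, and a "Dropbox" value that does not launch Dropbox.exe), the two pcalua.exe tasks come out "medium" with their InstallRoot targets named for manual confirmation, and the constructed Dropbox.exe line stays "low". The product-name check is the part that generalises: a Run value is only as trustworthy as the binary it actually starts, not the name it was given.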

Hello jmanzella7 and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


Step 3

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Please tick Scan All Users. Next, click the Quick Scan button. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • OTL log with Extras.txt


Hi Maniac, here are the logs you requested.

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.10.10.05

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 8.0.6001.19328

Joe :: JOE-PC [administrator]

10/10/2012 8:15:24 AM

mbam-log-2012-10-10 (08-15-24).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 189004

Time elapsed: 13 minute(s), 57 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------------------------------------------------------------

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-10-10 08:36:18

-----------------------------

08:36:18.173 OS Version: Windows 6.0.6002 Service Pack 2

08:36:18.173 Number of processors: 2 586 0xE08

08:36:18.175 ComputerName: JOE-PC UserName: Joe

08:36:44.142 Initialize success

08:37:06.246 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

08:37:06.248 Disk 0 Vendor: ST9320325AS 0001SDM1 Size: 305245MB BusType: 3

08:37:06.262 Disk 0 MBR read successfully

08:37:06.264 Disk 0 MBR scan

08:37:06.266 Disk 0 unknown MBR code

08:37:06.268 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 22285 MB offset 63

08:37:06.289 Disk 0 Partition 2 80 (A) 06 FAT16 NTFS 141941 MB offset 45640665

08:37:06.312 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 141018 MB offset 336336840

08:37:06.317 Disk 0 scanning sectors +625142448

08:37:06.377 Disk 0 scanning C:\Windows\system32\drivers

08:37:24.334 Service scanning

08:37:45.179 Modules scanning

08:37:52.119 Disk 0 trace - called modules:

08:37:52.150 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys

08:37:52.154 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x866649d8]

08:37:52.157 3 CLASSPNP.SYS[8abb58b3] -> nt!IofCallDriver -> [0x85379020]

08:37:52.160 5 acpi.sys[82a9b6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85d18b98]

08:37:52.164 Scan finished successfully

08:38:03.776 Disk 0 MBR has been saved successfully to "C:\Users\Joe\Desktop\MBR.dat"

08:38:03.784 The log file has been saved successfully to "C:\Users\Joe\Desktop\aswMBR.txt"

---------------------------------------------------------------------------------------------------------------------------------------

OTL logfile created on: 10/10/2012 8:40:03 AM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Joe\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.19328)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.92 Gb Available Physical Memory | 64.20% Memory free

6.20 Gb Paging File | 5.17 Gb Available in Paging File | 83.40% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 138.61 Gb Total Space | 84.55 Gb Free Space | 60.99% Space Free | Partition Type: NTFS

Drive D: | 137.71 Gb Total Space | 96.44 Gb Free Space | 70.03% Space Free | Partition Type: NTFS

Drive E: | 2.07 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: JOE-PC | User Name: Joe | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/10 08:38:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Joe\Desktop\OTL.exe

PRC - [2012/05/24 11:39:22 | 027,112,840 | ---- | M] (Dropbox, Inc.) -- C:\Users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe

PRC - [2012/04/03 22:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

PRC - [2011/09/19 16:29:48 | 000,087,368 | ---- | M] (Nero AG) -- C:\Program Files\Motorola Media Link\Lite\NServiceEntry.exe

PRC - [2011/09/15 10:26:02 | 000,166,864 | ---- | M] (Motorola Mobility Inc.) -- C:\Program Files\Motorola Mobility\MotoCast\MotoCast.exe

PRC - [2011/09/15 10:25:52 | 000,237,032 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\MotoCast-thumbnailer.exe

PRC - [2011/09/14 16:09:04 | 000,218,992 | ---- | M] () -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe

PRC - [2011/09/14 16:08:08 | 000,804,720 | ---- | M] () -- C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe

PRC - [2011/08/16 22:38:03 | 000,208,896 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Users\Joe\AppData\Local\Temp\RtkBtMnt.exe

PRC - [2010/11/08 09:40:56 | 000,715,440 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

PRC - [2010/03/12 22:07:17 | 000,689,416 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

PRC - [2010/03/12 22:07:17 | 000,345,352 | ---- | M] () -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe

PRC - [2010/01/26 00:40:32 | 001,020,248 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

PRC - [2009/06/03 17:16:42 | 000,207,400 | ---- | M] (ActivIdentity) -- C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe

PRC - [2009/06/03 17:16:34 | 000,153,640 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe

PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008/01/19 00:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe

PRC - [2006/12/01 11:34:16 | 000,131,072 | ---- | M] (acer) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

PRC - [2006/11/20 22:43:08 | 000,118,784 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe

PRC - [2006/11/19 23:13:00 | 004,018,176 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe

PRC - [2006/11/16 17:35:18 | 000,045,056 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

PRC - [2006/11/13 01:13:10 | 000,024,576 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe

========== Modules (No Company Name) ==========

MOD - [2012/10/10 08:11:17 | 000,379,904 | ---- | M] () -- C:\Users\Joe\AppData\Local\Temp\libsqlitejdbc-8175058078959342349.lib

MOD - [2012/10/10 08:10:29 | 000,205,824 | ---- | M] () -- C:\Users\Joe\AppData\Local\Temp\WindowsAPI.dll1235610244091184470.lib

MOD - [2012/09/09 09:01:04 | 000,354,304 | ---- | M] () -- C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll

MOD - [2011/09/15 10:26:02 | 000,071,680 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstvideoscale.dll

MOD - [2011/09/15 10:26:02 | 000,059,904 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstvideobox.dll

MOD - [2011/09/15 10:26:02 | 000,059,904 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgsttypefindfunctions.dll

MOD - [2011/09/15 10:26:02 | 000,054,784 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstsmpte.dll

MOD - [2011/09/15 10:26:02 | 000,053,248 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstvorbis.dll

MOD - [2011/09/15 10:26:02 | 000,051,712 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstsubparse.dll

MOD - [2011/09/15 10:26:02 | 000,050,688 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstwavpack.dll

MOD - [2011/09/15 10:26:02 | 000,041,984 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstwavparse.dll

MOD - [2011/09/15 10:26:02 | 000,034,304 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstvolume.dll

MOD - [2011/09/15 10:26:02 | 000,032,768 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstvideocrop.dll

MOD - [2011/09/15 10:26:02 | 000,024,576 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstvideorate.dll

MOD - [2011/09/15 10:26:02 | 000,013,312 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgsty4menc.dll

MOD - [2011/09/15 10:26:02 | 000,011,264 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libshift.dll

MOD - [2011/09/15 10:26:00 | 000,163,328 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstmatroska.dll

MOD - [2011/09/15 10:26:00 | 000,150,528 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstmpegdemux.dll

MOD - [2011/09/15 10:26:00 | 000,149,504 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstqtdemux.dll

MOD - [2011/09/15 10:26:00 | 000,126,976 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstogg.dll

MOD - [2011/09/15 10:26:00 | 000,114,688 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstqtmux.dll

MOD - [2011/09/15 10:26:00 | 000,061,952 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstjpeg.dll

MOD - [2011/09/15 10:26:00 | 000,047,616 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstmpegaudioparse.dll

MOD - [2011/09/15 10:26:00 | 000,039,424 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstmpegtsmux.dll

MOD - [2011/09/15 10:26:00 | 000,035,840 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstselector.dll

MOD - [2011/09/15 10:26:00 | 000,035,840 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstinterleave.dll

MOD - [2011/09/15 10:26:00 | 000,035,328 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstreplaygain.dll

MOD - [2011/09/15 10:26:00 | 000,034,304 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstid3tag.dll

MOD - [2011/09/15 10:26:00 | 000,032,256 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstid3demux.dll

MOD - [2011/09/15 10:26:00 | 000,028,672 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstpng.dll

MOD - [2011/09/15 10:26:00 | 000,025,600 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstmpegvideoparse.dll

MOD - [2011/09/15 10:26:00 | 000,025,088 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstmultipart.dll

MOD - [2011/09/15 10:26:00 | 000,020,480 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstmultifile.dll

MOD - [2011/09/15 10:26:00 | 000,019,456 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstlevel.dll

MOD - [2011/09/15 10:26:00 | 000,015,360 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstmulaw.dll

MOD - [2011/09/15 10:25:58 | 000,531,968 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstflumpeg4video.dll

MOD - [2011/09/15 10:25:58 | 000,119,296 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstflumpegdemux.dll

MOD - [2011/09/15 10:25:58 | 000,074,240 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstflv.dll

MOD - [2011/09/15 10:25:58 | 000,037,888 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstgio.dll

MOD - [2011/09/15 10:25:58 | 000,029,696 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstgdp.dll

MOD - [2011/09/15 10:25:54 | 002,009,600 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstfluh264dec.dll

MOD - [2011/09/15 10:25:54 | 001,694,208 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstfluaacdec.dll

MOD - [2011/09/15 10:25:54 | 001,563,136 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstflump3enc.dll

MOD - [2011/09/15 10:25:54 | 001,520,128 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libvorbisenc-2.dll

MOD - [2011/09/15 10:25:54 | 001,396,736 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libxml2-2.dll

MOD - [2011/09/15 10:25:54 | 001,376,256 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstflump3dec.dll

MOD - [2011/09/15 10:25:54 | 000,682,496 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstreamer-0.10.dll

MOD - [2011/09/15 10:25:54 | 000,563,712 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\liborc-0.4-0.dll

MOD - [2011/09/15 10:25:54 | 000,363,008 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstflumpeg2video.dll

MOD - [2011/09/15 10:25:54 | 000,276,992 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libjpeg-8.dll

MOD - [2011/09/15 10:25:54 | 000,248,352 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libopencore-amrnb.0.1.1.dll

MOD - [2011/09/15 10:25:54 | 000,196,608 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libwavpack-1.dll

MOD - [2011/09/15 10:25:54 | 000,190,976 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libpng14-14.dll

MOD - [2011/09/15 10:25:54 | 000,187,904 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstffmpegcolorspace.dll

MOD - [2011/09/15 10:25:54 | 000,179,712 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstcoreelements.dll

MOD - [2011/09/15 10:25:54 | 000,162,304 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libvorbis-0.dll

MOD - [2011/09/15 10:25:54 | 000,125,440 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgsttag-0.10.dll

MOD - [2011/09/15 10:25:54 | 000,123,947 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libopencore-amrwb.0.1.1.dll

MOD - [2011/09/15 10:25:54 | 000,122,880 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstfluasfdemux.dll

MOD - [2011/09/15 10:25:54 | 000,122,368 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstavi.dll

MOD - [2011/09/15 10:25:54 | 000,091,136 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstdshowdecwrapper.dll

MOD - [2011/09/15 10:25:54 | 000,088,064 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstflummssrc.dll

MOD - [2011/09/15 10:25:54 | 000,085,504 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\z.dll

MOD - [2011/09/15 10:25:54 | 000,083,968 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstdecodebin2.dll

MOD - [2011/09/15 10:25:54 | 000,079,872 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstpbutils-0.10.dll

MOD - [2011/09/15 10:25:54 | 000,078,336 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstaudioconvert.dll

MOD - [2011/09/15 10:25:54 | 000,073,728 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstdshowsrcwrapper.dll

MOD - [2011/09/15 10:25:54 | 000,070,144 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstrtp-0.10.dll

MOD - [2011/09/15 10:25:54 | 000,067,584 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstflac.dll

MOD - [2011/09/15 10:25:54 | 000,050,688 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstaudioresample.dll

MOD - [2011/09/15 10:25:54 | 000,048,640 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstalpha.dll

MOD - [2011/09/15 10:25:54 | 000,041,984 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstriff-0.10.dll

MOD - [2011/09/15 10:25:54 | 000,038,912 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstaiff.dll

MOD - [2011/09/15 10:25:54 | 000,037,376 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstvideo-0.10.dll

MOD - [2011/09/15 10:25:54 | 000,036,864 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstflumch264enc.dll

MOD - [2011/09/15 10:25:54 | 000,033,280 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstflumcaacenc.dll

MOD - [2011/09/15 10:25:54 | 000,030,208 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstadder.dll

MOD - [2011/09/15 10:25:54 | 000,029,184 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstautodetect.dll

MOD - [2011/09/15 10:25:54 | 000,029,184 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstautoconvert.dll

MOD - [2011/09/15 10:25:54 | 000,026,624 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstequalizer.dll

MOD - [2011/09/15 10:25:54 | 000,023,552 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libogg-0.dll

MOD - [2011/09/15 10:25:54 | 000,020,480 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstamrnb.dll

MOD - [2011/09/15 10:25:54 | 000,019,968 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstaudiorate.dll

MOD - [2011/09/15 10:25:54 | 000,019,456 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstauparse.dll

MOD - [2011/09/15 10:25:54 | 000,018,944 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstalaw.dll

MOD - [2011/09/15 10:25:54 | 000,017,920 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstalphacolor.dll

MOD - [2011/09/15 10:25:54 | 000,016,896 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstcutter.dll

MOD - [2011/09/15 10:25:54 | 000,015,360 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstapetag.dll

MOD - [2011/09/15 10:25:54 | 000,014,848 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstamrwbdec.dll

MOD - [2011/09/15 10:25:54 | 000,014,848 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstadpcmdec.dll

MOD - [2011/09/15 10:25:54 | 000,011,776 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstcoreindexers.dll

MOD - [2011/09/15 10:25:54 | 000,008,192 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\plugins\libgstapp.dll

MOD - [2011/09/15 10:25:52 | 000,331,264 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libFLAC-8.dll

MOD - [2011/09/15 10:25:52 | 000,237,032 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\MotoCast-thumbnailer.exe

MOD - [2011/09/15 10:25:52 | 000,199,168 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstbase-0.10.dll

MOD - [2011/09/15 10:25:52 | 000,126,976 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstcontroller-0.10.dll

MOD - [2011/09/15 10:25:52 | 000,108,544 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstaudio-0.10.dll

MOD - [2011/09/15 10:25:52 | 000,053,760 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstinterfaces-0.10.dll

MOD - [2011/09/15 10:25:52 | 000,038,400 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstapp-0.10.dll

MOD - [2011/09/15 10:25:52 | 000,018,944 | ---- | M] () -- C:\Program Files\Motorola Mobility\MotoCast\bin\libgstdataprotocol-0.10.dll

MOD - [2011/09/14 16:08:08 | 000,804,720 | ---- | M] () -- C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe

MOD - [2007/03/30 11:04:48 | 000,249,856 | ---- | M] () -- C:\Windows\System32\igfxTMM.dll

========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Windows\system32\DRIVERS\xaudio.exe -- (XAudioService)

SRV - File not found [Auto | Stopped] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)

SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon -- (CLTNetCnService)

SRV - [2012/10/08 15:47:02 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2012/10/05 19:15:32 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2012/04/03 22:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)

SRV - [2011/09/19 16:29:48 | 000,087,368 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Motorola Media Link\Lite\NServiceEntry.exe -- (DeviceMonitorService)

SRV - [2011/09/14 16:09:04 | 000,218,992 | ---- | M] () [Auto | Running] -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe -- (MotoHelper)

SRV - [2010/11/08 09:40:56 | 000,715,440 | ---- | M] () [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe -- (SfCtlCom)

SRV - [2010/03/12 22:07:17 | 000,689,416 | ---- | M] () [On_Demand | Running] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy)

SRV - [2010/03/12 22:07:17 | 000,345,352 | ---- | M] () [On_Demand | Running] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)

SRV - [2009/07/20 10:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)

SRV - [2009/06/03 17:16:42 | 000,207,400 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe -- (ac.sharedstore)

SRV - [2008/01/19 00:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2007/10/31 15:11:34 | 000,354,648 | ---- | M] (Rosetta Stone Ltd.) [On_Demand | Stopped] -- C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe -- (RosettaStoneLtdController)

SRV - [2006/12/01 11:34:16 | 000,131,072 | ---- | M] (acer) [Auto | Running] -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService)

SRV - [2006/11/30 20:39:10 | 000,024,576 | ---- | M] (Acer Inc.) [On_Demand | Stopped] -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService)

SRV - [2006/11/20 22:43:08 | 000,118,784 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eNet\eNet Service.exe -- (eNet Service)

SRV - [2006/11/16 17:35:18 | 000,045,056 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)

SRV - [2006/11/13 01:13:10 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- system32\DRIVERS\xaudio.sys -- (XAudio)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\UIUSYS.SYS -- (UIUSys)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV - File not found [Kernel | Auto | Stopped] -- system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSXHWAZL.sys -- (HSXHWAZL)

DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)

DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Joe\AppData\Local\Temp\aswMBR.sys -- (aswMBR)

DRV - [2012/10/09 21:47:45 | 000,014,080 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\Windows\System32\drivers\TrueSight.sys -- (TrueSight)

DRV - [2011/07/12 03:44:10 | 000,262,416 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmxpflt.sys -- (tmxpflt)

DRV - [2011/07/12 03:43:58 | 000,036,624 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmpreflt.sys -- (tmpreflt)

DRV - [2011/07/12 03:09:32 | 001,405,720 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vsapint.sys -- (vsapint)

DRV - [2010/07/19 11:03:10 | 000,059,472 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\DRIVERS\tmactmon.sys -- (tmactmon)

DRV - [2010/07/19 11:03:00 | 000,051,792 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\DRIVERS\tmevtmgr.sys -- (tmevtmgr)

DRV - [2010/07/19 11:02:54 | 000,163,408 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\DRIVERS\tmcomm.sys -- (tmcomm)

DRV - [2010/03/12 22:07:25 | 000,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tmtdi.sys -- (tmtdi)

DRV - [2009/06/17 09:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)

DRV - [2009/06/17 09:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)

DRV - [2007/10/17 23:11:00 | 000,056,448 | ---- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SCR3XX2K.sys -- (SCR3XX2K)

DRV - [2006/11/22 00:29:00 | 004,455,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

DRV - [2006/11/02 06:27:36 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Program Files\Launch Manager\DPortIO.sys -- (DritekPortIO)

DRV - [2006/11/02 01:51:27 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbccid.sys -- (USBCCID)

DRV - [2006/11/02 00:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)

DRV - [2006/11/02 00:30:53 | 000,045,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)

DRV - [2006/10/29 18:42:28 | 001,786,880 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32)

DRV - [2006/10/24 23:36:48 | 000,042,240 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ESD7SK.sys -- (ESDCR)

DRV - [2006/10/24 23:36:44 | 000,076,928 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ESM7SK.sys -- (ESMCR)

DRV - [2006/10/24 23:36:36 | 000,062,208 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\EMS7SK.sys -- (EMSCR)

DRV - [2006/10/18 16:44:30 | 000,031,232 | ---- | M] (SMSC) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\smscirda.sys -- (SMSCIRDA)

DRV - [2005/04/12 20:21:32 | 000,022,240 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WmFilter.sys -- (WmFilter)

DRV - [2005/04/12 20:21:28 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WmBEnum.sys -- (WmBEnum)

DRV - [2005/04/12 20:21:28 | 000,005,600 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WmVirHid.sys -- (WmVirHid)

DRV - [2005/04/12 20:21:26 | 000,045,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WmXlCore.sys -- (WmXlCore)

DRV - [2005/01/13 15:46:16 | 000,069,632 | ---- | M] () [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SEARCH PAGE = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\..\SearchScopes\{5E3967A3-FFDB-427E-968D-3EE8486D14FE}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADBR_en

IE - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: moveplayer@movenetworks.com:1.0.0.071303000006

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000006

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: File not found

FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Joe\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKCU\Software\MozillaPlugins\electronicarts.com/GameFacePlugin: C:\Users\Joe\AppData\Roaming\Electronic Arts\Game Face\npGameFacePlugin.dll (Electronic Arts)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/10/09 20:40:30 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/08/10 13:29:02 | 000,000,000 | ---D | M]

[2008/12/21 17:48:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Joe\AppData\Roaming\Mozilla\Extensions

[2012/07/24 20:09:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\j3a3o27h.default\extensions

[2012/02/08 19:19:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\j3a3o27h.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2012/02/08 19:19:19 | 000,000,000 | ---D | M] (20-20 3D Viewer) -- C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\j3a3o27h.default\extensions\2020Player@2020Technologies.com

[2012/02/08 19:19:20 | 000,000,000 | ---D | M] (Move Media Player) -- C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\j3a3o27h.default\extensions\moveplayer@movenetworks.com

[2012/07/24 20:09:07 | 000,741,958 | ---- | M] () (No name found) -- C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\j3a3o27h.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

[2012/10/09 20:40:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2011/03/23 21:49:10 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2012/10/05 19:15:51 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2004/08/18 12:00:00 | 000,270,336 | ---- | M] (Gradkell Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\DCAENTU.dll

[2004/08/18 12:00:00 | 001,294,336 | ---- | M] (Gradkell Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\DCARSA.dll

[2004/08/18 12:00:00 | 000,348,160 | ---- | M] (Gradkell Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\GuiUtils.dll

[2004/08/18 12:00:00 | 000,393,216 | ---- | M] (Gradkell Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npDBsignWeb.dll

[2011/02/02 19:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

[2004/08/18 12:00:00 | 000,122,880 | ---- | M] (Netscape Communications Corporation) -- C:\Program Files\mozilla firefox\plugins\nsldap32v30.dll

[2012/10/05 19:15:12 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2012/10/05 19:15:12 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2006/09/18 14:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\System32\ActiveToolBand.dll (HiTRUST)

O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)

O3 - HKU\S-1-5-21-452256800-3484198201-3087025338-1000\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [ufSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe ()

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)

O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)

O4 - HKU\S-1-5-21-452256800-3484198201-3087025338-1000..\Run: [Dropbox] C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll ()

O4 - HKU\S-1-5-21-452256800-3484198201-3087025338-1000..\Run: [MotoCast] C:\Program Files\Motorola Mobility\MotoCast\MotoLauncher.lnk ()

O4 - Startup: C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html File not found

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=928 (Performance Viewer Activex Control)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{00A46013-805B-456C-91FF-75978ACDE10B}: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A95BCE07-1B66-4DFD-92B4-B94208B884FE}: DhcpNameServer = 10.61.32.1 4.2.2.1

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - File not found

O24 - Desktop WallPaper: C:\Users\Joe\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O24 - Desktop BackupWallPaper: C:\Users\Joe\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/12/01 23:15:27 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{1cdaa7cf-84f3-11de-96cf-0016d467f43c}\Shell\AutoRun\command - "" = E:\JDSecure\Windows\JDSecure31.exe

O33 - MountPoints2\{75ff7d10-75c6-11df-93c9-0014d11b3ffe}\Shell - "" = AutoRun

O33 - MountPoints2\{75ff7d10-75c6-11df-93c9-0014d11b3ffe}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a

O33 - MountPoints2\{9d108e69-693f-11dc-af33-0016d467f43c}\Shell - "" = AutoRun

O33 - MountPoints2\{9d108e69-693f-11dc-af33-0016d467f43c}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a

O33 - MountPoints2\{eeaa0b04-fa8c-11e1-8878-0016d467f43c}\Shell - "" = AutoRun

O33 - MountPoints2\{eeaa0b04-fa8c-11e1-8878-0016d467f43c}\Shell\AutoRun\command - "" = H:\MotoCastSetup.exe -a

O33 - MountPoints2\{fc2cddde-3c46-11e1-a0dd-0016d467f43c}\Shell - "" = AutoRun

O33 - MountPoints2\{fc2cddde-3c46-11e1-a0dd-0016d467f43c}\Shell\AutoRun\command - "" = H:\MotoCastSetup.exe -a

O33 - MountPoints2\{fc2cde07-3c46-11e1-a0dd-0016d467f43c}\Shell - "" = AutoRun

O33 - MountPoints2\{fc2cde07-3c46-11e1-a0dd-0016d467f43c}\Shell\AutoRun\command - "" = G:\TL-Bootstrap.exe

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/10 08:38:22 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Joe\Desktop\OTL.exe

[2012/10/10 08:33:18 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Joe\Desktop\aswMBR.exe

[2012/10/10 07:22:59 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Joe\Desktop\dds.com

[2012/10/09 22:00:40 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Joe\Desktop\dds.scr

[2012/10/09 21:47:25 | 000,000,000 | ---D | C] -- C:\Users\Joe\Desktop\RK_Quarantine

[2012/10/09 20:40:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla

[2012/10/09 20:40:36 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service

[2012/09/11 21:33:19 | 000,000,000 | ---D | C] -- C:\Dropbox

[2012/09/11 21:33:14 | 000,000,000 | ---D | C] -- C:\Users\Joe\Documents\My Cmaps

[2012/09/11 21:33:14 | 000,000,000 | ---D | C] -- C:\Users\Joe\AppData\Roaming\CmapTools

[2012/09/11 21:33:12 | 000,000,000 | ---D | C] -- C:\Users\Joe\CmapToolsLogs

========== Files - Modified Within 30 Days ==========

[2012/10/10 08:46:15 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2012/10/10 08:38:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Joe\Desktop\OTL.exe

[2012/10/10 08:38:03 | 000,000,512 | ---- | M] () -- C:\Users\Joe\Desktop\MBR.dat

[2012/10/10 08:33:45 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Joe\Desktop\aswMBR.exe

[2012/10/10 08:16:24 | 000,604,702 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2012/10/10 08:16:24 | 000,104,370 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2012/10/10 08:10:17 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2012/10/10 08:10:17 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2012/10/10 08:10:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/10/10 08:00:49 | 000,002,855 | ---- | M] () -- C:\Users\Joe\Desktop\dds.PIF

[2012/10/10 07:22:29 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Joe\Desktop\dds.com

[2012/10/09 22:00:15 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Joe\Desktop\dds.scr

[2012/10/09 21:47:45 | 000,014,080 | ---- | M] () -- C:\Windows\System32\drivers\TrueSight.sys

[2012/10/09 21:45:35 | 001,422,336 | ---- | M] () -- C:\Users\Joe\Desktop\RogueKiller.exe

[2012/10/09 21:04:57 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/10/09 20:40:40 | 000,000,874 | ---- | M] () -- C:\Users\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2012/10/09 20:40:40 | 000,000,850 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk

[2012/09/11 21:32:07 | 000,001,867 | ---- | M] () -- C:\Users\Joe\.powerupdate.user.properties

========== Files Created - No Company Name ==========

[2012/10/10 08:38:03 | 000,000,512 | ---- | C] () -- C:\Users\Joe\Desktop\MBR.dat

[2012/10/10 08:00:49 | 000,002,855 | ---- | C] () -- C:\Users\Joe\Desktop\dds.PIF

[2012/10/09 22:00:54 | 001,422,336 | ---- | C] () -- C:\Users\Joe\Desktop\RogueKiller.exe

[2012/10/09 21:47:45 | 000,014,080 | ---- | C] () -- C:\Windows\System32\drivers\TrueSight.sys

[2012/10/09 21:04:57 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/09/11 21:32:07 | 000,001,867 | ---- | C] () -- C:\Users\Joe\.powerupdate.user.properties

[2011/08/16 21:57:50 | 000,000,680 | ---- | C] () -- C:\Users\Joe\AppData\Local\d3d9caps.dat

[2011/01/11 18:05:18 | 000,008,592 | ---- | C] () -- C:\Windows\System32\ractrlkeyhook.dll

[2009/02/13 07:49:36 | 000,002,716 | -H-- | C] () -- C:\Users\Joe\.strange-eons-settings

[2009/02/13 07:49:26 | 000,000,000 | ---- | C] () -- C:\Users\Joe\.strange-eons-editor-session

[2009/02/13 07:49:16 | 000,000,000 | -H-- | C] () -- C:\Users\Joe\.strange-eons-user-dict

[2007/02/18 20:20:45 | 000,000,552 | ---- | C] () -- C:\Users\Joe\AppData\Local\d3d8caps.dat

[2007/02/15 20:41:11 | 000,099,328 | ---- | C] () -- C:\Users\Joe\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2012/02/08 13:19:59 | 000,000,082 | ---- | M] () -- C:\Windows\$NtUninstallKB38361$\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\N4P7ZWKR\t.cxt.ms\lso.swf\u.sol

[2012/02/08 09:09:05 | 000,000,000 | ---D | M] -- C:\Windows\$NtUninstallKB38361$\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\N4P7ZWKR\wbads.vo.llnwd.net\o25\u

[2006/11/02 05:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 10:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/10 23:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/10 23:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

========== LOP Check ==========

[2007/02/12 21:15:00 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\Acer

[2010/06/09 19:32:56 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\Amazon

[2010/08/24 20:18:04 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\AVICFeeds

[2012/09/11 21:45:19 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\CmapTools

[2012/10/10 08:10:51 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\Dropbox

[2011/12/02 22:23:38 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\Electronic Arts

[2009/01/04 11:17:13 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\Flickr

[2009/02/10 16:47:05 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\FloodLightGames

[2012/02/08 19:19:16 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\FreeAudioPack

[2007/02/12 21:15:00 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\Leadertech

[2012/10/10 08:12:02 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\MotoCast

[2012/09/09 08:02:05 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\Motorola

[2007/05/19 20:32:50 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\PureEdge

[2011/04/25 17:18:20 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\ScanSoft

[2012/07/16 20:35:49 | 000,000,000 | ---D | M] -- C:\Users\Joe\AppData\Roaming\Unity

========== Purity Check ==========

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========

[C:\Windows\$NtUninstallKB38361$] -> Error: Cannot create file handle -> Unknown point type

< End of report >

-------------------------------------------------------------------------------------------------------------------------------------

OTL Extras logfile created on: 10/10/2012 8:40:03 AM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Joe\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.19328)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.92 Gb Available Physical Memory | 64.20% Memory free

6.20 Gb Paging File | 5.17 Gb Available in Paging File | 83.40% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 138.61 Gb Total Space | 84.55 Gb Free Space | 60.99% Space Free | Partition Type: NTFS

Drive D: | 137.71 Gb Total Space | 96.44 Gb Free Space | 70.03% Space Free | Partition Type: NTFS

Drive E: | 2.07 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: JOE-PC | User Name: Joe | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-452256800-3484198201-3087025338-1000\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"UacDisableNotify" = 0

"InternetSettingsDisableNotify" = 0

"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"55567:TCP" = 55567:TCP:*:Enabled:RosettaStoneLtdServices Port 55567

"55568:TCP" = 55568:TCP:*:Enabled:RosettaStoneLtdServer Port 55568

"55569:TCP" = 55569:TCP:*:Enabled:RosettaStoneLtdController Port 55569

"55570:TCP" = 55570:TCP:*:Enabled:RosettaStoneLtdServices Port 55570

"55566:TCP" = 55566:TCP:*:Enabled:RosettaStoneLtdServices Port 55566

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"55567:TCP" = 55567:TCP:*:Enabled:RosettaStoneLtdServices Port 55567

"55570:TCP" = 55570:TCP:*:Enabled:RosettaStoneLtdServices Port 55570

"55568:TCP" = 55568:TCP:*:Enabled:RosettaStoneLtdServer Port 55568

"55569:TCP" = 55569:TCP:*:Enabled:RosettaStoneLtdController Port 55569

"55566:TCP" = 55566:TCP:*:Enabled:RosettaStoneLtdServices Port 55566

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe" = C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe:*:Enabled:RosettaStoneLtdController -- (Rosetta Stone Ltd.)

"C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe" = C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:*:Enabled:RosettaStoneLtdServices -- ()

"C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe" = C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe:*:Enabled:RosettaStoneLtdServer -- (Rosetta Stone Ltd.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe" = C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe:*:Enabled:RosettaStoneLtdController -- (Rosetta Stone Ltd.)

"C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe" = C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:*:Enabled:RosettaStoneLtdServices -- ()

"C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe" = C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe:*:Enabled:RosettaStoneLtdServer -- (Rosetta Stone Ltd.)

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0689650B-C576-472B-A3BC-70E124B2EE02}" = lport=55566 | protocol=6 | dir=out | name=rosettastoneltdservices port 55566 |

"{09E58C8A-D4CE-42DF-9DF0-F19A9D90F098}" = lport=2869 | protocol=6 | dir=in | app=system |

"{15CEEB51-BDF4-4227-9E80-81E70040DE3F}" = lport=55570 | protocol=6 | dir=out | name=rosettastoneltdservices port 55570 |

"{18D1CDCB-BB08-4903-9391-E34D3545E692}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{1D677432-C2E1-429D-9674-94A606BE6645}" = lport=55569 | protocol=6 | dir=out | name=rosettastoneltdcontroller port 55569 |

"{31C2A865-1DCE-4FF3-9BD1-BA558CA11D97}" = lport=55567 | protocol=6 | dir=out | name=rosettastoneltdservices port 55567 |

"{40416435-F35B-4868-928F-8BE1383C8D4F}" = lport=10243 | protocol=6 | dir=in | app=system |

"{49519BCF-5135-4742-90AF-48470C71ABD4}" = lport=55569 | protocol=6 | dir=in | name=rosettastoneltdcontroller port 55569 |

"{56B32F68-26F2-490C-A4C9-EBCD30979A4A}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

"{58DCC18D-7E06-4188-8BCE-F846F4853ED3}" = lport=55567 | protocol=6 | dir=in | name=rosettastoneltdservices port 55567 |

"{690D2EB7-B944-468D-AA51-CE1C8A5F8847}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{8465F3A1-5737-4028-8212-3E90FF15D09D}" = lport=55568 | protocol=6 | dir=out | name=rosettastoneltdserver port 55568 |

"{87BF9FE7-A418-46EE-A0F0-3792E2992E59}" = rport=10243 | protocol=6 | dir=out | app=system |

"{88C99F19-3F3C-4B9B-90AA-B44A3EFA7408}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{A5009E28-65B2-47C6-A38A-CD3867CA44C6}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{D659C140-9608-4CBA-9412-5DDB3708F1B5}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{DAE12C66-097B-499D-907A-CF3479FC055C}" = lport=55568 | protocol=6 | dir=in | name=rosettastoneltdserver port 55568 |

"{EE8C9053-A812-4492-B172-D3BEEEFC206D}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{F712A96A-4E52-47BB-AFC1-AD397FB45E85}" = lport=55566 | protocol=6 | dir=in | name=rosettastoneltdservices port 55566 |

"{FB89B564-6614-42A0-9D3F-8638B800900E}" = lport=55570 | protocol=6 | dir=in | name=rosettastoneltdservices port 55570 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{02409618-3ABD-468B-97C9-762B2C55FE44}" = protocol=6 | dir=out | app=system |

"{07DC014F-7BF4-47E3-A78C-6F55F97819C5}" = dir=in | app=c:\program files\rosettastoneltdservices\rosettastoneltdserver.exe |

"{0ABC62F1-B29E-4564-AC59-EFD3649C1865}" = dir=out | app=c:\program files\rosettastoneltdservices\rosettastoneltdservices.exe |

"{0F45AE59-9004-45D8-BE9C-158480CD42CA}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{24834E4C-3087-4CB8-9737-1861FA19C972}" = dir=in | app=c:\program files\rosettastoneltdservices\rosettastoneltdcontroller.exe |

"{300FC74B-2318-4D14-AC53-306200A8835E}" = protocol=6 | dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\mce deluxe suite.exe |

"{3386C163-E6F4-438A-9882-E9A8FCF60B6D}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |

"{40295A2A-3A92-4C66-ADB9-BA76F74DC7B5}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{47C39F74-3446-4FB4-B64D-B39E7559E330}" = protocol=17 | dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\mce deluxe suite.exe |

"{4F8E4EAB-25F5-4C75-95FC-31EE6B7C5A64}" = dir=in | app=c:\program files\motorola mobility\motocast\bin\motocast-thumbnailer.exe |

"{51590D0B-8961-443C-8915-44929F3ACA39}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{51FD9217-0408-4F1D-A7B1-A65B22EB27F5}" = protocol=6 | dir=in | app=c:\users\joe\appdata\roaming\dropbox\bin\dropbox.exe |

"{593C912D-576F-4E21-9543-B9250C0A28D2}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{6A594B6A-1F8E-443D-901A-E7CAEE929B65}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{6D00E858-E1DA-49AC-B921-43501069DE1A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{7248EE68-76C1-45C7-9C47-044DD681AC90}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |

"{7800F2C0-61EC-46EF-9BD3-FE42189A9553}" = dir=out | app=c:\program files\motorola mobility\motocast\bin\motocast-thumbnailer.exe |

"{78402537-7529-404A-A2E9-A8D68697B596}" = dir=out | app=c:\program files\rosettastoneltdservices\rosettastoneltdcontroller.exe |

"{7967405D-3F42-4CB4-B8B4-717F407013A2}" = dir=in | app=c:\program files\motorola mobility\motocast\motocast.exe |

"{8B06D77D-2F86-43A3-8B5B-39C2DF393B13}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{8C4DD988-5704-493D-8616-DEEFE1C614B6}" = protocol=17 | dir=in | app=c:\users\joe\appdata\roaming\dropbox\bin\dropbox.exe |

"{9CE01A5F-513C-439F-BFE0-079DCF3FF552}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{9F893350-2C76-43AA-8588-ADD332EA2997}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{A928FCD1-4276-4B12-AB94-4E638A5BE2A8}" = dir=out | app=c:\program files\motorola mobility\motocast\motocast.exe |

"{B580988E-2F00-444E-BFE5-A9F39CC5966C}" = dir=in | app=c:\program files\rosettastoneltdservices\rosettastoneltdservices.exe |

"{C5FFB29A-8D5D-4F9E-BF6C-5121C513CAD6}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{CCA16330-532E-471C-915C-9085BC35F2EC}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{E101189B-4644-4E5F-952B-8AB20BBCB70A}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{E6F32A35-4EC1-4998-8D7C-B64A5B6B4133}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

"{F3DCEC0F-2610-496D-AA55-0C1019D3EA55}" = dir=out | app=c:\program files\rosettastoneltdservices\rosettastoneltdserver.exe |

"TCP Query User{3C00E1D7-9488-4F0C-B997-96697B48DD5E}C:\program files\java\jre6\launch4j-tmp\strange-eons.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\launch4j-tmp\strange-eons.exe |

"TCP Query User{3F602C5D-0321-49B8-86D7-BBD05CC30B4E}C:\program files\ihmc cmaptools\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\ihmc cmaptools\jre\bin\javaw.exe |

"TCP Query User{408BF19B-BAEA-4348-8D3E-7637A4E9E0EF}C:\program files\yahoo! games\inspector parker\parker.exe" = protocol=6 | dir=in | app=c:\program files\yahoo! games\inspector parker\parker.exe |

"TCP Query User{6B44D16D-3815-4904-9F50-D5DC011FF14C}C:\users\joe\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\joe\appdata\roaming\dropbox\bin\dropbox.exe |

"TCP Query User{8DC87BD9-9973-4197-B828-F4E96C536C3A}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

"TCP Query User{9A200B56-DC7C-49F9-AF88-A982BCF87724}C:\program files\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |

"TCP Query User{AA69FA27-C0D2-4568-8B25-0116AA4F2F3F}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |

"TCP Query User{ACBF0BBB-FA4E-4300-81DD-5AC39E4471B9}C:\program files\yahoo! games\inspector parker\parker.exe" = protocol=6 | dir=in | app=c:\program files\yahoo! games\inspector parker\parker.exe |

"UDP Query User{24A8F7B3-9F00-4388-9A27-5210981D33CE}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

"UDP Query User{607F7202-8CCA-4FF7-8019-3EA6FBD2BB92}C:\program files\java\jre6\launch4j-tmp\strange-eons.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\launch4j-tmp\strange-eons.exe |

"UDP Query User{6E81629D-83BE-4EC7-9B82-D147F917E6D4}C:\program files\yahoo! games\inspector parker\parker.exe" = protocol=17 | dir=in | app=c:\program files\yahoo! games\inspector parker\parker.exe |

"UDP Query User{7FE35512-8F91-4EAC-8465-FC9E1E2CC58A}C:\users\joe\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\joe\appdata\roaming\dropbox\bin\dropbox.exe |

"UDP Query User{90041FF3-0B93-4E7F-94C1-0B6348C61344}C:\program files\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |

"UDP Query User{911C4B21-4A86-4BF8-A998-663AA5D06763}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |

"UDP Query User{D3FB173B-531C-4C27-AED3-CFF3A5E4E5FE}C:\program files\ihmc cmaptools\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\ihmc cmaptools\jre\bin\javaw.exe |

"UDP Query User{D6667EE9-6CCF-41C4-9941-BEB978347864}C:\program files\yahoo! games\inspector parker\parker.exe" = protocol=17 | dir=in | app=c:\program files\yahoo! games\inspector parker\parker.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer

"{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}" = Acer eLock Management

"{1AEC7728-1640-4E98-AABC-5EBE3FB57FE4}" = SMSC Fast Infrared Driver

"{1BE8806A-84F8-4655-A381-0D5524430944}" = ActivClient CAC x86

"{1D8BBD52-90D4-4B20-8C4C-2160C21A07DE}" = AVIC FEEDS

"{20F8DC31-F965-4DD6-BC8A-2820C25A3ED0}" = ApproveIt Desktop 5.8.2

"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java 6 Update 24

"{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer

"{2F6CF9E4-91EC-45BB-B5C5-9B31DACC429C}" = Motorola Mobile Drivers Installation 5.3.0

"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper

"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11

"{378397D6-FD32-4092-A854-6A75CB7EDA46}" = MOTOROLA MEDIA LINK

"{3960C3B3-4F51-47EA-815E-EC73AA525ADE}" = Sun Java System Connector for Microsoft Outlook 7

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{44D21B77-D4FC-49E8-A726-CD00D5016703}" = DBsign Web Signer

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{5401CEE8-3C2D-4835-A802-213306537FF4}" = MotoCast

"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management

"{5C1DA723-24FC-48AD-93BA-925695C3EF26}" = Logitech Gaming Software

"{67ADE9AF-5CD9-4089-8825-55DE4B366799}" = NTI Backup NOW! 4.7

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro AntiVirus

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver

"{7A8FF745-BBC5-482B-88E4-18D3178249A9}" = ScanSoft PaperPort 11

"{7D1CE80E-3EAE-441E-BE97-625F9ABD07D9}" = Myst Masterpiece Edition

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0016-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0018-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001A-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001B-0409-0000-0000000FF1CE}_STANDARDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-0409-0000-0000000FF1CE}_STANDARDR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-040C-0000-0000000FF1CE}_STANDARDR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARDR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-006E-0409-0000-0000000FF1CE}_STANDARDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007

"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007

"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0115-0409-0000-0000000FF1CE}_STANDARDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In

"{91120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007

"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007

"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{94CAC2F1-C856-47F4-AF24-65A1E75AEDB9}" = MotoHelper MergeModules

"{9D2B0322-44AE-460E-9283-4D2D7A9205AE}" = Trend Micro AntiVirus

"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT

"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology

"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)

"{AEEAE013-92F1-4515-B278-139F1A692A35}" = Acer eDataSecurity Management

"{C06554A1-2C1E-4D20-B613-EE62C79927CC}" = Acer eNet Management

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CE65A9A0-9686-45C6-9098-3C9543A412F0}" = Acer eSettings Management

"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime

"{E0000650-0650-0650-0650-000000000650}" = PureEdge Viewer 6.5

"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1

"{EB1AE258-8DDD-4F54-B2EB-AC02EC4C6FAB}" = Rosetta Stone Ltd Services

"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint

"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner

"Acer Registration" = Acer Registration

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player

"Agatha Christie - Death on the Nile" = Agatha Christie - Death on the Nile (remove only)

"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10

"CCleaner" = CCleaner

"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2007-07-22

"Defraggler" = Defraggler

"ENTERPRISER" = Microsoft Office Enterprise 2007

"HDMI" = Intel® Graphics Media Accelerator Driver

"IHMC CmapTools v5.04.02" = IHMC CmapTools v5.04.02

"Inspector Parker" = Inspector Parker

"LManager" = Launch Manager

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"MotoHelper" = MotoHelper 2.1.9 Driver 5.3.0

"Mozilla Firefox 16.0 (x86 en-US)" = Mozilla Firefox 16.0 (x86 en-US)

"MozillaMaintenanceService" = Mozilla Maintenance Service

"Recuva" = Recuva

"Speccy" = Speccy

"STANDARDR" = Microsoft Office Standard 2007 Trial

"StrangeEons" = Strange Eons

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"VASSAL (3.1.15)" = VASSAL (3.1.15)

"VUE" = VUE 3.1.2

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-452256800-3484198201-3087025338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Dropbox" = Dropbox

"EA SPORTS Game Face Browser Plugin" = EA SPORTS Game Face Browser Plugin 1.5.2.0

"UnityWebPlayer" = Unity Web Player

========== Last 20 Event Log Errors ==========

[ ActivIdentity Events ]

Error - 2/24/2010 12:32:13 AM | Computer Name = Joe-PC | Source = ActivClient | ID = 769

Description = No exchange account

Error - 2/24/2010 12:38:21 AM | Computer Name = Joe-PC | Source = ActivClient | ID = 769

Description = No exchange account

Error - 2/24/2010 1:19:23 AM | Computer Name = Joe-PC | Source = ActivClient | ID = 769

Description = No exchange account

[ Application Events ]

Error - 7/12/2012 5:43:07 PM | Computer Name = Joe-PC | Source = Application Error | ID = 1000

Description = Faulting application EXCEL.EXE, version 12.0.6661.5000, time stamp

0x4f7cda6d, faulting module kernel32.dll, version 6.0.6002.18449, time stamp 0x4da47967,

exception code 0xe06d7363, fault offset 0x0003fc56, process id 0xaa4, application

start time 0x01cd607751d62d90.

Error - 7/13/2012 1:20:44 PM | Computer Name = Joe-PC | Source = Application Error | ID = 1000

Description = Faulting application EXCEL.EXE, version 12.0.6661.5000, time stamp

0x4f7cda6d, faulting module kernel32.dll, version 6.0.6002.18449, time stamp 0x4da47967,

exception code 0xe06d7363, fault offset 0x0003fc56, process id 0xbf8, application

start time 0x01cd611bd47c3509.

Error - 7/13/2012 1:26:53 PM | Computer Name = Joe-PC | Source = MsiInstaller | ID = 11719

Description =

Error - 7/13/2012 1:30:24 PM | Computer Name = Joe-PC | Source = Application Error | ID = 1000

Description = Faulting application EXCEL.EXE, version 12.0.6661.5000, time stamp

0x4f7cda6d, faulting module kernel32.dll, version 6.0.6002.18449, time stamp 0x4da47967,

exception code 0xe06d7363, fault offset 0x0003fc56, process id 0xebc, application

start time 0x01cd611d2c5ee223.

Error - 7/13/2012 4:57:02 PM | Computer Name = Joe-PC | Source = Application Error | ID = 1000

Description = Faulting application POWERPNT.EXE, version 12.0.6600.1000, time stamp

0x4de50c7e, faulting module ppcore.dll, version 12.0.6654.5000, time stamp 0x4e8d280f,

exception code 0xc0000005, fault offset 0x0000b2c3, process id 0x900, application

start time 0x01cd611d0a141323.

Error - 8/1/2012 10:35:49 PM | Computer Name = Joe-PC | Source = Perflib | ID = 1010

Description =

Error - 8/10/2012 8:15:02 PM | Computer Name = Joe-PC | Source = Windows Search Service | ID = 3013

Description =

Error - 8/10/2012 8:15:02 PM | Computer Name = Joe-PC | Source = Windows Search Service | ID = 3013

Description =

Error - 8/10/2012 8:15:02 PM | Computer Name = Joe-PC | Source = Windows Search Service | ID = 3013

Description =

Error - 8/10/2012 8:15:02 PM | Computer Name = Joe-PC | Source = Windows Search Service | ID = 3013

Description =

[ Media Center Events ]

Error - 9/17/2009 11:54:45 PM | Computer Name = Joe-PC | Source = MCUpdate | ID = 0

Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ OSession Events ]

Error - 2/23/2011 4:26:33 PM | Computer Name = Joe-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 232

seconds with 120 seconds of active time. This session ended with a crash.

Error - 2/23/2011 4:28:49 PM | Computer Name = Joe-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 115

seconds with 60 seconds of active time. This session ended with a crash.

Error - 2/23/2011 4:31:05 PM | Computer Name = Joe-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 124

seconds with 60 seconds of active time. This session ended with a crash.

Error - 2/23/2011 4:32:21 PM | Computer Name = Joe-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 47

seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/2/2011 12:40:27 PM | Computer Name = Joe-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 34

seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/10/2011 8:22:21 PM | Computer Name = Joe-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 0, Application Name: Microsoft Office Word, Application Version:

12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 616

seconds with 600 seconds of active time. This session ended with a crash.

Error - 12/22/2011 5:44:08 PM | Computer Name = Joe-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 32

seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/12/2012 5:43:07 PM | Computer Name = Joe-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:

12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 2

seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/13/2012 1:20:43 PM | Computer Name = Joe-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:

12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 1

seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/13/2012 1:30:24 PM | Computer Name = Joe-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:

12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 5

seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]

Error - 10/10/2012 10:07:21 AM | Computer Name = Joe-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 10/10/2012 10:19:29 AM | Computer Name = Joe-PC | Source = EventLog | ID = 6008

Description = The previous system shutdown at 7:13:45 AM on 10/10/2012 was unexpected.

Error - 10/10/2012 10:19:51 AM | Computer Name = Joe-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 10/10/2012 10:19:51 AM | Computer Name = Joe-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 10/10/2012 10:27:46 AM | Computer Name = Joe-PC | Source = EventLog | ID = 6008

Description = The previous system shutdown at 7:24:29 AM on 10/10/2012 was unexpected.

Error - 10/10/2012 10:28:02 AM | Computer Name = Joe-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 10/10/2012 10:28:02 AM | Computer Name = Joe-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 10/10/2012 11:10:05 AM | Computer Name = Joe-PC | Source = EventLog | ID = 6008

Description = The previous system shutdown at 8:01:46 AM on 10/10/2012 was unexpected.

Error - 10/10/2012 11:10:19 AM | Computer Name = Joe-PC | Source = Service Control Manager | ID = 7000

Description =

Error - 10/10/2012 11:10:19 AM | Computer Name = Joe-PC | Source = Service Control Manager | ID = 7000

Description =

< End of report >

-----------------------------------------------------------------------------------

Thanks again for your help.


Note: Please do not run this tool without special supervision and instruction of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Hi Maniac,

I carefully read all the instructions before downloading and running ComboFix. A few minutes into the scan, a window popped up that said something like "Rootkit found, this may take a long time". I clicked ok. ComboFix has been running for over an hour now, and it is still on the scan page, but it doesn't look like it's making any progress. Is this normal?

Thanks.


Sorry, tried to paste screen captures of the error messages into the post but it didn't work for some reason. Anyway, here's the text from the "Windows has recovered from an unexpected shutdown" message:

Problem signature:

Problem Event Name: BlueScreen

OS Version: 6.0.6002.2.2.0.768.3

Locale ID: 1033

Additional information about the problem:

BCCode: 9f

BCP1: 00000003

BCP2: 8A849C70

BCP3: 8A849C70

BCP4: 8659E100

OS Version: 6_0_6002

Service Pack: 2_0

Product: 768_1

Files that help describe the problem:

C:\Windows\Minidump\Mini101212-01.dmp

C:\Users\Joe\AppData\Local\Temp\WER-160805-0.sysdata.xml

C:\Users\Joe\AppData\Local\Temp\WERC476.tmp.version.txt

Read our privacy statement:

http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409


After several hours of ComboFix being stuck on the scan screen, I was forced to do a hard restart on my computer. Just out of curiosity, I downloaded McAfee's rootkitremover software (since it's supposed to eliminate rootkit.zeroaccess) and ran it. When it did the initial scan, it said that it did not find any trojans. Is it possible that ComboFix ended up working, even though it looked like it was stuck? I just launched Google in Firefox and clicked several links, with no redirects.


BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.


For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

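Once FRST.txt comes back, the Run-key section is the first thing a reviewer reads. The following Python script is an added example, not part of this thread and not FRST's own code: it parses Run lines in the format FRST prints (the sample lines are copied from the FRST log posted later in this thread) and flags entries where a DLL loader such as rundll32 or regsvr32 points into a user-writable path, or where the file carries no publisher name, which is the pattern of the suspicious "Dropbox" entry RogueKiller flagged.

```python
import re
from typing import Optional

# FRST "Run:" line layout as it appears in the log:
#   <hive>\...\Run: [<value name>] <command> [<size> <date>] (<publisher>)
# When FRST records no file details it prints "[x]" instead of size and date.
RUN_LINE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\]\s*"
    r"(?P<cmd>.*?)\s*\[(?P<meta>x|\d+ \d{4}-\d{2}-\d{2})\]"
    r"(?: \((?P<publisher>[^)]*)\))?$"
)

# Launchers that execute code from a DLL named on their command line.
DLL_LOADERS = ("rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32")
# Path fragments that point into a per-user, user-writable location.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "%appdata%", "%localappdata%",
                 "%temp%", "\\temp\\")

# Sample lines copied from the FRST log in this thread (plus one non-Run line).
SAMPLE_LINES = [
    r"HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [x]",
    r"HKLM\...\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart [90191 2006-11-21] (NVIDIA Corporation)",
    r"HKLM\...\Run: [] [x]",
    r'HKLM\...\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [1020248 2010-01-25] (Trend Micro Inc.)',
    r"HKU\Joe\...\Run: [Dropbox] rundll32.exe C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll,GetImporterInterface [354304 2012-09-09] ()",
    r'HKU\Joe\...\Run: [MotoCast] "C:\Program Files\Motorola Mobility\MotoCast\MotoLauncher.lnk" [x]',
    r"Tcpip\Parameters: [DhcpNameServer] 192.168.1.254",
]


def parse_run_line(line: str) -> Optional[dict]:
    """Split one FRST Run line into its fields; None if the line is not a Run entry."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta")
    size, date = (None, None) if meta == "x" else meta.split(" ", 1)
    return {
        "hive": m.group("hive"),
        "name": m.group("name"),
        "cmd": m.group("cmd"),
        "size": int(size) if size else None,
        "date": date,
        # None when FRST printed no "(...)" block at all,
        # "" when it printed "()" (no company name in the file's version info).
        "publisher": m.group("publisher"),
    }


def _tokens(cmd: str) -> list:
    """Split a command line on whitespace while keeping double-quoted paths intact."""
    return re.findall(r'"[^"]*"|\S+', cmd)


def loaded_dll(cmd: str) -> Optional[str]:
    """If the command runs a DLL loader, return the DLL path it loads, else None."""
    toks = _tokens(cmd)
    if len(toks) < 2:
        return None
    exe = toks[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in DLL_LOADERS:
        return None
    # rundll32 takes "<dll>,<export>"; regsvr32 takes switches and then "<dll>".
    arg = next((t for t in toks[1:] if not t.startswith("/")), None)
    return None if arg is None else arg.strip('"').split(",", 1)[0]


def triage(lines) -> list:
    """Return the Run entries worth a closer look, each with the reasons it was flagged."""
    findings = []
    for line in lines:
        entry = parse_run_line(line)
        if entry is None:
            continue
        reasons = []
        dll = loaded_dll(entry["cmd"])
        if dll is not None:
            entry["dll"] = dll
            if any(frag in dll.lower() for frag in USER_WRITABLE):
                reasons.append("DLL loader pointed at a user-writable path")
        if entry["publisher"] == "":
            reasons.append("file carries no publisher/company name")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['hive']} [{f['name']}] {f['cmd']}")
        for r in f["reasons"]:
            print("   -", r)
```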

Before I do any of the steps you described should I back-up files to an external drive? Will this delete any files from my computer?

It is always a good idea to have a backup, no matter whether your system is infected or not. This tool wouldn't delete any files without your instructions.

Also, if I transfer files to an external hard drive, is there a risk that I can spread the infection to another computer?

Yes, that could be a risk, so I suggest you immunize your removable drive before you do that.

www.pandasecurity.com/homeusers/downloads/usbvaccine/


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-10-2012

Ran by SYSTEM at 14-10-2012 20:21:46

Running from F:\

Windows Vista Home Premium (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [x]

HKLM\...\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart [90191 2006-11-21] (NVIDIA Corporation)

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [7757824 2006-11-21] (NVIDIA Corporation)

HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [81920 2006-11-21] (NVIDIA Corporation)

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]

HKLM\...\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [815104 2006-10-22] (Synaptics, Inc.)

HKLM\...\Run: [] [x]

HKLM\...\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [1020248 2010-01-25] (Trend Micro Inc.)

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)

HKU\Joe\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)

HKU\Joe\...\Run: [Dropbox] rundll32.exe C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll,GetImporterInterface [354304 2012-09-09] ()

HKU\Joe\...\Run: [MotoCast] "C:\Program Files\Motorola Mobility\MotoCast\MotoLauncher.lnk" [x]

Winlogon\Notify\ScCertProp: wlnotify.dll [X]

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

Startup: C:\Users\Joe\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ===================

2 ac.sharedstore; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [207400 2009-06-03] (ActivIdentity)

2 DeviceMonitorService; "C:\Program Files\Motorola Media Link\Lite\NServiceEntry.exe" [87368 2011-09-19] (Nero AG)

3 eLockService; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [24576 2006-11-30] (Acer Inc.)

2 eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [118784 2006-11-20] (Acer Inc.)

2 eRecoveryService; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [45056 2006-11-16] (Acer Inc.)

2 eSettingsService; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [24576 2006-11-13] ()

2 MotoHelper; C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [218992 2011-09-14] ()

3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [115168 2012-10-05] (Mozilla Foundation)

3 RosettaStoneLtdController; "C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe" [354648 2007-10-31] (Rosetta Stone Ltd.)

2 SfCtlCom; "C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe" [715440 2010-11-08] (Trend Micro Inc.)

3 TMBMServer; "C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service [345352 2010-03-12] (Trend Micro Inc.)

3 TmProxy; "C:\Program Files\Trend Micro\Internet Security\TmProxy.exe" [689416 2010-03-12] (Trend Micro Inc.)

2 WMIService; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [131072 2006-12-01] (acer)

2 CLTNetCnService; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [x]

2 XAudioService; C:\Windows\System32\DRIVERS\xaudio.exe [x]

==================== Drivers (Whitelisted) ====================

1 DritekPortIO; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [20112 2006-11-02] (Dritek System Inc.)

3 EMSCR; C:\Windows\System32\DRIVERS\EMS7SK.sys [62208 2006-10-24] (ENE Technology Inc.)

3 ESDCR; C:\Windows\System32\DRIVERS\ESD7SK.sys [42240 2006-10-24] (ENE Technology Inc.)

3 ESMCR; C:\Windows\System32\DRIVERS\ESM7SK.sys [76928 2006-10-24] (ENE Technology Inc.)

2 int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [69632 2005-01-13] ()

3 LMouFilt; C:\Windows\System32\DRIVERS\LMouFilt.Sys [37392 2009-06-17] (Logitech, Inc.)

0 PSDFilter; C:\Windows\System32\DRIVERS\psdfilter.sys [10624 2006-11-10] (HiTRUST)

0 PSDNServ; C:\Windows\System32\drivers\PSDNServ.sys [7936 2006-11-10] (HiTRUST)

0 psdvdisk; C:\Windows\System32\drivers\psdvdisk.sys [53760 2006-11-08] (HiTRUST)

3 SCR3XX2K; C:\Windows\System32\DRIVERS\SCR3XX2K.sys [56448 2007-10-17] (SCM Microsystems Inc.)

3 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [59472 2010-07-19] (Trend Micro Inc.)

2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [163408 2010-07-19] (Trend Micro Inc.)

3 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [51792 2010-07-19] (Trend Micro Inc.)

2 tmpreflt; C:\Windows\System32\DRIVERS\tmpreflt.sys [36624 2011-07-12] (Trend Micro Inc.)

1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [89872 2010-03-12] (Trend Micro Inc.)

2 tmxpflt; C:\Windows\System32\DRIVERS\tmxpflt.sys [262416 2011-07-12] (Trend Micro Inc.)

3 TrueSight; \??\C:\Windows\system32\drivers\TrueSight.sys [14080 2012-10-09] ()

2 vsapint; C:\Windows\System32\DRIVERS\vsapint.sys [1405720 2011-07-12] (Trend Micro Inc.)

3 WmBEnum; C:\Windows\System32\drivers\WmBEnum.sys [10144 2005-04-12] (Logitech Inc.)

3 WmFilter; C:\Windows\System32\drivers\WmFilter.sys [22240 2005-04-12] (Logitech Inc.)

3 WmVirHid; C:\Windows\System32\drivers\WmVirHid.sys [5600 2005-04-12] (Logitech Inc.)

3 WmXlCore; C:\Windows\System32\drivers\WmXlCore.sys [45504 2005-04-12] (Logitech Inc.)

4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]

3 catchme; \??\C:\Users\Joe\AppData\Local\Temp\catchme.sys [x]

3 HSXHWAZL; C:\Windows\System32\DRIVERS\HSXHWAZL.sys [x]

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

2 mdmxsdk; C:\Windows\System32\DRIVERS\mdmxsdk.sys [x]

3 MFE_RR; \??\C:\Users\Joe\AppData\Local\Temp\mfe_rr.sys [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

3 UIUSys; C:\Windows\System32\DRIVERS\UIUSYS.SYS [x]

2 XAudio; C:\Windows\System32\DRIVERS\xaudio.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2012-10-14 20:21 - 2012-10-14 20:21 - 00000000 ____D C:\FRST

2012-10-12 20:51 - 2012-10-12 20:52 - 00000240 ____A C:\Users\Joe\Desktop\RootkitRemover20121012215140.txt

2012-10-12 20:50 - 2012-10-12 20:50 - 00475752 ____A (McAfee, Inc.) C:\Users\Joe\Desktop\rootkitremover.exe

2012-10-12 09:01 - 2012-10-12 09:02 - 00000000 ___SD C:\ComboFix

2012-10-12 07:43 - 2012-10-12 07:43 - 00138384 ____A C:\Windows\Minidump\Mini101212-01.dmp

2012-10-12 07:42 - 2012-10-12 07:42 - 340175182 ____A C:\Windows\MEMORY.DMP

2012-10-11 14:55 - 2012-10-11 14:55 - 00000000 ____D C:\Windows\erdnt

2012-10-11 14:55 - 2012-10-11 14:55 - 00000000 ____D C:\Qoobox

2012-10-11 14:55 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe

2012-10-11 14:55 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe

2012-10-11 14:55 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe

2012-10-11 14:55 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe

2012-10-11 14:55 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe

2012-10-11 14:55 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe

2012-10-11 14:55 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe

2012-10-11 14:55 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe

2012-10-11 14:52 - 2012-10-12 09:00 - 04771502 ____R (Swearware) C:\Users\Joe\Desktop\ComboFix.exe

2012-10-10 09:05 - 2012-09-13 05:28 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll

2012-10-10 09:05 - 2012-08-29 03:27 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2012-10-10 09:05 - 2012-08-29 03:27 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-10-10 09:05 - 2012-08-24 07:53 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll

2012-10-10 09:05 - 2012-06-01 16:02 - 00985088 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

2012-10-10 09:05 - 2012-06-01 16:02 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll

2012-10-10 09:05 - 2012-06-01 16:02 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

2012-10-10 07:52 - 2012-10-10 07:52 - 00070536 ____A C:\Users\Joe\Desktop\Extras.Txt

2012-10-10 07:51 - 2012-10-10 07:51 - 00091476 ____A C:\Users\Joe\Desktop\OTL.Txt

2012-10-10 07:38 - 2012-10-10 07:38 - 00602112 ____A (OldTimer Tools) C:\Users\Joe\Desktop\OTL.exe

2012-10-10 07:38 - 2012-10-10 07:38 - 00001728 ____A C:\Users\Joe\Desktop\aswMBR.txt

2012-10-10 07:38 - 2012-10-10 07:38 - 00000512 ____A C:\Users\Joe\Desktop\MBR.dat

2012-10-10 07:33 - 2012-10-10 07:33 - 04731392 ____A (AVAST Software) C:\Users\Joe\Desktop\aswMBR.exe

2012-10-10 07:00 - 2012-10-10 07:00 - 00002855 ____A C:\Users\Joe\Desktop\dds.PIF

2012-10-10 06:22 - 2012-10-10 06:22 - 00607260 ____R (Swearware) C:\Users\Joe\Desktop\dds.com

2012-10-09 21:00 - 2012-10-09 21:00 - 00607260 ____R (Swearware) C:\Users\Joe\Desktop\dds.scr

2012-10-09 21:00 - 2012-10-09 20:45 - 01422336 ____A C:\Users\Joe\Desktop\RogueKiller.exe

2012-10-09 20:48 - 2012-10-09 20:48 - 00003851 ____A C:\Users\Joe\Desktop\RKreport[1].txt

2012-10-09 20:47 - 2012-10-09 20:48 - 00000000 ____D C:\Users\Joe\Desktop\RK_Quarantine

2012-10-09 20:47 - 2012-10-09 20:47 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys

2012-10-09 20:04 - 2012-10-09 20:04 - 00000910 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-10-09 19:40 - 2012-10-09 19:40 - 00000000 ____D C:\Users\All Users\Mozilla

2012-10-09 19:40 - 2012-10-09 19:40 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2012-09-21 15:01 - 2012-08-25 03:50 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-09-21 15:01 - 2012-08-25 03:50 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-09-21 15:01 - 2012-08-25 03:50 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-09-21 15:01 - 2012-08-25 03:48 - 00206848 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll

2012-09-21 15:01 - 2012-08-25 03:46 - 00611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll

2012-09-21 15:01 - 2012-08-25 03:45 - 06008832 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-09-21 15:01 - 2012-08-25 03:45 - 00630272 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-09-21 15:01 - 2012-08-25 03:45 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-09-21 15:01 - 2012-08-25 03:45 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll

2012-09-21 15:01 - 2012-08-25 03:44 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-09-21 15:01 - 2012-08-25 03:44 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-09-21 15:01 - 2012-08-25 03:44 - 01469440 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-09-21 15:01 - 2012-08-25 03:44 - 00387584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll

2012-09-21 15:01 - 2012-08-25 03:44 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll

2012-09-21 15:01 - 2012-08-25 03:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-09-21 15:01 - 2012-08-25 03:44 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2012-09-21 15:01 - 2012-08-25 03:44 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2012-09-21 15:01 - 2012-08-25 03:44 - 00055808 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2012-09-21 15:01 - 2012-08-25 03:44 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll

2012-09-21 15:01 - 2012-08-25 03:44 - 00025600 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-09-21 15:01 - 2012-08-25 02:11 - 00385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec

2012-09-21 15:01 - 2012-08-25 00:31 - 00174080 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2012-09-21 15:01 - 2012-08-25 00:31 - 00133632 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-09-21 15:01 - 2012-08-25 00:30 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe

2012-09-21 15:01 - 2012-08-25 00:29 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

==================== 3 Months Modified Files ==================

2012-10-14 19:17 - 2011-08-19 10:26 - 01878624 ____A C:\Windows\WindowsUpdate.log

2012-10-14 19:17 - 2006-11-02 05:01 - 00032646 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-10-14 19:17 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-10-14 19:17 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-10-14 19:17 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-10-14 19:16 - 2006-11-02 02:33 - 00703404 ____A C:\Windows\System32\PerfStringBackup.INI

2012-10-14 18:46 - 2012-04-02 20:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-10-12 20:52 - 2012-10-12 20:51 - 00000240 ____A C:\Users\Joe\Desktop\RootkitRemover20121012215140.txt

2012-10-12 20:50 - 2012-10-12 20:50 - 00475752 ____A (McAfee, Inc.) C:\Users\Joe\Desktop\rootkitremover.exe

2012-10-12 20:33 - 2012-08-16 02:30 - 00002110 ____A C:\Windows\PFRO.log

2012-10-12 09:00 - 2012-10-11 14:52 - 04771502 ____R (Swearware) C:\Users\Joe\Desktop\ComboFix.exe

2012-10-12 07:43 - 2012-10-12 07:43 - 00138384 ____A C:\Windows\Minidump\Mini101212-01.dmp

2012-10-12 07:42 - 2012-10-12 07:42 - 340175182 ____A C:\Windows\MEMORY.DMP

2012-10-11 14:54 - 2012-08-20 06:01 - 00000540 ____A C:\Windows\TMFilter.log

2012-10-11 02:05 - 2006-11-02 02:24 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2012-10-10 07:52 - 2012-10-10 07:52 - 00070536 ____A C:\Users\Joe\Desktop\Extras.Txt

2012-10-10 07:51 - 2012-10-10 07:51 - 00091476 ____A C:\Users\Joe\Desktop\OTL.Txt

2012-10-10 07:38 - 2012-10-10 07:38 - 00602112 ____A (OldTimer Tools) C:\Users\Joe\Desktop\OTL.exe

2012-10-10 07:38 - 2012-10-10 07:38 - 00001728 ____A C:\Users\Joe\Desktop\aswMBR.txt

2012-10-10 07:38 - 2012-10-10 07:38 - 00000512 ____A C:\Users\Joe\Desktop\MBR.dat

2012-10-10 07:33 - 2012-10-10 07:33 - 04731392 ____A (AVAST Software) C:\Users\Joe\Desktop\aswMBR.exe

2012-10-10 07:00 - 2012-10-10 07:00 - 00002855 ____A C:\Users\Joe\Desktop\dds.PIF

2012-10-10 06:22 - 2012-10-10 06:22 - 00607260 ____R (Swearware) C:\Users\Joe\Desktop\dds.com

2012-10-09 21:00 - 2012-10-09 21:00 - 00607260 ____R (Swearware) C:\Users\Joe\Desktop\dds.scr

2012-10-09 20:48 - 2012-10-09 20:48 - 00003851 ____A C:\Users\Joe\Desktop\RKreport[1].txt

2012-10-09 20:47 - 2012-10-09 20:47 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys

2012-10-09 20:45 - 2012-10-09 21:00 - 01422336 ____A C:\Users\Joe\Desktop\RogueKiller.exe

2012-10-09 20:04 - 2012-10-09 20:04 - 00000910 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-10-09 19:40 - 2008-12-21 16:46 - 00000850 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk

2012-10-08 14:47 - 2012-04-02 20:15 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-10-08 14:47 - 2011-07-16 17:02 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-09-13 20:22 - 2012-07-13 14:30 - 00003570 ____A C:\Windows\setupact.log

2012-09-13 05:28 - 2012-10-10 09:05 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll

2012-09-11 20:32 - 2012-09-11 20:32 - 00001867 ____A C:\Users\Joe\.powerupdate.user.properties

2012-09-09 07:01 - 2012-09-09 07:01 - 00001739 ____A C:\Users\Public\Desktop\MotoCast.lnk

2012-09-07 16:04 - 2011-07-16 13:36 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-29 03:27 - 2012-10-10 09:05 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2012-08-29 03:27 - 2012-10-10 09:05 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-08-25 03:50 - 2012-09-21 15:01 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-08-25 03:50 - 2012-09-21 15:01 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-08-25 03:50 - 2012-09-21 15:01 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-08-25 03:48 - 2012-09-21 15:01 - 00206848 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll

2012-08-25 03:46 - 2012-09-21 15:01 - 00611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll

2012-08-25 03:45 - 2012-09-21 15:01 - 06008832 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-08-25 03:45 - 2012-09-21 15:01 - 00630272 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-08-25 03:45 - 2012-09-21 15:01 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-08-25 03:45 - 2012-09-21 15:01 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll

2012-08-25 03:44 - 2012-09-21 15:01 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-08-25 03:44 - 2012-09-21 15:01 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-08-25 03:44 - 2012-09-21 15:01 - 01469440 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-08-25 03:44 - 2012-09-21 15:01 - 00387584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll

2012-08-25 03:44 - 2012-09-21 15:01 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll

2012-08-25 03:44 - 2012-09-21 15:01 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-08-25 03:44 - 2012-09-21 15:01 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2012-08-25 03:44 - 2012-09-21 15:01 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2012-08-25 03:44 - 2012-09-21 15:01 - 00055808 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2012-08-25 03:44 - 2012-09-21 15:01 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll

2012-08-25 03:44 - 2012-09-21 15:01 - 00025600 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-08-25 02:11 - 2012-09-21 15:01 - 00385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec

2012-08-25 00:31 - 2012-09-21 15:01 - 00174080 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2012-08-25 00:31 - 2012-09-21 15:01 - 00133632 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-08-25 00:30 - 2012-09-21 15:01 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe

2012-08-25 00:29 - 2012-09-21 15:01 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-08-24 07:53 - 2012-10-10 09:05 - 00172544 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll

2012-08-20 05:58 - 2012-08-20 05:58 - 00062399 ____A C:\Users\Joe\Desktop\Copy of Issues with August 2012 Update List-internal and external.xlsx

2012-08-16 02:32 - 2006-11-02 04:47 - 00372920 ____A C:\Windows\System32\FNTCACHE.DAT

2012-08-14 19:54 - 2012-08-14 19:54 - 00134144 ____A C:\Users\Joe\Desktop\Body_Fat_Worksheet_v6.0.xls

2012-08-10 12:29 - 2012-08-10 12:29 - 00001896 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-12 08:19:45

Restore point made on: 2012-10-14 19:00:31

==================== Memory info ===========================

Percentage of memory in use: 9%

Total physical RAM: 3061.5 MB

Available physical RAM: 2765.15 MB

Total Pagefile: 2960.31 MB

Available Pagefile: 2833.23 MB

Total Virtual: 2047.88 MB

Available Virtual: 1983.72 MB

==================== Partitions =============================

1 Drive c: (ACER) (Fixed) (Total:138.61 GB) (Free:82.7 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (DATA) (Fixed) (Total:137.71 GB) (Free:96.44 GB) NTFS

4 Drive f: (LEXAR) (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT

5 Drive x: (PQSERVICE) (Fixed) (Total:21.76 GB) (Free:15.72 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 298 GB 0 B

Disk 1 Online 968 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 22 GB 32 KB

Partition 2 Primary 139 GB 22 GB

Partition 3 Primary 138 GB 160 GB

=========================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 X PQSERVICE NTFS Partition 22 GB Healthy Hidden

=========================================================

Disk: 0

Partition 2

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 C ACER NTFS Partition 139 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D DATA NTFS Partition 138 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 967 MB 16 KB

=========================================================

Disk: 1

Partition 1

Type : 04

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 F LEXAR FAT Removable 967 MB Healthy

=========================================================

Last Boot: 2012-10-14 18:30

==================== End Of Log ============================

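The entry the helper acts on in the next post is visible in the log above: a value under HKU\Joe\...\Run named "Dropbox" that launches rundll32.exe with a DLL from C:\Users\Joe\AppData\Local\, and FRST shows an empty publisher "()" for that file. As an added example (not part of this thread and not FRST's own code), here is a small Python triage script that parses Run lines in the shape FRST prints and flags exactly that combination: an autostart whose real payload sits in a user-writable profile path, is loaded indirectly through rundll32, and carries no publisher information. The sample lines are copied from the log above; the finding tags, the "outside the Windows directory" check and the high/medium/low levels are my own assumptions, not anything FRST reports.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: copied from the "Registry (Whitelisted)" section of the
# FRST log above (one benign entry per line shape, plus the entry the fixlist removes).
SAMPLE_LOG = r"""
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [x]
HKLM\...\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart [90191 2006-11-21] (NVIDIA Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)
HKU\Joe\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Joe\...\Run: [Dropbox] rundll32.exe C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll,GetImporterInterface [354304 2012-09-09] ()
HKU\Joe\...\Run: [MotoCast] "C:\Program Files\Motorola Mobility\MotoCast\MotoLauncher.lnk" [x]
"""

# FRST Run line shapes: <hive>\...\Run: [<name>] <command> [<size> <date>] (<publisher>)
# or, when FRST could not find the file, <command> [x]
RUN_LINE = re.compile(r"^(?P<key>HK[^:]*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
FILE_INFO = re.compile(r"^(?P<cmd>.*) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$")
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)    # user-writable location (assumption)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    publisher: Optional[str]            # None when FRST printed [x]
    missing_file: bool
    findings: Dict[str, str] = field(default_factory=dict)   # tag -> explanation


def loaded_module(command: str) -> str:
    """File that actually executes: the DLL argument of a rundll32 entry
    (text before ',EntryPoint'), otherwise the first, possibly quoted, token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        close = cmd.index('"', 1)
        exe, args = cmd[1:close], cmd[close + 1:].strip()
    else:
        exe, _, args = cmd.partition(" ")
    if exe.lower().endswith("rundll32.exe"):
        return args.split(",", 1)[0].strip().strip('"')
    return exe


def analyze(entry: RunEntry) -> RunEntry:
    """Attach findings; each one is a hint for a human reviewer, not proof of malware."""
    if entry.missing_file:
        entry.findings["missing"] = "target file not found by FRST ([x]); orphaned autostart"
        return entry
    module = loaded_module(entry.command)
    if USER_PROFILE.match(module):
        entry.findings["user_writable"] = "target lives inside a user profile (user-writable)"
    if "rundll32" in entry.command.lower() and not WINDOWS_DIR.match(module):
        entry.findings["rundll32_outside_windows"] = "DLL loaded via rundll32 from outside the Windows directory"
    if entry.publisher == "":
        entry.findings["no_publisher"] = "file carries no publisher/version information"
    return entry


def parse_run_entries(text: str) -> List[RunEntry]:
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        key, name, rest = m.group("key"), m.group("name"), m.group("rest")
        if rest.endswith(" [x]"):
            entries.append(analyze(RunEntry(key, name, rest[:-4], None, True)))
            continue
        f = FILE_INFO.match(rest)
        if f:   # unknown line shapes are skipped rather than guessed at
            entries.append(analyze(RunEntry(key, name, f.group("cmd"), f.group("publisher"), False)))
    return entries


def risk(entry: RunEntry) -> str:
    """'high' = file without publisher info autostarting from a user-writable path
    (the khtbwxtb.dll pattern); 'low' = orphaned value; 'none' = nothing noted."""
    tags = entry.findings
    if "missing" in tags:
        return "low"
    if "user_writable" in tags and "no_publisher" in tags:
        return "high"
    return "medium" if tags else "none"


def report(text: str) -> List[Tuple[str, str, List[str]]]:
    """(value name, risk, findings) for every entry worth a second look, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    flagged = [e for e in parse_run_entries(text) if risk(e) != "none"]
    flagged.sort(key=lambda e: order[risk(e)])
    return [(e.name, risk(e), list(e.findings.values())) for e in flagged]


if __name__ == "__main__":
    for name, level, why in report(SAMPLE_LOG):
        print(f"[{level:6}] {name}: " + "; ".join(why))
```

Run it on a saved FRST.txt by passing the file contents to report(). The NVIDIA entry also goes through rundll32, but from System32 with a publisher, so it stays "none"; the two "[x]" entries come out "low" because an orphaned Run value is noise rather than an active threat, which mirrors how the helper left them alone and only removed the Dropbox value.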

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

HKU\Joe\...\Run: [Dropbox] rundll32.exe C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll,GetImporterInterface [354304 2012-09-09] ()

C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-10-2012

Ran by SYSTEM at 2012-10-15 20:50:55 Run:1

Running from F:\

==============================================

HKEY_USERS\Joe\Software\Microsoft\Windows\CurrentVersion\Run\\Dropbox Value deleted successfully.

C:\Users\Joe\AppData\Local\Dropbox\khtbwxtb.dll moved successfully.

==== End of Fixlog ====


Thanks! :)

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=96e016d9bc8a564786eb29eca5e3ad34

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-10-18 06:38:21

# local_time=2012-10-17 11:38:21 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 81157998 81157998 0 0

# compatibility_mode=5892 16776638 100 100 0 187141372 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=165455

# found=1

# cleaned=1

# scan_time=8460

C:\FRST\Quarantine\khtbwxtb.dll Win32/Kryptik.AMNR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


This topic is now closed to further replies.