Email Virus


dykesc


Experienced mass email distributions to people on my email contact list. Changed email program password but mass virus emails continued. Ran Malwarebytes and got one hit that identified a file which was something like "pup.offer.bundler...". File was removed by Malwarebytes. Unfortunately another mass email distribution occurred after removal of this file. To stop the virus I then deleted all of my email contacts. I need to figure out what is causing this problem. See attached dds and attach files.

dds.txt

attach.txt


I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Please post the contents of the logs, as malware writers would like nothing more than to infect the computers of helpers, such as myself. Thanks!

Please download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows, OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.


DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 1.6.0_30

Run by OWner at 9:32:08 on 2013-01-29

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2046.889 [GMT -6:00]

.

AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\crypserv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\nHancer\nHancerService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\Windows\System32\nvraidservice.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://att.my.yahoo.com

uProxyServer = hxxp=127.0.0.1:57910

uProxyOverride = <local>;*.local

BHO: vShare Plugin: {043C5167-00BB-4324-AF7E-62013FAEDACF} - c:\program files\vshare\vshare_toolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll

BHO: SBCONVERT Class: {A1056498-D09A-41E4-864B-505EDD640D9E} - c:\program files\speedbit video downloader\toolbar\SpeedBitVideoDownloader.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Arcadesafari BHO: {adff4c9a-4f49-4a1f-8885-360e107b7938} -

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: GrabberObj Class: {FF7C3CF0-4B15-11D1-ABED-709549C10000} - c:\program files\speedbit video downloader\toolbar\Grabber.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: SpeedBit Video Downloader: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - c:\program files\speedbit video downloader\toolbar\SpeedBitVideoDownloader.dll

TB: vShare Plugin: {043C5167-00BB-4324-AF7E-62013FAEDACF} - c:\program files\vshare\vshare_toolbar.dll

TB: SpeedBit Video Downloader: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - c:\program files\speedbit video downloader\toolbar\SpeedBitVideoDownloader.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe

uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Explorer: NoDrives = dword:0

uPolicies-Explorer: DisallowRun = dword:1

uPolicies-DisallowRun: 1 = avnotify.exe

uPolicies-DisallowRun: 2 = ipmgui.exe

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab3.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab

DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.readyforcrysis.com/sysreqlab2.cab

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://www.doylevisualmedia.com/activex/AMC.cab

DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

TCP: NameServer = 192.168.1.254 192.168.1.254

TCP: Interfaces\{C4006B26-9C86-4752-B5B0-7B114F73878D} : DHCPNameServer = 192.168.1.254 192.168.1.254

Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll

STS: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - c:\windows\system32\DreamScene.dll

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.56\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\2ympkwwi.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT168755&SearchSource=3&q=

FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/

FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll

FF - plugin: c:\program files\ubisoft\ubisoft game launcher\npuplaypc.dll

FF - plugin: c:\program files\ubisoft\ubisoft game launcher\npuplaypchub.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\users\owner\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071705000014.dll

FF - ExtSQL: !HIDDEN! 2009-08-14 01:55; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

============= SERVICES / DRIVERS ===============

.

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-8-31 36000]

R1 EterlogicVirtualSerialDriver;EterlogicVirtualSerialDriver;c:\windows\system32\drivers\VSPE.sys [2011-7-2 25984]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-8-31 86224]

R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-8-31 110032]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-11 83392]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-5 21504]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-1-28 398184]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-10-23 682344]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-10-2 382824]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-10-23 21104]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate1c9be0d3d443554;Google Update Service (gupdate1c9be0d3d443554);c:\program files\google\update\GoogleUpdate.exe [2009-4-15 133104]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-10-26 1153368]

S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-7-12 12672]

S3 PIXMCV;Victor Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2004-6-3 33792]

S3 PIXMCVA;Victor PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2004-3-20 38144]

S3 PIXMCVV;Victor PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2004-3-27 32768]

S3 Ser2rs;Radioshack USB to Serial Driver;c:\windows\system32\drivers\ser2rs.sys [2007-6-25 76288]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2013-01-20 05:54:56 -------- d-----w- c:\program files\Mozilla Firefox(18)

2013-01-09 08:50:22 2048000 ----a-w- c:\windows\system32\win32k.sys

2013-01-09 08:49:58 204288 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-09 08:49:57 1400832 ----a-w- c:\windows\system32\msxml6.dll

2013-01-03 06:15:12 -------- d-----w- c:\users\owner\appdata\local\Arcadesafari

.

==================== Find3M ====================

.

2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll

2012-12-14 22:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-13 01:29:51 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-02 10:18:17 376320 ----a-w- c:\windows\system32\dpnet.dll

2012-11-02 08:26:06 23040 ----a-w- c:\windows\system32\dpnsvr.exe

2007-07-06 23:29:39 694668 ----a-w- c:\program files\unins000.exe

2001-09-28 22:00:28 164864 ------w- c:\program files\UNWISE.EXE

.

============= FINISH: 9:33:19.30 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft® Windows Vista™ Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 3/24/2007 12:58:52 AM

System Uptime: 1/28/2013 9:45:30 PM (12 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | P5N-E SLI

Processor: Intel® Core2 CPU 6700 @ 2.66GHz | Socket 775 | 2666/266mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 373 GiB total, 150.095 GiB free.

D: is CDROM ()

F: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description:

Device ID: USB\VID_062A&PID_0201&MI_01\6&2BF301B4&0&0001

Manufacturer:

Name:

PNP Device ID: USB\VID_062A&PID_0201&MI_01\6&2BF301B4&0&0001

Service:

.

==== System Restore Points ===================

.

RP2553: 1/20/2013 1:23:00 AM - Scheduled Checkpoint

RP2554: 1/21/2013 2:11:22 AM - Scheduled Checkpoint

RP2555: 1/22/2013 12:07:50 AM - Scheduled Checkpoint

RP2556: 1/23/2013 4:03:13 AM - Scheduled Checkpoint

RP2557: 1/24/2013 1:00:01 AM - Scheduled Checkpoint

RP2558: 1/24/2013 2:33:24 PM - Scheduled Checkpoint

RP2559: 1/25/2013 4:03:29 AM - Scheduled Checkpoint

RP2560: 1/26/2013 3:24:00 AM - Scheduled Checkpoint

RP2561: 1/27/2013 12:00:03 AM - Scheduled Checkpoint

RP2562: 1/28/2013 12:00:04 AM - Scheduled Checkpoint

RP2563: 1/29/2013 12:13:57 AM - Scheduled Checkpoint

.

==== Installed Programs ======================

.

AAV ColorLab 32-bit 1.0.10.0

Active Sky Advanced Upgrade From ASX

Active Sky Evolution

Active Sky X

ADDS Flight Path Tool

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.2.0

Amateur Contact Log 3.0

Amateur Contact Log 3.0 (C:\Program Files\ACLog 3.0\)

AOPA's Real-Time Flight Planner 1.2.2

AOPA 177 Cardinal for FSX

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Arcadesafari

ARCS II Version 1.20

ArcSoft PhotoImpression 5

ASUSUpdate

AT&T Yahoo! Messenger

ATT eChat Support Tools

AutoUpdate

Avira Free Antivirus

AXIS Media Control Embedded

Bonjour

Carenado Mooney M20J FSX

Carenado Piper Cherokee 180F

CCleaner (remove only)

Citrix Presentation Server Client - Web Only

Citrix XenApp Web Plugin

Compatibility Pack for the 2007 Office system

CoreAVC Professional Edition (remove only)

CPUID CPU-Z 1.51

CrystalDiskMark 3.0.1c

De-Kooy-Texel-FA

DivX Codec

DJ_SF_03_D1500_Software_Min

DVD Architect Studio 5.0

DVDFab 8.1.8.5 (24/05/2012) Qt

DX Atlas 2.25

DXKeeper

DXLabLauncher

E-Trac Xchange

Eagle CUDA 240 S/GPS Demo

Eastern 206 - ATC Flight

EasyPal 26/MAY/09

EPSON TWAIN 5

ESET Online Scanner

ESET Online Scanner v3

EtracEm-V1-en

Exif Pilot 4.4

EZNEC Demo v. 5.0

EZNEC v. 5.0

Flight Simulator X

Flight Simulator X Service Pack 1

Flight1 Citation Mustang

FormatFactory 2.70

Fraps (remove only)

FS Water Configurator 3.15

FSX Bonus Multiplayer Racing Missions

GameShadow

Geek Squad 24 Hour Computer Support

GeoAlert-Extreme Wizard 4.1.44

GIMP 2.6.4

Google Chrome

Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

GSpot Codec Information Appliance

H&R Block Deluxe + Efile + State 2009

H&R Block Mississippi 2009

Haali Media Splitter

Ham CAP 1.61

Ham Radio Deluxe

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Deskjet D1500 Printer Driver 10.0 Rel .3

iCloud

ImgBurn

IonoProbe 1.36

ISO Recorder

ITS HF Propagation 2008.01.21

ITS HF Propagation 2009.03.26

iTunes

Java Auto Updater

Java 6 Update 30

Juniper Networks, Inc. Setup Client

Juniper Networks, Inc. Setup Client Activex Control

LightScribe 1.4.142.1

LightScribe Applications

LightScribe Diagnostic Utility

Lightscribe Extended Label Contrast Utility

link700

Malwarebytes Anti-Malware version 1.70.0.1100

Media Player Classic - Home Cinema v1.5.1.2903

MetaFrame Presentation Server Web Client for Win32

Metal Detectives University

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Flight Simulator X

Microsoft Flight Simulator X Service Pack 1

Microsoft Flight Simulator X: Acceleration

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Word Viewer 2003

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

mini Ring Core Calculator 1.2

MobileMe Control Panel

Mooney 20J High Definition Virtual Cockpit

Morse Machine

Move Media Player

Movie Studio Platinum 12.0

Mozilla Firefox 18.0 (x86 en-US)

Mozilla Maintenance Service

MSVCRT Redists

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

Net Logger

nHancer

NVIDIA Control Panel 306.97

NVIDIA Drivers

NVIDIA Graphics Driver 306.97

NVIDIA Install Application

NVIDIA nTune

NVIDIA PhysX

NVIDIA Stereoscopic 3D Driver

NVIDIA Update 1.3.5

NVIDIA Update Components

OGA Notifier 2.0.0048.0

OpenOffice.org Installer 1.0

PC Probe II

Pdf995 (installed by TaxCut)

PdfEdit995 (installed by TaxCut)

Ping Plotter Freeware

PMapServer7

QuickTime

Radar Contact Version 4.3

Real Environment Xtreme

Real Environment Xtreme 2.0

RealPlayer

Realtek High Definition Audio Driver

RealUpgrade 1.0

RefManager 1.0

RevLoad

Safari

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Windows Media Encoder (KB2447961)

Security Update for Windows Media Encoder (KB954156)

Security Update for Windows Media Encoder (KB979332)

Silent Hunter 5

Silent Hunter Wolves of the Pacific

SpeedBit Video Downloader

SpeedFan (remove only)

Spelling Dictionaries Support For Adobe Reader 8

SpotCollector

Spybot - Search & Destroy

SpywareBlaster 4.2

System Requirements Lab

TaxCut Mississippi 2007

TaxCut Premium + State 2007

Toolbox

Treasure Valley

TrustedQSL 1.13

Ubisoft Game Launcher

UI-View32

Uninstall Digital Binoculars Driver

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Veetle TV 0.9.17

Vegas Movie Studio HD Platinum 11.0

Visualizer Photo Resize

VLC media player 1.1.11

VOAProp

vShare Plugin

W6ELProp

WD Discovery Software

WinCAP Wizard 5.0.10

Windows 7 Upgrade Advisor

Windows Driver Package - FTDI CDM Driver Package (02/17/2009 2.04.16)

Windows Media Encoder 9 Series

Windows Media Player Firefox Plugin

WinPatrol 2009

WinRAR archiver

XPax

Yahoo! BrowserPlus 2.9.8

.

==== Event Viewer Messages From Past Week ========

.

1/29/2013 2:49:32 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 6 time(s).

1/29/2013 2:49:32 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

1/29/2013 1:03:21 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 5 time(s).

1/28/2013 9:48:27 PM, Error: Microsoft-Windows-WMPNSS-Service [14325] - Service 'WMPNetworkSvc' did not start correctly because QueryService encountered error '0x80070424'. In Windows Media Player, turn off media sharing, and then turn it back on.

1/28/2013 9:47:25 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 4 time(s).

1/28/2013 9:47:03 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 3 time(s).

1/28/2013 9:47:03 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running.

1/28/2013 9:46:54 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

1/28/2013 9:46:50 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

1/28/2013 9:46:50 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt

1/28/2013 9:46:50 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

1/28/2013 9:46:50 PM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.

1/28/2013 9:46:50 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

1/28/2013 9:46:50 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

1/28/2013 9:46:03 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer PDF995 with shared resource name PDF995. Error 2114. The printer cannot be used by others on the network.

1/28/2013 9:45:58 PM, Error: Microsoft-Windows-HttpEvent [15021] - An error occured while using SSL configuration for socket address 192.168.1.97:63331. The error status code is contained within the returned data.

1/28/2013 9:45:46 PM, Error: volmgr [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

1/28/2013 7:27:08 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 24 time(s).

1/28/2013 6:24:45 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 26 time(s).

1/28/2013 3:46:06 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 25 time(s).

1/28/2013 1:19:37 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 23 time(s).

1/27/2013 6:18:51 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 22 time(s).

1/27/2013 3:05:41 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 21 time(s).

1/26/2013 4:13:59 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 18 time(s).

1/26/2013 4:13:58 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 17 time(s).

1/26/2013 2:22:55 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 19 time(s).

1/26/2013 11:48:17 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 20 time(s).

1/25/2013 7:47:46 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 13 time(s).

1/25/2013 7:45:31 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 12 time(s).

1/25/2013 4:52:47 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

1/25/2013 4:52:47 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

1/25/2013 4:52:46 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 11 time(s).

1/25/2013 4:52:46 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}

1/25/2013 3:36:19 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 16 time(s).

1/25/2013 2:11:18 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 15 time(s).

1/25/2013 10:32:10 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 14 time(s).

1/24/2013 9:18:01 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 10 time(s).

1/24/2013 9:18:00 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 9 time(s).

1/24/2013 9:17:59 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 8 time(s).

1/24/2013 9:17:58 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 7 time(s).

1/24/2013 10:29:51 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.97 for the Network Card with network address 001A92249F20 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

1/24/2013 10:29:49 AM, Error: EventLog [6008] - The previous system shutdown at 4:57:59 AM on 1/24/2013 was unexpected.

.

==== End Of File ===========================


OTL logfile created on: 1/31/2013 10:04:18 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\OWner\Desktop

Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.08 Gb Available Physical Memory | 54.16% Memory free

3.89 Gb Paging File | 2.66 Gb Available in Paging File | 68.27% Paging File free

Paging file location(s): c:\pagefile.sys 2000 3067 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 372.61 Gb Total Space | 151.19 Gb Free Space | 40.58% Space Free | Partition Type: NTFS

Computer Name: RCZMB04N | User Name: OWner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/31 22:01:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\OWner\Desktop\OTL.exe

PRC - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2012/12/14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

PRC - [2012/10/02 13:29:14 | 000,864,616 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

PRC - [2012/10/02 13:15:38 | 000,382,824 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

PRC - [2012/08/31 19:39:59 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe

PRC - [2012/08/31 19:38:31 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

PRC - [2012/08/31 19:38:14 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe

PRC - [2012/08/31 19:38:12 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

PRC - [2011/05/21 05:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

PRC - [2010/10/27 19:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

PRC - [2010/08/25 11:27:44 | 000,309,824 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

PRC - [2010/08/02 06:20:23 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

PRC - [2009/06/01 10:41:11 | 000,341,312 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2009/03/05 15:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

PRC - [2009/01/26 19:37:22 | 000,039,936 | ---- | M] (KSE - Korndörfer Software Engineering) -- C:\Program Files\nHancer\nHancerService.exe

PRC - [2007/09/04 19:25:44 | 000,131,072 | ---- | M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

PRC - [2007/07/11 00:09:52 | 004,317,184 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe

PRC - [2006/12/22 18:12:38 | 000,178,176 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvraidservice.exe

PRC - [2006/09/21 17:33:15 | 000,069,632 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\Windows\System32\Crypserv.exe

========== Modules (No Company Name) ==========

MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll

MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll

MOD - [2007/09/14 09:58:00 | 000,059,904 | ---- | M] () -- C:\Program Files\ArcSoft\PhotoImpression 5\Share\PIHook.dll

========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SBSDWSCService)

SRV - [2013/01/20 13:22:32 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)

SRV - [2012/10/02 13:15:38 | 000,382,824 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)

SRV - [2012/08/31 19:39:59 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2012/08/31 19:38:14 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2011/05/21 05:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)

SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)

SRV - [2009/01/26 19:37:22 | 000,039,936 | ---- | M] (KSE - Korndörfer Software Engineering) [Auto | Running] -- C:\Program Files\nHancer\nHancerService.exe -- (nHancer)

SRV - [2007/09/04 19:25:44 | 000,131,072 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)

SRV - [2006/09/21 17:33:15 | 000,069,632 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\Windows\System32\Crypserv.exe -- (Crypkey License)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\OWner\AppData\Local\Temp\mbr.sys -- (mbr)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\OWner\AppData\Local\Temp\catchme.sys -- (catchme)

DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)

DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2012/10/10 21:14:28 | 010,837,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

DRV - [2012/08/31 19:40:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)

DRV - [2012/08/31 19:40:48 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)

DRV - [2012/08/31 19:40:46 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)

DRV - [2012/08/31 19:40:45 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)

DRV - [2012/08/19 21:14:04 | 000,281,760 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt)

DRV - [2012/08/19 21:14:04 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt)

DRV - [2012/04/13 09:05:20 | 000,062,216 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ftdibus.sys -- (FTDIBUS)

DRV - [2012/04/13 09:05:06 | 000,073,096 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ftser2k.sys -- (FTSER2K)

DRV - [2011/07/02 10:05:20 | 000,025,984 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\VSPE.sys -- (EterlogicVirtualSerialDriver)

DRV - [2011/03/18 10:08:54 | 000,025,240 | ---- | M] (Almico Software) [Kernel | Boot | Running] -- C:\Windows\System32\speedfan.sys -- (speedfan)

DRV - [2010/09/22 13:19:02 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\taphss.sys -- (taphss)

DRV - [2009/03/27 00:16:28 | 000,012,672 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cpuz132_x32.sys -- (cpuz132)

DRV - [2008/07/15 20:10:18 | 000,068,730 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\jl2005c.sys -- (JL2005C)

DRV - [2007/09/04 19:26:32 | 000,029,696 | ---- | M] (NVidia Corp.) [Kernel | On_Demand | Running] -- C:\Windows\nvoclock.sys -- (NVR0Dev)

DRV - [2007/07/02 23:37:08 | 000,110,112 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)

DRV - [2007/06/25 07:14:32 | 000,076,288 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ser2rs.sys -- (Ser2rs)

DRV - [2007/05/03 17:29:10 | 001,065,384 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)

DRV - [2007/04/29 16:58:32 | 000,023,944 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\KMWDFILTER.sys -- (KMWDFILTER)

DRV - [2006/12/22 18:07:04 | 000,122,880 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvrd32.sys -- (nvrd32)

DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)

DRV - [2006/10/18 13:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\AsIO.sys -- (AsIO)

DRV - [2006/10/18 12:44:48 | 000,007,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)

DRV - [2006/01/09 20:47:27 | 000,031,846 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\Ckldrv.sys -- (NetworkX)

DRV - [2004/11/22 17:36:39 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)

DRV - [2004/11/22 17:36:34 | 000,019,345 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMPR5.sys -- (MREMPR5)

DRV - [2004/06/03 20:10:36 | 000,033,792 | ---- | M] (Pixela) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pixmcvc.sys -- (PIXMCV)

DRV - [2004/03/27 00:56:10 | 000,032,768 | ---- | M] (Pixela) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pixmcvv.sys -- (PIXMCVV)

DRV - [2004/03/20 04:27:26 | 000,038,144 | ---- | M] (Pixela) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pixmcva.sys -- (PIXMCVA)

DRV - [1996/04/03 13:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\giveio.sys -- (giveio)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}

IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en

IE - HKCU\..\SearchScopes\{c99fdc39-a1ae-4b24-8d71-e5274f8d7c54}: "URL" = http://search.hotspotshield.com/g/results.php?c=s&q={searchTerms}

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:57910

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Hotspot Shield Private Search"

FF - prefs.js..browser.search.defaultthis.enginename: "web-radio Customized Web Search"

FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT168755&SearchSource=3&q="

FF - prefs.js..browser.search.suggest.enabled: false

FF - prefs.js..browser.startup.homepage: "http://att.my.yahoo.com/"

FF - prefs.js..extensions.enabledAddons: %7B888d99e7-e8b5-46a3-851e-1ec45da1e644%7D:17.0.0

FF - prefs.js..extensions.enabledAddons: module%40com.arcadesafari.firefox:2.1.335

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:4.0.1

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.5

FF - prefs.js..extensions.enabledItems: vshareus@toolbar:1.0.0

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Users\OWner\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll (Move Networks)

FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)

FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.775: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.775: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.775: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)

FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.17: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)

FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.17: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)

FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Users\OWner\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll (Move Networks)

FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Users\OWner\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)

FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll (Ubisoft)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/08/23 23:03:55 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/01/20 13:22:33 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/01/20 13:22:28 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Users\OWner\AppData\Roaming\Move Networks [2012/08/23 23:04:06 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\module@com.arcadesafari.firefox: C:\Users\OWner\AppData\Local\Arcadesafari\module@com.arcadesafari.firefox [2013/01/03 00:15:14 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/01/20 13:22:33 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/01/20 13:22:28 | 000,000,000 | ---D | M]

[2009/02/13 19:00:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\OWner\AppData\Roaming\mozilla\Extensions

[2012/12/24 09:53:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\OWner\AppData\Roaming\mozilla\Firefox\Profiles\2ympkwwi.default\extensions

[2012/08/23 23:04:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\OWner\AppData\Roaming\mozilla\Firefox\Profiles\2ympkwwi.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2012/12/24 09:53:38 | 000,030,502 | ---- | M] () (No name found) -- C:\Users\OWner\AppData\Roaming\mozilla\firefox\profiles\2ympkwwi.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}.xpi

[2009/01/15 09:58:06 | 000,000,878 | ---- | M] () -- C:\Users\OWner\AppData\Roaming\mozilla\firefox\profiles\2ympkwwi.default\searchplugins\conduit.xml

[2013/01/03 00:15:14 | 000,000,000 | ---D | M] (Arcadesafari) -- C:\USERS\OWNER\APPDATA\LOCAL\ARCADESAFARI\MODULE@COM.ARCADESAFARI.FIREFOX

[2013/01/20 13:22:33 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2008/08/16 16:42:02 | 000,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CgpCore.dll

[2008/08/16 16:42:12 | 000,091,448 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\confmgr.dll

[2008/08/16 16:42:08 | 000,020,800 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll

[2008/05/21 07:41:08 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcm80.dll

[2008/05/21 07:41:08 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcp80.dll

[2008/05/21 07:41:08 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcr80.dll

[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

[2008/08/16 16:44:46 | 000,427,312 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npicaN.dll

[2008/08/16 16:42:04 | 000,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll

[2013/01/20 13:22:30 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2013/01/20 13:22:30 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://www.google.com

CHR - Extension: Arcadesafari = C:\Users\OWner\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmeemomfelpigklppifflheakfpkfjjg\

CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\OWner\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.2\

O1 HOSTS File: ([2009/07/11 01:41:54 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (SBCONVERT Class) - {A1056498-D09A-41E4-864B-505EDD640D9E} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll ()

O2 - BHO: (GrabberObj Class) - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\SpeedBit Video Downloader\Toolbar\Grabber.dll (Speedbit Ltd.)

O3 - HKLM\..\Toolbar: (SpeedBit Video Downloader) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll ()

O3 - HKCU\..\Toolbar\WebBrowser: (SpeedBit Video Downloader) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll ()

O3 - HKCU\..\Toolbar\WebBrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()

O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)

O4 - HKLM..\Run: [NVRaidService] C:\Windows\System32\nvraidservice.exe (NVIDIA Corporation)

O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)

O4 - HKCU..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" File not found

O4 - HKCU..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe File not found

O4 - HKCU..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe (NVIDIA)

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 1 = avnotify.exe

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 2 = ipmgui.exe

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O15 - HKCU\..Trusted Domains: att.net ([www] http in Trusted sites)

O15 - HKCU\..Trusted Domains: dxspots.com ([]http in Trusted sites)

O15 - HKCU\..Trusted Domains: netlogger.org ([www] http in Trusted sites)

O15 - HKCU\..Trusted Domains: omiss.net ([]http in Trusted sites)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} http://echat.bellsouth.net/sdccommon/download/tgctlcm.cab (Support.com Configuration Class)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.srtest.com/srl_bin/sysreqlab3.cab (System Requirements Lab Class)

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgreens.com/WalgreensActivia.cab (Snapfish Activia)

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.readyforcrysis.com/sysreqlab2.cab (Reg Error: Key error.)

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab (NVIDIA Smart Scan)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://www.doylevisualmedia.com/activex/AMC.cab (AxisMediaControlEmb Class)

O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab (Reg Error: Value error.)

O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C4006B26-9C86-4752-B5B0-7B114F73878D}: DhcpNameServer = 192.168.1.254 192.168.1.254

O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll ()

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\OWner\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp

O24 - Desktop BackupWallPaper: C:\Users\OWner\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. File not found

O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: FastUserSwitchingCompatibility - File not found

NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)

NetSvcs: Nla - File not found

NetSvcs: Ntmssvc - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: Sharedaccess - File not found

NetSvcs: SRService - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: LogonHours - File not found

NetSvcs: PCAudit - File not found

NetSvcs: helpsvc - File not found

NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)

Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)

Drivers32: VIDC.FPS1 - C:\Windows\System32\frapsvid.dll (Beepa P/L)

Drivers32: VIDC.JDCT - C:\Windows\System32\jl_jdct.drv (JEILIN Tech.)

Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT

Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/01/31 22:01:57 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\OWner\Desktop\OTL.exe

[2013/01/28 20:35:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Motive

[2013/01/20 13:22:28 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2013/01/19 23:54:56 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox(18)

[2013/01/09 02:50:22 | 002,048,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2013/01/09 02:49:58 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll

[2013/01/03 19:21:08 | 000,000,000 | ---D | C] -- C:\Users\OWner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserPlus

[2013/01/03 00:15:17 | 000,000,000 | ---D | C] -- C:\Users\OWner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Arcadesafari

[2013/01/03 00:15:12 | 000,000,000 | ---D | C] -- C:\Users\OWner\AppData\Local\Arcadesafari

[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

[1 C:\Windows\Fonts\*.tmp files -> C:\Windows\Fonts\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/31 22:01:58 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\OWner\Desktop\OTL.exe

[2013/01/31 21:54:56 | 000,000,312 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job

[2013/01/31 21:49:26 | 000,005,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2013/01/31 21:49:26 | 000,005,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2013/01/31 21:18:18 | 000,000,464 | ---- | M] () -- C:\Windows\tasks\Arcadesafari.job

[2013/01/31 21:14:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2013/01/31 08:50:01 | 000,000,366 | ---- | M] () -- C:\Windows\tasks\ReclaimerUpdateXML_OWner.job

[2013/01/30 22:14:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2013/01/30 12:41:28 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\ReclaimerUpdateFiles_OWner.job

[2013/01/28 21:46:02 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\RNUpgradeHelperLogonPrompt_OWner.job

[2013/01/28 21:45:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2013/01/28 21:20:17 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2013/01/28 01:19:36 | 000,000,157 | ---- | M] () -- C:\Users\OWner\Desktop\Ashokan Farewell.url

[2013/01/24 10:36:49 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2013/01/24 10:36:49 | 000,104,202 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2013/01/20 09:29:37 | 000,001,995 | ---- | M] () -- C:\Users\OWner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2013/01/11 18:42:44 | 000,482,017 | ---- | M] () -- C:\Users\OWner\Desktop\Mississippi Comprehensive Health Insurance Risk Pool Application.pdf

[2013/01/11 18:11:38 | 000,062,211 | ---- | M] () -- C:\Users\OWner\Desktop\Hill-Burton Facilities Obligated to Provide Free or Reduced-Cost Health Care.htm

[2013/01/11 18:06:45 | 000,158,209 | ---- | M] () -- C:\Users\OWner\Desktop\Claiborne County Health Centers.pdf

[2013/01/09 03:27:51 | 000,235,800 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/28 01:19:12 | 000,000,157 | ---- | C] () -- C:\Users\OWner\Desktop\Ashokan Farewell.url

[2013/01/11 18:42:44 | 000,482,017 | ---- | C] () -- C:\Users\OWner\Desktop\Mississippi Comprehensive Health Insurance Risk Pool Application.pdf

[2013/01/11 18:11:38 | 000,062,211 | ---- | C] () -- C:\Users\OWner\Desktop\Hill-Burton Facilities Obligated to Provide Free or Reduced-Cost Health Care.htm

[2013/01/11 18:06:45 | 000,158,209 | ---- | C] () -- C:\Users\OWner\Desktop\Claiborne County Health Centers.pdf

[2013/01/03 00:15:18 | 000,000,464 | ---- | C] () -- C:\Windows\tasks\Arcadesafari.job

[2012/09/15 01:17:25 | 000,001,000 | RHS- | C] () -- C:\Users\OWner\ntuser.pol

[2012/08/19 21:14:04 | 000,281,760 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys

[2012/08/19 21:14:04 | 000,025,888 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys

[2012/02/15 19:54:10 | 000,000,079 | ---- | C] () -- C:\Users\OWner\AppData\Local\CrystalDiskMark30.ini

[2011/10/16 14:42:17 | 000,000,028 | ---- | C] () -- C:\Windows\pdf995.ini

[2011/08/30 20:23:05 | 000,153,795 | ---- | C] () -- C:\Windows\hphins26.dat

[2011/08/30 20:23:05 | 000,000,787 | ---- | C] () -- C:\Windows\hphmdl26.dat

[2011/08/18 20:45:54 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI

[2011/08/03 09:28:43 | 000,000,942 | ---- | C] () -- C:\Users\OWner\AppData\Roaming\coreavc.ini

[2011/08/02 21:34:44 | 000,001,456 | ---- | C] () -- C:\Users\OWner\.recently-used.xbel

[2011/07/02 10:05:20 | 000,025,984 | ---- | C] () -- C:\Windows\System32\drivers\VSPE.sys

[2010/11/05 19:26:29 | 000,000,140 | ---- | C] () -- C:\Users\OWner\.fptFavorites.dat

[2010/10/18 18:52:13 | 000,072,080 | ---- | C] () -- C:\Users\OWner\g2mdlhlpx.exe

[2010/06/05 12:10:10 | 000,164,864 | ---- | C] () -- C:\Program Files\UNWISE.EXE

[2009/07/29 00:55:28 | 000,000,552 | ---- | C] () -- C:\Users\OWner\AppData\Local\d3d8caps.dat

[2009/03/23 22:13:42 | 000,000,137 | ---- | C] () -- C:\Users\OWner\fsx.exe.limited.bat

[2009/03/23 22:11:04 | 000,188,416 | ---- | C] () -- C:\Users\OWner\HookHelper.dll

[2009/03/23 22:11:04 | 000,172,032 | ---- | C] () -- C:\Users\OWner\Limiter_D3D9.dll

[2009/03/23 22:11:04 | 000,122,880 | ---- | C] () -- C:\Users\OWner\FPS_Limiter.exe

[2009/03/23 22:11:04 | 000,102,400 | ---- | C] () -- C:\Users\OWner\Limiter_OGL.dll

[2009/03/23 22:11:04 | 000,102,400 | ---- | C] () -- C:\Users\OWner\Limiter_D3D8.dll

[2009/03/23 22:11:04 | 000,010,956 | ---- | C] () -- C:\Users\OWner\FPS_Limiter_GUI.jar

[2007/07/15 12:51:35 | 000,004,892 | RHS- | C] () -- C:\ProgramData\ntuser.pol

[2007/07/06 17:30:34 | 000,694,668 | ---- | C] () -- C:\Program Files\unins000.exe

[2007/07/06 17:30:34 | 000,015,029 | ---- | C] () -- C:\Program Files\unins000.dat

[2007/06/23 19:56:39 | 000,033,792 | ---- | C] () -- C:\Users\OWner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007/06/21 22:01:14 | 000,001,356 | ---- | C] () -- C:\Users\OWner\AppData\Local\d3d9caps.dat

========== ZeroAccess Check ==========

[2012/09/21 12:01:15 | 000,002,048 | -HS- | M] () -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\@

[2012/09/21 12:01:15 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\L

[2012/09/21 12:01:15 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\U

[2006/11/02 06:53:06 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

"ThreadingModel" = Both

"" = shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = fastprox.dll -- [2009/04/11 00:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 00:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2006/09/18 15:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat

[2007/11/27 21:09:31 | 000,000,360 | ---- | M] () -- C:\avsim.diz

[2008/11/14 23:21:10 | 020,066,456 | ---- | M] () -- C:\BLShkcu.reg

[2008/11/14 23:21:18 | 197,830,148 | ---- | M] () -- C:\BLShklm.reg

[2009/04/11 00:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr

[2007/03/15 08:17:55 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK

[2008/02/25 22:33:37 | 000,000,068 | ---- | M] () -- C:\CKINFO.TXT

[2009/07/11 11:13:32 | 000,018,078 | ---- | M] () -- C:\ComboFix.txt

[2006/09/18 15:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys

[2009/07/10 01:11:05 | 000,000,286 | ---- | M] () -- C:\cpcerxd.txt

[2007/06/20 14:56:16 | 000,000,120 | ---- | M] () -- C:\dfinstall.log

[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt

[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt

[2007/11/07 07:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt

[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt

[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt

[2007/11/07 07:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt

[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt

[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt

[2007/11/07 07:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt

[2007/11/07 07:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini

[2007/11/07 07:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe

[2007/11/07 07:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini

[2007/11/07 07:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll

[2007/11/07 07:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll

[2007/11/07 07:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll

[2007/11/07 07:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll

[2007/11/07 07:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll

[2007/11/07 07:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll

[2007/11/07 07:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll

[2007/11/07 07:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll

[2007/11/07 07:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll

[2007/07/11 02:01:58 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2009/07/11 11:47:24 | 000,005,541 | ---- | M] () -- C:\JavaRa.log

[2007/07/11 02:01:58 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2013/01/28 21:45:46 | 2097,152,000 | -HS- | M] () -- C:\pagefile.sys

[2012/05/28 19:27:19 | 000,013,030 | ---- | M] () -- C:\PDOXUSRS.NET

[2007/11/27 21:09:31 | 000,002,148 | ---- | M] () -- C:\READ ME.txt

[2007/11/07 07:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp

[2007/11/07 07:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab

[2007/11/07 07:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2013-01-09 09:09:21

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >

OTL Extras logfile created on: 1/31/2013 10:04:18 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\OWner\Desktop

Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.08 Gb Available Physical Memory | 54.16% Memory free

3.89 Gb Paging File | 2.66 Gb Available in Paging File | 68.27% Paging File free

Paging file location(s): c:\pagefile.sys 2000 3067 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 372.61 Gb Total Space | 151.19 Gb Free Space | 40.58% Space Free | Partition Type: NTFS

Computer Name: RCZMB04N | User Name: OWner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.com [@ = ComFile] -- Reg Error: Key error. File not found

.exe [@ = exefile] -- Reg Error: Key error. File not found

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

.pif [@ = piffile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 0

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{0D005F09-A5F4-473B-A901-5735C6AF5628}" = Silent Hunter Wolves of the Pacific

"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0

"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime

"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox

"{11F27647-5229-4508-9056-D4ECB7FF8303}" = Eagle CUDA 240 S/GPS Demo

"{167F938F-5AD3-40e2-B05D-2B7C6F0FDE48}" = HP Deskjet D1500 Printer Driver 10.0 Rel .3

"{16F124E1-F72B-4314-8DC6-640A7760FA49}" = E-Trac Xchange

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{21ABDAE4-9C9E-446C-B82E-28B143156BE9}" = nHancer

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{254BEB3E-1085-4D66-9CDC-0152C0DC2E93}" = EPSON TWAIN 5

"{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v1.5.1.2903

"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java 6 Update 30

"{305468A6-DE2D-43ba-A168-2F45A97A89DA}" = DJ_SF_03_D1500_Software_Min

"{356C1B0F-7ABD-4B52-ADD1-52681D27DBF6}" = Geek Squad 24 Hour Computer Support

"{39600969-41C3-4658-876E-16F108FC5C92}" = ISO Recorder

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{3C40DA91-58D8-44F8-BD19-969912D8612E}" = Active Sky Evolution

"{3EE75730-B5B8-490B-B560-913C5C840719}" = EasyPal 26/MAY/09

"{459699C3-9430-4381-964B-4248D87B49F9}" = Apple Mobile Device Support

"{48494430-A8AB-11E0-939A-005056C00008}" = MSVCRT Redists

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4CFCC6FD-AEA2-4208-99A6-45CBF9DFFD82}" = Real Environment Xtreme

"{4DF979D5-464C-4926-AF73-54C1C219F06A}" = Ham Radio Deluxe

"{5002C863-CDA3-4E41-9940-981C552A9140}" = Metal Detectives University

"{50C70B7E-C365-4AAF-B9D1-3EC5A8BE1685}" = H&R Block Mississippi 2009

"{519FCD20-AB3E-4A4F-AA30-2AAED80513A8}" = Lightscribe Extended Label Contrast Utility

"{520B0E53-A06B-4350-BBDB-1D6C101B1986}" = Active Sky Advanced Upgrade From ASX

"{53A19323-917A-4822-B27E-A57D1EF6E9FC}" = H&R Block Deluxe + Efile + State 2009

"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate

"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth

"{5DDB3393-E08B-447E-925F-6C00B95D0FE7}" = iCloud

"{600B9FB0-30A0-11E0-9ABC-005056C00008}" = DVD Architect Studio 5.0

"{663E217E-FC26-4249-9E8E-F190CD63E737}" = TaxCut Premium + State 2007

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{70365740-1568-4BA4-AE38-25909415D352}" = AAV ColorLab 32-bit 1.0.10.0

"{710BF966-43C8-4216-A8EC-BC4E169FF7C1}" = MobileMe Control Panel

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{7373184D-8E8F-4308-912A-3901071FA1AD}" = LightScribe Applications

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{77EBC8CD-F808-4ECD-93D0-311C27B09827}" = ATT eChat Support Tools

"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update

"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune

"{7D8EB14A-50BF-493F-A6D6-30656E04937C}" = XPax

"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003

"{90C1F682-9F40-42EC-BBE0-D2A1A4987E1B}" = LightScribe Diagnostic Utility

"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X

"{97AE8685-3E7D-451E-9E24-70A5872F19D5}" = ITS HF Propagation 2009.03.26

"{99341ACA-2A86-4235-A636-02A2A9820987}" = WD Discovery Software

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{A06A6679-41D7-48C5-82F8-7D3B0B654720}" = Active Sky X

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Microsoft Flight Simulator X: Acceleration

"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor

"{AC61C594-5F86-4BE9-ABAF-763C6A8E2302}" = Silent Hunter 5

"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.0

"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8

"{AD208F17-0593-43D1-8D2D-C32495B89690}" = De-Kooy-Texel-FA

"{B0261E53-B6F1-474A-864B-E7C3CBF468E0}" = iTunes

"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR

"{B2390904-74BD-48AA-B2CC-6612F8D46379}" = GameShadow

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 306.97

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 306.97

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{C779648B-410E-4BBA-B75B-5815BCEFE71D}" = Safari

"{CCE825DB-347A-4004-A186-5F4A6FDD8547}" = Apple Application Support

"{CDEE9830-92A2-4A65-8ED7-6804C865BA2F}" = ArcSoft PhotoImpression 5

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1

"{D112D601-C0E2-11E1-AAB9-F04DA23A5C58}" = Movie Studio Platinum 12.0

"{D3621EAA-00D6-4791-97BF-7E8EE3437BF2}" = Visualizer Photo Resize

"{D5306D70-E8AB-45B3-BECA-16C0A0E02894}" = TaxCut Mississippi 2007

"{D880D80F-C0E2-11E1-8A91-F04DA23A5C58}" = MSVCRT Redists

"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX

"{DDBA0DC0-A738-11E0-BF44-005056C00008}" = Vegas Movie Studio HD Platinum 11.0

"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series

"{E9459BCF-0982-498B-ABA7-26C34323493F}" = Citrix Presentation Server Client - Web Only

"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin

"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F32F502E-4398-4159-B3C9-3336AEDE6FEB}" = Real Environment Xtreme 2.0

"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0

"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II

"{FC1CC3C4-0AF2-46B6-8205-5C3F0965B4F6}_is1" = WinCAP Wizard 5.0.10

"{FD523531-7EA3-4F11-948C-C5F4B734FDB2}" = FSX Bonus Multiplayer Racing Missions

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"2DC0AA065FA83047D7ECD51C7000C1620D79A4C5" = Windows Driver Package - FTDI CDM Driver Package (02/17/2009 2.04.16)

"51A4D522DD31538335EF5736F0E7F588C70BCB12" = Windows Driver Package - FTDI CDM Driver Package (02/17/2009 2.04.16)

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"aopa_177" = AOPA 177 Cardinal for FSX

"AOPA's Real-Time Flight Planner" = AOPA's Real-Time Flight Planner 1.2.2

"ARCS II_is1" = ARCS II Version 1.20

"AT&&T Yahoo! Messenger" = AT&T Yahoo! Messenger

"Avira AntiVir Desktop" = Avira Free Antivirus

"AXIS Media Control Embedded" = AXIS Media Control Embedded

"Carenado Mooney M20J FSX" = Carenado Mooney M20J FSX

"Carenado Piper Cherokee 180F" = Carenado Piper Cherokee 180F

"CCleaner" = CCleaner (remove only)

"CoreAVC Professional Edition" = CoreAVC Professional Edition (remove only)

"CPUID CPU-Z_is1" = CPUID CPU-Z 1.51

"CrystalDiskMark_is1" = CrystalDiskMark 3.0.1c

"Digital Binoculars_is1" = Uninstall Digital Binoculars Driver

"DVDFab 8 Qt_is1" = DVDFab 8.1.8.5 (24/05/2012) Qt

"DX Atlas_is1" = DX Atlas 2.25

"Eastern 206 - ATC Flight_is1" = Eastern 206 - ATC Flight

"ESET Online Scanner" = ESET Online Scanner v3

"EsetOnlineScanner" = ESET Online Scanner

"EtracEm-V1-en" = EtracEm-V1-en

"Exif Pilot_is1" = Exif Pilot 4.4

"EZNEC_5000_is1" = EZNEC v. 5.0

"EZNEC_-5000_is1" = EZNEC Demo v. 5.0

"f1mustang_FSX" = Flight1 Citation Mustang

"FlightSim_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Microsoft Flight Simulator X: Acceleration

"FormatFactory" = FormatFactory 2.70

"Fraps" = Fraps (remove only)

"FS Water Configurator" = FS Water Configurator 3.15

"GeoAlert-Extreme Wizard_is1" = GeoAlert-Extreme Wizard 4.1.44

"Google Chrome" = Google Chrome

"GSpot" = GSpot Codec Information Appliance

"HaaliMkx" = Haali Media Splitter

"Ham CAP_is1" = Ham CAP 1.61

"HijackThis" = HijackThis 2.0.2

"ImgBurn" = ImgBurn

"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune

"InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X

"IonoProbe_is1" = IonoProbe 1.36

"ITS HF Propagation" = ITS HF Propagation 2008.01.21

"Juniper_Setup_Client Activex Control" = Juniper Networks, Inc. Setup Client Activex Control

"link700" = link700

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100

"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"minirk12_is1" = mini Ring Core Calculator 1.2

"Morse Machine" = Morse Machine

"Mozilla Firefox 18.0 (x86 en-US)" = Mozilla Firefox 18.0 (x86 en-US)

"MozillaMaintenanceService" = Mozilla Maintenance Service

"Net Logger" = Net Logger

"NVIDIA Drivers" = NVIDIA Drivers

"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver

"Pdf995" = Pdf995 (installed by TaxCut)

"PdfEdit995" = PdfEdit995 (installed by TaxCut)

"Ping Plotter Freeware" = Ping Plotter Freeware

"PMapServer7" = PMapServer7

"Radar Contact v4.3_is1" = Radar Contact Version 4.3

"RealPlayer 12.0" = RealPlayer

"RefManager_is1" = RefManager 1.0

"RevLoad" = RevLoad

"RTMshadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Flight Simulator X

"SP1_9527A496-5DF9-412A-ADC7-168BA5379CA6" = Microsoft Flight Simulator X Service Pack 1

"SP1shadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Flight Simulator X Service Pack 1

"SpeedBit Video Downloader" = SpeedBit Video Downloader

"SpeedFan" = SpeedFan (remove only)

"SpywareBlaster_is1" = SpywareBlaster 4.2

"ST6UNST #1" = Amateur Contact Log 3.0

"ST6UNST #2" = Amateur Contact Log 3.0 (C:\Program Files\ACLog 3.0\)

"ST6UNST #3" = DXLabLauncher

"ST6UNST #4" = SpotCollector

"ST6UNST #5" = DXKeeper

"SystemRequirementsLab" = System Requirements Lab

"Treasure Valley" = Treasure Valley

"TrustedQSL_is1" = TrustedQSL 1.13

"UI-View32_is1" = UI-View32

"Veetle TV" = Veetle TV 0.9.17

"VLC media player" = VLC media player 1.1.11

"VOAProp" = VOAProp

"vShare" = vShare Plugin

"W6ELProp" = W6ELProp

"Windows Media Encoder 9" = Windows Media Encoder 9 Series

"WinGimp-2.0_is1" = GIMP 2.6.4

"WinPatrol" = WinPatrol 2009

"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"ADDS Flight Path Tool" = ADDS Flight Path Tool

"Arcadesafari" = Arcadesafari

"Juniper_Setup_Client" = Juniper Networks, Inc. Setup Client

"Mooney 20J High Definition Virtual Cockpit" = Mooney 20J High Definition Virtual Cockpit

"Move Media Player" = Move Media Player

"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 1/29/2013 3:03:21 AM | Computer Name = RCZMB04N | Source = Windows Search Service | ID = 1006

Description =

Error - 1/29/2013 4:49:32 AM | Computer Name = RCZMB04N | Source = Windows Search Service | ID = 1006

Description =

Error - 1/29/2013 3:08:38 PM | Computer Name = RCZMB04N | Source = Windows Search Service | ID = 1006

Description =

Error - 1/30/2013 2:14:19 PM | Computer Name = RCZMB04N | Source = Windows Search Service | ID = 1006

Description =

Error - 1/30/2013 2:17:02 PM | Computer Name = RCZMB04N | Source = Windows Search Service | ID = 1006

Description =

Error - 1/30/2013 2:17:05 PM | Computer Name = RCZMB04N | Source = Windows Search Service | ID = 1006

Description =

Error - 1/30/2013 2:17:07 PM | Computer Name = RCZMB04N | Source = Windows Search Service | ID = 1006

Description =

Error - 2/1/2013 12:02:11 AM | Computer Name = RCZMB04N | Source = Windows Search Service | ID = 1006

Description =

Error - 2/1/2013 12:02:41 AM | Computer Name = RCZMB04N | Source = Windows Search Service | ID = 1006

Description =

Error - 2/1/2013 12:03:11 AM | Computer Name = RCZMB04N | Source = Windows Search Service | ID = 1006

Description =

[ Media Center Events ]

Error - 9/7/2009 3:31:56 AM | Computer Name = RCZMB04N | Source = MCUpdate | ID = 0

Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 5/20/2010 10:31:16 PM | Computer Name = RCZMB04N | Source = Media Center Guide | ID = 0

Description = Event Info: ERROR: SqmApiWrapper.WaitForUploadComplete failed. Please

try to ping www.msn.com prior to filing a bug.; Win32 GetLastError returned 10000109

Process: DefaultDomain Object Name: Media Center Guide

Error - 5/20/2010 10:50:08 PM | Computer Name = RCZMB04N | Source = Media Center Guide | ID = 0

Description = Event Info: ERROR: SqmApiWrapper.TimerAccumulate failed; Win32 GetLastError

returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 5/20/2010 10:51:04 PM | Computer Name = RCZMB04N | Source = Media Center Guide | ID = 0

Description = Event Info: ERROR: SqmApiWrapper.TimerAccumulate failed; Win32 GetLastError

returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 8/23/2011 10:39:51 PM | Computer Name = RCZMB04N | Source = Media Center Guide | ID = 0

Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError

returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 7/10/2012 7:20:18 PM | Computer Name = RCZMB04N | Source = Media Center Guide | ID = 0

Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError

returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

[ System Events ]

Error - 1/30/2013 2:17:06 PM | Computer Name = RCZMB04N | Source = Service Control Manager | ID = 7024

Description =

Error - 1/30/2013 2:17:06 PM | Computer Name = RCZMB04N | Source = Service Control Manager | ID = 7034

Description =

Error - 1/30/2013 2:17:07 PM | Computer Name = RCZMB04N | Source = Service Control Manager | ID = 7024

Description =

Error - 1/30/2013 2:17:07 PM | Computer Name = RCZMB04N | Source = Service Control Manager | ID = 7034

Description =

Error - 2/1/2013 12:02:11 AM | Computer Name = RCZMB04N | Source = Service Control Manager | ID = 7024

Description =

Error - 2/1/2013 12:02:11 AM | Computer Name = RCZMB04N | Source = Service Control Manager | ID = 7031

Description =

Error - 2/1/2013 12:02:41 AM | Computer Name = RCZMB04N | Source = Service Control Manager | ID = 7024

Description =

Error - 2/1/2013 12:02:41 AM | Computer Name = RCZMB04N | Source = Service Control Manager | ID = 7031

Description =

Error - 2/1/2013 12:03:11 AM | Computer Name = RCZMB04N | Source = Service Control Manager | ID = 7024

Description =

Error - 2/1/2013 12:03:11 AM | Computer Name = RCZMB04N | Source = Service Control Manager | ID = 7034

Description =

< End of report >


Hello dykesc. :)

I see you have Conduit installed. It is often present when there are other infections on computers, and it is for this reason I recommend removing it (please see here for more information).

Your logs show that the SpeedBit Video Downloader is installed. It has been known to exhibit suspicious behaviour (please see here for further information). I recommend removing it.

Please go to Start>Control Panel> Add or Remove Programs and remove the following programs (if present):

  • Conduit
  • Conduit Toolbar
  • SpeedBit Video Downloader

Please restart your computer after this program removal.

=====

Next, please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :OTL
    FF - prefs.js..extensions.enabledItems: vshareus@toolbar:1.0.0
    O3 - HKCU\..\Toolbar\WebBrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
    FF - prefs.js..extensions.enabledItems: vshareus@toolbar:1.0.0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - HKCU\..Trusted Domains: att.net ([www] http in Trusted sites)
    O15 - HKCU\..Trusted Domains: dxspots.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: netlogger.org ([www] http in Trusted sites)
    O15 - HKCU\..Trusted Domains: omiss.net ([]http in Trusted sites)
    [2012/09/21 12:01:15 | 000,002,048 | -HS- | M] () -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\@
    [2012/09/21 12:01:15 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\L
    [2012/09/21 12:01:15 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\U
    :Commands
    [EmptyTemp]
  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=====

In addition,

For x32 (x86) bit systems please download the Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

For x64 bit systems please download the Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer, find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.

=====

In your reply please provide the contents of the OTL fix log and FRST.txt.

What issues remain on your computer?


Hi DarkKnight,

Neither Conduit nor Conduit Toolbar was in the Windows "Add/Remove Programs" dropdown selection list. SpeedBit Video Downloader was in the list and has now been removed from my computer as you recommended.

I ran OTL in Run Fix mode with the parameters you provided. The OTL Fix log is provided in this reply.

I don't have access to a thumb drive at this time. I will get one today and then run the Farbar Recovery Scan Tool 32 bit as you. Afterwards I will post the FRST.txt file.

It is difficult to say whether the mass email distribution issue has been corrected. I deleted all my email contacts to stop the malware until I could get the malware removed. I added one "fake" email address back to my contact list so I could watch for further issues. The malware used the fake email address in a distribution one time on 1/29/2013. Since then there have been no other malware email distributions.

All processes killed

========== OTL ==========

Prefs.js: vshareus@toolbar:1.0.0 removed from extensions.enabledItems

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{043C5167-00BB-4324-AF7E-62013FAEDACF} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ deleted successfully.

C:\Program Files\vShare\vshare_toolbar.dll moved successfully.

Prefs.js: vshareus@toolbar:1.0.0 removed from extensions.enabledItems

Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\att.net\www\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dxspots.com\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\netlogger.org\www\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\omiss.net\ deleted successfully.

C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\@ moved successfully.

C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\L folder moved successfully.

C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\U folder moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 56545 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Experience

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: OWner

->Temp folder emptied: 10204016780 bytes

->Temporary Internet Files folder emptied: 338040500 bytes

->Java cache emptied: 98305957 bytes

->FireFox cache emptied: 197419741 bytes

->Google Chrome cache emptied: 6206938 bytes

->Apple Safari cache emptied: 2609152 bytes

->Flash cache emptied: 309557 bytes

User: Public

User: UpdatusUser

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32768 bytes

->Flash cache emptied: 2913 bytes

User: UpdatusUser.RCZMB04N

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 56545 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 37136 bytes

%systemroot%\System32 .tmp files removed: 37136 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 2541133547 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 21934008553 bytes

Total Files Cleaned = 33,686.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 02012013_040820

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


DarkKnight

I got a thumb drive and loaded FRST.exe onto it. Unfortunately I can't find a way to boot from a command prompt.

I am running Windows Vista Ultimate. There is NO "Advanced Boot Options" item in the menu that displays after pressing the F8 key. I tried restarting several times while pressing the F8 key after the bios loads. Vista was preloaded on this computer by the OEM. I don't have a Windows installation disc.


More info. I found a CD that came with my Velocity Micro computer many years ago. It is titled Operating System Disc. Instructions on the front of the CD state to place it in a drive and reboot the computer. It also has a WARNING note that states "This process erases all data and files from the hard drive." I hesitate to use this disc because of that warning. Please advise.


Hey dykesc,

The disc you have is probably a recovery disc, in which case it would wipe all your files.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225
    :Commands
    [EmptyTemp]
  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=====

Also, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

=====

In your reply please provide the contents of both logs and let me know how your computer is currently running.


Computer is running fine Dark Knight. Well, except for the Malware Forums pages. For some reason I lost all the forum graphics. Just text links right now for some reason.

I re-populated my email contacts list. I will let you know if I see any more malicious activity.

OTL and ComboFix logs follow:

All processes killed

========== FILES ==========

C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225 folder moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Experience

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: OWner

->Temp folder emptied: 52612 bytes

->Temporary Internet Files folder emptied: 172555 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 89423006 bytes

->Google Chrome cache emptied: 0 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 1679 bytes

User: Public

User: UpdatusUser

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: UpdatusUser.RCZMB04N

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 6894915 bytes

Total Files Cleaned = 92.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 02012013_193042

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

ComboFix 13-02-01.04 - OWner 02/01/2013 20:06:03.2.2 - x86

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2046.1157 [GMT -6:00]

Running from: c:\users\OWner\Desktop\ComboFix.exe

AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\users\OWner\FPS_Limiter.exe

c:\users\OWner\g2mdlhlpx.exe

c:\users\OWner\HookHelper.dll

c:\users\OWner\Limiter_D3D8.dll

c:\users\OWner\Limiter_D3D9.dll

c:\users\OWner\Limiter_OGL.dll

.

.

((((((((((((((((((((((((( Files Created from 2013-01-02 to 2013-02-02 )))))))))))))))))))))))))))))))

.

.

2013-02-02 02:14 . 2013-02-02 02:17 -------- d-----w- c:\users\OWner\AppData\Local\temp

2013-02-02 02:14 . 2013-02-02 02:14 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-02-02 02:14 . 2013-02-02 02:14 -------- d-----w- c:\users\UpdatusUser.RCZMB04N\AppData\Local\temp

2013-02-02 02:14 . 2013-02-02 02:14 -------- d-----w- c:\users\Experience\AppData\Local\temp

2013-02-02 02:14 . 2013-02-02 02:14 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-01 10:08 . 2013-02-01 10:08 -------- d-----w- C:\_OTL

2013-01-29 02:35 . 2013-01-29 02:35 -------- d-----w- c:\programdata\Motive

2013-01-09 08:50 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys

2013-01-09 08:49 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-09 08:49 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll

2013-01-03 06:15 . 2013-01-03 06:15 -------- d-----w- c:\users\OWner\AppData\Local\Arcadesafari

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-16 13:12 . 2012-12-23 09:00 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-16 10:50 . 2012-12-23 09:00 293376 ----a-w- c:\windows\system32\atmfd.dll

2012-12-14 22:49 . 2008-10-23 22:35 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-14 02:09 . 2012-12-13 09:04 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 01:58 . 2012-12-13 09:04 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 01:57 . 2012-12-13 09:04 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 01:49 . 2012-12-13 09:04 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 01:48 . 2012-12-13 09:04 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 01:44 . 2012-12-13 09:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-13 01:29 . 2012-12-12 19:01 2048 ----a-w- c:\windows\system32\tzres.dll

2007-07-06 23:29 . 2007-07-06 23:30 694668 ----a-w- c:\program files\unins000.exe

2001-09-28 22:00 . 2010-06-05 18:10 164864 ------w- c:\program files\UNWISE.EXE

2008-08-16 22:42 . 2013-01-20 19:22 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 22:42 . 2013-01-20 19:22 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 22:42 . 2013-01-20 19:22 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 22:42 . 2013-01-20 19:22 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 22:43 . 2013-01-20 19:22 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 22:42 . 2013-01-20 19:22 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 22:42 . 2013-01-20 19:22 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 13:41 . 2013-01-20 19:22 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 13:41 . 2013-01-20 19:22 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 13:41 . 2013-01-20 19:22 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 18:58 . 2013-01-20 19:22 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 22:42 . 2013-01-20 19:22 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2013-01-20 19:22 . 2013-01-20 19:22 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{adff4c9a-4f49-4a1f-8885-360e107b7938}]

2009-11-08 15:55 297808 ----a-w- c:\windows\System32\mscoree.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-04 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-12-23 178176]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]

"RtHDVCpl"="RtHDVCpl.exe" [2007-07-11 4317184]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-02 202256]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-09-01 348664]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux6"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-01-30 18:14 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-02 c:\windows\Tasks\Arcadesafari.job

- c:\users\OWner\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe [2013-01-03 06:15]

.

2013-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 21:00]

.

2013-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 21:00]

.

2013-02-01 c:\windows\Tasks\ReclaimerUpdateFiles_OWner.job

- c:\users\OWner\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-22 11:13]

.

2013-02-01 c:\windows\Tasks\ReclaimerUpdateXML_OWner.job

- c:\users\OWner\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-22 11:13]

.

2013-02-02 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_OWner.job

- c:\users\OWner\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-22 11:13]

.

2012-08-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-10-26 20:31]

.

2013-02-01 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-10-26 20:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://att.my.yahoo.com

uInternet Settings,ProxyServer = http=127.0.0.1:57910

uInternet Settings,ProxyOverride = <local>;*.local

TCP: DhcpNameServer = 192.168.1.254 192.168.1.254

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://www.doylevisualmedia.com/activex/AMC.cab

DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab

FF - ProfilePath - c:\users\OWner\AppData\Roaming\Mozilla\Firefox\Profiles\2ympkwwi.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT168755&SearchSource=3&q=

FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/

FF - ExtSQL: !HIDDEN! 2009-08-14 01:55; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

HKCU-Run-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe

SafeBoot-WudfPf

SafeBoot-WudfRd

AddRemove-Ping Plotter Freeware - c:\progra~1\PINGPL~1\UNWISE.EXE

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-02-01 20:18

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(1336)

c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

c:\program files\NVIDIA Corporation\Display\nvxdsync.exe

c:\windows\system32\nvvsvc.exe

c:\program files\Avira\AntiVir Desktop\sched.exe

c:\program files\ASUS\AASP\1.00.32\aaCenter.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\crypserv.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe

c:\program files\nHancer\nHancerService.exe

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\program files\Spybot - Search & Destroy\SDWinSec.exe

c:\windows\System32\WUDFHost.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Windows Media Player\wmpnscfg.exe

.

**************************************************************************

.

Completion time: 2013-02-01 20:23:37 - machine was rebooted

ComboFix-quarantined-files.txt 2013-02-02 02:23

ComboFix2.txt 2009-07-11 17:13

ComboFix3.txt 2009-07-11 07:46

.

Pre-Run: 197,418,160,128 bytes free

Post-Run: 197,227,823,104 bytes free

.

- - End Of File - - F2F04A6E3A38E7EC966DC324E2163FCF


Good afternoon dykesc :).

Not sure about the graphics issue. Is it present only on the MBAM pages?

You had a ZeroAccess infection, which OTL dealt with, but to make sure please do the below.

Please follow these instructions to remove the remaining malicious entries:

  • Please close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

    killall::
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:57910
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
    [image: CFScriptB-4.gif]
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post the ComboFix.txt in your next reply.

=====

Also, please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

=====

In your reply please provide the following contents:

  • ComboFix.txt.
  • Both MBAR logs.

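As an added example (not code from this thread, nor part of OTL or ComboFix), a small Python triage helper that reads OTL/ComboFix log text and flags the two indicators the helper acted on in this thread: the per-user `uInternet Settings,ProxyServer` line pointing at 127.0.0.1 (removed by the CFScript) and the `C:\$RECYCLE.BIN\S-1-5-18\$<32 hex>\@`, `\L`, `\U` entries (moved by the earlier OTL fix). The sample log is constructed from lines quoted in this thread plus a made-up benign recycle-bin entry under an ordinary user SID for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the OTL fix list and the ComboFix
# "Supplementary Scan" lines quoted in this thread.  The S-1-5-21 line
# is a made-up benign recycle-bin entry (normal user SID, $R<name> file).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:57910
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
[2012/09/21 12:01:15 | 000,002,048 | -HS- | M] () -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\@
[2012/09/21 12:01:15 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\L
[2012/09/21 12:01:15 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\U
[2013/01/15 09:00:00 | 000,001,024 | ---- | M] () -- C:\$RECYCLE.BIN\S-1-5-21-1111111111-2222222222-3333333333-1000\$RXYZ123.txt
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Per-user (HKCU) WinINet proxy line as ComboFix prints it.
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$", re.I)

# OTL file entry ending in the LocalSystem recycle-bin layout seen above:
# C:\$RECYCLE.BIN\S-1-5-18\$<32 hex>\@  (or \L, \U)
RECYCLE_RE = re.compile(
    r"\$RECYCLE\.BIN\\S-1-5-18\\\$(?P<id>[0-9a-f]{32})\\(?P<leaf>[@LU])\s*$", re.I
)


@dataclass
class Finding:
    kind: str       # "loopback_proxy" or "recycle_bin_dropper"
    detail: str
    evidence: str   # the log line(s) that triggered the finding


def _proxy_hosts(value: str) -> List[str]:
    """Return the hosts named in a WinINet ProxyServer value.

    Handles both "host:port" and the per-protocol form
    "http=host:port;https=host:port"; IPv6 hosts may be bracketed.
    """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                       # scheme=host:port
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip("[]").lower())
    return hosts


def is_loopback(host: str) -> bool:
    return host in LOOPBACK_HOSTS or host.startswith("127.")


def triage(log_text: str) -> List[Finding]:
    """Scan OTL/ComboFix log text for the two indicators acted on in this thread."""
    findings: List[Finding] = []
    droppers: Dict[str, Dict[str, str]] = {}  # folder id -> {leaf: log line}

    for line in log_text.splitlines():
        stripped = line.strip()
        m = PROXY_RE.match(stripped)
        if m:
            bad = [h for h in _proxy_hosts(m.group("value")) if is_loopback(h)]
            if bad:
                findings.append(Finding(
                    "loopback_proxy",
                    f"IE/WinINet proxy points at loopback host(s) {', '.join(bad)}; "
                    "browser traffic is being routed through a local process",
                    stripped,
                ))
            continue
        m = RECYCLE_RE.search(stripped)
        if m:
            droppers.setdefault(m.group("id").lower(), {})[m.group("leaf").upper()] = stripped

    # Report each suspicious folder once, listing which of @/L/U were present.
    for ident, leaves in droppers.items():
        findings.append(Finding(
            "recycle_bin_dropper",
            f"$RECYCLE.BIN\\S-1-5-18\\${ident} holds {sorted(leaves)} "
            "(LocalSystem SID, 32-hex folder name, @/L/U layout)",
            "\n".join(leaves[k] for k in sorted(leaves)),
        ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n  {f.evidence}")
```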

DarkKnight

ComboFix and MBAR logs follow. MBAM forums have returned to normal. Must have been a temporary glitch. No malicious emails have occurred. Looks like you have my computer cleaned up! MBAM and the support provided here is simply exceptional. Many thanks!

ComboFix 13-02-01.04 - OWner 02/01/2013 22:37:32.3.2 - x86

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2046.1113 [GMT -6:00]

Running from: c:\users\OWner\Desktop\ComboFix.exe

Command switches used :: c:\users\OWner\Desktop\CFScript.txt

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\dfinstall.log

C:\Read Me.txt

c:\users\OWner\Desktop\Setup.exe

c:\windows\iun6002.exe

c:\windows\run.log

.

.

((((((((((((((((((((((((( Files Created from 2013-01-02 to 2013-02-02 )))))))))))))))))))))))))))))))

.

.

2013-02-02 04:44 . 2013-02-02 04:46 -------- d-----w- c:\users\OWner\AppData\Local\temp

2013-02-02 04:44 . 2013-02-02 04:44 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-02-02 04:44 . 2013-02-02 04:44 -------- d-----w- c:\users\UpdatusUser.RCZMB04N\AppData\Local\temp

2013-02-02 04:44 . 2013-02-02 04:44 -------- d-----w- c:\users\Experience\AppData\Local\temp

2013-02-02 04:44 . 2013-02-02 04:44 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-01 10:08 . 2013-02-01 10:08 -------- d-----w- C:\_OTL

2013-01-29 02:35 . 2013-01-29 02:35 -------- d-----w- c:\programdata\Motive

2013-01-09 08:50 . 2012-11-23 01:35 2048000 ----a-w- c:\windows\system32\win32k.sys

2013-01-09 08:49 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-09 08:49 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll

2013-01-03 06:15 . 2013-01-03 06:15 -------- d-----w- c:\users\OWner\AppData\Local\Arcadesafari

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-16 13:12 . 2012-12-23 09:00 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-16 10:50 . 2012-12-23 09:00 293376 ----a-w- c:\windows\system32\atmfd.dll

2012-12-14 22:49 . 2008-10-23 22:35 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-14 02:09 . 2012-12-13 09:04 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 01:58 . 2012-12-13 09:04 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 01:57 . 2012-12-13 09:04 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 01:49 . 2012-12-13 09:04 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 01:48 . 2012-12-13 09:04 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 01:44 . 2012-12-13 09:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-13 01:29 . 2012-12-12 19:01 2048 ----a-w- c:\windows\system32\tzres.dll

2007-07-06 23:29 . 2007-07-06 23:30 694668 ----a-w- c:\program files\unins000.exe

2001-09-28 22:00 . 2010-06-05 18:10 164864 ------w- c:\program files\UNWISE.EXE

2008-08-16 22:42 . 2013-01-20 19:22 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 22:42 . 2013-01-20 19:22 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 22:42 . 2013-01-20 19:22 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 22:42 . 2013-01-20 19:22 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 22:43 . 2013-01-20 19:22 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 22:42 . 2013-01-20 19:22 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 22:42 . 2013-01-20 19:22 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 13:41 . 2013-01-20 19:22 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 13:41 . 2013-01-20 19:22 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 13:41 . 2013-01-20 19:22 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 18:58 . 2013-01-20 19:22 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 22:42 . 2013-01-20 19:22 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2013-01-20 19:22 . 2013-01-20 19:22 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{adff4c9a-4f49-4a1f-8885-360e107b7938}]

2009-11-08 15:55 297808 ----a-w- c:\windows\System32\mscoree.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-04 39408]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-12-23 178176]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]

"RtHDVCpl"="RtHDVCpl.exe" [2007-07-11 4317184]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-02 202256]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-09-01 348664]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux6"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-01-30 18:14 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-02 c:\windows\Tasks\Arcadesafari.job

- c:\users\OWner\AppData\Local\Arcadesafari\ArcadesafariUpdater.exe [2013-01-03 06:15]

.

2013-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 21:00]

.

2013-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 21:00]

.

2013-02-01 c:\windows\Tasks\ReclaimerUpdateFiles_OWner.job

- c:\users\OWner\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-22 11:13]

.

2013-02-01 c:\windows\Tasks\ReclaimerUpdateXML_OWner.job

- c:\users\OWner\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-22 11:13]

.

2013-02-02 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_OWner.job

- c:\users\OWner\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-22 11:13]

.

2012-08-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-10-26 20:31]

.

2013-02-01 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-10-26 20:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://att.my.yahoo.com

uInternet Settings,ProxyOverride = <local>;*.local

TCP: DhcpNameServer = 192.168.1.254 192.168.1.254

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://www.doylevisualmedia.com/activex/AMC.cab

DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab

FF - ProfilePath - c:\users\OWner\AppData\Roaming\Mozilla\Firefox\Profiles\2ympkwwi.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT168755&SearchSource=3&q=

FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/

FF - ExtSQL: !HIDDEN! 2009-08-14 01:55; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-aopa_177 - c:\windows\iun6002.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-02-01 22:46

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(3936)

c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

c:\program files\NVIDIA Corporation\Display\nvxdsync.exe

c:\windows\system32\nvvsvc.exe

c:\program files\Avira\AntiVir Desktop\sched.exe

c:\program files\ASUS\AASP\1.00.32\aaCenter.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\crypserv.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe

c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\program files\nHancer\nHancerService.exe

c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\program files\Spybot - Search & Destroy\SDWinSec.exe

c:\windows\System32\WUDFHost.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Windows Media Player\wmplayer.exe

c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\servicing\TrustedInstaller.exe

.

**************************************************************************

.

Completion time: 2013-02-01 22:52:46 - machine was rebooted

ComboFix-quarantined-files.txt 2013-02-02 04:52

ComboFix2.txt 2013-02-02 02:23

ComboFix3.txt 2009-07-11 17:13

ComboFix4.txt 2009-07-11 07:46

.

Pre-Run: 197,090,676,736 bytes free

Post-Run: 197,076,606,976 bytes free

.

- - End Of File - - 702354E878A4161A506F40D6E7CE0B76

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

www.malwarebytes.org

Database version: v2013.02.02.03

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

OWner :: RCZMB04N [administrator]

2/1/2013 11:07:26 PM

mbar-log-2013-02-01 (23-07-26).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 29485

Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1017

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_30

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.666000 GHz

Memory total: 2145198080, free: 1077096448

------------ Kernel report ------------

02/01/2013 22:55:22

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\BOOTVID.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\acpi.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\system32\DRIVERS\nvrd32.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\nvstor.sys

\SystemRoot\system32\drivers\storport.sys

\SystemRoot\system32\DRIVERS\nvstor32.sys

\SystemRoot\system32\DRIVERS\msahci.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\msrpc.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\system32\speedfan.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\system32\giveio.sys

\SystemRoot\System32\drivers\ecache.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\crcdisk.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\tunmp.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\Drivers\nvBridge.kmd

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\drivers\Afc.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\ohci1394.sys

\SystemRoot\system32\DRIVERS\1394BUS.SYS

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\nvmfdx32.sys

\SystemRoot\system32\DRIVERS\ASACPI.sys

\SystemRoot\system32\DRIVERS\msiscsi.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\flpydisk.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\RTKVHDA.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\System32\DRIVERS\rasacd.sys

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\smb.sys

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\ws2ifsl.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\ssmdrv.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\ckldrv.sys

\??\C:\Windows\system32\drivers\VSPE.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\avkmgr.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\avipbb.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\drivers\AsIO.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_diskdump.sys

\SystemRoot\System32\Drivers\dump_nvstor32.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\DRIVERS\avgntflt.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\drivers\spsys.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\DRIVERS\asyncmac.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\drivers\mrxdav.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\parvdm.sys

\SystemRoot\system32\DRIVERS\atksgt.sys

\SystemRoot\system32\DRIVERS\ipfltdrv.sys

\SystemRoot\system32\DRIVERS\lirsgt.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\??\C:\Windows\nvoclock.sys

\SystemRoot\system32\DRIVERS\cdfs.sys

\??\C:\ComboFix\catchme.sys

\??\C:\Windows\system32\Drivers\PROCEXP113.SYS

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff8829e968

Upper Device Driver Name: \Driver\disk\

Lower Device Name: \Device\00000070\

Lower Device Object: 0xffffffff885215d0

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

Initialization returned 0x0

Load Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff868f4690

Upper Device Driver Name: \Driver\disk\

Lower Device Name: \Device\00000062\

Lower Device Object: 0xffffffff8561c890

Lower Device Driver Name: \Driver\nvstor32\

Driver name found: nvstor32

Initialization returned 0x0

Port sub-driver loaded: \??\C:\Windows\System32\drivers\Storport.sys (0x0)

IRP handler 0 hooked

IRP handler 2 hooked

IRP handler 14 hooked

IRP handler 15 hooked

IRP handler 22 hooked

IRP handler 23 hooked

IRP handler 27 hooked

Load Function returned 0x0

Downloaded database version: v2013.02.02.03

Downloaded database version: v2013.01.23.01

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff868f4690, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff868f4378, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff868f4690, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\

DevicePointer: 0xffffffff84c93e00, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff8561c890, DeviceName: \Device\00000062\, DriverName: \Driver\nvstor32\

------------ End ----------

Upper DeviceData: 0xffffffffc1e6a2e8, 0xffffffff868f4690, 0xffffffff85028ac8

Lower DeviceData: 0xffffffffa1792f88, 0xffffffff8561c890, 0xffffffff851ec468

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: EC78F734

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 781417602

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 400088457216 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-781402768-781422768)...

Physical Sector Size: 512

Drive: 1, DevicePointer: 0xffffffff8829e968, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff88426020, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff8829e968, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\

DevicePointer: 0xffffffff885215d0, DeviceName: \Device\00000070\, DriverName: \Driver\USBSTOR\

------------ End ----------

Upper DeviceData: 0xffffffffc6d5d668, 0xffffffff8829e968, 0xffffffff884f9ac8

Lower DeviceData: 0xffffffffbb52e4a0, 0xffffffff885215d0, 0xffffffff9dc3c798

Drive 1

Scanning MBR on drive 1...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 0

Partition information:

Partition 0 type is Other (0xb)

Partition is NOT ACTIVE.

Partition starts at LBA: 32 Numsec = 15633376

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 8004304896 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================


Hello dykesc,

I am glad to hear your computer seems to be running well.

Please run a free online scan with the ESET Online Scanner.

Note: You can use Internet Explorer or Mozilla Firefox for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


DarkKnight,

ESET Online Scanner found 3 threats. They are listed at the end of the log file.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)

# OnlineScanner.ocx=1.0.0.5886

# api_version=3.0.2

# EOSSerial=7e465eb596223345add74cab2db97809

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-07-11 02:18:11

# local_time=2009-07-10 09:18:11 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=6.0.6001 NT Service Pack 1

# compatibility_mode=5889 61 66 100 465503730961019

# scanned=294808

# found=3

# cleaned=0

# scan_time=2825

C:\Users\OWner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3LO9W8PP\dfuninstaller.prod.v14000.18mar2009.exe[1].10b9665cc5f98c037e9b8dcc0e88929e probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I

C:\Users\OWner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5RPW5287\156[1].net probably unknown NewHeur_PE virus 00000000000000000000000000000000 I

C:\Users\OWner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F3N2Q8LB\163[1].net probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I

ESETSmartInstaller@High as downloader log:

all ok

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6889

# api_version=3.0.2

# EOSSerial=7e465eb596223345add74cab2db97809

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2013-02-02 08:14:16

# local_time=2013-02-02 02:14:16 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=1799 16775165 100 98 0 130423315 0 0

# compatibility_mode=5892 16776574 100 100 12517686 196443711 0 0

# scanned=400746

# found=3

# cleaned=0

# scan_time=7785

C:\Flight One Software\Super80FSX.exe Win32/SuspLibLoad.B trojan EAE3012D878EADCF5A36440B819B5F07804CDB19 I

C:\Program Files\vShare\imedix-silent.exe Win32/Toolbar.Zugo application BC713E7599E9CCC3EFDE2E96CB5B0B5FA85C2106 I

C:\Windows\System32\flt1chk4.dll Win32/SuspLibLoad.B trojan 2BEC3A89EB5BF0BED90AD0923C7D12D44AEB3111 I


Good morning dykesc. :)

Please download TFC to your Desktop.

  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once its finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

=====

Then, please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


TFC completed

Security Check completed

Results of screen317's Security Check version 0.99.57

Windows Vista Service Pack 2 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Avira Desktop

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

WinPatrol

WinPatrol 2009 (Outdated! Latest version is WinPatrol 2012)

Out of date HijackThis installed!

SpywareBlaster 4.2

Spybot - Search & Destroy

Malwarebytes Anti-Malware version 1.70.0.1100

HijackThis 2.0.2

CCleaner (remove only)

Java 6 Update 30

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Flash Player 10.3.181.22 Flash Player out of Date!

Adobe Reader 8 Adobe Reader out of Date!

Mozilla Firefox (18.0)

Google Chrome 24.0.1312.56

Google Chrome 24.0.1312.57

````````Process Check: objlist.exe by Laurent````````

WinPatrol winpatrol.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

BillP Studios WinPatrol WinPatrol.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0 %

````````````````````End of Log``````````````````````


Good afternoon dykesc. :)

Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable.

Please follow the instructions below to update Java:

  • Please go to the below link and download the latest Windows 7 version:

http://www.java.com/...load/manual.jsp

  • Save it to your Desktop.
  • Please go to Start>Control Panel>Programs.
  • Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have the Java icon next to them.
  • Select Uninstall.
  • Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed.

=====

Next, your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it:

  • Please go to Start>All Programs>Adobe Reader.
  • Open Adobe Reader and navigate to Help>Check for Updates.
  • Please follow the prompts to install the latest version.

Also, your version of Adobe Flash Player is out of date. Please follow these instructions to update to the latest version:

Go to the Adobe Global Notifications Update website here:

http://www.macromedi...r05.html#118377

A small box to the right within the window should load. Please select how often you would like Adobe to check for a new update for its Flash Player.

Note: This has to be done separately for Firefox and IE.

If a new version is found:

  • Please tick the License Agreement.
  • Click Install.
    Note: If you are running Mozilla Firefox all of its windows will need to be closed.
  • Click Done.

Note: In future if an update is available Adobe will notify you on your Desktop via the Adobe Download Manager.

=====

Finally, I notice that your version of Winpatrol is out of date. I recommend updating it.

As for HijackThis, it is not very useful for Windows Vista or 7 so rather than updating it I recommend removing it.

=====

In your reply please let me know how the updates go.


Old Java version uninstalled

Latest Java version has been installed

Tried to update Adobe Reader but kept getting an error 1116 message (An error occurred. Try again later.)

Latest Adobe Flash Player version has been installed (Update checks set at 7 days)

Latest Winpatrol version installed

HiJackThis uninstalled


That worked, DarkKnight. Latest version of Adobe Reader is now installed.

One question I meant to ask you. Earlier you stated that my problem was due to a ZeroAccess rootkit infection that OTL took care of for me. I searched the OTL log files and couldn't find anything that looked like ZeroAccess. Could you let me know where you saw that?

Thanks again for all the time you've spent working with me. I made a donation to the Neuroscience Research Institute linked in your signature.

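The question above (where in the OTL log the ZeroAccess indicator appears) can be answered mechanically: the variant the helper describes leaves a folder named `$` followed by 32 hex characters under `$RECYCLE.BIN\<SID>\`, containing entries named `@`, `L` and `U`. The following is an added example written for this page; it is not code from the thread, from OTL or from Malwarebytes. It does two things with that indicator: flags matching lines in pasted OTL log text, and walks a drive root looking for the same layout on disk. The OTL sample text is constructed (modelled on the three lines quoted in the reply below, plus one ordinary recycle-bin entry that must not match), and the on-disk demo builds its own throwaway directory tree, so nothing here touches a real volume.

```python
"""Added example: spot the ZeroAccess recycle-bin layout discussed in the thread.

Indicator: a folder named '$' + 32 hex characters under $RECYCLE.BIN\\<SID>\\
that holds entries named '@', 'L' and 'U'. Two checks are provided: one over
pasted OTL log text, one over a live drive root. Sample data is constructed.
"""
import re
import tempfile
from pathlib import Path

# '$' followed by exactly 32 hex digits, e.g. $71213cd9c34348feb47e474775353225
_ZA_DIR = re.compile(r"^\$[0-9a-fA-F]{32}$")
# Entry names this variant leaves inside that folder
_ZA_MARKERS = {"@", "L", "U"}
# One OTL file/folder line: [date time | size | attrs | M] [()] -- path
# (the leading '[' is optional because pasted logs sometimes lose it)
_OTL_LINE = re.compile(
    r"^\[?(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| M\](?: \(\))? -- (?P<path>\S.*)$"
)


def is_zeroaccess_path(path: str) -> bool:
    """True if `path` is, or lies under, $RECYCLE.BIN\\<SID>\\$<32 hex>."""
    parts = [p for p in re.split(r"[\\/]", path) if p]
    for i, part in enumerate(parts[:-2]):
        if part.upper() != "$RECYCLE.BIN":
            continue
        sid, folder = parts[i + 1], parts[i + 2]
        if sid.upper().startswith("S-1-5-") and _ZA_DIR.match(folder):
            return True
    return False


def flag_otl_lines(log_text: str) -> list[str]:
    """Return the paths from OTL log lines that match the ZeroAccess layout."""
    hits = []
    for line in log_text.splitlines():
        m = _OTL_LINE.match(line.strip())
        if m and is_zeroaccess_path(m.group("path")):
            hits.append(m.group("path"))
    return hits


def scan_recycle_bin(drive_root) -> list[tuple[str, list[str]]]:
    """Walk <drive_root>/$RECYCLE.BIN/<SID>/ and report $<32 hex> folders that
    contain any of '@', 'L', 'U'. On a real Windows volume this needs an
    elevated prompt: $RECYCLE.BIN is hidden/system and per-SID ACL'd."""
    hits = []
    rb = Path(drive_root) / "$RECYCLE.BIN"
    if not rb.is_dir():
        return hits
    for sid_dir in rb.iterdir():
        if not (sid_dir.is_dir() and sid_dir.name.upper().startswith("S-1-5-")):
            continue
        for sub in sid_dir.iterdir():
            if sub.is_dir() and _ZA_DIR.match(sub.name):
                found = sorted({p.name for p in sub.iterdir()} & _ZA_MARKERS)
                if found:
                    hits.append((str(sub.relative_to(drive_root)), found))
    return hits


# Constructed sample, modelled on the OTL lines quoted in the thread, plus one
# ordinary recycle-bin entry ($I... metadata file) that must not be flagged.
SAMPLE_OTL = r"""
[2012/09/21 12:01:15 | 000,002,048 | -HS- | M] () -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\@
[2012/09/21 12:01:15 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\L
[2012/09/21 12:01:15 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\U
[2013/01/20 19:22:00 | 000,000,544 | -HS- | M] () -- C:\$RECYCLE.BIN\S-1-5-21-1000-2000-3000-1001\$I5X2K7Q.txt
"""


def demo_scan() -> list[tuple[str, list[str]]]:
    """Build a constructed tree in a temp dir mirroring the infected layout
    (plus one benign entry) and run scan_recycle_bin over it."""
    with tempfile.TemporaryDirectory() as root:
        za = Path(root, "$RECYCLE.BIN", "S-1-5-18", "$71213cd9c34348feb47e474775353225")
        za.mkdir(parents=True)
        (za / "@").write_bytes(b"\x00" * 2048)  # 2,048-byte file, as in the log
        (za / "L").mkdir()
        (za / "U").mkdir()
        benign = Path(root, "$RECYCLE.BIN", "S-1-5-21-1000-2000-3000-1001")
        benign.mkdir(parents=True)
        (benign / "$I5X2K7Q.txt").write_text("deleted-file metadata")
        return scan_recycle_bin(root)


if __name__ == "__main__":
    for p in flag_otl_lines(SAMPLE_OTL):
        print("OTL:", p)
    for folder, markers in demo_scan():
        print("FS :", folder, markers)
```

The on-disk check is deliberately narrow (SID folder, then `$` + 32 hex, then the marker names) so that normal `$I`/`$R` recycle-bin entries never match; a hit is worth a closer look, not automatic deletion, since the helper also notes this variant can grant remote access and a password change is due regardless.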

Hello dykesc,

One question I meant to ask you. Earlier you stated that my problem was due to a ZeroAccess rootkit infection that OTL took care of for me. I searched the OTL log files and couldn't find anything that looked like ZeroAccess. Could you let me know where you saw that?

These 3 lines:

[2012/09/21 12:01:15 | 000,002,048 | -HS- | M] () -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\@

[2012/09/21 12:01:15 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\L

[2012/09/21 12:01:15 | 000,000,000 | -HSD | M] -- C:\$RECYCLE.BIN\S-1-5-18\$71213cd9c34348feb47e474775353225\U

ZeroAccess has a few different variants. The one you had is one of the older ones, and tends to be removed more easily. As you can see above, OTL found a folder in the Recycle Bin with random characters and the symbols @, L and U. This is characteristic of this type of variant. Generally, and in your case particularly, removing these folders (and the original one without the symbols) removes the infection. OldTimer (the creator of OTL) recently updated OTL so that it has a section titled ZeroAccess, making it easier to find characteristics of ZA such as these folders.

I should warn you that ZA can sometimes give a user remote access, so at the very least you should change your passwords for banking etc.

Thanks again for all the time you've spent working with me. I made a donation to the Neuroscience Research Institute linked in your signature.

It has been a pleasure. Thank you for your donation; it will be very much appreciated.

=====

A little housekeeping to uninstall ComboFix:

Please click Start>Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK:

ComboFix /uninstall

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

And AdwCleaner:

  • Please double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with Yes.

To remove all of the tools we used and the files and folders they created do the following:

Double click OTL.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Right-click the Recycle Bin and please select Empty Recycle Bin.

=====

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo and Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
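The three OTL lines quoted above are the whole signature the helper used: a per-SID folder under the Recycle Bin holding a directory named `$` plus 32 hex characters, which in turn contains entries literally named `@`, `L` and `U`. A legitimate Recycle Bin only ever holds `$I…`/`$R…` pairs under the SID folders, so that triple is a cheap thing to check for. The scanner below is an added example written for this thread, not part of OTL or of the original post; it reports matching folders rather than deleting them, and the sample tree it builds (names, sizes, the `$aaaa…` folder with a single marker) is constructed for the demo.

```python
"""Report Recycle Bin folders laid out like the ones quoted from the OTL log.

Added example (not OTL's code). Pattern: <recycle root>/<SID>/$<32 hex>/{@, L, U}.
Sample directory contents built by build_sample_tree() are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# '$' followed by 32 hex characters, e.g. $71213cd9c34348feb47e474775353225
RANDOM_DIR = re.compile(r"^\$[0-9a-f]{32}$", re.IGNORECASE)
# Per-user Recycle Bin folders are named after the owning SID (S-1-5-18 is SYSTEM)
SID_DIR = re.compile(r"^S-1-5-\d+(-\d+)*$")
MARKERS = {"@", "L", "U"}


def find_suspicious_folders(recycle_root: Path) -> List[Dict[str, object]]:
    """Return one record per $<hex> folder under a SID folder that holds @, L or U.

    'complete' is True when all three markers are present (the layout in the
    thread); a partial match is still reported so a half-cleaned folder shows up.
    """
    hits: List[Dict[str, object]] = []
    if not recycle_root.is_dir():
        return hits
    for sid_dir in recycle_root.iterdir():
        if not sid_dir.is_dir() or not SID_DIR.match(sid_dir.name):
            continue
        for cand in sid_dir.iterdir():
            if not cand.is_dir() or not RANDOM_DIR.match(cand.name):
                continue
            present = {entry.name for entry in cand.iterdir()} & MARKERS
            if not present:
                continue
            at_file = cand / "@"
            hits.append({
                "path": str(cand),
                "markers": sorted(present),
                "complete": present == MARKERS,
                # size of the '@' file when it exists (2048 bytes in the quoted log)
                "at_size": at_file.stat().st_size if at_file.is_file() else None,
            })
    hits.sort(key=lambda h: str(h["path"]))
    return hits


def build_sample_tree(recycle_root: Path) -> Path:
    """Create a constructed Recycle Bin tree: one full match, one partial, one benign."""
    sid = recycle_root / "S-1-5-18"
    full = sid / "$71213cd9c34348feb47e474775353225"   # folder name from the log
    full.mkdir(parents=True)
    (full / "@").write_bytes(b"\x00" * 2048)           # constructed 2048-byte '@'
    (full / "L").mkdir()
    (full / "U").mkdir()
    partial = sid / ("$" + "a" * 32)                   # constructed: only 'U' left
    partial.mkdir()
    (partial / "U").mkdir()
    (sid / "$RABCDEF.txt").write_text("ordinary deleted file")  # benign $R entry
    return recycle_root


if __name__ == "__main__":
    root = build_sample_tree(Path(tempfile.mkdtemp()) / "$RECYCLE.BIN")
    for hit in find_suspicious_folders(root):
        print(hit)
```

On a real machine you would point `find_suspicious_folders` at `C:\$RECYCLE.BIN` (the folder is hidden and system, so run from an elevated prompt); anything it reports is worth handing to a removal tool such as OTL rather than deleting by hand, since the `@` file and the `L`/`U` folders carry hidden and system attributes and the real infection usually has other components.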


ComboFix uninstalled

AdwCleaner is not on my computer

OTL uninstalled via cleanup button

Windows updates are set to automatic

Avira antivirus program is active and up to date. Runs daily.

Malwarebytes Pro is active and up to date. Runs daily.

Windows firewall is enabled.

Installed SpywareBlaster. All protection is enabled.

Mozilla Firefox is my active browser.

Thanks again for your help!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.