gtdriski Posted April 29, 2013 ID:674822

Hello,

Well somehow my desktop has been infected with the FBI MoneyPak virus and I need your help. It is a WinXP 32bit system and I have MalwareBytes Pro and NOD32 on the system.

Please help.

Thanks, Gary
Staff gringo_pr Posted April 29, 2013 ID:674823

Hello

Let's see if we can get this to run.

Download OTLPE from either location and save it to your desktop:
http://oldtimer.geekstogo.com/OTLPEStd.exe
http://ottools.noahdfear.net/OTLPEStd.exe

- Double click the OTLPENet icon on your desktop
- "Do you want to burn the CD?" choose Yes
- ImgBurn will automatically extract and load the OTLPE Iso to be burned to CD
- Place a blank CD in your CD-Rom
- Click to start the burn process
- You will see a dialog "Operation successfully completed"
- Boot the non-working computer using the boot CD you just created
- In order to do so, the computer must be set to boot from the CD first
  Note: For information click here
- Your system should now display a REATOGO-X-PE desktop.
- Double-click on the OTLPE icon.
- Select the Windows folder of the infected drive if it asks for a location
- When asked "Do you wish to load the remote registry", select Yes
- When asked "Do you wish to load remote user profile(s) for scanning", select Yes
- Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
- OTL should now start.
- Push
- When finished, the file will be saved in drive C:\OTL.txt
- Copy this file to your USB drive.

Please post the contents of the C:\OTL.txt file in your next reply.

Gringo
gtdriski Posted April 29, 2013 Author ID:674838

Hello Gringo,

Thanks for your assistance.

Unfortunately, I have a problem. I followed your instructions, but when I boot from the CD and run OTLPE, it doesn't see my infected drive. I am sure this is because on this system the main drive is a RAID array and the boot CD doesn't have software for it.

Please advise.

Thanks, Gary
Staff gringo_pr Posted April 29, 2013 ID:674841

You didn't say in your first post - can you get into safe mode?

gringo
gtdriski Posted April 29, 2013 Author ID:674844

I am afraid not. When I try, it just shuts down.

Gary
Staff gringo_pr Posted April 29, 2013 ID:674845

Try this please. You will need a USB drive.

- Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
- Insert your USB drive
- Press Start > My Computer > right click your USB drive > choose Format > Quick format
- Double click the unetbootin-xpud-windows-387.exe that you just downloaded
- Press Run then OK
- Select the DiskImage option then click the browse button located on the right side of the textbox field.
- Browse to and select the xpud-0.9.2.iso file you downloaded
- Verify the correct drive letter is selected for your USB device then click OK
- It will install a little bootable OS on your USB device
- Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
- After it has completed do not choose to reboot the clean computer, simply close the installer
- Next download http://noahdfear.net/downloads/driver.sh to your USB
- Remove the USB and insert it in the sick computer
- Boot the sick computer
- Press F12 and choose to boot from the USB
- Follow the prompts
- A Welcome to xPUD screen will appear
- Press File
- Expand mnt
  sda1,2... usually corresponds to your HDD
  sdb1 is likely your USB
- Click on the folder that represents your USB drive (sdb1 ?)
- Confirm that you see driver.sh that you downloaded there
- Press Tool at the top
- Choose Open Terminal
- Type bash driver.sh
- Press Enter
- After it has finished a report will be located on your USB drive named report.txt
- Remove the USB drive and insert back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive.

Copy and paste the report.txt for my review
gtdriski Posted April 29, 2013 Author ID:675037

Hello,

Well I am having issues. Usually, I am pretty good with these things. It seems F12 doesn't bring up the boot menu on my system. I went into the BIOS setup and changed the 3 boot options to the only USB choices available (USB-CDROM, USB-FDD & USB-ZIP). I think this ZIP is the old ZIP Drives. I then plugged the USB drive into a front USB port and tried to boot the system. However, it still booted from the hard disk.

I eventually discovered that F11 would bring up the boot menu on my system. However, I tried choosing USB-CDROM or USB-FDD, but it still booted from the Hard Disk.

Is it possible that some of the USB ports aren't active during boot? Should I try one of the back USB ports, directly on the motherboard?

Also, I could delete my RAID array, go back to our original OTLPE option and then rebuild the RAID array after we remove the infection.

Sorry to be so much trouble.

Thanks, Gary
Staff gringo_pr Posted April 30, 2013 ID:675099

Hello Gary

How much work is involved with that? My next option is to send instructions for xpud to use on a CD.
gtdriski Posted April 30, 2013 Author ID:675102

It is just time consuming to rebuild the RAID array. Go ahead and send the instructions for xpud on CD.

Thanks, Gary
Staff gringo_pr Posted April 30, 2013 ID:675116

Try this please. You will need a USB drive.

- Download GETxPUD.exe to the desktop of your clean computer
- Run GETxPUD.exe
- A new folder will appear on the desktop.
- Open the GETxPUD folder and click on the get&burn.bat
- The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
- Click on Start and follow the prompts to burn the image to a CD.
- Next download driver.sh to your USB drive
- Remove the USB & CD and insert it in the sick computer
- Boot the sick computer with the CD you just burned
- The computer must be set to boot from the CD
- Gently tap F12 and choose to boot from the CD
- Follow the prompts
- A Welcome to xPUD screen will appear
- Press File
- Expand mnt
  sda1,2... usually corresponds to your HDD
  sdb1 is likely your USB
- Click on the folder that represents your USB drive (sdb1 ?)
- Confirm that you see driver.sh that you downloaded there
- Press Tool at the top
- Choose Open Terminal
- Type bash driver.sh
- Press Enter
- After it has finished a report will be located on your USB drive named report.txt
- Remove the USB drive and insert it back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive.

Copy and paste the report.txt for my review
gtdriski Posted April 30, 2013 Author ID:675161

Gringo,

I don't think I have ever been so frustrated, and I have built several of my own systems. Here is the update:

Following your last instructions, I created and booted the infected system from the xpud CD. However, I couldn't get it to see the USB drive, regardless of which port I put it in. All I saw were sda1, sdb1 & sdc1 and these were the 3 hard drives in my system (the 2 drives in the array and a spare). The USB drive didn't show at all. I even unplugged all other USB devices and booted with only the USB drive plugged in.

At this point I went back to the OTLPE option. I noticed when REATOGO-X-PE started to load that I could hit F6 and load other drivers. A light bulb came on as I remembered having to do this when I first built this system and loaded XP. The motherboard came with a floppy disk for the RAID drivers and I still have a floppy drive on the system. Therefore, I hit F6, inserted the floppy and selected the drivers. It seemed to do its thing and REATOGO-X-PE continued to load.

Once REATOGO-X-PE was loaded I fully expected to see my hard drive, since the drivers loaded, but failure again. No hard drive. I tried this a couple of times with the same result.

Also, while in REATOGO-X-PE, I also noticed (as with xpud) that the system didn't see my USB drive. I went into Control Panel and then System -> Hardware and the USB drive had a yellow exclamation point on it. It said it couldn't load the driver (code 39), whatever that meant. Could I have a USB drive that requires a special driver? This drive has never been a problem before.

At this point I was really frustrated. I went into the RAID utility (during boot) and deleted the array. I booted with the REATOGO-X-PE CD again. However, it still doesn't see the hard drive.

Now, even more frustrated, do you have any ideas:
- Options to get it to see the USB drive?
- Options to get it to see the hard drive?

For your information, the RAID is handled by an Nvidia chip and firmware/software. The floppy disk, with the RAID drivers, which came with the motherboard is labeled:

G72-NVSA041
For Nvidia CK804 & CK804-A2
SATA RAID Driver
Version: 5.10.2600.0479
For Win 2K/XP

I hope you have some brilliant ideas.

Thanks, Gary
Staff gringo_pr Posted April 30, 2013 ID:675165

Boot back into xpud and when everything is booted up I want you to remove the USB and then put it back in.

gringo
gtdriski Posted April 30, 2013 Author ID:675174

Gringo,

Good news, I think, but not from xpud.

I had let the system boot normally into Windows:
- Of course it seemed locked with the FBI screen
- I left it alone for a while
- I hit the system power button, it cleared the FBI screen and started to shutdown.
- I entered "shutdown -a" and managed to stop the shutdown
- Malware Bytes had been running its daily scan the other day when it got infected. Luckily it had now finished its scan and found 4 infections.
- I let it clean the infections and rebooted.

Voila! It booted back up without the FBI screen.

I am in XP and it seems ok, but should we run some other scans to make sure it is fully clean?

Thanks, Gary
Staff gringo_pr Posted April 30, 2013 ID:675175

Hello Gary

That is GREAT NEWS!!

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer.

"information and logs"

In your next post I need the following:
- Log from Combofix
- Let me know of any problems you may have had
- How is the computer doing now?

Gringo
gtdriski Posted April 30, 2013 Author ID:675179 Share Posted April 30, 2013 Gringo,Ok, here you go.So far things seem ok. It is a little slow as it is rebuilding my RAID array.I ran ComboFix as directed and here is the log:ComboFix 13-04-29.01 - GaryT 04/30/2013 7:28.2.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3455.2405 [GMT -4:00]Running from: c:\documents and settings\GaryT\My Documents\Download\FBI MoneyPak Cleanup\ComboFix.exeAV: ESET NOD32 Antivirus 6.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txtc:\documents and settings\All Users\Application Data\TEMPc:\documents and settings\GaryT\Application Data\Scorch_Install.logc:\documents and settings\GaryT\Application Data\skype.inic:\documents and settings\GaryT\Favorites\Antivirus Test Online.urlc:\documents and settings\GaryT\g2mdlhlpx.exec:\documents and settings\GaryT\jqs.exec:\documents and settings\GaryT\Local Settings\Application Data\assembly\tmpc:\documents and settings\GaryT\opera.exec:\documents and settings\GaryT\vlcplayer.exec:\documents and settings\GaryT\WINDOWSc:\program files\Conferencec:\program files\Conference\Conference.dbc:\program files\Conference\Conference.dllc:\program files\Conference\Conference.exec:\program files\Conference\Conference.inic:\program files\Conference\Conference.keyc:\program files\Conference\Languages\de.xmlc:\program files\Conference\Languages\en.xmlc:\program files\Conference\Languages\es.xmlc:\program files\Conference\Languages\fr.xmlc:\program files\Conference\Languages\hu.xmlc:\program files\Conference\Languages\pl.xmlc:\program files\Conference\Languages\pt.xmlc:\program files\Conference\Languages\ru.xmlc:\program 
files\Conference\Languages\ua.xmlc:\windows\EventSystem.logc:\windows\favicon.icoc:\windows\iun6002.exec:\windows\msvcr71.dllc:\windows\shell.inic:\windows\ST6UNST.000c:\windows\system32\dllcache\wmpvis.dllc:\windows\system32\driver.datc:\windows\system32\SET2B05.tmpc:\windows\system32\SET2B06.tmpc:\windows\system32\SET2B07.tmpc:\windows\system32\SET2B09.tmpc:\windows\system32\SET2B0B.tmpc:\windows\system32\SET2B0C.tmpc:\windows\system32\SET2B0D.tmpc:\windows\system32\SET2B14.tmpc:\windows\system32\SET2B15.tmpc:\windows\system32\SET2B18.tmpc:\windows\system32\SET2B1D.tmpc:\windows\system32\SET2B1E.tmpc:\windows\system32\SET2B1F.tmpc:\windows\system32\SET2B21.tmpc:\windows\system32\SET2B22.tmpc:\windows\system32\SET2B23.tmpc:\windows\system32\SET2B24.tmpc:\windows\system32\SET2B25.tmpc:\windows\system32\SET2B27.tmpc:\windows\system32\SET2B28.tmpc:\windows\system32\SET2B29.tmpc:\windows\system32\SET2B2C.tmpc:\windows\system32\SET2B33.tmpc:\windows\system32\SET2B34.tmpc:\windows\system32\SET2B37.tmpc:\windows\system32\SET2B39.tmpc:\windows\system32\SET2B3A.tmpc:\windows\system32\SET2B40.tmpc:\windows\system32\SET2B41.tmpc:\windows\system32\SET2B44.tmpc:\windows\system32\SET2B45.tmpc:\windows\system32\SET2B47.tmpc:\windows\system32\SET2B4C.tmpc:\windows\system32\SET2B4D.tmpc:\windows\system32\SET2B4E.tmpc:\windows\system32\SET2B4F.tmpc:\windows\system32\SET2B50.tmpc:\windows\system32\SET2B56.tmpc:\windows\system32\SET2B5B.tmpc:\windows\system32\SET2B5C.tmpc:\windows\system32\SET2B5F.tmpc:\windows\system32\SET2B60.tmpc:\windows\system32\SET2B62.tmpc:\windows\system32\SET2B63.tmpc:\windows\system32\SET2B6A.tmpc:\windows\system32\SET2B6B.tmpc:\windows\system32\SET2B6D.tmpc:\windows\system32\SET2B7A.tmpc:\windows\system32\SET2B7B.tmpc:\windows\system32\SET2B7E.tmpc:\windows\system32\SET2B80.tmpc:\windows\system32\SET2B81.tmpc:\windows\system32\SET2B82.tmpc:\windows\system32\SET2B83.tmpc:\windows\system32\SET2B84.tmpc:\windows\system32\SET2B85.tmpc:\windows\system32\SET2B89.
tmpc:\windows\system32\SET2B95.tmpc:\windows\system32\SET2B9A.tmpc:\windows\system32\SET2B9C.tmpc:\windows\system32\SET2B9E.tmpc:\windows\system32\SET2B9F.tmpc:\windows\system32\SET2BA0.tmpc:\windows\system32\SET2BA3.tmpc:\windows\system32\SET2BA4.tmpc:\windows\system32\SET2BA8.tmpc:\windows\system32\SET2BA9.tmpc:\windows\system32\SET2BAC.tmpc:\windows\system32\SET2BAD.tmpc:\windows\system32\SET2BAE.tmpc:\windows\system32\SET2BB4.tmpc:\windows\system32\SET2BB5.tmpc:\windows\system32\SET2BB6.tmpc:\windows\system32\SET2BBE.tmpc:\windows\system32\SET2BC1.tmpc:\windows\system32\SET2BC4.tmpc:\windows\system32\SET2BC5.tmpc:\windows\system32\SET2BC6.tmpc:\windows\system32\SET2BC7.tmpc:\windows\system32\SET2BC9.tmpc:\windows\system32\SET2BCE.tmpc:\windows\system32\SET2BCF.tmpc:\windows\system32\SET2BD3.tmpc:\windows\system32\SET2BDB.tmpc:\windows\system32\SET2BDD.tmpc:\windows\system32\SET2BDF.tmpc:\windows\system32\SET2BE0.tmpc:\windows\system32\SET2BE1.tmpc:\windows\system32\SET2BEC.tmpc:\windows\system32\SET2BF0.tmpc:\windows\system32\SET2BF1.tmpc:\windows\system32\SET2BF4.tmpc:\windows\system32\SET2BF6.tmpc:\windows\system32\SET2BF9.tmpc:\windows\system32\SET2BFE.tmpc:\windows\system32\SET2C01.tmpc:\windows\system32\SET2C02.tmpc:\windows\system32\SET2C0A.tmpc:\windows\system32\SET2C0B.tmpc:\windows\system32\SET2C0C.tmpc:\windows\system32\SET2C13.tmpc:\windows\system32\SET2C14.tmpc:\windows\system32\SET2C18.tmpc:\windows\system32\SET2C19.tmpc:\windows\system32\SET2C1A.tmpc:\windows\system32\SET2C1B.tmpc:\windows\system32\SET2C1C.tmpc:\windows\system32\SET2C1E.tmpc:\windows\system32\SET2C1F.tmpc:\windows\system32\SET2C20.tmpc:\windows\system32\SET2C22.tmpc:\windows\system32\SET2C23.tmpc:\windows\system32\SET2C24.tmpc:\windows\system32\SET2C26.tmpc:\windows\system32\SET2C29.tmpc:\windows\system32\SET2C2E.tmpc:\windows\system32\SET2C2F.tmpc:\windows\system32\SET2C30.tmpc:\windows\system32\SET2C35.tmpc:\windows\system32\SET2C36.tmpc:\windows\system32\SET2C37.tmpc:\windows\sy
stem32\SET2C39.tmpc:\windows\system32\SET2C5D.tmpc:\windows\system32\SET2C5F.tmpc:\windows\system32\SET2C60.tmpc:\windows\system32\SET2C63.tmpc:\windows\system32\SET2C64.tmpc:\windows\system32\SET2C67.tmpc:\windows\system32\SET2C6A.tmpc:\windows\system32\SET2C6B.tmpc:\windows\system32\SET2C6D.tmpc:\windows\system32\SET2C72.tmpc:\windows\system32\SET2C75.tmpc:\windows\system32\SET2C7B.tmpc:\windows\system32\SET2C7C.tmpc:\windows\system32\SET2C7F.tmpc:\windows\system32\SET2C80.tmpc:\windows\system32\SET2C86.tmpc:\windows\system32\SET2C87.tmpc:\windows\system32\SET2C89.tmpc:\windows\system32\SET2C8A.tmpc:\windows\system32\SET2C8E.tmpc:\windows\system32\SET2C8F.tmpc:\windows\system32\SET2C90.tmpc:\windows\system32\SET2C92.tmpc:\windows\system32\SET2C93.tmpc:\windows\system32\SET2C94.tmpc:\windows\system32\SET2C95.tmpc:\windows\system32\SET2C97.tmpc:\windows\system32\SET2C99.tmpc:\windows\system32\SET2C9B.tmpc:\windows\system32\SET2CA6.tmpc:\windows\system32\SET2CA8.tmpc:\windows\system32\SET2CA9.tmpc:\windows\system32\SET2CAA.tmpc:\windows\system32\SET2CAC.tmpc:\windows\system32\SET2CAE.tmpc:\windows\system32\SET2CB3.tmpc:\windows\system32\SET2CB5.tmpc:\windows\system32\SET2CB6.tmpc:\windows\system32\SET2CBC.tmpc:\windows\system32\SET2CC7.tmpc:\windows\system32\SET2CCA.tmpc:\windows\system32\SET2CCB.tmpc:\windows\system32\SET2CCF.tmpc:\windows\system32\SET2CD7.tmpc:\windows\system32\SET2CDE.tmpc:\windows\system32\SET2CE0.tmpc:\windows\system32\SET2CE4.tmpc:\windows\system32\SET2CE6.tmpc:\windows\system32\SET2CF8.tmpc:\windows\system32\SET2CFC.tmpc:\windows\system32\SET2CFE.tmpc:\windows\system32\SET2D00.tmpc:\windows\system32\SET2D06.tmpc:\windows\system32\SET2D0A.tmpc:\windows\system32\SET2D18.tmpc:\windows\system32\SET2D1E.tmpc:\windows\system32\SET2D20.tmpc:\windows\system32\SET2D21.tmpc:\windows\system32\SET2D27.tmpc:\windows\system32\SET2D2B.tmpc:\windows\system32\SET2D32.tmpc:\windows\system32\SET2D35.tmpc:\windows\system32\SET2D37.tmpc:\windows\system32\SET2D3D.t
mpc:\windows\system32\SET2D4A.tmpc:\windows\system32\SET2D4B.tmpc:\windows\system32\SET2D4D.tmpc:\windows\system32\SET2D4E.tmpc:\windows\system32\SET2D4F.tmpc:\windows\system32\SET2D5B.tmpc:\windows\system32\SET2D66.tmpc:\windows\system32\SET2D76.tmpc:\windows\system32\SET2D77.tmpc:\windows\system32\SET2D7C.tmpc:\windows\system32\SET2D99.tmpc:\windows\system32\SET2D9C.tmpc:\windows\system32\SET2DA1.tmpc:\windows\system32\SET2DA3.tmpc:\windows\system32\SET2DAA.tmpc:\windows\system32\SET2DAB.tmpc:\windows\system32\SET2DAC.tmpc:\windows\system32\SET2DAE.tmpc:\windows\system32\SET2DAF.tmpc:\windows\system32\SET2DB0.tmpc:\windows\system32\SET2DB1.tmpc:\windows\system32\SET2DB3.tmpc:\windows\system32\SET2DB5.tmpc:\windows\system32\SET2DB6.tmpc:\windows\system32\SET2DB8.tmpc:\windows\system32\SET2DBB.tmpc:\windows\system32\SET2DBD.tmpc:\windows\system32\SET2DC2.tmpc:\windows\system32\SET2DC3.tmpc:\windows\system32\SET2DCB.tmpc:\windows\system32\SET2DD2.tmpc:\windows\system32\SET2DD7.tmpc:\windows\system32\SET2DDA.tmpc:\windows\system32\SET2DDD.tmpc:\windows\system32\SET2DDF.tmpc:\windows\system32\SET2DE3.tmpc:\windows\system32\SET2DE5.tmpc:\windows\system32\SET2DE6.tmpc:\windows\system32\SET2DEB.tmpc:\windows\system32\SET2DEC.tmpc:\windows\system32\SET2DF0.tmpc:\windows\system32\SET2DF1.tmpc:\windows\system32\SET2DF4.tmpc:\windows\system32\SET2DF6.tmpc:\windows\system32\SET2DFB.tmpc:\windows\system32\SET2DFE.tmpc:\windows\system32\SET2E02.tmpc:\windows\system32\SET2E04.tmpc:\windows\system32\SET2E06.tmpc:\windows\system32\SET2F73.tmpc:\windows\system32\SET2F79.tmpc:\windows\system32\SET3AEA.tmpc:\windows\system32\SET3AED.tmpc:\windows\system32\SET3AF2.tmpc:\windows\system32\SET3AF6.tmpc:\windows\system32\SET3AFC.tmpc:\windows\system32\SET3B23.tmpc:\windows\system32\SET3B46.tmpc:\windows\system32\SETD45.tmpc:\windows\system32\SETD46.tmpc:\windows\system32\SETD48.tmpc:\windows\system32\SETD54.tmpc:\windows\system32\SETD56.tmpc:\windows\system32\SETD5D.tmpc:\windows\system32\
SETD5E.tmpc:\windows\system32\SETD5F.tmpc:\windows\system32\SETD62.tmpc:\windows\system32\URTTempc:\windows\system32\URTTemp\fusion.dllc:\windows\system32\URTTemp\mscoree.dllc:\windows\system32\URTTemp\mscoree.dll.localc:\windows\system32\URTTemp\mscorsn.dllc:\windows\system32\URTTemp\mscorwks.dllc:\windows\system32\URTTemp\msvcr71.dllc:\windows\system32\URTTemp\regtlib.exec:\windows\wininit.ini..((((((((((((((((((((((((( Files Created from 2013-03-28 to 2013-04-30 )))))))))))))))))))))))))))))))..2013-04-24 19:37 . 2013-04-24 19:37 -------- d-----w- c:\documents and settings\GaryT\Application Data\Sibelius Software2013-04-24 19:36 . 2013-04-24 19:36 -------- d-----w- c:\program files\Sibelius Software2013-04-12 18:51 . 2013-04-12 18:51 -------- d-----w- c:\program files\Common Files\Skype...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-04-22 19:03 . 2012-04-04 22:07 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe2013-04-22 19:03 . 2011-05-25 00:30 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2013-04-04 18:50 . 2011-01-05 17:12 22856 ----a-w- c:\windows\system32\drivers\mbam.sys2013-03-11 03:44 . 2013-03-11 03:44 1409 ----a-w- c:\windows\QTFont.for2013-02-12 00:32 . 2009-05-11 00:18 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys2013-02-12 00:32 . 2009-05-11 00:18 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys2013-02-06 00:51 . 2005-04-27 14:54 832512 ----a-w- c:\windows\system32\wininet.dll2013-02-06 00:51 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll2013-02-06 00:51 . 2003-03-31 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl2013-02-06 00:51 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll2013-01-31 09:35 . 2012-04-25 23:27 32032 ----a-w- c:\windows\system32\TURegOpt.exe2013-01-31 09:35 . 2013-02-18 05:00 29984 ----a-w- c:\windows\system32\uxtuneup.dll2009-10-31 20:13 . 
2009-11-02 08:13 44 ---h--w- c:\program files\dd2c2250.tmp2003-08-27 18:19 . 2005-08-07 18:05 36963 ----a-w- c:\program files\Common Files\SM1updtr.dll2012-02-23 21:09 . 2013-04-12 05:12 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll2012-02-23 21:09 . 2013-04-12 05:12 449848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll2011-03-03 18:52 . 2013-04-12 05:12 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll2011-03-03 18:52 . 2013-04-12 05:12 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll2010-03-31 15:09 . 2010-03-31 15:09 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll2010-04-08 16:35 . 2010-04-08 16:35 9822960 ----a-r- c:\program files\mozilla firefox\plugins\ScorchAxPlugin.dll2010-04-08 17:36 . 2010-04-08 17:36 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll2013-04-12 05:12 . 2013-04-12 05:11 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]2009-04-21 09:17 233472 ------w- c:\program files\SOS Online Backup\CtxMenu_1_0_0_10.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]2011-10-31 21:02 94208 ----a-w- c:\documents and settings\GaryT\Application 
Data\Dropbox\bin\DropboxExt.14.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]2011-10-31 21:02 94208 ----a-w- c:\documents and settings\GaryT\Application Data\Dropbox\bin\DropboxExt.14.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]2011-10-31 21:02 94208 ----a-w- c:\documents and settings\GaryT\Application Data\Dropbox\bin\DropboxExt.14.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]2011-10-31 21:02 94208 ----a-w- c:\documents and settings\GaryT\Application Data\Dropbox\bin\DropboxExt.14.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 68856]"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-02-28 18642024].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2013-03-01 2778424]"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-12-21 5074384].[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]"UIHost"="c:\windows\system32\logonui.exe".[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]2010-10-28 10:13 64592 ----a-w- c:\program files\Common 
Files\Logishrd\Bluetooth\LBTWLgn.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]2010-06-10 00:08 87424 ----a-w- c:\windows\system32\LMIinit.dll.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0sasnative32.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]@="Driver".[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Intuit Data Protect.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnkbackup=c:\windows\pss\Intuit Data Protect.lnkCommon Startup.[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnkbackup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup.[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnkbackup=c:\windows\pss\QuickBooks_Standard_21.lnkCommon Startup.[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^Dropbox.lnk]path=c:\documents and settings\GaryT\Start Menu\Programs\Startup\Dropbox.lnkbackup=c:\windows\pss\Dropbox.lnkStartup.[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^EvernoteClipper.lnk]path=c:\documents and settings\GaryT\Start Menu\Programs\Startup\EvernoteClipper.lnkbackup=c:\windows\pss\EvernoteClipper.lnkStartup.[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^Jawbone Updater.lnk]path=c:\documents and settings\GaryT\Start Menu\Programs\Startup\Jawbone Updater.lnkbackup=c:\windows\pss\Jawbone Updater.lnkStartup.[HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\EvtMgr6]
2012-10-06 08:16 1843512 ----a-w- c:\program files\Logitech\SetPointP\SetPoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-18 23:00 136176 ----atw- c:\documents and settings\GaryT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2013-03-01 05:28 2778424 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 20:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 05:12 488984 ----a-w- c:\program files\Common Files\Logishrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 05:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 22:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
2003-07-14 14:52 40960 ----a-w- c:\windows\ltmsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2009-07-08 06:53 472112 ----a-w- c:\program files\Pure Networks\Network Magic\nmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 18:48 647216 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-02-28 22:50 18642024 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 19:28 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-09-17 16:41 254896 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-03-31 08:54 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"MemoryZipperPlus"="c:\program files\Memzip\memzip.exe"
"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" -agent
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LiveMonitor"=c:\program files\MSI\Live Update 3\LMonitor.exe
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"bwprnmon.exe"=c:\bitware\NT\bwprnmon.exe
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"SoundMan"=SOUNDMAN.EXE
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe"
"NVRaidService"="c:\windows\System32\nvraidservice.exe"
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"SM1BG"="c:\windows\SM1BG.EXE"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Savings Bond Wizard\\SBWizard.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Web CEO\\BIN\\webceo.exe"=
"c:\\Program Files\\Web CEO\\BIN\\wsceokrnl.dll"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Paros\\IEEmbed.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Documents and Settings\\GaryT\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Jawbone\\JawboneUpdater.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/14/2012 9:40 AM 122240]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/14/2012 9:40 AM 105784]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2012 2:08 PM 1333424]
R2 L4301_Solar;Logitech Solar Keyboard Service;c:\program files\Logitech\SolarApp\L4301_Solar.exe [10/26/2010 5:25 PM 319568]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/14/2011 11:55 PM 12216]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/12/2012 7:13 PM 418376]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 4:13 PM 34064]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [10/12/2009 2:46 AM 45824]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [8/19/2011 9:31 PM 1248256]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe [1/31/2013 5:35 AM 1724192]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [7/27/2005 5:25 PM 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [7/27/2005 5:25 PM 36352]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9/22/2011 2:43 PM 645048]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 5:43 PM 31896]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [8/24/2010 1:30 PM 43704]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [8/24/2010 1:30 PM 12216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/5/2011 1:12 PM 22856]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [10/12/2009 2:46 AM 56960]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2013\TuneUpUtilitiesDriver32.sys [9/18/2012 4:02 PM 10088]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [7/27/2005 5:25 PM 77056]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/5/2011 1:12 PM 701512]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [1/31/2013 10:38 AM 3289208]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/28/2013 6:45 PM 161384]
S3 FileShd;FileShd;c:\windows\system32\drivers\fileshd2.sys [9/10/2007 4:13 PM 69888]
S3 libusb0;Jawbone LibUsb-Win32 - Kernel Driver 09/22/2011,1.2.5.0;c:\windows\system32\drivers\libusb0.sys [5/13/2011 12:17 AM 42592]
S3 PCAlertDriver;PCAlertDriver;c:\program files\MSI\Core Center\NTGLM7X.SYS [10/2/2005 1:15 AM 22432]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/11/2010 1:36 AM 27064]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
2013-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 01:24]
.
2013-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 01:24]
.
2013-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1647877149-725345543-1003Core.job
- c:\documents and settings\GaryT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 23:00]
.
2013-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1647877149-725345543-1003UA.job
- c:\documents and settings\GaryT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 23:00]
.
2013-04-28 c:\windows\Tasks\SOS Online Backup - Driskill.job
- c:\program files\sos online backup\sosuploadagent.exe [2009-04-28 06:38]
.
2013-04-30 c:\windows\Tasks\User_Feed_Synchronization-{6B4B2B2E-0337-436A-93B3-0954C8510B04}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://cm.my.yahoo.com/?rd=nux
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: microsoft.com\drmlicense.one
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 38.116.38.49
DPF: NetGUI - hxxp://www.gomeetnow.com/client/window/1,0,1,69/ActiveXInstaller.CAB
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {02FFCFC3-C28F-4ED9-954B-1BAC9FD77E12} - hxxp://webstream.intra.net/media/xflux3.cab
DPF: {16C698C4-4BE0-4CDF-B777-39276A95F58F} - hxxp://meeting.zoho.com/login/ActivexViewer.jsp
DPF: {54D53429-945C-4188-B460-C81356541882} - hxxp://photosmart.hpphoto.com/Download/HPeServicesLocalPrint.CAB
DPF: {56426D1F-A2BB-4195-8555-CCE6533F81E8} - hxxp://meeting.zoho.com/login/Agent.jsp
DPF: {7BC974EF-A718-4A17-B77E-4C8DBC327AFA} - hxxps://secure.voloper.net/editor.cab
DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} - hxxp://www.contentpurity.com/xp/ScanFilexp.CAB
DPF: {87651085-BCBF-4281-B8F7-1F6E56E92515} - hxxp://meeting.zoho.com/login/Agent.jsp
DPF: {B7039D87-D648-4431-BA87-C3A04E6111DA} - hxxps://67.43.9.72:4643/vz/ssh/wodTelnetDLX.cab
DPF: {D5382F3F-32AA-41E1-9FFF-5D1EFAC80D40} - hxxp://contentpurity.com/members/FileClean.CAB
DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} - hxxps://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
FF - ProfilePath - c:\documents and settings\GaryT\Application Data\Mozilla\Firefox\Profiles\1llhjzre.default\
FF - prefs.js: browser.startup.homepage - web.ebuddy.com|hxxp://www.netvibes.com/
FF - ExtSQL: 2013-03-22 16:48; LogMeInClient@logmein.com; c:\documents and settings\GaryT\Application Data\Mozilla\Firefox\Profiles\1llhjzre.default\extensions\LogMeInClient@logmein.com
FF - ExtSQL: !HIDDEN! 2011-07-10 18:12; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-TuneXP_1.5 - c:\windows\iun6002.exe
AddRemove-Video Conference - c:\program files\Conference\Conference.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-30 07:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-796845957-1647877149-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85101310-102D-5980-D761-0EE4110AA843}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gaecmjeiibjccj"=hex:61,69,6c,67,6a,61,62,63,68,64,66,6c,70,69,70,65,69,65,6d,6e,6f,61,6c,69,65,6e,6e,6d,69,70,6a,68,6f,64,6a,70,62,67,68,69,6c,67,66,63,\
"haecmjeiibfedkne"=hex:6e,61,6c,62,68,6c,6d,70,6b,65,6d,62,61,70,67,6f,65,6a,62,6a,61,61,65,70,62,6c,64,64,00,00
"iaecmjeiibaekjjamj"=hex:6f,61,6b,67,6e,6c,6b,64,63,70,64,62,6a,70,69,6a,67,67,62,64,66,6b,6d,62,6c,67,66,6b,6a,70,00,00
.
[HKEY_USERS\S-1-5-21-796845957-1647877149-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CD5591C1-3A8C-E5F0-9BE6-B3F676E0D08E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iapheijdmnfdhiopcl"=hex:69,61,6f,61,6e,62,70,66,65,61,64,6c,6c,69,63,63,65,68,00,00
"hajknpcalibonfkn"=hex:69,61,6f,61,6e,62,70,66,65,61,64,6c,6c,69,63,63,65,68,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
.
Completion time: 2013-04-30 07:40:07
ComboFix-quarantined-files.txt 2013-04-30 11:39
ComboFix2.txt 2010-07-12 18:52
.
Pre-Run: 45,880,643,584 bytes free
Post-Run: 45,931,581,440 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /TUTag=TDIP0D /usepmtimer
.
- - End Of File - - EC32E5748841872DAEE3A98B7F0B5A0F

Should I do anything else? Please advise.

Thanks, Gary
Staff gringo_pr Posted April 30, 2013 ID:675180

Hello Gary

Well the worst is over now anyway.

These are the programs I would like you to run next, if you have any problems with these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[s1].txt as well.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then click on the "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller

Gringo
gtdriski Posted April 30, 2013 Author ID:675181

Gringo,

Ok, I ran them both:

AdwCleaner Log:

# AdwCleaner v2.300 - Logfile created 04/30/2013 at 04:31:48
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : GaryT - GTD-DESKTOP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\GaryT\My Documents\Download\FBI MoneyPak Cleanup\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\GaryT\Application Data\Mozilla\Firefox\Profiles\1llhjzre.default\searchplugins\Askcom.xml
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\GaryT\Application Data\Mozilla\Firefox\Profiles\1llhjzre.default\StumbleUpon
Folder Deleted : C:\Documents and Settings\GaryT\Local Settings\Application Data\PackageAware

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar
Key Deleted : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem
Key Deleted : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_launcher
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_launcher.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_printmanager
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pm_printmanager.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler
Key Deleted : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.tbtoolband
Key Deleted : HKLM\SOFTWARE\Classes\toolband.tbtoolband.1
Key Deleted : HKLM\SOFTWARE\Classes\toolband.useroptions
Key Deleted : HKLM\SOFTWARE\Classes\toolband.useroptions.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6000.17123

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\4qu1wovc.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\GaryT\Application Data\Mozilla\Firefox\Profiles\1llhjzre.default\prefs.js

C:\Documents and Settings\GaryT\Application Data\Mozilla\Firefox\Profiles\1llhjzre.default\user.js ... Deleted !
Deleted : user_pref("extensions.s4fToolbar.si-blekko-domainlinks", true);
Deleted : user_pref("extensions.s4fToolbar.si-blekko-pagelinks", true);
Deleted : user_pref("extensions.s4fToolbar.si-blekko-rank", true);

-\\ Google Chrome v26.0.1410.64

File : C:\Documents and Settings\GaryT\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [3479 octets] - [30/04/2013 04:31:48]

########## EOF - C:\AdwCleaner[s1].txt - [3539 octets] ##########

RogueKiller Log:

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : GaryT [Admin rights]
Mode : Remove -- Date : 04/30/2013 04:51:30
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: NVIDIA MIRROR 186.31G +++++
--- User ---
[MBR] c742ddd5f6a0c3b55445f63cd19fee64
[BSP] 1a31c6e198c07ae4fde6f1b9e53b97ae : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 190771 Mo
Error reading LL1 MBR!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_04302013_02d0451.txt >>
RKreport[1]_S_04302013_02d0449.txt ; RKreport[2]_D_04302013_02d0451.txt

Next?

Thanks, Gary
Staff gringo_pr Posted April 30, 2013 ID:675187

Hello Gary

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.
Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
Put a checkmark beside loaded modules.
A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
Then click on Change parameters in TDSSKiller.
Check all boxes then click OK.
Click the Start Scan button.
The scan should take no longer than 2 minutes.
If a suspicious object is detected, the default action will be Skip, click on Continue.
If malicious objects are found, they will show in the Scan results.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Note** this report can be very long - so if the website gives you an error saying it is too long you may attach it. If the forum still complains about it being too long send me everything that is at the end of the report after where it says
================== Scan finished==================
and I will see if I want to see the whole report

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit
2. Unzip the contents to a folder in a convenient location.
3. Open the folder where the contents were unzipped and run mbar.exe
4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6. Wait while the system shuts down and the cleanup process is performed.
7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
• Internet access
• Windows Update
• Windows Firewall
9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10. Verify that your system is now functioning normally.

If you have any problems running either one come back and let me know
please reply with the reports from TDSSKiller and MBAR

Gringo
gtdriski Posted April 30, 2013 Author ID:675195

Hello again,

Well it looks like good news. I ran both utilities.

TDSSKiller Log:

I attached file TDSSKiller.2.8.16.0_30.04.2013_07.15.44_log.txt

Malwarebytes Anti-Rootkit log:

Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org

Database version: v2013.04.30.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.11
GaryT :: GTD-DESKTOP [administrator]

4/30/2013 7:41:42 AM
mbar-log-2013-04-30 (07-41-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 29042
Time elapsed: 15 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Next?

Thanks, Gary
Staff gringo_pr Posted April 30, 2013 ID:675202

Hello

I would like you to rerun TDSSKiller and this time when it gets to this part

\Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
\Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

I want you to select Delete this time instead of skip.

Gringo
gtdriski Posted April 30, 2013 Author ID:675209

Done

Here is the log file TDSSKiller.2.8.16.0_30.04.2013_08.26.35_log.txt

Thanks, Gary
Staff gringo_pr Posted April 30, 2013 ID:675283

Hello Gary

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
RegNull::
[HKEY_USERS\S-1-5-21-796845957-1647877149-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85101310-102D-5980-D761-0EE4110AA843}*]
[HKEY_USERS\S-1-5-21-796845957-1647877149-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CD5591C1-3A8C-E5F0-9BE6-B3F676E0D08E}*]

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo
gtdriski Posted May 1, 2013 Author ID:675407

Hello,

I did as instructed. Here is the log:

ComboFix 13-04-29.01 - GaryT 04/30/2013 19:56:05.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3455.2314 [GMT -4:00]
Running from: c:\documents and settings\GaryT\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\GaryT\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 6.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EventSystem.log
.
.
((((((((((((((((((((((((( Files Created from 2013-04-01 to 2013-05-01 )))))))))))))))))))))))))))))))
.
.
2013-04-30 12:28 . 2013-04-30 12:28 -------- d-----w- C:\TDSSKiller_Quarantine
2013-04-30 11:24 . 2013-04-30 11:24 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-04-30 10:18 . 2013-04-30 10:18 1072544 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-04-30 10:18 . 2013-04-30 10:18 1 ----a-w- c:\windows\system32\nvdrssel.bin
2013-04-30 10:18 . 2013-04-30 10:18 1072544 ----a-w- c:\windows\system32\nvdrsdb1.bin
2013-04-24 19:37 . 2013-04-24 19:37 -------- d-----w- c:\documents and settings\GaryT\Application Data\Sibelius Software
2013-04-24 19:36 . 2013-04-24 19:36 -------- d-----w- c:\program files\Sibelius Software
2013-04-12 18:51 . 2013-04-12 18:51 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-22 19:03 . 2012-04-04 22:07 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-22 19:03 . 2011-05-25 00:30 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-04 18:50 . 2011-01-05 17:12 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-11 03:44 . 2013-03-11 03:44 1409 ----a-w- c:\windows\QTFont.for
2013-03-08 08:36 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2009-05-11 00:18 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2009-05-11 00:18 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 01:25 . 2009-05-11 00:18 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-02-27 07:56 . 2005-07-18 01:19 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-24 19:03 . 2005-04-27 14:54 832512 ----a-w- c:\windows\system32\wininet.dll
2013-02-24 19:03 . 2003-03-31 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-24 19:03 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2013-02-24 19:03 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2013-02-12 00:32 . 2009-05-11 00:18 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2009-05-11 00:18 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-08 09:03 . 2013-02-08 09:03 1010464 ----a-w- c:\windows\system32\nvdispco32.dll
2013-02-08 09:03 . 2005-06-15 21:20 19189760 ----a-w- c:\windows\system32\nvoglnt.dll
2013-02-08 09:03 . 2005-06-15 21:20 4494336 ----a-w- c:\windows\system32\nv4_disp.dll
2013-02-08 09:02 . 2009-07-08 13:07 7536640 ----a-w- c:\windows\system32\nvcuda.dll
2013-02-08 09:02 . 2009-07-08 13:07 2581792 ----a-w- c:\windows\system32\nvcuvid.dll
2013-02-08 09:02 . 2013-02-08 09:02 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll
2013-02-08 09:02 . 2013-02-08 09:02 17551360 ----a-w- c:\windows\system32\nvcompiler.dll
2013-02-08 09:02 . 2009-07-08 13:07 2389504 ----a-w- c:\windows\system32\nvapi.dll
2013-02-08 09:02 . 2005-06-15 21:20 12648960 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2013-02-08 09:02 . 2013-02-08 09:02 5967872 ----a-w- c:\windows\system32\nvopencl.dll
2013-02-08 09:02 . 2009-07-08 13:07 1869088 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-01-31 09:35 . 2012-04-25 23:27 32032 ----a-w- c:\windows\system32\TURegOpt.exe
2013-01-31 09:35 . 2013-02-18 05:00 29984 ----a-w- c:\windows\system32\uxtuneup.dll
2009-10-31 20:13 . 2009-11-02 08:13 44 ---h--w- c:\program files\dd2c2250.tmp
2003-08-27 18:19 . 2005-08-07 18:05 36963 ----a-w- c:\program files\Common Files\SM1updtr.dll
2012-02-23 21:09 . 2013-04-12 05:12 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2012-02-23 21:09 . 2013-04-12 05:12 449848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2011-03-03 18:52 . 2013-04-12 05:12 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2011-03-03 18:52 . 2013-04-12 05:12 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2010-03-31 15:09 . 2010-03-31 15:09 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2010-04-08 16:35 . 2010-04-08 16:35 9822960 ----a-r- c:\program files\mozilla firefox\plugins\ScorchAxPlugin.dll
2010-04-08 17:36 . 2010-04-08 17:36 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2013-04-12 05:12 . 2013-04-12 05:11 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-21 09:17 233472 ------w- c:\program files\SOS Online Backup\CtxMenu_1_0_0_10.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\documents and settings\GaryT\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\documents and settings\GaryT\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\documents and settings\GaryT\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\documents and settings\GaryT\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-02-28 18642024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2013-03-01 2778424]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-12-21 5074384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Z1"="c:\documents and settings\GaryT\My Documents\Download\FBI MoneyPak Cleanup\mbar\mbar.exe" [2013-03-23 1398856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-10 00:08 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0sasnative32
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Intuit Data Protect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk
backup=c:\windows\pss\Intuit Data Protect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
backup=c:\windows\pss\QuickBooks_Standard_21.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\GaryT\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^EvernoteClipper.lnk]
path=c:\documents and settings\GaryT\Start Menu\Programs\Startup\EvernoteClipper.lnk
backup=c:\windows\pss\EvernoteClipper.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^GaryT^Start Menu^Programs^Startup^Jawbone Updater.lnk]
path=c:\documents and settings\GaryT\Start Menu\Programs\Startup\Jawbone Updater.lnk
backup=c:\windows\pss\Jawbone Updater.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]
2012-10-06 08:16 1843512 ----a-w- c:\program files\Logitech\SetPointP\SetPoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-18 23:00 136176 ----atw- c:\documents and settings\GaryT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2013-03-01 05:28 2778424 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 20:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 05:12 488984 ----a-w- c:\program files\Common Files\Logishrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 05:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 22:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
2003-07-14 14:52 40960 ----a-w- c:\windows\ltmsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2009-07-08 06:53 472112 ----a-w- c:\program files\Pure Networks\Network Magic\nmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 18:48 647216 ----a-w- c:\program files\Common Files\Pure Networks 
Shared\Platform\nmctxth.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]2013-02-28 22:50 18642024 ----a-r- c:\program files\Skype\Phone\Skype.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]2007-04-16 19:28 577536 ----a-w- c:\windows\soundman.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]2012-09-17 16:41 254896 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]2007-03-31 08:54 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe.[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]"ctfmon.exe"=c:\windows\system32\ctfmon.exe"MemoryZipperPlus"="c:\program files\Memzip\memzip.exe""DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" -agent.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"LiveMonitor"=c:\program files\MSI\Live Update 3\LMonitor.exe"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime"bwprnmon.exe"=c:\bitware\NT\bwprnmon.exe"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe""SoundMan"=SOUNDMAN.EXE"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe""DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe""NVRaidService"="c:\windows\System32\nvraidservice.exe""LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe""SM1BG"="c:\windows\SM1BG.EXE""KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe""Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe""Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 
9.0\Acrobat\Acrotray.exe""Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe".[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\WINDOWS\\system32\\fxsclnt.exe"="c:\\Program Files\\Savings Bond Wizard\\SBWizard.exe"="c:\\WINDOWS\\system32\\mmc.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"="c:\\WINDOWS\\system32\\dpvsetup.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Web CEO\\BIN\\webceo.exe"="c:\\Program Files\\Web CEO\\BIN\\wsceokrnl.dll"="c:\\Program Files\\Mozilla Firefox\\firefox.exe"="c:\\Program Files\\Paros\\IEEmbed.exe"="c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"="c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"="c:\\Documents and Settings\\GaryT\\Application Data\\Dropbox\\bin\\Dropbox.exe"="c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"="c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"="c:\\Program Files\\Jawbone\\JawboneUpdater.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009"67:UDP"= 67:UDP:DHCP Discovery Service.R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/14/2012 9:40 AM 122240]R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/14/2012 9:40 AM 105784]R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2012 2:08 PM 1333424]R2 L4301_Solar;Logitech Solar Keyboard Service;c:\program files\Logitech\SolarApp\L4301_Solar.exe [10/26/2010 5:25 PM 319568]R2 
LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/14/2011 11:55 PM 12216]R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/12/2012 7:13 PM 418376]R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/5/2011 1:12 PM 701512]R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 4:13 PM 34064]R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [10/12/2009 2:46 AM 45824]R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [8/19/2011 9:31 PM 1248256]R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe [1/31/2013 5:35 AM 1724192]R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [7/27/2005 5:25 PM 14080]R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [7/27/2005 5:25 PM 36352]R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9/22/2011 2:43 PM 645048]R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 5:43 PM 31896]R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [8/24/2010 1:30 PM 43704]R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [8/24/2010 1:30 PM 12216]R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/30/2013 7:24 AM 35144]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/5/2011 1:12 PM 22856]R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [10/12/2009 2:46 AM 56960]R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 
2013\TuneUpUtilitiesDriver32.sys [9/18/2012 4:02 PM 10088]R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [7/27/2005 5:25 PM 77056]S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [1/31/2013 10:38 AM 3289208]S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/28/2013 6:45 PM 161384]S3 FileShd;FileShd;c:\windows\system32\drivers\fileshd2.sys [9/10/2007 4:13 PM 69888]S3 libusb0;Jawbone LibUsb-Win32 - Kernel Driver 09/22/2011,1.2.5.0;c:\windows\system32\drivers\libusb0.sys [5/13/2011 12:17 AM 42592]S3 PCAlertDriver;PCAlertDriver;c:\program files\MSI\Core Center\NTGLM7X.SYS [10/2/2005 1:15 AM 22432]S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/11/2010 1:36 AM 27064].--- Other Services/Drivers In Memory ---.*NewlyCreated* - 14873701*NewlyCreated* - 25549179*NewlyCreated* - 26730192*NewlyCreated* - 80328800*NewlyCreated* - MBAMCHAMELEON*Deregistered* - 14873701*Deregistered* - 25549179*Deregistered* - 26730192*Deregistered* - 80328800*Deregistered* - uphcleanhlp.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcsUxTuneUp.Contents of the 'Scheduled Tasks' folder.2013-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57].2013-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 01:24].2013-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 01:24].2013-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1647877149-725345543-1003Core.job- c:\documents and settings\GaryT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 23:00].2013-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1647877149-725345543-1003UA.job- c:\documents and settings\GaryT\Local 
Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 23:00].2013-04-28 c:\windows\Tasks\SOS Online Backup - Driskill.job- c:\program files\sos online backup\sosuploadagent.exe [2009-04-28 06:38].2013-04-30 c:\windows\Tasks\User_Feed_Synchronization-{6B4B2B2E-0337-436A-93B3-0954C8510B04}.job- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]..------- Supplementary Scan -------.uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uStart Page = hxxp://cm.my.yahoo.com/?rd=nuxuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/keyword/%sIE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.htmlIE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.htmlIE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.htmlIE: Easy-WebPrint Preview - 
c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlIE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlTrusted Zone: microsoft.com\drmlicense.oneTCP: DhcpNameServer = 208.67.222.222 208.67.220.220 38.116.38.49DPF: NetGUI - hxxp://www.gomeetnow.com/client/window/1,0,1,69/ActiveXInstaller.CABDPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CABDPF: {02FFCFC3-C28F-4ED9-954B-1BAC9FD77E12} - hxxp://webstream.intra.net/media/xflux3.cabDPF: {16C698C4-4BE0-4CDF-B777-39276A95F58F} - hxxp://meeting.zoho.com/login/ActivexViewer.jspDPF: {54D53429-945C-4188-B460-C81356541882} - hxxp://photosmart.hpphoto.com/Download/HPeServicesLocalPrint.CABDPF: {56426D1F-A2BB-4195-8555-CCE6533F81E8} - hxxp://meeting.zoho.com/login/Agent.jspDPF: {7BC974EF-A718-4A17-B77E-4C8DBC327AFA} - hxxps://secure.voloper.net/editor.cabDPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cabDPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} - hxxp://www.contentpurity.com/xp/ScanFilexp.CABDPF: {87651085-BCBF-4281-B8F7-1F6E56E92515} - hxxp://meeting.zoho.com/login/Agent.jspDPF: {B7039D87-D648-4431-BA87-C3A04E6111DA} - hxxps://67.43.9.72:4643/vz/ssh/wodTelnetDLX.cabDPF: {D5382F3F-32AA-41E1-9FFF-5D1EFAC80D40} - hxxp://contentpurity.com/members/FileClean.CABDPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} - hxxps://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cabDPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cabFF - ProfilePath - c:\documents and settings\GaryT\Application Data\Mozilla\Firefox\Profiles\1llhjzre.default\FF - prefs.js: browser.startup.homepage - web.ebuddy.com|hxxp://www.netvibes.com/FF - ExtSQL: 2013-03-22 16:48; LogMeInClient@logmein.com; c:\documents and settings\GaryT\Application Data\Mozilla\Firefox\Profiles\1llhjzre.default\extensions\LogMeInClient@logmein.comFF - ExtSQL: !HIDDEN! 
Things seem OK. What's next?

Thanks, Gary
Staff gringo_pr Posted May 1, 2013 ID:675416

Hello gtdriski

I would like to see a report that combofix makes.

extra combofix report

push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
click ok
copy and paste the report into this topic for me to review

Gringo
gtdriski Posted May 1, 2013 Author ID:675477

Gringo,

Here is the report:

Next?

Thanks, Gary