Jump to content

Please Help Remove FBI Ransom Virus - frst log attached

NukeMeSlowly
 Share

Recommended Posts

NukeMeSlowly

NukeMeSlowly

Posted
Posted

Hello:

 

Need some help getting rid of this virus ASAP. Ran FRST on the infected laptop via a flash drive. Here is the log:

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-08-2013
Ran by SYSTEM on 06-08-2013 21:56:28
Running from F:\
Windows 7 Professional (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [acevents] - C:\Program Files\ActivIdentity\ActivClient\acevents.exe [196648 2009-12-04] (ActivIdentity)
HKLM\...\Run: [accrdsub] - C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [485416 2009-12-04] (ActivIdentity)
HKLM\...\Run: [FreeFallProtection] - C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [intelPROSet] - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1934608 2010-12-23] (Intel® Corporation)
HKLM\...\Run: [MFNetworkScanUtility] - C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE [508312 2009-12-15] (CANON INC.)
HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-06] (IDT, Inc.)
HKLM\...\Run: [TdmNotify] - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [257392 2011-05-27] (Wave Systems Corp.)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKLM-x32\...\Run: [NUSB3MON] - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [McAfeeUpdaterUI] - C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe [136512 2008-03-14] (McAfee, Inc.)
HKLM-x32\...\Run: [shStatEXE] - C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE [124240 2008-09-29] (McAfee, Inc.)
HKLM-x32\...\Run: [atr.exe] -  [x]
HKLM-x32\...\Run: [AnySync] - C:\Program Files (x86)\AnySync\SyncLauncher.exe [41984 2011-03-21] (iAnywhere Solutions, Inc.)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [bCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Genie TimeLine Tray] - C:\Program Files\Genie-Soft\Genie Timeline\GSTimeLineAgent.exe [874624 2011-02-02] (Genie-soft)
HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [343168 2011-09-26] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [815512 2012-04-03] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-04-30] (Apple Inc.)
HKLM-x32\...\Run: [iJNetworkScanUtility] - C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE [124256 2010-01-18] (CANON INC.)
HKU\Marjan\...\Run: [AnyTime Organizer] - C:\Program Files (x86)\AnyTime Organizer Deluxe\AtDem.exe [65536 2007-11-21] (Individual Software, Inc.)
HKU\Marjan\...\Run: [CCleaner] - C:\Program Files\CCleaner\CCleaner64.exe [6154008 2013-05-24] (Piriform Ltd)
HKU\Marjan\...\Run: [iCloudServices] - C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-04-05] (Apple Inc.)
HKU\Marjan\...\Run: [ApplePhotoStreams] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-04-05] (Apple Inc.)
HKU\Marjan\...\Run: [0EnIeGij.exe] - C:\Users\Marjan\AppData\Local\7zh41ioRd\0EnIeGij.exe [58880 2013-08-06] (Hkhxv)
HKU\Marjan\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Marjan\...\Command Processor: "C:\Users\Marjan\AppData\Local\7zh41ioRd\0EnIeGij.exe" <===== ATTENTION!
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\Users\Marjan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)

==================== Services (Whitelisted) =================

S2 ac.sharedstore; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [277032 2009-06-03] (ActivIdentity)
S2 Canon Driver Information Assist Service; C:\Program Files\Canon\DIAS\CnxDIAS.exe [5873840 2011-03-18] (CANON INC.)
S2 GenieTimelineService; C:\Program Files\Genie-Soft\Genie Timeline\GenieTimelineService.exe [468096 2011-02-02] (Genie-Soft)
S2 McAfeeEngineService; C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [17920 2008-09-29] (McAfee, Inc.)
S2 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [103744 2008-03-14] (McAfee, Inc.)
S2 McShield; C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe [175072 2008-09-29] (McAfee, Inc.)
S2 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [62800 2008-09-29] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [75656 2008-09-29] (McAfee, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 MSSQL$MSSMLBIZ; C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\sqlservr.exe [43010392 2009-03-30] (Microsoft Corporation)
S2 MSSQL$QSRNVIVO10; c:\Program Files\Microsoft SQL Server\MSSQL10_50.QSRNVIVO10\MSSQL\Binn\sqlservr.exe [62218696 2012-06-28] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 O2SDIOAssist; C:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] ()
S4 SQLAgent$MSSMLBIZ; C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE [366936 2009-03-30] (Microsoft Corporation)
S4 SQLAgent$QSRNVIVO10; c:\Program Files\Microsoft SQL Server\MSSQL10_50.QSRNVIVO10\MSSQL\Binn\SQLAGENT.EXE [441288 2012-06-28] (Microsoft Corporation)
S2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1600000 2011-07-01] (Wave Systems Corp.)
S2 ZcfgSvc7; C:\Program Files\Intel\WiFi\bin\ZCfgSvc7.exe [992256 2010-12-23] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [96016 2008-09-29] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [118688 2008-09-29] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [465792 2008-09-29] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [75800 2008-09-29] (McAfee, Inc.)
S1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [82504 2008-09-29] (McAfee, Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S4 RsFx0153; C:\Windows\System32\DRIVERS\RsFx0153.sys [321992 2012-06-28] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-06 21:56 - 2013-08-06 21:56 - 00000000 ____D C:\FRST
2013-08-06 16:51 - 2013-08-06 17:01 - 00000000 ____D C:\Users\Marjan\AppData\Local\7zh41ioRd
2013-08-06 16:51 - 2013-08-06 16:51 - 00267776 _____ C:\Users\Marjan\AppData\Roaming\Bsz1oXVEMxW
2013-08-06 16:51 - 2013-08-06 16:51 - 00267776 _____ C:\Users\Marjan\AppData\Local\xUtgombQJ
2013-08-06 16:51 - 2013-08-06 16:51 - 00267776 _____ C:\ProgramData\oC4C9VxNeom
2013-08-06 14:41 - 2013-08-06 16:52 - 00000168 _____ C:\Windows\setupact.log
2013-08-06 14:41 - 2013-08-06 14:41 - 00000000 _____ C:\Windows\setuperr.log
2013-08-04 00:24 - 2013-08-04 00:33 - 00014949 _____ C:\ads_err.adt
2013-08-04 00:24 - 2013-08-04 00:24 - 00004554 _____ C:\ads_err.adm
2013-08-04 00:24 - 2013-08-04 00:24 - 00003072 _____ C:\ads_err.adi
2013-08-04 00:24 - 2013-08-04 00:24 - 00000000 ____D C:\Users\Marjan\AppData\Roaming\XCPCSync.OEM
2013-08-03 13:01 - 2013-08-03 14:22 - 00000000 ____D C:\Users\Marjan\Desktop\MPS Student Handbook
2013-08-03 10:29 - 2013-08-05 07:33 - 00000000 ____D C:\Users\Marjan\Desktop\MPS Website August 2013
2013-08-02 08:47 - 2013-08-06 17:04 - 00483888 _____ C:\Windows\WindowsUpdate.log
2013-07-31 15:04 - 2013-07-31 15:04 - 00002095 _____ C:\Users\Public\Desktop\Canon MP Navigator EX 2.1.lnk
2013-07-31 14:38 - 2013-07-31 14:38 - 00000000 ___HD C:\Windows\System32\CanonIJ Uninstaller Information
2013-07-31 14:38 - 2009-06-16 07:37 - 01342976 _____ (CANON INC.) C:\Windows\System32\CNC860C.DLL
2013-07-31 14:38 - 2009-06-16 07:36 - 00092672 _____ (CANON INC.) C:\Windows\System32\CNC860I.DLL
2013-07-31 14:38 - 2009-02-19 09:20 - 00299520 _____ (CANON INC.) C:\Windows\System32\CNC860L.DLL
2013-07-31 14:38 - 2008-07-16 05:39 - 00235008 _____ (Canon Inc.) C:\Windows\System32\CNC860O.DLL
2013-07-31 14:37 - 2013-07-31 14:37 - 00000000 ___HD C:\Program Files\CanonBJ
2013-07-31 14:37 - 2008-09-11 05:40 - 00131584 _____ (CANON INC.) C:\Windows\System32\CNC860Z.DLL
2013-07-31 14:37 - 2008-09-11 05:39 - 00244736 _____ (CANON INC.) C:\Windows\System32\CNMIU9N.DLL
2013-07-31 13:33 - 2013-07-31 15:10 - 00000000 ___HD C:\ProgramData\CanonIJScan
2013-07-28 07:49 - 2012-08-30 07:18 - 00252416 _____ (CANON INC.) C:\Windows\System32\CNMN6PPM.DLL
2013-07-28 07:49 - 2012-08-30 07:18 - 00152064 _____ (CANON INC.) C:\Windows\System32\CNMN6UI.DLL
2013-07-28 07:49 - 2012-08-30 07:15 - 00366080 _____ (CANON INC.) C:\Windows\SysWOW64\CNMNPPM.DLL
2013-07-22 13:04 - 2013-07-22 13:04 - 00000000 ____D C:\Users\Marjan\AppData\Local\Evernote
2013-07-22 13:03 - 2013-07-22 13:03 - 00000932 _____ C:\Users\Marjan\Desktop\Evernote.lnk
2013-07-22 13:03 - 2013-07-22 13:03 - 00000000 ____D C:\Program Files (x86)\Evernote
2013-07-19 11:33 - 2013-07-19 12:05 - 06422528 _____ C:\Users\Marjan\Documents\Practice.mp.nvp
2013-07-19 11:29 - 2013-07-19 11:29 - 00000000 ____D C:\Users\Marjan\Desktop\Sample Project Data
2013-07-19 07:21 - 2013-07-19 09:49 - 04194304 _____ C:\Users\Marjan\Documents\Marjan's Test Project.nvp
2013-07-19 00:29 - 2013-07-19 00:29 - 00000000 ____D C:\Users\Marjan\AppData\Local\IsolatedStorage
2013-07-19 00:27 - 2013-07-19 00:27 - 00000000 ____D C:\Users\Marjan\AppData\Roaming\QSR_International
2013-07-19 00:22 - 2013-07-19 09:50 - 00000000 ____D C:\Users\Public\Documents\NVivo 10 Samples
2013-07-19 00:22 - 2013-07-19 00:22 - 00001924 _____ C:\Users\Public\Desktop\QSR NVivo 10.lnk
2013-07-19 00:22 - 2013-07-19 00:22 - 00000000 ____D C:\ProgramData\QSR
2013-07-19 00:22 - 2013-07-19 00:22 - 00000000 ____D C:\Program Files\QSR
2013-07-19 00:20 - 2013-07-19 00:21 - 00000000 ____D C:\Program Files (x86)\QSR
2013-07-19 00:18 - 2012-06-28 21:22 - 00082888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\perf-MSSQL$QSRNVIVO10-sqlctr10.52.4000.0.dll
2013-07-19 00:18 - 2012-06-28 21:22 - 00057288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\perf-MSSQL10_50.QSRNVIVO10-sqlagtctr.dll
2013-07-19 00:18 - 2012-06-28 21:17 - 00088520 _____ (Microsoft Corporation) C:\Windows\System32\perf-MSSQL$QSRNVIVO10-sqlctr10.52.4000.0.dll
2013-07-19 00:18 - 2012-06-28 21:17 - 00086984 _____ (Microsoft Corporation) C:\Windows\System32\perf-MSSQL10_50.QSRNVIVO10-sqlagtctr.dll
2013-07-19 00:17 - 2013-07-19 00:17 - 00000000 ____D C:\Windows\System32\RsFx
2013-07-19 00:17 - 2013-07-19 00:17 - 00000000 ____D C:\Program Files\Microsoft Visual Studio 9.0
2013-07-12 03:49 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-12 03:49 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-12 03:49 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-12 03:49 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-12 03:49 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-12 03:49 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-12 03:49 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-12 03:49 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-12 03:49 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-12 03:49 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-12 03:49 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-12 03:49 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-12 03:49 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-12 03:49 - 2013-06-11 15:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-12 03:49 - 2013-06-11 15:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-12 03:49 - 2013-06-11 15:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-12 03:49 - 2013-06-11 15:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-12 03:49 - 2013-06-11 15:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-12 03:49 - 2013-06-11 15:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-12 03:49 - 2013-06-11 15:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-12 03:49 - 2013-06-11 15:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-12 03:49 - 2013-06-11 15:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-12 03:49 - 2013-06-11 15:25 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-12 03:49 - 2013-06-11 15:25 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-12 03:49 - 2013-06-11 15:25 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-12 03:49 - 2013-06-11 15:25 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-12 03:49 - 2013-06-11 15:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-12 03:49 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-12 03:49 - 2013-06-11 14:50 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-12 03:49 - 2013-06-06 19:22 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-12 03:49 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-11 14:48 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-11 14:48 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-11 14:48 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-11 14:48 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-11 14:44 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-11 14:43 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-11 14:43 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-08 19:59 - 2013-07-08 19:59 - 00000000 ____D C:\Program Files (x86)\QuickTime

==================== One Month Modified Files and Folders =======

2013-08-06 17:04 - 2013-08-02 08:47 - 00483888 _____ C:\Windows\WindowsUpdate.log
2013-08-06 17:01 - 2013-08-06 16:51 - 00000000 ____D C:\Users\Marjan\AppData\Local\7zh41ioRd
2013-08-06 17:00 - 2009-07-13 20:45 - 00014256 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-06 17:00 - 2009-07-13 20:45 - 00014256 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-06 16:52 - 2013-08-06 14:41 - 00000168 _____ C:\Windows\setupact.log
2013-08-06 16:52 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-06 16:51 - 2013-08-06 16:51 - 00267776 _____ C:\Users\Marjan\AppData\Roaming\Bsz1oXVEMxW
2013-08-06 16:51 - 2013-08-06 16:51 - 00267776 _____ C:\Users\Marjan\AppData\Local\xUtgombQJ
2013-08-06 16:51 - 2013-08-06 16:51 - 00267776 _____ C:\ProgramData\oC4C9VxNeom
2013-08-06 16:27 - 2012-08-09 15:54 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-06 14:41 - 2013-08-06 14:41 - 00000000 _____ C:\Windows\setuperr.log
2013-08-05 07:33 - 2013-08-03 10:29 - 00000000 ____D C:\Users\Marjan\Desktop\MPS Website August 2013
2013-08-05 07:11 - 2013-04-09 08:51 - 00000000 ____D C:\Users\Marjan\Desktop\PACT April 2013_Setup
2013-08-04 00:33 - 2013-08-04 00:24 - 00014949 _____ C:\ads_err.adt
2013-08-04 00:24 - 2013-08-04 00:24 - 00004554 _____ C:\ads_err.adm
2013-08-04 00:24 - 2013-08-04 00:24 - 00003072 _____ C:\ads_err.adi
2013-08-04 00:24 - 2013-08-04 00:24 - 00000000 ____D C:\Users\Marjan\AppData\Roaming\XCPCSync.OEM
2013-08-04 00:22 - 2011-12-31 06:37 - 00000000 ____D C:\Program Files (x86)\AnyTime Organizer Deluxe
2013-08-03 14:22 - 2013-08-03 13:01 - 00000000 ____D C:\Users\Marjan\Desktop\MPS Student Handbook
2013-08-03 09:02 - 2009-07-13 21:13 - 00911684 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-31 15:10 - 2013-07-31 13:33 - 00000000 ___HD C:\ProgramData\CanonIJScan
2013-07-31 15:10 - 2012-06-03 12:39 - 00000000 ____D C:\Users\Marjan\AppData\Roaming\Canon
2013-07-31 15:04 - 2013-07-31 15:04 - 00002095 _____ C:\Users\Public\Desktop\Canon MP Navigator EX 2.1.lnk
2013-07-31 15:04 - 2011-12-28 07:00 - 00000000 ____D C:\Program Files (x86)\Canon
2013-07-31 14:38 - 2013-07-31 14:38 - 00000000 ___HD C:\Windows\System32\CanonIJ Uninstaller Information
2013-07-31 14:37 - 2013-07-31 14:37 - 00000000 ___HD C:\Program Files\CanonBJ
2013-07-31 13:07 - 2011-12-28 19:57 - 00000000 ____D C:\Users\Marjan\AppData\Roaming\Skype
2013-07-28 07:33 - 2012-07-23 17:34 - 00000000 ____D C:\Users\Marjan\Desktop\Papers (Active)
2013-07-22 13:04 - 2013-07-22 13:04 - 00000000 ____D C:\Users\Marjan\AppData\Local\Evernote
2013-07-22 13:03 - 2013-07-22 13:03 - 00000932 _____ C:\Users\Marjan\Desktop\Evernote.lnk
2013-07-22 13:03 - 2013-07-22 13:03 - 00000000 ____D C:\Program Files (x86)\Evernote
2013-07-19 12:05 - 2013-07-19 11:33 - 06422528 _____ C:\Users\Marjan\Documents\Practice.mp.nvp
2013-07-19 11:29 - 2013-07-19 11:29 - 00000000 ____D C:\Users\Marjan\Desktop\Sample Project Data
2013-07-19 09:50 - 2013-07-19 00:22 - 00000000 ____D C:\Users\Public\Documents\NVivo 10 Samples
2013-07-19 09:49 - 2013-07-19 07:21 - 04194304 _____ C:\Users\Marjan\Documents\Marjan's Test Project.nvp
2013-07-19 06:24 - 2013-03-13 20:54 - 00000000 ____D C:\Users\Marjan\Desktop\NATO 2013 Updated July
2013-07-19 06:14 - 2009-07-13 20:45 - 00419632 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-19 00:29 - 2013-07-19 00:29 - 00000000 ____D C:\Users\Marjan\AppData\Local\IsolatedStorage
2013-07-19 00:27 - 2013-07-19 00:27 - 00000000 ____D C:\Users\Marjan\AppData\Roaming\QSR_International
2013-07-19 00:27 - 2011-12-27 14:14 - 00110288 _____ C:\Users\Marjan\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-19 00:22 - 2013-07-19 00:22 - 00001924 _____ C:\Users\Public\Desktop\QSR NVivo 10.lnk
2013-07-19 00:22 - 2013-07-19 00:22 - 00000000 ____D C:\ProgramData\QSR
2013-07-19 00:22 - 2013-07-19 00:22 - 00000000 ____D C:\Program Files\QSR
2013-07-19 00:21 - 2013-07-19 00:20 - 00000000 ____D C:\Program Files (x86)\QSR
2013-07-19 00:17 - 2013-07-19 00:17 - 00000000 ____D C:\Windows\System32\RsFx
2013-07-19 00:17 - 2013-07-19 00:17 - 00000000 ____D C:\Program Files\Microsoft Visual Studio 9.0
2013-07-19 00:17 - 2011-12-28 07:13 - 00000000 ____D C:\Program Files\Microsoft SQL Server
2013-07-19 00:17 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-07-19 00:15 - 2011-12-28 07:13 - 00000000 ____D C:\Windows\SysWOW64\1033
2013-07-19 00:15 - 2011-12-28 07:13 - 00000000 ____D C:\Windows\System32\1033
2013-07-19 00:15 - 2011-12-28 07:00 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server
2013-07-17 08:00 - 2011-12-27 14:15 - 00000000 ____D C:\Users\Marjan\AppData\Local\Citrix
2013-07-16 16:40 - 2011-12-28 09:01 - 00000000 ____D C:\Users\Marjan\Documents\Marjan 2013 Files
2013-07-15 07:26 - 2012-08-31 01:25 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-15 07:26 - 2012-08-31 01:25 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-14 14:56 - 2011-12-27 13:26 - 00000000 ____D C:\Windows\Panther
2013-07-14 14:54 - 2012-08-31 01:25 - 00003896 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-14 14:54 - 2012-08-31 01:25 - 00003644 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-07-12 11:49 - 2009-07-13 23:47 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-12 11:49 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-12 11:49 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-12 03:54 - 2011-12-28 06:43 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-07-12 03:50 - 2012-07-19 16:43 - 78185248 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-07-08 20:00 - 2011-12-28 19:57 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-07-08 20:00 - 2011-12-28 19:57 - 00000000 ____D C:\ProgramData\Skype
2013-07-08 19:59 - 2013-07-08 19:59 - 00000000 ____D C:\Program Files (x86)\QuickTime

Files to move or delete:
====================
C:\Users\Marjan\AppData\Local\7zh41ioRd\0EnIeGij.exe
C:\Users\Marjan\GoToAssistDownloadHelper.exe

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-16 14:26:18
Restore point made on: 2013-07-19 00:21:37
Restore point made on: 2013-07-21 10:33:21
Restore point made on: 2013-07-22 13:03:48
Restore point made on: 2013-07-24 14:32:07
Restore point made on: 2013-07-28 07:01:43
Restore point made on: 2013-08-01 10:10:55
Restore point made on: 2013-08-04 10:41:55

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 8148.93 MB
Available physical RAM: 7086.31 MB
Total Pagefile: 8147.08 MB
Available Pagefile: 7076.67 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:371.47 GB) NTFS (Disk=0 Partition=2)
Drive f: () (Removable) (Total:0.96 GB) (Free:0.96 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 4042CAB4)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 983 MB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=983 MB) - (Type=0E)


LastRegBack: 2013-08-02 17:12

==================== End Of Log ============================

 

Please advise next steps

Link to post
Share on other sites
D-FRED-BROWN

D-FRED-BROWN

Posted
Posted

This should get you going. :)

 

Please do the following:

  • Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
  • Right-click in the open notepad and select Paste).
  • Save it on the flashdrive as fixlist.txt

HKU\Marjan\...\Run: [0EnIeGij.exe] - C:\Users\Marjan\AppData\Local\7zh41ioRd\0EnIeGij.exe [58880 2013-08-06] (Hkhxv)
HKU\Marjan\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Marjan\...\Command Processor: "C:\Users\Marjan\AppData\Local\7zh41ioRd\0EnIeGij.exe" <===== ATTENTION!
HKLM-x32\...\Run: [] -  [x]
C:\Users\Marjan\AppData\Local\7zh41ioRd\0EnIeGij.exe
C:\Users\Marjan\GoToAssistDownloadHelper.exe


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.

After that- are you able to boot into normal mode? Let me know when you can as we have more malware to remove.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"
 

-------> Your topic will be closed if you haven't replied within 3 days! <--------
(If I don't respond within 24 hours, please send me a PM)

-DFB

Link to post
Share on other sites
NukeMeSlowly

NukeMeSlowly

Posted
  • Author
Posted

Thank You! Looks like I am able to log in normally.

 

Here is the FRST Fix log:

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-08-2013
Ran by SYSTEM at 2013-08-07 01:39:16 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

HKU\Marjan\Software\Microsoft\Windows\CurrentVersion\Run\\0EnIeGij.exe => Value deleted successfully.
HKU\Marjan\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Marjan\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
C:\Users\Marjan\AppData\Local\7zh41ioRd\0EnIeGij.exe => Moved successfully.
C:\Users\Marjan\GoToAssistDownloadHelper.exe => Moved successfully.

==== End of Fixlog ====

 

What is next?

Link to post
Share on other sites
D-FRED-BROWN

D-FRED-BROWN

Posted
Posted

Glad to hear you can boot. Let's start getting rid of the rest of it:

----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

----------Step 3----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


----------Step 4----------------
Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------
In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

Link to post
Share on other sites
NukeMeSlowly

NukeMeSlowly

Posted
  • Author
Posted

Okay:

 

TDSSKiller did not find anything so no logfile popped up.
 

MBAR - also nothing detected:

 

mbar-log.tx

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org
 
Database version: v2013.08.07.02
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Marjan :: MARJAN-PC [administrator]
 
8/7/2013 1:53:06 AM
mbar-log-2013-08-07 (01-53-06).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 252094
Time elapsed: 8 minute(s), 32 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 

 

MBAR system-log.txt

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 10.0.9200.16635
 
Java version: 1.6.0_33
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.494000 GHz
Memory total: 8544776192, free: 6432505856
 
Downloaded database version: v2013.08.07.02
Downloaded database version: v2013.08.06.01
Initializing...
------------ Kernel report ------------
     08/07/2013 01:53:03
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\system32\DRIVERS\stdcfltn.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\system32\DRIVERS\sbp2port.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\system32\DRIVERS\PBADRV.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\mfehidk.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\mfetdik.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\DRIVERS\e1c62x64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\NETwNs64.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\nusb3xhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\1394ohci.sys
\SystemRoot\system32\DRIVERS\o2sdjw7x64.sys
\SystemRoot\system32\DRIVERS\SCSIPORT.SYS
\SystemRoot\system32\DRIVERS\O2MDRw7x64.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\accelern.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\nusb3hub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\AtihdW76.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\stwrt64.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\cvusbdrv.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\mfeapfk.sys
\SystemRoot\system32\drivers\mfeavfk.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WinUsb.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\System32\DRIVERS\scfilter.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\rpcrt4.dll
\Windows\System32\nsi.dll
\Windows\System32\ws2_32.dll
\Windows\System32\lpk.dll
\Windows\System32\oleaut32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\psapi.dll
\Windows\System32\ole32.dll
\Windows\System32\difxapi.dll
\Windows\System32\kernel32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\comdlg32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\normaliz.dll
\Windows\System32\clbcatq.dll
\Windows\System32\urlmon.dll
\Windows\System32\shell32.dll
\Windows\System32\user32.dll
\Windows\System32\wininet.dll
\Windows\System32\iertutil.dll
\Windows\System32\usp10.dll
\Windows\System32\Wldap32.dll
\Windows\System32\advapi32.dll
\Windows\System32\gdi32.dll
\Windows\System32\msctf.dll
\Windows\System32\setupapi.dll
\Windows\System32\sechost.dll
\Windows\System32\imm32.dll
\Windows\System32\comctl32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8007a27060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa80077f6060
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8007a27060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8007a27b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8007a27060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8007914cb0, DeviceName: Unknown, DriverName: \Driver\stdcfltn\
DevicePointer: 0xfffffa80077f6060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4042CAB4
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 976564224
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 500107862016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished
 
 
 

Security Check checkup.txt

 

 Results of screen317's Security Check version 0.99.71  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Java 6 Update 33  
 Java version out of Date! 
 Google Chrome 28.0.1500.72  
 Google Chrome 28.0.1500.95  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 McAfee VirusScan Enterprise x64 EngineServer.exe 
 McAfee VirusScan Enterprise shstat.exe  
 McAfee VirusScan Enterprise VsTskMgr.exe  
 McAfee VirusScan Enterprise x64 McShield.exe 
 McAfee VirusScan Enterprise x64 mfeann.exe 
 Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 
 
 
In terms of how my system is running - seems on track with before the virus hit.
 
However, I do have an awful lot of stuff running in the background and I am not sure what I can safely eliminate without causing problems. Any ideas?
 
Also, do I need to delete/uninstall all these antivirus tools (e.g., MBAR) now?
Link to post
Share on other sites
D-FRED-BROWN

D-FRED-BROWN

Posted
Posted

 

However, I do have an awful lot of stuff running in the background and I am not sure what I can safely eliminate without causing problems. Any ideas?
 
Also, do I need to delete/uninstall all these antivirus tools (e.g., MBAR) now?

We're not yet done. For now, please leave MBAR and the other tools there as we may further need them. ;)

 

I need you to post the ComboFix log as well. Please re-read my instructions.

Link to post
Share on other sites
NukeMeSlowly

NukeMeSlowly

Posted
  • Author
Posted

Sorry for omission; I must plead 3am fatigue:

 

Here is the ComboFix Log:

 

ComboFix 13-08-05.03 - Marjan 08/07/2013   2:07.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8149.6062 [GMT -4:00]
Running from: c:\users\Marjan\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Marjan\g2mdlhlpx.exe
c:\windows\security\Database\tmp.edb
c:\windows\SysWow64\instsrv.exe
c:\windows\SysWow64\SET3F71.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-07 to 2013-08-07  )))))))))))))))))))))))))))))))
.
.
2013-08-07 05:56 . 2013-08-07 05:56 -------- d-----w- C:\FRST
2013-08-07 05:53 . 2013-08-07 06:02 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-08-07 00:51 . 2013-08-07 09:39 -------- d-----w- c:\users\Marjan\AppData\Local\7zh41ioRd
2013-08-06 23:01 . 2013-07-02 08:34 9460976 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{72C444F3-D993-42BE-B7BD-92F7155E87E4}\mpengine.dll
2013-08-04 18:42 . 2013-07-02 08:34 9460976 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-08-04 08:24 . 2013-08-04 08:24 -------- d-----w- c:\users\Marjan\AppData\Roaming\XCPCSync.OEM
2013-07-31 22:38 . 2013-07-31 22:38 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2013-07-31 22:38 . 2009-06-16 15:36 92672 ----a-w- c:\windows\system32\CNC860I.DLL
2013-07-31 22:38 . 2009-02-19 17:20 299520 ----a-w- c:\windows\system32\CNC860L.DLL
2013-07-31 22:38 . 2008-07-16 13:39 235008 ----a-w- c:\windows\system32\CNC860O.DLL
2013-07-31 22:38 . 2009-06-16 15:37 1342976 ----a-w- c:\windows\system32\CNC860C.DLL
2013-07-31 22:37 . 2008-09-11 13:40 131584 ----a-w- c:\windows\system32\CNC860Z.DLL
2013-07-31 22:37 . 2008-09-11 13:39 244736 ----a-w- c:\windows\system32\CNMIU9N.DLL
2013-07-31 22:37 . 2013-07-31 22:37 -------- d--h--w- c:\program files\CanonBJ
2013-07-31 21:33 . 2013-07-31 23:10 -------- d--h--w- c:\programdata\CanonIJScan
2013-07-28 15:49 . 2012-08-30 15:18 152064 ----a-w- c:\windows\system32\CNMN6UI.DLL
2013-07-28 15:49 . 2012-08-30 15:18 252416 ----a-w- c:\windows\system32\CNMN6PPM.DLL
2013-07-28 15:49 . 2012-08-30 15:15 366080 ----a-w- c:\windows\SysWow64\CNMNPPM.DLL
2013-07-22 21:04 . 2013-07-22 21:04 -------- d-----w- c:\users\Marjan\AppData\Local\Evernote
2013-07-22 21:03 . 2013-07-22 21:03 -------- d-----w- c:\program files (x86)\Evernote
2013-07-19 08:29 . 2013-07-19 08:29 -------- d-----w- c:\users\Marjan\AppData\Local\IsolatedStorage
2013-07-19 08:27 . 2013-07-19 08:27 -------- d-----w- c:\users\Marjan\AppData\Roaming\QSR_International
2013-07-19 08:22 . 2013-07-19 08:21 941720 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6C66D362-92B9-46FB-A38E-F0DFC7277711}\gapaengine.dll
2013-07-19 08:22 . 2013-07-19 08:22 -------- d-----w- c:\programdata\QSR
2013-07-19 08:22 . 2013-07-19 08:22 -------- d-----w- c:\program files\QSR
2013-07-19 08:20 . 2013-07-19 08:21 -------- d-----w- c:\program files (x86)\QSR
2013-07-19 08:18 . 2012-06-29 05:22 57288 ----a-w- c:\windows\SysWow64\perf-MSSQL10_50.QSRNVIVO10-sqlagtctr.dll
2013-07-19 08:18 . 2012-06-29 05:17 86984 ----a-w- c:\windows\system32\perf-MSSQL10_50.QSRNVIVO10-sqlagtctr.dll
2013-07-19 08:18 . 2012-06-29 05:22 82888 ----a-w- c:\windows\SysWow64\perf-MSSQL$QSRNVIVO10-sqlctr10.52.4000.0.dll
2013-07-19 08:18 . 2012-06-29 05:17 88520 ----a-w- c:\windows\system32\perf-MSSQL$QSRNVIVO10-sqlctr10.52.4000.0.dll
2013-07-19 08:17 . 2013-07-19 08:17 -------- d-----w- c:\windows\system32\RsFx
2013-07-19 08:17 . 2013-07-19 08:17 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2013-07-19 08:16 . 2013-07-19 08:16 -------- d-----w- c:\program files\Microsoft.NET
2013-07-11 22:48 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll
2013-07-11 22:48 . 2013-05-27 05:50 571904 ----a-w- c:\program files\Windows Defender\MpClient.dll
2013-07-11 22:48 . 2013-05-27 05:50 314880 ----a-w- c:\program files\Windows Defender\MpCommu.dll
2013-07-11 22:48 . 2013-05-27 04:57 392704 ----a-w- c:\program files (x86)\Windows Defender\MpClient.dll
2013-07-11 22:48 . 2013-06-04 06:00 624128 ----a-w- c:\windows\system32\qedit.dll
2013-07-11 22:48 . 2013-06-04 04:53 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2013-07-11 22:48 . 2013-05-27 04:57 4608 ----a-w- c:\program files (x86)\Windows Defender\MsMpLics.dll
2013-07-11 22:48 . 2013-05-27 04:57 54784 ----a-w- c:\program files (x86)\Windows Defender\MpOAV.dll
2013-07-11 22:48 . 2013-05-27 03:15 9216 ----a-w- c:\program files (x86)\Windows Defender\MpAsDesc.dll
2013-07-11 22:48 . 2013-05-06 06:03 1887744 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-11 22:48 . 2013-05-06 04:56 1620480 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
2013-07-11 22:44 . 2013-06-05 03:34 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-07-11 22:43 . 2013-04-10 05:48 1732608 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-07-11 22:43 . 2013-04-10 05:46 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-07-11 22:43 . 2013-04-10 05:46 1393152 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-07-11 22:43 . 2013-04-10 05:46 1367040 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 22:43 . 2013-04-10 05:03 936448 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 22:43 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-07-11 22:43 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-07-09 03:59 . 2013-07-09 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2013-07-09 03:59 . 2013-07-09 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2013-07-09 03:59 . 2013-07-09 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2013-07-09 03:59 . 2013-07-09 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2013-07-09 03:59 . 2013-07-09 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2013-07-09 03:59 . 2013-07-09 03:59 -------- d-----w- c:\program files (x86)\QuickTime
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-12 11:50 . 2012-07-20 00:43 78185248 ----a-w- c:\windows\system32\MRT.exe
2013-06-21 07:51 . 2013-03-12 15:27 964552 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-06-12 18:27 . 2012-08-09 23:54 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-06-12 18:27 . 2011-12-28 16:21 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-13 05:51 . 2013-06-12 17:55 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 05:51 . 2013-06-12 17:56 1464320 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 05:51 . 2013-06-12 17:55 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 05:50 . 2013-06-12 17:55 52224 ----a-w- c:\windows\system32\certenc.dll
2013-05-13 04:45 . 2013-06-12 17:56 1160192 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-05-13 04:45 . 2013-06-12 17:55 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-05-13 04:45 . 2013-06-12 17:55 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-05-13 03:43 . 2013-06-12 17:56 1192448 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-12 17:56 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2013-05-13 03:08 . 2013-06-12 17:55 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2013-05-10 05:49 . 2013-06-12 17:56 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-10 03:20 . 2013-06-12 17:56 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12 130736 ----a-w- c:\users\Marjan\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12 130736 ----a-w- c:\users\Marjan\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12 130736 ----a-w- c:\users\Marjan\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyTime Organizer"="c:\program files (x86)\AnyTime Organizer Deluxe\AtDem.exe" [2007-11-21 65536]
"CCleaner"="c:\program files\CCleaner\CCleaner64.exe" [2013-05-24 6154008]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-04-05 59720]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-04-05 59720]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"AnySync"="c:\program files (x86)\AnySync\SyncLauncher.exe" [2011-03-21 41984]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Genie TimeLine Tray"="c:\program files\Genie-Soft\Genie Timeline\GSTimeLineAgent.exe" [2011-02-02 874624]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-27 343168]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2010-01-19 124256]
.
c:\users\Marjan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2013-5-22 1089888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 164904]
Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2011-1-20 1552240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe;c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrSerIb.sys [x]
R3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrUsbSIb.sys [x]
R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe;c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 S3XXx64;SCR3xx USB SmartCardReader64;c:\windows\system32\DRIVERS\S3XXx64.sys;c:\windows\SYSNATIVE\DRIVERS\S3XXx64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0153;RsFx0153 Driver;c:\windows\system32\DRIVERS\RsFx0153.sys;c:\windows\SYSNATIVE\DRIVERS\RsFx0153.sys [x]
R4 SQLAgent$MSSMLBIZ;SQL Server Agent (MSSMLBIZ);c:\program files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE;c:\program files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE [x]
R4 SQLAgent$QSRNVIVO10;SQL Server Agent (QSRNVIVO10);c:\program files\Microsoft SQL Server\MSSQL10_50.QSRNVIVO10\MSSQL\Binn\SQLAGENT.EXE;c:\program files\Microsoft SQL Server\MSSQL10_50.QSRNVIVO10\MSSQL\Binn\SQLAGENT.EXE [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys;c:\windows\SYSNATIVE\DRIVERS\stdcfltn.sys [x]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe [x]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [x]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [x]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [x]
S2 GenieTimelineService;Genie Timeline Service;c:\program files\Genie-Soft\Genie Timeline\GenieTimelineService.exe;c:\program files\Genie-Soft\Genie Timeline\GenieTimelineService.exe [x]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [x]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S2 MSSQL$QSRNVIVO10;SQL Server (QSRNVIVO10);c:\program files\Microsoft SQL Server\MSSQL10_50.QSRNVIVO10\MSSQL\Binn\sqlservr.exe;c:\program files\Microsoft SQL Server\MSSQL10_50.QSRNVIVO10\MSSQL\Binn\sqlservr.exe [x]
S2 O2SDIOAssist;O2SDIOAssist;c:\windows\SysWOW64\srvany.exe;c:\windows\SysWOW64\srvany.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [x]
S2 ZcfgSvc7;Intel® PROSet/Wireless ZeroConfig Service;c:\program files\Intel\WiFi\bin\ZCfgSvc7.exe;c:\program files\Intel\WiFi\bin\ZCfgSvc7.exe [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys;c:\windows\SYSNATIVE\DRIVERS\accelern.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys;c:\windows\SYSNATIVE\Drivers\cvusbdrv.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7x64.sys;c:\windows\SYSNATIVE\DRIVERS\O2MDRw7x64.sys [x]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7x64.sys;c:\windows\SYSNATIVE\DRIVERS\o2sdjw7x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-01 02:31 1173456 ----a-w- c:\program files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-09 18:27]
.
2013-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-31 09:25]
.
2013-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-31 09:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12 164016 ----a-w- c:\users\Marjan\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12 164016 ----a-w- c:\users\Marjan\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12 164016 ----a-w- c:\users\Marjan\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12 164016 ----a-w- c:\users\Marjan\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2011-05-27 22:46 139128 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2011-05-27 22:46 139128 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-12-04 196648]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-12-04 485416]
"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2011-07-25 686704]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-12-23 1934608]
"MFNetworkScanUtility"="c:\program files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE" [2009-12-15 508312]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-07 525312]
"TdmNotify"="c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe" [2011-05-27 257392]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Clip Image - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: NCapture for NVivo - c:\program files (x86)\QSR\NCapture\Internet Explorer\QSR.NCapture.IE.Resources.dll/101
IE: New Note - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html
IE: {{b9c5d5a9-2b89-427d-bb30-32f567eaa60d} - {b9c5d5a9-2b89-427d-bb30-32f567eaa60d} - mscoree.dll
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-atr.exe - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files (x86)\McAfee\Common Framework\FrameworkService.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files (x86)\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\windows\sysWOW64\SDIOAssist.exe
c:\program files\Genie-Soft\Genie Timeline\x86\WebServer\PHP\php-cgi.exe
c:\program files\Genie-Soft\Genie Timeline\x86\WebServer\nginx\GSTimeLineSearch.exe
c:\program files\Genie-Soft\Genie Timeline\x86\WebServer\nginx\GSTimeLineSearch.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2013-08-07  02:18:19 - machine was rebooted
ComboFix-quarantined-files.txt  2013-08-07 06:18
.
Pre-Run: 398,592,262,144 bytes free
Post-Run: 397,925,982,208 bytes free
.
- - End Of File - - 2FC54B31E052F108952BDB1AFD12F50A
A36C5E4F47E84449FF07ED3517B43A31
 

 

 

Please advise next steps.

Link to post
Share on other sites
D-FRED-BROWN

D-FRED-BROWN

Posted
Posted

We're making progress. :)

----------Step 1----------------
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

----------Step 2----------------
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

----------Step 3----------------
We need to create a New FULL OTL Report

  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

----------Step 4 (note: this scan may take a little time)----------------I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


----------Step 5----------------
Please post the AdwCleaner logfile, the JRT.txt, the OTL.txt and Extras.txt, and the ESET online scan log in your next reply.

Let me know how things go.

Link to post
Share on other sites
NukeMeSlowly

NukeMeSlowly

Posted
  • Author
Posted

AdwCleaner logfile:

 

# AdwCleaner v2.306 - Logfile created 08/07/2013 at 14:43:15
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Marjan - MARJAN-PC
# Boot Mode : Normal
# Running from : C:\Users\Marjan\Desktop\AdwCleaner.exe
# Option [search]
 
 
***** [services] *****
 
 
***** [Files / Folders] *****
 
File Found : C:\Program Files (x86)\Mozilla Firefox\.autoreg
Folder Found : C:\ProgramData\Ask
Folder Found : C:\Users\Marjan\AppData\Roaming\DSite
 
***** [Registry] *****
 
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
 
***** [internet Browsers] *****
 
-\\ Internet Explorer v10.0.9200.16635
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v [unable to get version]
 
-\\ Google Chrome v28.0.1500.95
 
File : C:\Users\Marjan\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [2090 octets] - [07/08/2013 14:43:15]
 
########## EOF - C:\AdwCleaner[R1].txt - [2150 octets] ##########
 

 

 

JRT:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.3.6 (08.07.2013:2)
OS: Windows 7 Professional x64
Ran by Marjan on Wed 08/07/2013 at 14:45:48.05
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\installcore
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\trolltech
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AC3AFA01-E1BE-4601-A747-6E6C0987CED5}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\Marjan\AppData\Roaming\dsite"
Successfully deleted: [Folder] "C:\ProgramData\ask"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 08/07/2013 at 14:50:28.50
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

OTL.txt:

 

OTL logfile created on: 8/7/2013 2:52:24 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Marjan\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16635)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
7.96 Gb Total Physical Memory | 6.05 Gb Available Physical Memory | 76.01% Memory free
15.91 Gb Paging File | 13.56 Gb Available in Paging File | 85.20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.66 Gb Total Space | 370.02 Gb Free Space | 79.46% Space Free | Partition Type: NTFS
 
Computer Name: MARJAN-PC | User Name: Marjan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - File not found -- 
PRC - [2013/08/07 14:42:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Marjan\Desktop\OTL.exe
PRC - [2013/07/24 20:49:49 | 000,846,288 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
PRC - [2013/05/22 17:46:08 | 001,089,888 | ---- | M] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) -- C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
PRC - [2013/04/21 21:43:52 | 000,059,720 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
PRC - [2013/04/05 12:59:08 | 000,059,720 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
PRC - [2013/04/05 12:58:26 | 000,059,720 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
PRC - [2012/04/04 01:53:56 | 000,815,512 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
PRC - [2012/02/16 12:49:28 | 002,310,544 | ---- | M] (WIBU-SYSTEMS AG) -- C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
PRC - [2011/07/25 10:43:18 | 000,686,704 | ---- | M] () -- C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
PRC - [2010/12/03 13:20:18 | 002,656,280 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2010/12/03 13:20:16 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2010/11/29 16:10:32 | 000,210,896 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
PRC - [2010/11/17 13:53:16 | 000,113,288 | ---- | M] (Renesas Electronics Corporation) -- C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
PRC - [2010/08/13 21:25:08 | 000,223,848 | ---- | M] (O2Micro.) -- C:\Windows\SysWOW64\SDIOAssist.exe
PRC - [2010/06/14 21:55:52 | 000,039,936 | ---- | M] (The PHP Group) -- C:\Program Files\Genie-Soft\Genie Timeline\x86\WebServer\PHP\php-cgi.exe
PRC - [2010/06/14 21:53:48 | 001,417,216 | ---- | M] () -- C:\Program Files\Genie-Soft\Genie Timeline\x86\WebServer\nginx\GSTimeLineSearch.exe
PRC - [2010/03/25 08:45:38 | 000,031,144 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2010/01/18 21:43:00 | 000,124,256 | ---- | M] (CANON INC.) -- C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
PRC - [2008/09/29 09:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2008/09/29 09:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2008/03/14 05:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
PRC - [2008/03/14 05:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
PRC - [2008/03/14 05:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
PRC - [2003/04/18 22:06:26 | 000,008,192 | ---- | M] () -- C:\Windows\SysWOW64\srvany.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013/07/24 20:49:46 | 000,396,240 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\ppgooglenaclpluginchrome.dll
MOD - [2013/07/24 20:49:44 | 004,052,944 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\pdf.dll
MOD - [2013/07/24 20:48:54 | 000,601,552 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\libglesv2.dll
MOD - [2013/07/24 20:48:53 | 000,123,344 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\libegl.dll
MOD - [2013/07/24 20:48:51 | 001,597,392 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\ffmpegsumo.dll
MOD - [2012/09/08 13:16:30 | 000,433,664 | ---- | M] () -- C:\Program Files (x86)\Evernote\Evernote\libxml2.dll
MOD - [2012/09/08 13:16:20 | 000,315,392 | ---- | M] () -- C:\Program Files (x86)\Evernote\Evernote\libtidy.dll
MOD - [2012/02/20 21:29:04 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/02/20 21:28:42 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/07/25 10:43:18 | 000,686,704 | ---- | M] () -- C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
MOD - [2010/08/30 23:42:12 | 000,023,040 | ---- | M] () -- C:\Program Files\Genie-Soft\Genie Timeline\x86\WebServer\PHP\ext\php_gstl_interface.dll
MOD - [2010/06/14 21:53:48 | 001,417,216 | ---- | M] () -- C:\Program Files\Genie-Soft\Genie Timeline\x86\WebServer\nginx\GSTimeLineSearch.exe
MOD - [2005/08/22 16:38:16 | 003,264,512 | ---- | M] () -- C:\Program Files (x86)\McAfee\Common Framework\cryptocme2.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2013/05/27 01:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2013/01/27 12:34:32 | 000,379,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2013/01/27 12:34:32 | 000,022,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2011/09/26 19:10:06 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2011/07/01 14:52:32 | 001,600,000 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe -- (Wave Authentication Manager Service)
SRV:64bit: - [2011/05/27 18:46:56 | 003,792,240 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe -- (TdmService)
SRV:64bit: - [2011/05/24 16:42:08 | 002,154,888 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
SRV:64bit: - [2011/03/18 09:34:20 | 005,873,840 | ---- | M] (CANON INC.) [Auto | Running] -- C:\Program Files\Canon\DIAS\CnxDIAS.exe -- (Canon Driver Information Assist Service)
SRV:64bit: - [2011/02/02 10:25:24 | 000,468,096 | ---- | M] (Genie-Soft) [Auto | Running] -- C:\Program Files\Genie-Soft\Genie Timeline\GenieTimelineService.exe -- (GenieTimelineService)
SRV:64bit: - [2011/01/20 15:33:20 | 000,517,488 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe -- (dcpsysmgrsvc)
SRV:64bit: - [2011/01/06 23:32:52 | 000,283,648 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Program Files\IDT\WDM\stacsv64.exe -- (STacSV)
SRV:64bit: - [2010/12/23 18:23:48 | 001,515,792 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV:64bit: - [2010/12/23 18:14:10 | 000,992,256 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\ZCfgSvc7.exe -- (ZcfgSvc7)
SRV:64bit: - [2010/12/23 18:07:12 | 000,845,584 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV:64bit: - [2010/10/28 18:05:50 | 000,036,768 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe -- (Credential Vault Host Storage)
SRV:64bit: - [2010/10/28 18:05:48 | 001,035,680 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe -- (Credential Vault Host Control Service)
SRV:64bit: - [2010/02/10 21:50:50 | 000,072,296 | ---- | M] (O2Micro International) [Auto | Running] -- C:\Windows\SysNative\drivers\o2flash.exe -- (O2FLASH)
SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/06/03 17:38:36 | 000,277,032 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe -- (ac.sharedstore)
SRV:64bit: - [2009/03/03 06:42:58 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\IDT\WDM\AESTSr64.exe -- (AESTFilters)
SRV:64bit: - [2008/09/29 09:07:00 | 000,075,656 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\SysNative\mfevtps.exe -- (mfevtp)
SRV - [2013/06/12 14:27:25 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/06/03 16:21:54 | 000,162,408 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/06/05 16:56:28 | 000,266,240 | ---- | M] (Brother Industries, Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Browny02\BrYNSvc.exe -- (BrYNSvc)
SRV - [2012/02/16 12:49:28 | 002,310,544 | ---- | M] (WIBU-SYSTEMS AG) [Auto | Running] -- C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe -- (CodeMeter.exe)
SRV - [2011/12/27 18:15:11 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe -- (GoToAssist)
SRV - [2010/12/03 13:20:18 | 002,656,280 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2010/12/03 13:20:16 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2010/11/29 16:10:32 | 000,210,896 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe -- (jhi_service)
SRV - [2010/03/25 08:45:38 | 000,031,144 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/09/29 09:07:00 | 000,175,072 | ---- | M] (McAfee, Inc.) [Auto | Paused] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe -- (McShield)
SRV - [2008/09/29 09:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2008/09/29 09:07:00 | 000,017,920 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe -- (McAfeeEngineService)
SRV - [2008/03/14 05:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2003/04/18 22:06:26 | 000,008,192 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\srvany.exe -- (O2SDIOAssist)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2013/01/20 16:59:04 | 000,130,008 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/07/31 07:56:58 | 000,095,344 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BrSerIb.sys -- (BrSerIb)
DRV:64bit: - [2012/06/29 01:23:42 | 000,321,992 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\drivers\RsFx0153.sys -- (RsFx0153)
DRV:64bit: - [2012/06/21 21:59:36 | 000,021,872 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BrUsbSib.sys -- (BrUsbSIb)
DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/09/26 20:00:22 | 009,321,472 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/09/26 18:33:00 | 000,306,176 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/09/07 11:46:58 | 000,070,016 | ---- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\S3XXx64.sys -- (S3XXx64)
DRV:64bit: - [2011/07/22 13:28:56 | 000,027,760 | ---- | M] (ST Microelectronics) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\accelern.sys -- (Acceler)
DRV:64bit: - [2011/07/15 22:31:22 | 000,022,128 | ---- | M] (ST Microelectronics) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\stdcfltn.sys -- (stdcfltn)
DRV:64bit: - [2011/06/06 19:07:00 | 000,231,440 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/01/06 23:32:52 | 000,520,192 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\stwrt64.sys -- (STHDA)
DRV:64bit: - [2011/01/04 17:31:16 | 000,075,240 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\o2sdjw7x64.sys -- (O2SDJRDR)
DRV:64bit: - [2011/01/03 18:19:56 | 000,074,984 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\O2MDRw7x64.sys -- (O2MDRRDR)
DRV:64bit: - [2010/12/21 13:08:48 | 008,505,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETwNs64.sys -- (NETwNs64)
DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 05:37:42 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010/11/19 14:34:26 | 000,181,248 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2010/11/19 14:34:26 | 000,080,384 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2010/10/28 11:42:32 | 000,315,568 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress)
DRV:64bit: - [2010/10/19 14:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
DRV:64bit: - [2010/08/24 18:46:02 | 000,038,440 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\cvusbdrv.sys -- (cvusbdrv)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 20:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2009/07/13 20:35:32 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\serscan.sys -- (StillCam)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/09/29 09:07:00 | 000,465,792 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
DRV:64bit: - [2008/09/29 09:07:00 | 000,118,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
DRV:64bit: - [2008/09/29 09:07:00 | 000,096,016 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
DRV:64bit: - [2008/09/29 09:07:00 | 000,082,504 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfetdik.sys -- (mfetdik)
DRV:64bit: - [2008/09/29 09:07:00 | 000,075,800 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
DRV:64bit: - [2008/06/04 17:14:00 | 000,032,240 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PBADRV.SYS -- (PBADRV)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-926839969-3728488504-4215999852-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-926839969-3728488504-4215999852-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = FD 25 F6 35 D8 28 CE 01  [binary data]
IE - HKU\S-1-5-21-926839969-3728488504-4215999852-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-926839969-3728488504-4215999852-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKU\S-1-5-21-926839969-3728488504-4215999852-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-926839969-3728488504-4215999852-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.7: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@citrixonline.com/appdetectorplugin: C:\Users\Marjan\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012/05/13 16:51:40 | 000,000,000 | ---D | M]
 
[2012/10/02 14:51:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Marjan\AppData\Roaming\Mozilla\Extensions
[2012/10/02 14:51:03 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/09/05 21:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/09/05 21:26:22 | 000,002,253 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.89\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Java Platform SE 6 U33 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 6.0.330.5 (Enabled) = C:\Windows\SysWOW64\npdeployJava1.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - Extension: YouTube = C:\Users\Marjan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\Marjan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: NCapture = C:\Users\Marjan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgomjifbpjfhpodjhihemafahhmegbek\1.0.128.0_0\
CHR - Extension: Skype Click to Call = C:\Users\Marjan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\6.9.0.12585_0\
CHR - Extension: Gmail = C:\Users\Marjan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\
 
O1 HOSTS File: ([2013/08/07 02:14:56 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Evernote extension) - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3:64bit: - HKU\S-1-5-21-926839969-3728488504-4215999852-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-926839969-3728488504-4215999852-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)
O4:64bit: - HKLM..\Run: [acevents] C:\Program Files\ActivIdentity\ActivClient\acevents.exe (ActivIdentity)
O4:64bit: - HKLM..\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe ()
O4:64bit: - HKLM..\Run: [intelPROSet] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4:64bit: - HKLM..\Run: [MFNetworkScanUtility] C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE (CANON INC.)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4:64bit: - HKLM..\Run: [TdmNotify] C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [AnySync] C:\Program Files (x86)\AnySync\SyncLauncher.exe (iAnywhere Solutions, Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Genie TimeLine Tray] C:\Program Files\Genie-Soft\Genie Timeline\GSTimeLineAgent.exe (Genie-soft)
O4 - HKLM..\Run: [iJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE (CANON INC.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
O4 - HKLM..\Run: [shStatEXE] C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [startCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-926839969-3728488504-4215999852-1000..\Run: [AnyTime Organizer] C:\Program Files (x86)\AnyTime Organizer Deluxe\AtDem.exe (Individual Software, Inc.)
O4 - HKU\S-1-5-21-926839969-3728488504-4215999852-1000..\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe (Apple Inc.)
O4 - HKU\S-1-5-21-926839969-3728488504-4215999852-1000..\Run: [CCleaner] C:\Program Files\CCleaner\CCleaner64.exe (Piriform Ltd)
O4 - HKU\S-1-5-21-926839969-3728488504-4215999852-1000..\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
O4 - Startup: C:\Users\Marjan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk = C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-926839969-3728488504-4215999852-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-926839969-3728488504-4215999852-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Clip Image - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4 File not found
O8:64bit: - Extra context menu item: Clip selection - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
O8:64bit: - Extra context menu item: Clip this page - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
O8:64bit: - Extra context menu item: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
O8:64bit: - Extra context menu item: NCapture for NVivo - C:\Program Files (x86)\QSR\NCapture\Internet Explorer\QSR.NCapture.IE.Resources.dll (QSR International)
O8:64bit: - Extra context menu item: New Note - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html ()
O8 - Extra context menu item: Clip Image - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4 File not found
O8 - Extra context menu item: Clip selection - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
O8 - Extra context menu item: Clip this page - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
O8 - Extra context menu item: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
O8 - Extra context menu item: NCapture for NVivo - C:\Program Files (x86)\QSR\NCapture\Internet Explorer\QSR.NCapture.IE.Resources.dll (QSR International)
O8 - Extra context menu item: New Note - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html ()
O9:64bit: - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} https://aumail4.american.edu/dwa85W.cab (IBM Lotus iNotes 8.5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} https://www36.verizon.com/FiOSVoice/UnProtected/FiosVoiceVMUtil.CAB (IOBIVMUtil.VMDecoder)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CEF002D2-5A9F-4656-AA41-85DA2534ACBD} https://aumail4.american.edu/dwa85W.cab (IBM Lotus iNotes 8.5 Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8CCC2E89-291C-4D63-9C6D-2A5452C8901C}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E43D08ED-FFDD-426B-8341-E586DF075969}: DhcpNameServer = 68.87.73.242 68.87.71.226
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll) - C:\Program Files (x86)\Citrix\GoToAssist\615\g2awinlogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20:64bit: - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) -  File not found
O20:64bit: - Winlogon\Notify\spba: DllName - (C:\Program Files\Common Files\SPBA\homefus2.dll) - C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/08/07 14:45:46 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013/08/07 14:42:21 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Marjan\Desktop\OTL.exe
[2013/08/07 14:42:00 | 000,563,082 | ---- | C] (Oleg N. Scherbakov) -- C:\Users\Marjan\Desktop\JRT.exe
[2013/08/07 02:41:18 | 000,000,000 | ---D | C] -- C:\Users\Marjan\AppData\Local\Programs
[2013/08/07 02:18:21 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/08/07 02:14:59 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2013/08/07 02:05:31 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/08/07 02:05:31 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/08/07 02:05:31 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/08/07 02:05:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/08/07 02:05:13 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/08/07 02:04:19 | 005,100,695 | R--- | C] (Swearware) -- C:\Users\Marjan\Desktop\ComboFix.exe
[2013/08/07 01:56:18 | 000,000,000 | ---D | C] -- C:\FRST
[2013/08/07 01:53:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2013/08/07 01:51:23 | 000,000,000 | ---D | C] -- C:\Users\Marjan\Desktop\mbar-1.06.0.1004
[2013/08/07 01:46:42 | 002,240,864 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Marjan\Desktop\tdsskiller.exe
[2013/08/06 20:51:02 | 000,000,000 | ---D | C] -- C:\Users\Marjan\AppData\Local\7zh41ioRd
[2013/08/04 04:24:15 | 000,000,000 | ---D | C] -- C:\Users\Marjan\AppData\Roaming\XCPCSync.OEM
[2013/08/03 17:01:06 | 000,000,000 | ---D | C] -- C:\Users\Marjan\Desktop\MPS Student Handbook
[2013/08/03 14:29:34 | 000,000,000 | ---D | C] -- C:\Users\Marjan\Desktop\MPS Website August 2013
[2013/07/31 19:04:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
[2013/07/31 18:39:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon IJ Network Utilities
[2013/07/31 18:38:10 | 000,000,000 | -H-D | C] -- C:\Windows\SysNative\CanonIJ Uninstaller Information
[2013/07/31 18:38:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MX860 series
[2013/07/31 18:38:07 | 000,299,520 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNC860L.DLL
[2013/07/31 18:38:07 | 000,235,008 | ---- | C] (Canon Inc.) -- C:\Windows\SysNative\CNC860O.DLL
[2013/07/31 18:38:07 | 000,092,672 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNC860I.DLL
[2013/07/31 18:38:06 | 001,342,976 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNC860C.DLL
[2013/07/31 18:37:41 | 000,244,736 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNMIU9N.DLL
[2013/07/31 18:37:41 | 000,131,584 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNC860Z.DLL
[2013/07/31 18:37:36 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2013/07/31 17:33:24 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonIJScan
[2013/07/28 11:49:21 | 000,366,080 | ---- | C] (CANON INC.) -- C:\Windows\SysWow64\CNMNPPM.DLL
[2013/07/28 11:49:21 | 000,252,416 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNMN6PPM.DLL
[2013/07/28 11:49:21 | 000,152,064 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNMN6UI.DLL
[2013/07/22 17:04:15 | 000,000,000 | ---D | C] -- C:\Users\Marjan\AppData\Local\Evernote
[2013/07/22 17:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Evernote
[2013/07/22 17:03:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Evernote
[2013/07/19 15:29:26 | 000,000,000 | ---D | C] -- C:\Users\Marjan\Desktop\Sample Project Data
[2013/07/19 04:29:47 | 000,000,000 | ---D | C] -- C:\Users\Marjan\AppData\Local\IsolatedStorage
[2013/07/19 04:27:11 | 000,000,000 | ---D | C] -- C:\Users\Marjan\AppData\Roaming\QSR_International
[2013/07/19 04:22:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QSR
[2013/07/19 04:22:01 | 000,000,000 | ---D | C] -- C:\ProgramData\QSR
[2013/07/19 04:22:01 | 000,000,000 | ---D | C] -- C:\Program Files\QSR
[2013/07/19 04:22:01 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\NVivo 10 Samples
[2013/07/19 04:20:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QSR
[2013/07/19 04:18:34 | 000,086,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\perf-MSSQL10_50.QSRNVIVO10-sqlagtctr.dll
[2013/07/19 04:18:34 | 000,057,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\perf-MSSQL10_50.QSRNVIVO10-sqlagtctr.dll
[2013/07/19 04:18:23 | 000,088,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\perf-MSSQL$QSRNVIVO10-sqlctr10.52.4000.0.dll
[2013/07/19 04:18:23 | 000,082,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\perf-MSSQL$QSRNVIVO10-sqlctr10.52.4000.0.dll
[2013/07/19 04:17:47 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\RsFx
[2013/07/19 04:17:05 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 9.0
[2013/07/19 04:16:43 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2013/07/19 04:14:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft SQL Server 2008 R2
[2013/07/12 07:49:38 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013/07/12 07:49:37 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013/07/12 07:49:36 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll
[2013/07/12 07:49:36 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll
[2013/07/12 07:49:36 | 000,089,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RegisterIEPKEYs.exe
[2013/07/12 07:49:36 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe
[2013/07/12 07:49:36 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2013/07/12 07:49:36 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2013/07/12 07:49:36 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2013/07/12 07:49:36 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2013/07/12 07:49:36 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2013/07/12 07:49:35 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/07/12 07:49:35 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/07/12 07:49:35 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013/07/12 07:49:34 | 003,958,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013/07/11 18:48:19 | 000,624,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\qedit.dll
[2013/07/11 18:48:19 | 000,509,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\qedit.dll
[2013/07/11 18:48:18 | 001,887,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WMVDECOD.DLL
[2013/07/11 18:48:18 | 001,620,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\WMVDECOD.DLL
[2013/07/11 18:43:32 | 001,643,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2013/07/08 23:59:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2013/07/08 23:59:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime
[3 C:\Users\Marjan\Desktop\*.tmp files -> C:\Users\Marjan\Desktop\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/08/07 14:42:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Marjan\Desktop\OTL.exe
[2013/08/07 14:42:04 | 000,563,082 | ---- | M] (Oleg N. Scherbakov) -- C:\Users\Marjan\Desktop\JRT.exe
[2013/08/07 14:40:50 | 000,666,633 | ---- | M] () -- C:\Users\Marjan\Desktop\AdwCleaner.exe
[2013/08/07 14:27:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/08/07 11:26:41 | 000,014,256 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/08/07 11:26:41 | 000,014,256 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/08/07 11:18:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/08/07 11:18:12 | 2113,613,823 | -HS- | M] () -- C:\hiberfil.sys
[2013/08/07 02:41:41 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/08/07 02:24:15 | 000,891,098 | ---- | M] () -- C:\Users\Marjan\Desktop\SecurityCheck.exe
[2013/08/07 02:14:56 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2013/08/07 02:04:20 | 005,100,695 | R--- | M] (Swearware) -- C:\Users\Marjan\Desktop\ComboFix.exe
[2013/08/07 01:51:05 | 013,399,154 | ---- | M] () -- C:\Users\Marjan\Desktop\mbar-1.06.0.1004.zip
[2013/08/07 01:46:43 | 002,240,864 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Marjan\Desktop\tdsskiller.exe
[2013/08/06 20:51:08 | 000,267,776 | ---- | M] () -- C:\Users\Marjan\AppData\Local\xUtgombQJ
[2013/08/06 20:51:08 | 000,267,776 | ---- | M] () -- C:\ProgramData\oC4C9VxNeom
[2013/08/06 20:51:08 | 000,267,776 | ---- | M] () -- C:\Users\Marjan\AppData\Roaming\Bsz1oXVEMxW
[2013/08/04 04:33:45 | 000,014,949 | ---- | M] () -- C:\ads_err.adt
[2013/08/04 04:24:37 | 000,004,554 | ---- | M] () -- C:\ads_err.adm
[2013/08/04 04:24:37 | 000,003,072 | ---- | M] () -- C:\ads_err.adi
[2013/08/03 13:02:33 | 000,911,684 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/08/03 13:02:33 | 000,755,896 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/08/03 13:02:33 | 000,156,260 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/07/31 19:04:30 | 000,002,095 | ---- | M] () -- C:\Users\Public\Desktop\Canon MP Navigator EX 2.1.lnk
[2013/07/22 17:13:49 | 000,001,127 | ---- | M] () -- C:\Users\Marjan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
[2013/07/22 17:03:58 | 000,000,932 | ---- | M] () -- C:\Users\Marjan\Desktop\Evernote.lnk
[2013/07/19 16:05:25 | 006,422,528 | ---- | M] () -- C:\Users\Marjan\Documents\Practice.mp.nvp
[2013/07/19 13:49:28 | 004,194,304 | ---- | M] () -- C:\Users\Marjan\Documents\Marjan's Test Project.nvp
[2013/07/19 10:14:31 | 000,419,632 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/07/19 04:22:20 | 000,001,924 | ---- | M] () -- C:\Users\Public\Desktop\QSR NVivo 10.lnk
[2013/07/15 11:26:54 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/15 11:26:54 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[3 C:\Users\Marjan\Desktop\*.tmp files -> C:\Users\Marjan\Desktop\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/08/07 14:40:47 | 000,666,633 | ---- | C] () -- C:\Users\Marjan\Desktop\AdwCleaner.exe
[2013/08/07 02:41:41 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/08/07 02:24:14 | 000,891,098 | ---- | C] () -- C:\Users\Marjan\Desktop\SecurityCheck.exe
[2013/08/07 02:05:31 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/08/07 02:05:31 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/08/07 02:05:31 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/08/07 02:05:31 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/08/07 02:05:31 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/08/07 01:51:05 | 013,399,154 | ---- | C] () -- C:\Users\Marjan\Desktop\mbar-1.06.0.1004.zip
[2013/08/06 20:51:18 | 000,267,776 | ---- | C] () -- C:\Users\Marjan\AppData\Local\xUtgombQJ
[2013/08/06 20:51:18 | 000,267,776 | ---- | C] () -- C:\ProgramData\oC4C9VxNeom
[2013/08/06 20:51:18 | 000,267,776 | ---- | C] () -- C:\Users\Marjan\AppData\Roaming\Bsz1oXVEMxW
[2013/08/04 04:24:17 | 000,014,949 | ---- | C] () -- C:\ads_err.adt
[2013/08/04 04:24:17 | 000,004,554 | ---- | C] () -- C:\ads_err.adm
[2013/08/04 04:24:17 | 000,003,072 | ---- | C] () -- C:\ads_err.adi
[2013/07/31 19:04:30 | 000,002,095 | ---- | C] () -- C:\Users\Public\Desktop\Canon MP Navigator EX 2.1.lnk
[2013/07/22 17:13:49 | 000,001,127 | ---- | C] () -- C:\Users\Marjan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
[2013/07/22 17:03:58 | 000,000,932 | ---- | C] () -- C:\Users\Marjan\Desktop\Evernote.lnk
[2013/07/19 15:33:59 | 006,422,528 | ---- | C] () -- C:\Users\Marjan\Documents\Practice.mp.nvp
[2013/07/19 11:21:26 | 004,194,304 | ---- | C] () -- C:\Users\Marjan\Documents\Marjan's Test Project.nvp
[2013/07/19 04:22:20 | 000,001,924 | ---- | C] () -- C:\Users\Public\Desktop\QSR NVivo 10.lnk
[2013/06/15 00:20:25 | 000,000,005 | ---- | C] () -- C:\Users\Marjan\AppData\Roaming\WBPU-TTL.DAT
[2013/02/20 16:53:20 | 000,000,260 | ---- | C] () -- C:\Windows\Brpfx04a.ini
[2013/02/20 16:53:20 | 000,000,064 | ---- | C] () -- C:\Windows\brpcfx.ini
[2013/02/20 16:51:25 | 000,000,066 | ---- | C] () -- C:\Windows\Brfaxrx.ini
[2013/02/20 16:51:21 | 000,000,000 | ---- | C] () -- C:\Windows\brdfxspd.dat
[2013/01/20 08:41:51 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Pop Flute
[2013/01/20 08:41:51 | 000,000,268 | RH-- | C] () -- C:\Users\Marjan\AppData\Roaming\Plug-In Settings
[2013/01/20 08:41:51 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLdu.DAT
[2012/05/07 18:15:08 | 000,059,232 | ---- | C] () -- C:\Windows\SysWow64\CNC990W.DAT
[2012/02/07 15:28:10 | 000,000,336 | ---- | C] () -- C:\Windows\BRCALIB.INI
[2011/12/29 00:50:47 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/12/28 11:16:22 | 000,819,960 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/12/28 09:36:39 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\sysprs7.dll
[2011/12/28 09:36:39 | 000,000,205 | ---- | C] () -- C:\Windows\SysWow64\lsprst7.dll
[2011/12/27 15:43:23 | 000,080,368 | ---- | C] () -- C:\Windows\SysWow64\pbadrvdll.dll
[2011/12/27 15:28:15 | 000,008,192 | ---- | C] () -- C:\Windows\SysWow64\srvany.exe
[2011/12/27 15:20:25 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/09/26 19:23:32 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
 
========== ZeroAccess Check ==========
 
[2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013/02/27 01:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/02/27 00:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 21:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 08:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 21:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
< End of report >
Link to post
Share on other sites
D-FRED-BROWN

D-FRED-BROWN

Posted
Posted

We're nearly in the clear. :)

 

----------Step 1----------------
We need to run an OTL Fix

  • Please reopen otlicon.png on your desktop.
  • Copy and Paste the following code into the customscanfix.png textbox.

     

     

    :OTL
    [3 C:\Users\Marjan\Desktop\*.tmp files -> C:\Users\Marjan\Desktop\*.tmp -> ]
    [2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
     
    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
     
    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
     
    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
     
    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
     
    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2013/02/27 01:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment
     
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2013/02/27 00:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment
     
    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 21:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free
     
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 08:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free
     
    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 21:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both
     
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]


    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]

  • Push runfix.png
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

----------Step 2----------------
Instructions for DELETE:

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

Afterwards, please reboot the computer.

----------Step 3----------------
Please post the OTL and AdwCleaner reports in your next reply. How are things running now?

Link to post
Share on other sites
NukeMeSlowly

NukeMeSlowly

Posted
  • Author
Posted

Extras.txt:

 

OTL Extras logfile created on: 8/7/2013 2:52:24 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Marjan\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16635)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
7.96 Gb Total Physical Memory | 6.05 Gb Available Physical Memory | 76.01% Memory free
15.91 Gb Paging File | 13.56 Gb Available in Paging File | 85.20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.66 Gb Total Space | 370.02 Gb Free Space | 79.46% Space Free | Partition Type: NTFS
 
Computer Name: MARJAN-PC | User Name: Marjan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
 
[HKEY_USERS\S-1-5-21-926839969-3728488504-4215999852-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
========== Firewall Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0DB65D31-E2A8-4E37-A385-7EC81597AFDA}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{1146FB26-47BD-4518-BBDE-E8472B57E828}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{179A96EE-CE79-4069-99BF-C26571BB51C4}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\outlook.exe | 
"{33176D8E-6215-4F84-BEB7-7405B05753BB}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{3406FED7-B036-4F71-BC70-030907ED0CDC}" = rport=139 | protocol=6 | dir=out | app=system | 
"{391C505E-EA14-40AA-A628-E7BD8FFBC643}" = lport=139 | protocol=6 | dir=in | app=system | 
"{4FAF2245-E245-45F0-9912-B87529CA77F3}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{5601E3A4-C78B-4487-B83E-B15A04339FD8}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{64076E02-52ED-45BC-9245-DD625682A259}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{72726A52-7316-4E9F-8DB0-90D37AD1A65F}" = rport=137 | protocol=17 | dir=out | app=system | 
"{76F408CD-2B9B-482F-9DCD-62C10B6D57DD}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{785BF150-4A8B-4DBE-A344-E81CBDE94FE0}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{854A93B8-5D23-4698-A457-EDFB4C39F654}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{88171309-B209-4229-B892-E52F27B41284}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{8881F569-31FD-407F-8ABA-4F1C17313661}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{89906D12-770C-4C4C-A390-999BA02DD60D}" = lport=138 | protocol=17 | dir=in | app=system | 
"{9A96BFB5-8239-4900-B9CE-81973D62C311}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{9D16D6B7-B882-4ADA-8548-678579E2E786}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{AF27D78D-A855-4C0D-B478-A1DAB563C7F3}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{B84E4D0F-07FE-454D-BD8C-9E5695C6B88E}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{BEF2F4C2-92AE-4A61-BC2F-5D2A5FCA9E11}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{C03D3E30-8744-4A50-8DAE-B6A4C1641441}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{C0B06B03-32BE-4E1D-A115-EBDCB1C9728A}" = lport=445 | protocol=6 | dir=in | app=system | 
"{C0C7BA16-126B-4FAF-9104-4891EA1984AB}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{C20721CF-46BB-458F-98A8-2D67586CC86D}" = lport=137 | protocol=17 | dir=in | app=system | 
"{C64C5AFF-00CC-490E-A1DD-B67858B74B2C}" = rport=138 | protocol=17 | dir=out | app=system | 
"{C86C4219-E628-437F-B9BA-C5AA35C83DA8}" = rport=445 | protocol=6 | dir=out | app=system | 
"{D23EBEB2-B844-4CA7-A9A1-393C67579D7E}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{E9416211-32BE-48B0-9FBB-C2574B9D80BD}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{EAE90FBB-8645-4015-9A12-D2F81887061B}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{EEA84EE4-E73D-4F51-BAEF-DAA6CD4EE83E}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{F29AB0B0-1B6C-4570-833D-CBFA39DF27E9}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01E66307-44CB-4448-BCF2-ED0015B9F3E9}" = protocol=17 | dir=in | app=c:\program files (x86)\novell\groupwise\notify.exe | 
"{0DBE4728-8236-4A03-A303-9AE7D498B6FD}" = protocol=17 | dir=in | app=c:\users\marjan\appdata\roaming\dropbox\bin\dropbox.exe | 
"{140FE54B-1453-4984-B682-62D53FE72998}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe | 
"{1FBE83E6-EBBA-44C3-BD51-25E3EE2026B9}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{252111DD-377E-438D-A2D7-670B668780F8}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\groove.exe | 
"{32932778-EB17-42A0-B50D-1C3EE5E4C666}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | 
"{39C9C8CE-00D1-4AAB-ADDC-2B50B13D5A00}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe | 
"{4060816F-6CCB-41D0-8B75-4B0A9A337003}" = protocol=6 | dir=in | app=c:\program files (x86)\novell\groupwise\grpwise.exe | 
"{4F3B2CFC-7630-41D8-8C49-D107168349CB}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\groove.exe | 
"{53C6864F-7F06-4A1E-8585-94895E5DA3C1}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{545CB1FB-73B1-4DED-A497-B437E704E90E}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe | 
"{5C9DD961-BEE3-4FBB-95D2-EC197D7B8668}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{67538317-1B68-464A-9840-4ECBE72D4F6B}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{6B249F61-2EA5-4FD7-883F-D0B6B1CA9D71}" = protocol=6 | dir=out | app=system | 
"{7794B147-AE60-4EE1-89BF-B54195EF74CC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{7D17D359-AEF2-4F34-A977-B01961672D4E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{7D9EDF5B-4033-4396-9349-575C8CB7F589}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{7E101A26-1F95-4299-B3DF-6A811B1F2E4E}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe | 
"{7EDE1E59-78DC-4222-87B2-D35111115422}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{7FBCD583-133B-4EE3-A170-8ADA5C12ED40}" = protocol=17 | dir=in | app=c:\program files (x86)\codemeter\runtime\bin\codemeter.exe | 
"{80CCA550-27A7-4B18-9915-A39899579C1D}" = protocol=6 | dir=in | app=c:\program files (x86)\codemeter\runtime\bin\codemeter.exe | 
"{8326760D-688B-45DE-8D77-124D4097E2F1}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{838F4089-2AD0-420D-8BE3-6C1F69A1CC90}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe | 
"{94404A4B-B9AE-4B1B-AD23-A2D630AF86D7}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe | 
"{9A455869-98E8-459B-AA3E-E6A6964A0AA7}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe | 
"{9E10E1A1-09C8-4CE1-869D-C9933F0E55E9}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{A5D7D1C4-ED7D-4FF8-84F2-5230F185850B}" = protocol=17 | dir=in | app=c:\program files (x86)\novell\groupwise\grpwise.exe | 
"{A76AAA36-1973-49BB-9BA7-7221E50BFF9C}" = protocol=6 | dir=in | app=c:\users\marjan\appdata\roaming\dropbox\bin\dropbox.exe | 
"{A9451202-C3F2-4F58-8AC2-84990D0CFB03}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe | 
"{A984994B-8DBF-444C-BAE1-82BEC8B02E22}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe | 
"{AA8F44E7-A3E2-4CBD-A7A5-8FECE180E4F0}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{ADF3587E-0939-495A-8172-75197D6F3CA0}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{B5566688-12FE-4B95-8CAB-BC5C50313591}" = protocol=17 | dir=in | app=c:\program files (x86)\codemeter\runtime\bin\codemeter.exe | 
"{B7059A25-59F8-48CE-854E-D52E1D0C5B53}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe | 
"{BF450517-34CD-4B13-B612-0B35D8818E25}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{C664DE27-830E-4341-80A7-5C4314C28B6B}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe | 
"{CAE32BB5-F96C-4CD5-B83D-270A5C52DA2E}" = protocol=6 | dir=in | app=c:\program files (x86)\novell\groupwise\notify.exe | 
"{CCD1B7CE-2266-4654-B374-424A7B7DE5B3}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe | 
"{CF023A4B-2D4E-47D3-8254-DA3F19885136}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{D52E57D6-467F-46E6-8EC7-20CA955B3D61}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{D7EFECCF-EE4D-4C90-88F3-FAFC503AB0AF}" = protocol=6 | dir=in | app=c:\program files (x86)\codemeter\runtime\bin\codemeter.exe | 
"{E1D6661F-DC55-415A-82F7-BECE0293E1CF}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{ED189FAE-0B04-4DF6-9287-F29BACE8D1AE}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{FB35CEB1-8508-4EE8-A6EE-52A06788ADF0}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{FCD3DB5F-6CF5-4731-B651-FC165E024AA1}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{FD6D1EB3-A489-43BF-9605-0C485B7C9966}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{FDABF8CC-09BB-416E-A898-AD2E56EF58ED}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"TCP Query User{081E4F28-7F63-47AA-90B3-E382F14CAA7E}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"TCP Query User{0C99E3CC-5DDB-4B18-9CE5-4C12FBCD7D94}C:\program files\ibm\spss\statistics\20\stats.exe" = protocol=6 | dir=in | app=c:\program files\ibm\spss\statistics\20\stats.exe | 
"TCP Query User{185A6AD3-9CAB-4FAC-817A-2D956536F4F4}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe | 
"TCP Query User{4DD8F184-1330-4FC1-BA03-B6607E996E68}C:\users\marjan\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\marjan\appdata\roaming\dropbox\bin\dropbox.exe | 
"TCP Query User{61AF5A9F-F0F7-410B-8FC9-73BE262AEF6D}C:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe | 
"TCP Query User{6D4FC898-ACCA-468C-9836-1589960B205C}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"UDP Query User{383A4EEE-CFBC-4DA8-9437-557E10C1298D}C:\users\marjan\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\marjan\appdata\roaming\dropbox\bin\dropbox.exe | 
"UDP Query User{A9D23EF6-7661-4A81-8530-D728A4383497}C:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe | 
"UDP Query User{B521EF32-EFFE-4D00-A651-475E6B0B2625}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe | 
"UDP Query User{C388E34D-48B0-4B85-A309-5C9A343D1697}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"UDP Query User{D1FDA46A-3424-4FBC-A4BC-43AA9D8C9817}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"UDP Query User{EFD9134B-1981-46E7-B27F-BEDCA35DBC37}C:\program files\ibm\spss\statistics\20\stats.exe" = protocol=17 | dir=in | app=c:\program files\ibm\spss\statistics\20\stats.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software Installer
"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX860_series" = Canon MX860 series MP Drivers
"{234F6B0D-10AE-4BB7-B2F3-E48D4861952D}" = SQL Server 2008 R2 SP2 Common Files
"{288D79EE-A2D1-42AF-9597-B0ADCC23A8ED}" = Microsoft SQL Server VSS Writer
"{2AF8017B-E503-408F-AACE-8A335452CAD2}" = IBM SPSS Statistics 20
"{2EECD5EF-5095-467C-B80C-4AB3096EFD60}" = SPBA 5.9
"{2F72F540-1F60-4266-9506-952B21D6640D}" = Apple Mobile Device Support
"{36F70DEE-1EBF-4707-AFA2-E035EEAEBAA1}" = SQL Server 2008 R2 SP2 Common Files
"{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}" = Preboot Manager
"{3DCDFCDB-4D96-4CF0-9BB3-C91DAE9073F3}" = PC-CCID
"{49BFDB10-A9AC-4368-9BF1-236D569DD8F0}" = QSR NVivo 10
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{4C1CCA11-0D08-4D5E-8444-2D9FB48BCABF}" = Intel® PROSet/Wireless WiFi Software
"{4E60E212-3177-4B16-BCB3-616CCC52357D}" = Upek Touchchip Fingerprint Reader
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{5318020E-E32C-4A33-BC8D-EEF5CC2F6CA1}" = SQL Server 2008 R2 SP2 Database Engine Services
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{6AC87FB3-ACFC-4416-890C-8976D5A9B371}" = Trusted Drive Manager
"{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{704C0303-D20C-45AF-BD2B-556EAF31BE09}" = iCloud
"{7206B668-FEE0-455B-BB1F-9B5A2E0EC94A}" = Custom
"{76FF0F03-B707-4332-B5D1-A56C8303514E}" = iTunes
"{777FF553-493D-4068-BAC7-EE2D73DB7434}" = Wave Infrastructure Installer
"{79A2C6E8-C727-4D12-B4B3-19790C181DEA}" = Microsoft SQL Server 2008 R2 Native Client
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{86D58D69-DC49-5E97-C63C-1BB8D6AED9DE}" = ccc-utility64
"{86E45973-5352-439F-A115-2E8EE4D40140}" = ActivClient CAC x64
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A6B4FE2-7CC4-4DAC-BC68-D9E170B758FD}" = Dell ControlVault Host Components Installer 64 bit
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{91CE5F03-3A2A-4268-935A-04944F058AE9}" = Gemalto
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9DAED4FC-2B0E-4F3F-8141-F2ABF02CCFCB}" = BioAPI Framework
"{9FFAE13C-6160-4DD0-A67A-DAC5994F81BD}" = SQL Server 2008 R2 SP2 Database Engine Services
"{A2122A9C-A699-4365-ADF8-68FEAC125D61}" = SQL Server 2008 R2 SP2 Database Engine Shared
"{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Data Protection | Access
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B40EE88B-400A-4266-A17B-E3DE64E94431}" = Microsoft SQL Server 2008 Setup Support Files 
"{C3525BF7-3698-4CD3-A8C3-69BD6F57BA3B}" = Microsoft SQL Server 2008 R2 Setup (English)
"{C942A025-A840-4BF2-8987-849C0DD44574}" = SQL Server 2008 R2 SP2 Database Engine Shared
"{D406D803-C60C-4CF5-9B97-B95C3DF87F52}" = Microsoft SQL Server 2008 R2 RsFx Driver
"{D954C6C2-544B-4091-A47F-11E77162883E}" = Microsoft Security Client
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319
"{DB3D2C81-EF11-4b1f-9B55-3959AEE09E55}" = Canon MF8300C Series
"{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"{EECA7F7F-FC25-7AF8-E0C5-DEFC4C705FD6}" = ATI Catalyst Install Manager
"{F31183CF-E10F-4DE1-BB59-6C0FF38E481E}" = Sql Server Customer Experience Improvement Program
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F839C6BD-E92E-48FA-9CE6-7BFAF94F7096}" = DellAccess
"{FDF509ED-9624-4FDE-9BAA-9566C186AB96}" = Dell System Manager
"815EB4ED418166EC2BBE3A39EAC38C74AE911A8C" = Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric  (07/02/2009 8.5.0.251)
"9512AA21B791B05A54E27065C45BBC417AB282DF" = Windows Driver Package - Dell Inc. PBADRV System  (09/11/2009 1.0.1.6)
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Microsoft SQL Server 10" = Microsoft SQL Server 2008 R2 (64-bit)
"Microsoft SQL Server 2008 R2" = Microsoft SQL Server 2008 R2 (64-bit)
"ProInst" = Intel PROSet Wireless
"PROSet" = Intel® Network Connections Drivers
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{050BF7DA-82C4-416A-8294-7AFEB8ED94E1}" = Microsoft® Office Language Pack 2010 – English (Business Contact Manager for Microsoft Outlook 2010)
"{079A722B-B7BA-E464-E023-4150C8D766BB}" = CCC Help Korean
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
"{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}" = Microsoft SQL Server 2008 Common Files
"{1B7D35ED-B68B-479F-94D7-0D8DF2BBC90E}" = O2Micro Flash Memory Card Windows Driver
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java 6 Update 33
"{2C43790E-8470-1027-82D3-DF319F3C410F}" = Intel® Identity Protection Technology 1.0.71.0
"{3318B54A-B5A8-49B1-8016-753DC6CAC63B}" = Citrix Online Launcher
"{33AE9E89-47C9-4A0D-9E9D-BDD6966A3804}" = Microsoft SQL Server 2008 RsFx Driver
"{34403D44-0BA0-4CB3-9C7C-EFD30F2C3AA8}" = QSR NVivo Add-In for OneNote
"{349D9525-A9D9-2EAE-73AB-07CCDB6A1C6C}" = Catalyst Pro Control Center
"{361A1B67-3B21-D60B-BC19-C74741B79380}" = CCC Help Chinese Standard
"{3A3915D6-86A1-3D5F-9582-ABD25DF3D1F8}" = CCC Help Danish
"{4815BD99-96A4-49FE-A885-DCF06E9E4E78}" = Microsoft SQL Server 2008 Database Engine Shared
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A6F34E2-09E5-4616-B227-4A26A488A6F9}" = Microsoft SQL Server 2008 Common Files
"{4E4E65EE-C456-45AC-B5AD-C62C3A325BD0}" = Dell Data Protection | Access | Drivers
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.5
"{53E079E5-4DEC-4E95-8EB9-8FF9A82D82AC}" = Catalyst Control Center - Branding
"{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"{58721EC3-8D4E-4B79-BC51-1054E2DDCD10}" = Microsoft SQL Server 2008 Database Engine Services
"{59674E04-026D-5EFB-D485-A18261D18DD1}" = CCC Help German
"{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}" = Apple Application Support
"{6146B9DC-C33D-11E2-BDE1-984BE15F174E}" = Evernote v. 4.6.6
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel® Management Engine Components
"{664FE4DC-E38D-40A0-83F0-D80B37015CAB}" = InstallRoot 3.12
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7196E6BD-4B65-43F9-9D30-73A8E58D0E84}" = Avery Wizard 4.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75714348-A747-24A8-DCA3-8755AF0AC1E8}" = CCC Help Japanese
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7C113200-C529-0123-4A2E-AEF6F6271677}" = Catalyst Control Center Localization All
"{7DE75545-D263-FFEB-0845-AC772E771C37}" = CCC Help Russian
"{81FADFBE-3B56-47FC-A122-3C69D1708089}" = GroupWise
"{86B3F2D6-AC2B-0014-8AE1-F2F77F781B0C}" = EndNote X4
"{870594CD-9A49-0643-24E0-610DA7466629}" = CCC Help Italian
"{87434D51-51DB-4109-B68F-A829ECDCF380}" = AccelerometerP11
"{8E2BC848-4490-4A19-8304-5A9D79DD33FA}" = AnySync
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUSR_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0116-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{94F57B0C-54F0-4612-7895-3F07024B95BC}" = CCC Help Portuguese
"{979742CC-2CBB-49D8-9BEE-C2F7875F5393}" = Brother MFL-Pro Suite MFC-9970CDW
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9ADA656A-36AA-A333-1655-04D5F3A1224A}" = CCC Help Finnish
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D5B85C5-45B9-30A1-8433-B011398C38AA}" = CCC Help Norwegian
"{A2471C92-D798-30D7-5801-6C3542A0DD5D}" = CCC Help Spanish
"{A638557B-1F13-40A0-9627-C892FBCA6960}" = McAfee Agent
"{A7D91856-258D-4C87-8041-B170851CE432}" = Dell Data Protection | Access
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-F400-7760-000000000005}" = Adobe Acrobat X Pro - English, Français, Deutsch
"{AE0F1B03-E104-AA68-850A-A2DE9F95BCBF}" = CCC Help English
"{AF11C2C6-2B08-2666-53AF-FB96D686D12B}" = CCC Help Swedish
"{B32CD9BC-7C16-4152-A579-2AA32730E24E}" = QSR NCapture for Internet Explorer
"{B5153233-9AEE-4CD4-9D2C-4FAAC870DBE2}" = Microsoft SQL Server 2008 Database Engine Services
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{BA4DA261-CB60-4690-B202-44998DFC6986}" = Microsoft SQL Server 2008 Setup Support Files 
"{BF9BF038-FE03-429D-9B26-2FA0FD756052}" = Microsoft SQL Server Browser
"{C28422FB-F2CD-427A-ADED-9F281745CDB2}" = Secure Download Manager
"{C965F01C-76EA-4BD7-973E-46236AE312D7}" = Sql Server Customer Experience Improvement Program
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4
"{E30E7561-A466-4393-B8BF-FD93E733EF3C}" = Microsoft Office Live Meeting 2007
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E4B48349-A165-4097-8D78-AC950BD8638E}" = Business Contact Manager for Microsoft Outlook 2010
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{EA9A9EEE-2275-F448-80CA-173F11D56B9A}" = Catalyst Control Center InstallProxy
"{EB78E6E7-6E0B-4EEE-A485-9361C3500096}" = QSR NCapture for Chrome
"{F2F8DB1D-16B0-ED0D-E510-57C921E72616}" = CCC Help Dutch
"{F3494AB6-6900-41C6-AF57-823626827ED8}" = Microsoft SQL Server 2008 Database Engine Shared
"{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel® Control Center
"{F9EC8B11-E5F2-47A7-C631-7D4430DF3CE2}" = CCC Help French
"{FACF1591-128A-0365-F10D-28379C9776BC}" = CCC Help Chinese Traditional
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"AnyTime Organizer" = AnyTime Organizer
"Business Contact Manager" = Business Contact Manager for Microsoft Outlook 2010
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"Genie Timeline" = LaCie Genie Timeline 2.1
"Google Chrome" = Google Chrome
"GoToAssist" = GoToAssist Corporate
"InstallShield_{1B7D35ED-B68B-479F-94D7-0D8DF2BBC90E}" = O2Micro Flash Memory Card Windows Driver
"InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft SQL Server 10" = Microsoft SQL Server 2008
"Microsoft SQL Server 10 Release" = Microsoft SQL Server 2008
"MiPony" = MiPony 2.0.2
"MP Navigator EX 2.1" = Canon MP Navigator EX 2.1
"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
"ResearchSoft Direct Export Helper" = ResearchSoft Direct Export Helper
"VLC media player" = VLC media player 2.0.7
"WMS" = Windows NT Messaging
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-926839969-3728488504-4215999852-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ActiveTouchMeetingClient" = Cisco WebEx Meetings
"Dropbox" = Dropbox
"DSite" = Update for Mipony Download Manager
"GoToMeeting" = GoToMeeting 5.6.0.1157
 
< End of report >
 

 


ESET:

 

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=61b42f9f889b5744b56047b18af2c71b
# engine=14692
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-08-07 08:36:41
# local_time=2013-08-07 04:36:41 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 1327654 127451251 0 0
# scanned=234078
# found=3
# cleaned=3
# scan_time=5267
sh=A32DB4D9496F111DF0489BC4352496C6058B4F7D ft=1 fh=5f34d5a98eda74b2 vn="a variant of Win32/Kryptik.BHKC trojan (cleaned by deleting - quarantined)" ac=C fn="C:\FRST\Quarantine\0EnIeGij.exe"
sh=818189BDD688028C1961F8840F38C6EC279F285C ft=1 fh=5f34d5a94bbe81ca vn="a variant of Win32/Kryptik.BHKC trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Marjan\AppData\Local\7zh41ioRd\0EnIeGij.dll"
sh=A32DB4D9496F111DF0489BC4352496C6058B4F7D ft=1 fh=5f34d5a98eda74b2 vn="a variant of Win32/Kryptik.BHKC trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Marjan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\22268c2c-59c70453"
 

 

ESETSscan:

 

C:\FRST\Quarantine\0EnIeGij.exe a variant of Win32/Kryptik.BHKC trojan cleaned by deleting - quarantined
C:\Users\Marjan\AppData\Local\7zh41ioRd\0EnIeGij.dll a variant of Win32/Kryptik.BHKC trojan cleaned by deleting - quarantined
C:\Users\Marjan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\22268c2c-59c70453 a variant of Win32/Kryptik.BHKC trojan cleaned by deleting - quarantined
 
 
Please advise next steps.
Link to post
Share on other sites
NukeMeSlowly

NukeMeSlowly

Posted
  • Author
Posted

OTL fix:

 

All processes killed
========== OTL ==========
C:\Users\Marjan\Desktop\~WRL0005.tmp deleted successfully.
C:\Users\Marjan\Desktop\~WRL0338.tmp deleted successfully.
C:\Users\Marjan\Desktop\~WRL1492.tmp deleted successfully.
C:\Windows\assembly\Desktop.ini moved successfully.
File EY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
File EY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 not found.
File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] not found.
File EY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
File EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64\ not found.
Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]\ not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64\ not found.
Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]\ not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Marjan
->Temp folder emptied: 1235991 bytes
->Temporary Internet Files folder emptied: 333 bytes
->Java cache emptied: 3963467 bytes
->FireFox cache emptied: 87796165 bytes
->Google Chrome cache emptied: 8152336 bytes
->Flash cache emptied: 523 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8614 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 36033870 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 131.00 mb
 
 
[EMPTYJAVA]
 
User: All Users
 
User: Default
 
User: Default User
 
User: Marjan
->Java cache emptied: 0 bytes
 
User: Public
 
Total Java Files Cleaned = 0.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default
 
User: Default User
 
User: Marjan
->Flash cache emptied: 0 bytes
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 08072013_165447
 
Files\Folders moved on Reboot...
C:\Users\Marjan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Marjan\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
 
PendingFileRenameOperations files...
 
Registry entries deleted on Reboot...
 

 

 

AdwCleaner delete:

 

# AdwCleaner v2.306 - Logfile created 08/07/2013 at 17:02:06
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Marjan - MARJAN-PC
# Boot Mode : Normal
# Running from : C:\Users\Marjan\Desktop\AdwCleaner.exe
# Option [Delete]
 
 
***** [services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\Program Files (x86)\Mozilla Firefox\.autoreg
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
 
***** [internet Browsers] *****
 
-\\ Internet Explorer v10.0.9200.16635
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v [unable to get version]
 
-\\ Google Chrome v28.0.1500.95
 
File : C:\Users\Marjan\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [2213 octets] - [07/08/2013 14:43:15]
AdwCleaner[s1].txt - [1913 octets] - [07/08/2013 17:02:06]
 
########## EOF - C:\AdwCleaner[s1].txt - [1973 octets] ##########
 
Laptop seems up to snuff. FBI virus is no where to be seen.
 
Any remaining steps to take?
Link to post
Share on other sites
D-FRED-BROWN

D-FRED-BROWN

Posted
Posted

Things look good. Judging by your last few logs, I'd say your system is clean. :)

Before we move on, please take the time to install the following updates. Program updates are a critical part of your computer's safety net, as outdated applications leave you vulnerable to malware.

 

---------

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here http://java.com/en/download/index.jsp.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to Start > Control Panel and open Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment).  
They will have this icon next to them:  javaicon.gif
Select each in turn and click Remove.

Once old versions are gone, please install the newest version.
 

---------

 

Please let me know how the updates went, as failed updates may be due to malware.

Link to post
Share on other sites
NukeMeSlowly

NukeMeSlowly

Posted
  • Author
Posted

Deleted existing versin of Java and then downloaded latest.

No problems with installation until the very end when I got an error message - something like "browserError3"? I checked the control panel and the newest version of Java is there.

 

Is this just a hiccup or a real problem?

 

Thanks again for all your help.

Link to post
Share on other sites
D-FRED-BROWN

D-FRED-BROWN

Posted
Posted

Sounds like just a hiccup. I wouldn't worry about it, but let me know if you have any issues.

 

-----------

 

Glad to hear the updates went successfully!

Unless there are any other issues, I will now provide you with some steps to better protect your computer.

First, we need to remove ComboFix.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------------

Let's remove OTL and the other tools we used as well:

  • Reopen otlicon.png on your desktop.
  • Click on cleanup.png
  • You will be prompted to reboot your system. Please do so.


-------------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

-------------------

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!.
AntiVir
AVG
Microsoft Security Essentials

-------------------

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

-------------------

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.
A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.
If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available


A tutorial on understanding and using firewalls may be found here.

-------------------

Please keep your security programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time.

-------------------

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewa...nti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

-------------------

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

-------------------

For more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.

-------------------

I would grateful if you could reply to this post so that I know you have read it and, if you have no other questions, the thread can then be closed.

I will leave the thread open for a few more days. If you need anything, just come back here and let me know. After that time you will have to send me a PM.


---------------------------------------------------------



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here:
paypal.gif Every little bit helps. smile.png

-DFB
 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept